This commit was generated by cvs2svn to compensate for changes in r157016,

which included commits to RCS files with non-trunk default branches.
2006-03-22 19:46:12 +00:00 · 2006-03-22 19:46:12 +00:00 · 4f87d65874
commit 4f87d65874
parent 3a4d58a91a 021d409f5b
98 changed files with 2740 additions and 990 deletions
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@ -1,3 +1,832 @@
 20060201
 - (djm) [regress/test-exec.sh] Try 'logname' as well as 'whoami' to 
   determine the user's login name - needed for regress tests on Solaris 
   10 and OpenSolaris
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/02/01 09:06:50
     [sshd.8]
     - merge sections on protocols 1 and 2 into a single section
     - remove configuration file section
     ok markus
   - jmc@cvs.openbsd.org 2006/02/01 09:11:41
     [sshd.8]
     small tweak;
 - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
   [contrib/suse/openssh.spec] Update versions ahead of release
   - markus@cvs.openbsd.org 2006/02/01 11:27:22
     [version.h]
     openssh 4.3
 - (djm) Release OpenSSH 4.3p1
 20060131
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/20 11:21:45
     [ssh_config.5]
     - word change, agreed w/ markus
     - consistency fixes
   - jmc@cvs.openbsd.org 2006/01/25 09:04:34
     [sshd.8]
     move the options description up the page, and a few additional tweaks
     whilst in here;
     ok markus
   - jmc@cvs.openbsd.org 2006/01/25 09:07:22
     [sshd.8]
     move subsections to full sections;
   - jmc@cvs.openbsd.org 2006/01/26 08:47:56
     [ssh.1]
     add a section on verifying host keys in dns;
     written with a lot of help from jakob;
     feedback dtucker/markus;
     ok markus
   - reyk@cvs.openbsd.org 2006/01/30 12:22:22
     [channels.c]
     mark channel as write failed or dead instead of read failed on error
     of the channel output filter.
     ok markus@
   - jmc@cvs.openbsd.org 2006/01/30 13:37:49
     [ssh.1]
     remove an incorrect sentence;
     reported by roumen petrov;
     ok djm markus
   - djm@cvs.openbsd.org 2006/01/31 10:19:02
     [misc.c misc.h scp.c sftp.c]
     fix local arbitrary command execution vulnerability on local/local and
     remote/remote copies (CVE-2006-0225, bz #1094), patch by
     t8m AT centrum.cz, polished by dtucker@ and myself; ok markus@
   - djm@cvs.openbsd.org 2006/01/31 10:35:43
     [scp.c]
     "scp a b c" shouldn't clobber "c" when it is not a directory, report and
     fix from biorn@; ok markus@
 - (djm) Sync regress tests to OpenBSD:
   - dtucker@cvs.openbsd.org 2005/03/10 10:20:39
     [regress/forwarding.sh]
     Regress test for ClearAllForwardings (bz #994); ok markus@
   - dtucker@cvs.openbsd.org 2005/04/25 09:54:09
     [regress/multiplex.sh]
     Don't call cleanup in multiplex as test-exec will cleanup anyway
     found by tim@, ok djm@
     NB. ID sync only, we already had this
   - djm@cvs.openbsd.org 2005/05/20 23:14:15
     [regress/test-exec.sh]
     force addressfamily=inet for tests, unbreaking dynamic-forward regress for
     recently committed nc SOCKS5 changes
   - djm@cvs.openbsd.org 2005/05/24 04:10:54
     [regress/try-ciphers.sh]
     oops, new arcfour modes here too
   - markus@cvs.openbsd.org 2005/06/30 11:02:37
     [regress/scp.sh]
     allow SUDO=sudo; from Alexander Bluhm
   - grunk@cvs.openbsd.org 2005/11/14 21:25:56
     [regress/agent-getpeereid.sh]
     all other scripts in this dir use $SUDO, not 'sudo', so pull this even
     ok markus@
   - dtucker@cvs.openbsd.org 2005/12/14 04:36:39
     [regress/scp-ssh-wrapper.sh]
     Fix assumption about how many args scp will pass; ok djm@
     NB. ID sync only, we already had this
   - djm@cvs.openbsd.org 2006/01/27 06:49:21
     [scp.sh]
     regress test for local to local scp copies; ok dtucker@
   - djm@cvs.openbsd.org 2006/01/31 10:23:23
     [scp.sh]
     regression test for CVE-2006-0225 written by dtucker@
   - djm@cvs.openbsd.org 2006/01/31 10:36:33
     [scp.sh]
     regress test for "scp a b c" where "c" is not a directory
 20060129
 - (dtucker) [configure.ac opensshd.init.in] Bug #1144: Use /bin/sh for the
   opensshd.init script interpretter if /sbin/sh does not exist.  ok tim@
 20060120
 - (dtucker) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/15 17:37:05
     [ssh.1]
     correction from deraadt
   - jmc@cvs.openbsd.org 2006/01/18 10:53:29
     [ssh.1]
     add a section on ssh-based vpn, based on reyk's README.tun;
   - dtucker@cvs.openbsd.org 2006/01/20 00:14:55
     [scp.1 ssh.1 ssh_config.5 sftp.1]
     Document RekeyLimit.  Based on patch from jan.iven at cern.ch from mindrot
     #1056 with feedback from jmc, djm and markus; ok jmc@ djm@
 20060114
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/06 13:27:32
     [ssh.1]
     weed out some duplicate info in the known_hosts FILES entries;
     ok djm
   - jmc@cvs.openbsd.org 2006/01/06 13:29:10
     [ssh.1]
     final round of whacking FILES for duplicate info, and some consistency
     fixes;
     ok djm
   - jmc@cvs.openbsd.org 2006/01/12 14:44:12
     [ssh.1]
     split sections on tcp and x11 forwarding into two sections.
     add an example in the tcp section, based on sth i wrote for ssh faq;
     help + ok: djm markus dtucker
   - jmc@cvs.openbsd.org 2006/01/12 18:48:48
     [ssh.1]
     refer to `TCP' rather than `TCP/IP' in the context of connection
     forwarding;
     ok markus
   - jmc@cvs.openbsd.org 2006/01/12 22:20:00
     [sshd.8]
     refer to TCP forwarding, rather than TCP/IP forwarding;
   - jmc@cvs.openbsd.org 2006/01/12 22:26:02
     [ssh_config.5]
     refer to TCP forwarding, rather than TCP/IP forwarding;
   - jmc@cvs.openbsd.org 2006/01/12 22:34:12
     [ssh.1]
     back out a sentence - AUTHENTICATION already documents this;
 20060109
 - (dtucker) [contrib/cygwin/ssh-host-config] Make sshd service depend on
   tcpip service so it's always started after IP is up.  Patch from
   vinschen at redhat.com.
 20060106
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/03 16:31:10
     [ssh.1]
     move FILES to a -compact list, and make each files an item in that list.
     this avoids nastly line wrap when we have long pathnames, and treats
     each file as a separate item;
     remove the .Pa too, since it is useless.
   - jmc@cvs.openbsd.org 2006/01/03 16:35:30
     [ssh.1]
     use a larger width for the ENVIRONMENT list;
   - jmc@cvs.openbsd.org 2006/01/03 16:52:36
     [ssh.1]
     put FILES in some sort of order: sort by pathname
   - jmc@cvs.openbsd.org 2006/01/03 16:55:18
     [ssh.1]
     tweak the description of ~/.ssh/environment
   - jmc@cvs.openbsd.org 2006/01/04 18:42:46
     [ssh.1]
     chop out some duplication in the .{r,s}hosts/{h,sh}osts.equiv FILES
     entries;
     ok markus
   - jmc@cvs.openbsd.org 2006/01/04 18:45:01
     [ssh.1]
     remove .Xr's to rsh(1) and telnet(1): they are hardly needed;
   - jmc@cvs.openbsd.org 2006/01/04 19:40:24
     [ssh.1]
     +.Xr ssh-keyscan 1 ,
   - jmc@cvs.openbsd.org 2006/01/04 19:50:09
     [ssh.1]
     -.Xr gzip 1 ,
   - djm@cvs.openbsd.org 2006/01/05 23:43:53
     [misc.c]
     check that stdio file descriptors are actually closed before clobbering
     them in sanitise_stdfd(). problems occurred when a lower numbered fd was
     closed, but higher ones weren't. spotted by, and patch tested by
     Frédéric Olivié
 20060103
 - (djm) [channels.c] clean up harmless merge error, from reyk@
 20060103
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2006/01/02 17:09:49
     [ssh_config.5 sshd_config.5]
     some corrections from michael knudsen;
 20060102
 - (djm) [README.tun] Add README.tun, missed during sync of tun(4) support
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/12/31 10:46:17
     [ssh.1]
     merge the "LOGIN SESSION AND REMOTE EXECUTION" and "SERVER
     AUTHENTICATION" sections into "AUTHENTICATION";
     some rewording done to make the text read better, plus some
     improvements from djm;
     ok djm
   - jmc@cvs.openbsd.org 2005/12/31 13:44:04
     [ssh.1]
     clean up ENVIRONMENT a little;
   - jmc@cvs.openbsd.org 2005/12/31 13:45:19
     [ssh.1]
     .Nm does not require an argument;
   - stevesk@cvs.openbsd.org 2006/01/01 08:59:27
     [includes.h misc.c]
     move <net/if.h>; ok djm@
   - stevesk@cvs.openbsd.org 2006/01/01 10:08:48
     [misc.c]
     no trailing "\n" for debug()
   - djm@cvs.openbsd.org 2006/01/02 01:20:31
     [sftp-client.c sftp-common.h sftp-server.c]
     use a common max. packet length, no binary change
   - reyk@cvs.openbsd.org 2006/01/02 07:53:44
     [misc.c]
     clarify tun(4) opening - set the mode and bring the interface up. also
     (re)sets the tun(4) layer 2 LINK0 flag for existing tunnel interfaces.
     suggested and ok by djm@
   - jmc@cvs.openbsd.org 2006/01/02 12:31:06
     [ssh.1]
     start to cut some duplicate info from FILES;
     help/ok djm
 20060101
 - (djm) [Makefile.in configure.ac includes.h misc.c]
         [openbsd-compat/port-tun.c openbsd-compat/port-tun.h] Add support
         for tunnel forwarding for FreeBSD and NetBSD. NetBSD's support is
         limited to IPv4 tunnels only, and most versions don't support the
         tap(4) device at all.
 - (djm) [configure.ac] Fix linux/if_tun.h test
 - (djm) [openbsd-compat/port-tun.c] Linux needs linux/if.h too
 20051229
 - (djm) OpenBSD CVS Sync
   - stevesk@cvs.openbsd.org 2005/12/28 22:46:06
     [canohost.c channels.c clientloop.c]
     use 'break-in' for consistency; ok deraadt@ ok and input jmc@
   - reyk@cvs.openbsd.org 2005/12/30 15:56:37
     [channels.c channels.h clientloop.c]
     add channel output filter interface.
     ok djm@, suggested by markus@
   - jmc@cvs.openbsd.org 2005/12/30 16:59:00
     [sftp.1]
     do not suggest that interactive authentication will work
     with the -b flag;
     based on a diff from john l. scarfone;
     ok djm
   - stevesk@cvs.openbsd.org 2005/12/31 01:38:45
     [ssh.1]
     document -MM; ok djm@
 - (djm) [openbsd-compat/port-tun.c openbsd-compat/port-tun.h configure.ac]
   [serverloop.c ssh.c openbsd-compat/Makefile.in]
   [openbsd-compat/openbsd-compat.h] Implement tun(4) forwarding 
   compatability support for Linux, diff from reyk@
 - (djm) [configure.ac] Disable Linux tun(4) compat code if linux/tun.h does
   not exist
 - (djm) [configure.ac] oops, make that linux/if_tun.h
 20051229
 - (tim) [buildpkg.sh.in] grep for $SSHDUID instead of $SSHDGID on /etc/passwd
 20051224
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/12/20 21:59:43
     [ssh.1]
     merge the sections on protocols 1 and 2 into one section on
     authentication;
     feedback djm dtucker
     ok deraadt markus dtucker
   - jmc@cvs.openbsd.org 2005/12/20 22:02:50
     [ssh.1]
     .Ss -> .Sh: subsections have not made this page more readable
   - jmc@cvs.openbsd.org 2005/12/20 22:09:41
     [ssh.1]
     move info on ssh return values and config files up into the main
     description;
   - jmc@cvs.openbsd.org 2005/12/21 11:48:16
     [ssh.1]
     -L and -R descriptions are now above, not below, ~C description;
   - jmc@cvs.openbsd.org 2005/12/21 11:57:25
     [ssh.1]
     options now described `above', rather than `later';
   - jmc@cvs.openbsd.org 2005/12/21 12:53:31
     [ssh.1]
     -Y does X11 forwarding too;
     ok markus
   - stevesk@cvs.openbsd.org 2005/12/21 22:44:26
     [sshd.8]
     clarify precedence of -p, Port, ListenAddress; ok and help jmc@
   - jmc@cvs.openbsd.org 2005/12/22 10:31:40
     [ssh_config.5]
     put the description of "UsePrivilegedPort" in the correct place;
   - jmc@cvs.openbsd.org 2005/12/22 11:23:42
     [ssh.1]
     expand the description of -w somewhat;
     help/ok reyk
   - jmc@cvs.openbsd.org 2005/12/23 14:55:53
     [ssh.1]
     - sync the description of -e w/ synopsis
     - simplify the description of -I
     - note that -I is only available if support compiled in, and that it
     isn't by default
     feedback/ok djm@
   - jmc@cvs.openbsd.org 2005/12/23 23:46:23
     [ssh.1]
     less mark up for -c;
   - djm@cvs.openbsd.org 2005/12/24 02:27:41
     [session.c sshd.c]
     eliminate some code duplicated in privsep and non-privsep paths, and
     explicitly clear SIGALRM handler; "groovy" deraadt@
 20051220
 - (dtucker) OpenBSD CVS Sync
   - reyk@cvs.openbsd.org 2005/12/13 15:03:02
     [serverloop.c]
     if forced_tun_device is not set, it is -1 and not SSH_TUNID_ANY
   - jmc@cvs.openbsd.org 2005/12/16 18:07:08
     [ssh.1]
     move the option descriptions up the page: start of a restructure;
     ok markus deraadt
   - jmc@cvs.openbsd.org 2005/12/16 18:08:53
     [ssh.1]
     simplify a sentence;
   - jmc@cvs.openbsd.org 2005/12/16 18:12:22
     [ssh.1]
     make the description of -c a little nicer;
   - jmc@cvs.openbsd.org 2005/12/16 18:14:40
     [ssh.1]
     signpost the protocol sections;
   - stevesk@cvs.openbsd.org 2005/12/17 21:13:05
     [ssh_config.5 session.c]
     spelling: fowarding, fowarded
   - stevesk@cvs.openbsd.org 2005/12/17 21:36:42
     [ssh_config.5]
     spelling: intented -> intended
   - dtucker@cvs.openbsd.org 2005/12/20 04:41:07
     [ssh.c]
     exit(255) on error to match description in ssh(1); bz #1137; ok deraadt@
 20051219
 - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
   openbsd-compat/openssl-compat.h] Check for and work around broken AES
   ciphers >128bit on (some) Solaris 10 systems.  ok djm@
 20051217
 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
   scp.c also uses, so undef them here.
 - (dtucker) [configure.ac openbsd-compat/bsd-snprintf.c] Bug #1133: Our
   snprintf replacement can have a conflicting declaration in HP-UX's system
   headers (const vs. no const) so we now check for and work around it.  Patch
   from the dynamic duo of David Leonard and Ted Percival.
 20051214
 - (dtucker) OpenBSD CVS Sync (regress/)
   - dtucker@cvs.openbsd.org 2005/12/30 04:36:39
     [regress/scp-ssh-wrapper.sh]
     Fix assumption about how many args scp will pass; ok djm@
 20051213
 - (djm) OpenBSD CVS Sync
   - jmc@cvs.openbsd.org 2005/11/30 11:18:27
     [ssh.1]
     timezone -> time zone
   - jmc@cvs.openbsd.org 2005/11/30 11:45:20
     [ssh.1]
     avoid ambiguities in describing TZ;
     ok djm@
   - reyk@cvs.openbsd.org 2005/12/06 22:38:28
     [auth-options.c auth-options.h channels.c channels.h clientloop.c]
     [misc.c misc.h readconf.c readconf.h scp.c servconf.c servconf.h]
     [serverloop.c sftp.c ssh.1 ssh.c ssh_config ssh_config.5 sshconnect.c]
     [sshconnect.h sshd.8 sshd_config sshd_config.5]
     Add support for tun(4) forwarding over OpenSSH, based on an idea and
     initial channel code bits by markus@. This is a simple and easy way to
     use OpenSSH for ad hoc virtual private network connections, e.g.
     administrative tunnels or secure wireless access. It's based on a new
     ssh channel and works similar to the existing TCP forwarding support,
     except that it depends on the tun(4) network interface on both ends of
     the connection for layer 2 or layer 3 tunneling. This diff also adds
     support for LocalCommand in the ssh(1) client.
     ok djm@, markus@, jmc@ (manpages), tested and discussed with others
   - djm@cvs.openbsd.org 2005/12/07 03:52:22
     [clientloop.c]
     reyk forgot to compile with -Werror (missing header)
   - jmc@cvs.openbsd.org 2005/12/07 10:52:13
     [ssh.1]
     - avoid line split in SYNOPSIS
     - add args to -w
     - kill trailing whitespace
   - jmc@cvs.openbsd.org 2005/12/08 14:59:44
     [ssh.1 ssh_config.5]
     make `!command' a little clearer;
     ok reyk
   - jmc@cvs.openbsd.org 2005/12/08 15:06:29
     [ssh_config.5]
     keep options in order;
   - reyk@cvs.openbsd.org 2005/12/08 18:34:11
     [auth-options.c includes.h misc.c misc.h readconf.c servconf.c]
     [serverloop.c ssh.c ssh_config.5 sshd_config.5 configure.ac]
     two changes to the new ssh tunnel support. this breaks compatibility
     with the initial commit but is required for a portable approach.
     - make the tunnel id u_int and platform friendly, use predefined types.
     - support configuration of layer 2 (ethernet) or layer 3
     (point-to-point, default) modes. configuration is done using the
     Tunnel (yes|point-to-point|ethernet|no) option is ssh_config(5) and
     restricted by the PermitTunnel (yes|point-to-point|ethernet|no) option
     in sshd_config(5).
     ok djm@, man page bits by jmc@
   - jmc@cvs.openbsd.org 2005/12/08 21:37:50
     [ssh_config.5]
     new sentence, new line;
   - markus@cvs.openbsd.org 2005/12/12 13:46:18
     [channels.c channels.h session.c]
     make sure protocol messages for internal channels are ignored.
     allow adjust messages for non-open channels; with and ok djm@
 - (djm) [misc.c] Disable tunnel code for non-OpenBSD (for now), enable
   again by providing a sys_tun_open() function for your platform and 
   setting the CUSTOM_SYS_TUN_OPEN define. More work is required to match 
   OpenBSD's tunnel protocol, which prepends the address family to the 
   packet
 20051201
 - (djm) [envpass.sh] Remove regress script that was accidentally committed 
   in top level directory and not noticed for over a year :)
 20051129
 - (tim) [ssh-keygen.c] Move DSA length test after setting default when
   bits == 0.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/11/29 02:04:55
     [ssh-keygen.c]
     Populate default key sizes before checking them; from & ok tim@
 - (tim) [configure.ac sshd.8] Enable locked account check (a "*LK*" string)
   for UnixWare.
 20051128
 - (dtucker) [regress/yes-head.sh] Work around breakage caused by some
   versions of GNU head.  Based on patch from zappaman at buraphalinux.org
 - (dtucker) [includes.h] Bug #1122: __USE_GNU is a glibc internal macro, use
   _GNU_SOURCE instead.  Patch from t8m at centrum.cz.
 - (dtucker) OpenBSD CVS Sync
   - dtucker@cvs.openbsd.org 2005/11/28 05:16:53
     [ssh-keygen.1 ssh-keygen.c]
     Enforce DSA key length of exactly 1024 bits to comply with FIPS-186-2,
     increase minumum RSA key size to 768 bits and update man page to reflect
     these.  Patch originally bz#1119 (senthilkumar_sen at hotpop.com),
     ok djm@, grudging ok deraadt@.
   - dtucker@cvs.openbsd.org 2005/11/28 06:02:56
     [ssh-agent.1]
     Update agent socket path templates to reflect reality, correct xref for
     time formats.  bz#1121, patch from openssh at roumenpetrov.info, ok djm@
 20051126
 - (dtucker) [configure.ac] Bug #1126: AIX 5.2 and 5.3 (and presumably newer,
   when they're available) need the real UID set otherwise pam_chauthtok will
   set ADMCHG after changing the password, forcing the user to change it
   again immediately.
 20051125
 - (dtucker) [configure.ac] Apply tim's fix for older systems where the
   resolver state in resolv.h is "state" not "__res_state".  With slight
   modification by me to also work on old AIXes.  ok djm@
 - (dtucker) [progressmeter.c scp.c sftp-server.c] Use correct casts for
   snprintf formats, fixes warnings on some 64 bit platforms.  Patch from
   shaw at vranix.com, ok djm@
 20051124
 - (djm) [configure.ac openbsd-compat/Makefile.in openbsd-compat/bsd-asprintf.c 
   openbsd-compat/bsd-snprintf.c openbsd-compat/openbsd-compat.h] Add an 
   asprintf() implementation, after syncing our {v,}snprintf() implementation
   with some extra fixes from Samba's version. With help and debugging from 
   dtucker and tim; ok dtucker@
 - (dtucker) [configure.ac] Fix typos in comments and AC_SEARCH_LIB argument
   order in Reliant Unix block.  Patch from johane at lysator.liu.se.
 - (dtucker) [regress/test-exec.sh] Use 1024 bit keys since we generate so
   many and use them only once.  Speeds up testing on older/slower hardware.
 20051122
 - (dtucker) OpenBSD CVS Sync
   - deraadt@cvs.openbsd.org 2005/11/12 18:37:59
     [ssh-add.c]
     space
   - deraadt@cvs.openbsd.org 2005/11/12 18:38:15
     [scp.c]
     avoid close(-1), as in rcp; ok cloder
   - millert@cvs.openbsd.org 2005/11/15 11:59:54
     [includes.h]
     Include sys/queue.h explicitly instead of assuming some other header
     will pull it in.  At the moment it gets pulled in by sys/select.h
     (which ssh has no business including) via event.h.  OK markus@
     (ID sync only in -portable)
   - dtucker@cvs.openbsd.org 2005/11/21 09:42:10
     [auth-krb5.c]
     Perform Kerberos calls even for invalid users to prevent leaking
     information about account validity.  bz #975, patch originally from
     Senthil Kumar, sanity checked by Simon Wilkinson, tested by djm@, biorn@,
     ok markus@
   - dtucker@cvs.openbsd.org 2005/11/22 03:36:03
     [hostfile.c]
     Correct format/arguments to debug call; spotted by shaw at vranix.com
     ok djm@
 - (dtucker) [loginrec.c] Add casts to prevent compiler warnings, patch
   from shaw at vranix.com.
 20051120
 - (dtucker) [openbsd-compat/openssl-compat.h] Add comment explaining what
   is going on.
 20051112
 - (dtucker) [openbsd-compat/getrrsetbyname.c] Restore Portable-specific
   ifdef lost during sync.  Spotted by tim@.
 - (dtucker) [openbsd-compat/{realpath.c,stroll.c,rresvport.c}] $OpenBSD tag.
 - (dtucker) [configure.ac] Use "$AWK" instead of "awk" in gcc version test.
 - (dtucker) [configure.ac] Remove duplicate utimes() check.  ok djm@
 - (dtucker) [regress/reconfigure.sh] Fix potential race in the reconfigure
   test: if sshd takes too long to reconfigure the subsequent connection will
   fail.  Zap pidfile before HUPing sshd which will rewrite it when it's ready.
 20051110
 - (dtucker) [openbsd-compat/setenv.c] Merge changes for __findenv from
   OpenBSD getenv.c revs 1.4 - 1.8 (ANSIfication of arguments, removal of
   "register").
 - (dtucker) [openbsd-compat/setenv.c] Make __findenv static, remove
   unnecessary prototype.
 - (dtucker) [openbsd-compat/setenv.c] Sync changes from OpenBSD setenv.c
   revs 1.7 - 1.9.
 - (dtucker) [auth-krb5.c] Fix -Wsign-compare warning in non-Heimdal path.
   Patch from djm@.
 - (dtucker) [configure.ac] Disable pointer-sign warnings on gcc 4.0+
   since they're not useful right now.  Patch from djm@.
 - (dtucker) [openbsd-compat/getgrouplist.c] Sync OpenBSD revs 1.10 - 1.2 (ANSI
   prototypes, removal of "register").
 - (dtucker) [openbsd-compat/strlcat.c] Sync OpenBSD revs 1.11 - 1.12 (removal
   of "register").
 - (dtucker) [openbsd-compat/{LOTS}] Move the "OPENBSD ORIGINAL" markers to
   after the copyright notices.  Having them at the top next to the CVSIDs
   guarantees a conflict for each and every sync.
 - (dtucker) [openbsd-compat/strlcpy.c] Update from OpenBSD 1.8 -> 1.10.
 - (dtucker) [openbsd-compat/sigact.h] Add "OPENBSD ORIGINAL" marker.
 - (dtucker) [openbsd-compat/strmode.c] Update from OpenBSD 1.5 -> 1.7.
   Removal of rcsid, "whiteout" inode type.
 - (dtucker) [openbsd-compat/basename.c] Update from OpenBSD 1.11 -> 1.14.
   Removal of rcsid, will no longer strlcpy parts of the string.
 - (dtucker) [openbsd-compat/strtoll.c] Update from OpenBSD 1.4 -> 1.5.
 - (dtucker) [openbsd-compat/strtoul.c] Update from OpenBSD 1.5 -> 1.7.
 - (dtucker) [openbsd-compat/readpassphrase.c] Update from OpenBSD 1.16 -> 1.18.
 - (dtucker) [openbsd-compat/readpassphrase.h] Update from OpenBSD 1.3 -> 1.5.
 - (dtucker) [openbsd-compat/glob.c] Update from OpenBSD 1.22 -> 1.25.
 - (dtucker) [openbsd-compat/glob.h] Update from OpenBSD 1.8 -> 1.9.
 - (dtucker) [openbsd-compat/getcwd.c] Update from OpenBSD 1.9 -> 1.14.
 - (dtucker) [openbsd-compat/getcwd.c] Replace lstat with fstat to match up
   with OpenBSD code since we don't support platforms without fstat any more.
 - (dtucker) [openbsd-compat/inet_aton.c] Update from OpenBSD 1.7 -> 1.9.
 - (dtucker) [openbsd-compat/inet_ntoa.c] Update from OpenBSD 1.4 -> 1.6.
 - (dtucker) [openbsd-compat/inet_ntop.c] Update from OpenBSD 1.5 -> 1.7.
 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.5 -> 1.6.
 - (dtucker) [openbsd-compat/strsep.c] Update from OpenBSD 1.5 -> 1.6.
 - (dtucker) [openbsd-compat/daemon.c] Update from OpenBSD 1.10 -> 1.13.
 - (dtucker) [openbsd-compat/mktemp.c] Update from OpenBSD 1.17 -> 1.19.
 - (dtucker) [openbsd-compat/rresvport.c] Update from OpenBSD 1.6 -> 1.8.
 - (dtucker) [openbsd-compat/bindresvport.c] Add "OPENBSD ORIGINAL" marker.
 - (dtucker) [openbsd-compat/bindresvport.c] Update from OpenBSD 1.16 -> 1.17.
 - (dtucker) [openbsd-compat/sigact.c] Update from OpenBSD 1.3 -> 1.4.
   Id and copyright sync only, there were no substantial changes we need.
 - (dtucker) [openbsd-compat/bsd-closefrom.c openbsd-compat/base64.c]
   -Wsign-compare fixes from djm.
 - (dtucker) [openbsd-compat/sigact.h] Update from OpenBSD 1.2 -> 1.3.
   Id and copyright sync only, there were no substantial changes we need.
 - (dtucker) [configure.ac] Try to get the gcc version number in a way that
   doesn't change between versions, and use a safer default.
 20051105
 - (djm) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2005/10/07 11:13:57
     [ssh-keygen.c]
     change DSA default back to 1024, as it's defined for 1024 bits only
     and this causes interop problems with other clients.  moreover,
     in order to improve the security of DSA you need to change more
     components of DSA key generation (e.g. the internal SHA1 hash);
     ok deraadt
   - djm@cvs.openbsd.org 2005/10/10 10:23:08
     [channels.c channels.h clientloop.c serverloop.c session.c]
     fix regression I introduced in 4.2: X11 forwardings initiated after
     a session has exited (e.g. "(sleep 5; xterm) &") would not start.
     bz #1086 reported by t8m AT centrum.cz; ok markus@ dtucker@
   - djm@cvs.openbsd.org 2005/10/11 23:37:37
     [channels.c]
     bz #1076 set SO_REUSEADDR on X11 forwarding listner sockets, preventing
     bind() failure when a previous connection's listeners are in TIME_WAIT,
     reported by plattner AT inf.ethz.ch; ok dtucker@
   - stevesk@cvs.openbsd.org 2005/10/13 14:03:01
     [auth2-gss.c gss-genr.c gss-serv.c]
     remove unneeded #includes; ok markus@
   - stevesk@cvs.openbsd.org 2005/10/13 14:20:37
     [gss-serv.c]
     spelling in comments
   - stevesk@cvs.openbsd.org 2005/10/13 19:08:08
     [gss-serv-krb5.c gss-serv.c]
     unused declarations; ok deraadt@
     (id sync only for gss-serv-krb5.c)
   - stevesk@cvs.openbsd.org 2005/10/13 19:13:41
     [dns.c]
     unneeded #include, unused declaration, little knf; ok deraadt@
   - stevesk@cvs.openbsd.org 2005/10/13 22:24:31
     [auth2-gss.c gss-genr.c gss-serv.c monitor.c]
     KNF; ok djm@
   - stevesk@cvs.openbsd.org 2005/10/14 02:17:59
     [ssh-keygen.c ssh.c sshconnect2.c]
     no trailing "\n" for log functions; ok djm@
   - stevesk@cvs.openbsd.org 2005/10/14 02:29:37
     [channels.c clientloop.c]
     free()->xfree(); ok djm@
   - stevesk@cvs.openbsd.org 2005/10/15 15:28:12
     [sshconnect.c]
     make external definition static; ok deraadt@
   - stevesk@cvs.openbsd.org 2005/10/17 13:45:05
     [dns.c]
     fix memory leaks from 2 sources:
         1) key_fingerprint_raw()
         2) malloc in dns_read_rdata()
     ok jakob@
   - stevesk@cvs.openbsd.org 2005/10/17 14:01:28
     [dns.c]
     remove #ifdef LWRES; ok jakob@
   - stevesk@cvs.openbsd.org 2005/10/17 14:13:35
     [dns.c dns.h]
     more cleanups; ok jakob@
   - djm@cvs.openbsd.org 2005/10/30 01:23:19
     [ssh_config.5]
     mention control socket fallback behaviour, reported by 
     tryponraj AT gmail.com
   - djm@cvs.openbsd.org 2005/10/30 04:01:03
     [ssh-keyscan.c]
     make ssh-keygen discard junk from server before SSH- ident, spotted by
     dave AT cirt.net; ok dtucker@
   - djm@cvs.openbsd.org 2005/10/30 04:03:24
     [ssh.c]
     fix misleading debug message; ok dtucker@
   - dtucker@cvs.openbsd.org 2005/10/30 08:29:29
     [canohost.c sshd.c]
     Check for connections with IP options earlier and drop silently.  ok djm@
   - jmc@cvs.openbsd.org 2005/10/30 08:43:47
     [ssh_config.5]
     remove trailing whitespace;
   - djm@cvs.openbsd.org 2005/10/30 08:52:18
     [clientloop.c packet.c serverloop.c session.c ssh-agent.c ssh-keygen.c]
     [ssh.c sshconnect.c sshconnect1.c sshd.c]
     no need to escape single quotes in comments, no binary change
   - dtucker@cvs.openbsd.org 2005/10/31 06:15:04
     [sftp.c]
     Fix sorting with "ls -1" command. From Robert Tsai, "looks right" deraadt@
   - djm@cvs.openbsd.org 2005/10/31 11:12:49
     [ssh-keygen.1 ssh-keygen.c]
     generate a protocol 2 RSA key by default
   - djm@cvs.openbsd.org 2005/10/31 11:48:29
     [serverloop.c]
     make sure we clean up wtmp, etc. file when we receive a SIGTERM,
     SIGINT or SIGQUIT when running without privilege separation (the
     normal privsep case is already OK). Patch mainly by dtucker@ and
     senthilkumar_sen AT hotpop.com; ok dtucker@
   - jmc@cvs.openbsd.org 2005/10/31 19:55:25
     [ssh-keygen.1]
     grammar;
   - dtucker@cvs.openbsd.org 2005/11/03 13:38:29
     [canohost.c]
     Cache reverse lookups with and without DNS separately; ok markus@
   - djm@cvs.openbsd.org 2005/11/04 05:15:59
     [kex.c kex.h kexdh.c kexdhc.c kexdhs.c kexgex.c kexgexc.c kexgexs.c]
     remove hardcoded hash lengths in key exchange code, allowing
     implementation of KEX methods with different hashes (e.g. SHA-256);
     ok markus@ dtucker@ stevesk@
   - djm@cvs.openbsd.org 2005/11/05 05:01:15
     [bufaux.c]
     Fix leaks in error paths, bz #1109 and #1110 reported by kremenek AT
     cs.stanford.edu; ok dtucker@
 - (dtucker) [README.platform] Add PAM section.
 - (djm) [openbsd-compat/getrrsetbyname.c] Sync to latest OpenBSD version,
   resolving memory leak bz#1111 reported by kremenek AT cs.stanford.edu;
   ok dtucker@
 20051102
 - (dtucker) [openbsd-compat/bsd-misc.c] Bug #1108: fix broken strdup().
   Reported by olavi at ipunplugged.com and antoine.brodin at laposte.net
   via FreeBSD.
 20051030
 - (djm) [contrib/suse/openssh.spec contrib/suse/rc.
   sshd contrib/suse/sysconfig.ssh] Bug #1106: Updated SuSE spec and init 
   files from imorgan AT nas.nasa.gov
 - (dtucker) [session.c] Bug #1045do not check /etc/nologin when PAM is
   enabled, instead allow PAM to handle it.  Note that on platforms using PAM,
   the pam_nologin module should be added to sshd's session stack in order to
   maintain exising behaviour.  Based on patch and discussion from t8m at
   centrum.cz, ok djm@
 20051025
 - (dtucker) [configure.ac] Relocate LLONG_MAX calculation to after the
   sizeof(long long) checks, to make fixing bug #1104 easier (no changes
   yet).
 - (dtucker) [configure.ac] Bug #1104: Tru64's printf family doesn't
   understand "%lld", even though the compiler has "long long", so handle
   it as a special case.  Patch tested by mcaskill.scott at epa.gov.
 - (dtucker) [contrib/cygwin/ssh-user-config] Remove duplicate yes/no
   prompt.  Patch from vinschen at redhat.com.
 20051017
 - (dtucker) [configure.ac] Bug #1097: Fix configure for cross-compiling.
   /etc/default/login report and testing from aabaker at iee.org, corrections
   from tim@.
 20051009
 - (dtucker) [configure.ac defines.h openbsd-compat/vis.{c,h}] Sync current
   versions from OpenBSD.  ok djm@
 20051008
 - (dtucker) [configure.ac] Bug #1098: define $MAIL for HP-UX; report from
   brian.smith at agilent com.
 - (djm) [configure.ac] missing 'test' call for -with-Werror test
 20051005
 - (dtucker) [configure.ac sshd.8] Enable locked account check (a prepended
   "*LOCKED*" string) for FreeBSD.  Patch jeremie at le-hen.org and
   senthilkumar_sen at hotpop.com.
 20051003
 - (dtucker) OpenBSD CVS Sync
   - markus@cvs.openbsd.org 2005/09/07 08:53:53
     [channels.c]
     enforce chanid != NULL; ok djm
   - markus@cvs.openbsd.org 2005/09/09 19:18:05
     [clientloop.c]
     typo; from mark at mcs.vuw.ac.nz, bug #1082
   - djm@cvs.openbsd.org 2005/09/13 23:40:07
     [sshd.c ssh.c misc.h sftp.c ssh-keygen.c ssh-keysign.c sftp-server.c
     scp.c misc.c ssh-keyscan.c ssh-add.c ssh-agent.c]
     ensure that stdio fds are attached; ok deraadt@
   - djm@cvs.openbsd.org 2005/09/19 11:37:34
     [ssh_config.5 ssh.1]
     mention ability to specify bind_address for DynamicForward and -D options;
     bz#1077 spotted by Haruyama Seigo
   - djm@cvs.openbsd.org 2005/09/19 11:47:09
     [sshd.c]
     stop connection abort on rekey with delayed compression enabled when
     post-auth privsep is disabled (e.g. when root is logged in); ok dtucker@
   - djm@cvs.openbsd.org 2005/09/19 11:48:10
     [gss-serv.c]
     typo
   - jmc@cvs.openbsd.org 2005/09/19 15:38:27
     [ssh.1]
     some more .Bk/.Ek to avoid ugly line split;
   - jmc@cvs.openbsd.org 2005/09/19 15:42:44
     [ssh.c]
     update -D usage here too;
   - djm@cvs.openbsd.org 2005/09/19 23:31:31
     [ssh.1]
     spelling nit from stevesk@
   - djm@cvs.openbsd.org 2005/09/21 23:36:54
     [sshd_config.5]
     aquire -> acquire, from stevesk@
   - djm@cvs.openbsd.org 2005/09/21 23:37:11
     [sshd.c]
     change label at markus@'s request
   - jaredy@cvs.openbsd.org 2005/09/30 20:34:26
     [ssh-keyscan.1]
     deploy .An -nosplit; ok jmc
   - dtucker@cvs.openbsd.org 2005/10/03 07:44:42
     [canohost.c]
     Relocate check_ip_options call to prevent logging of garbage for
     connections with IP options set.  bz#1092 from David Leonard,
     "looks good" deraadt@
 - (dtucker) [regress/README.regress] Bug #989: Document limitation that scp
   is required in the system path for the multiplex test to work.
 20050930
 - (dtucker) [openbsd-compat/openbsd-compat.h] Bug #1096: Add prototype
   for strtoll.  Patch from o.flebbe at science-computing.de.
 - (dtucker) [monitor.c] Bug #1087: Send loginmsg to preauth privsep
   child during PAM account check without clearing it.  This restores the
   post-login warnings such as LDAP password expiry.  Patch from Tomas Mraz
   with help from several others.
 20050929
 - (dtucker) [monitor_wrap.c] Remove duplicate definition of loginmsg
   introduced during sync.
 20050928
 - (dtucker) [entropy.c] Use u_char for receiving RNG seed for consistency.
 - (dtucker) [auth-pam.c] Bug #1028: send final non-query messages from
   PAM via keyboard-interactive.  Patch tested by the folks at Vintela.
 20050927
 - (dtucker) [entropy.c] Remove unnecessary tests for getuid and geteuid
   calls, since they can't possibly fail.  ok djm@
 - (dtucker) [entropy.c entropy.h sshd.c] Pass RNG seed to the reexec'ed
   process when sshd relies on ssh-random-helper.  Should result in faster
   logins on systems without a real random device or prngd.  ok djm@
 20050924
 - (dtucker) [auth2.c] Move start_pam() calls out of if-else block to remove
   duplicate call.  ok djm@
 20050922
 - (dtucker) [configure.ac] Use -R linker flag for libedit too; patch from
   skeleten at shillest.net.
 - (dtucker) [configure.ac] Fix help for --with-opensc; patch from skeleten at
   shillest.net.
 20050919
 - (tim) [aclocal.m4 configure.ac] Delete acconfig.h and add templates to
   AC_DEFINE and AC_DEFINE_UNQUOTED to quiet autoconf 2.59 warning messages.
   ok dtucker@
 20050912
 - (tim) [configure.ac] Bug 1078. Fix --without-kerberos5. Reported by
   Mike Frysinger.
 20050908
 - (tim) [defines.h openbsd-compat/port-uw.c] Add long password support to
   OpenServer 6 and add osr5bigcrypt support so when someone migrates
   passwords between UnixWare and OpenServer they will still work. OK dtucker@
 20050901
 - (djm) Update RPM spec file versions
@ -2989,4 +3818,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.3887 2005/09/01 09:10:48 djm Exp $
+$Id: ChangeLog,v 1.4117.2.1 2006/02/01 11:33:14 djm Exp $
--- a/crypto/openssh/Makefile.in
+++ b/crypto/openssh/Makefile.in
@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.273 2005/05/29 07:22:29 dtucker Exp $
+# $Id: Makefile.in,v 1.274 2006/01/01 08:47:05 djm Exp $
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@ -139,7 +139,7 @@ sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBWRAP) $(LIBPAM) $(LIBS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
-	$(LD) -o $@ scp.o progressmeter.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
--- a/crypto/openssh/README
+++ b/crypto/openssh/README
@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-4.2 for the release notes.
+See http://www.openssh.com/txt/release-4.3 for the release notes.
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
-$Id: README,v 1.60 2005/08/31 14:05:57 dtucker Exp $
+$Id: README,v 1.61 2005/12/01 11:21:04 dtucker Exp $
--- a/crypto/openssh/README.platform
+++ b/crypto/openssh/README.platform
@ -45,4 +45,14 @@ number is already in use on your system, you may change it at build time
 by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
-$Id: README.platform,v 1.5 2005/02/20 10:01:49 dtucker Exp $
+Platforms using PAM
 -------------------
 As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
 PAM is enabled.  To maintain existing behaviour, pam_nologin should be
 added to sshd's session stack which will prevent users from starting shell
 sessions.  Alternatively, pam_nologin can be added to either the auth or
 account stacks which will prevent authentication entirely, but will still
 return the output from pam_nologin to the client.
 $Id: README.platform,v 1.6 2005/11/05 05:28:35 dtucker Exp $
--- a/crypto/openssh/README.tun
+++ b/crypto/openssh/README.tun
@ -0,0 +1,132 @@
 How to use OpenSSH-based virtual private networks
 -------------------------------------------------
 OpenSSH contains support for VPN tunneling using the tun(4) network
 tunnel pseudo-device which is available on most platforms, either for
 layer 2 or 3 traffic.
 The following brief instructions on how to use this feature use
 a network configuration specific to the OpenBSD operating system.
 (1) Server: Enable support for SSH tunneling
 To enable the ssh server to accept tunnel requests from the client, you
 have to add the following option to the ssh server configuration file
 (/etc/ssh/sshd_config):
 	PermitTunnel yes
 Restart the server or send the hangup signal (SIGHUP) to let the server
 reread it's configuration.
 (2) Server: Restrict client access and assign the tunnel
 The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
 restrict the client to connect to a specified tunnel and to
 automatically start the related interface configuration command. These
 settings are optional but recommended:
 	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
 (3) Client: Configure the local network tunnel interface
 Use the hostname.if(5) interface-specific configuration file to set up
 the network tunnel configuration with OpenBSD. For example, use the
 following configuration in /etc/hostname.tun0 to set up the layer 3
 tunnel on the client:
 	inet 192.168.5.1 255.255.255.252 192.168.5.2
 OpenBSD also supports layer 2 tunneling over the tun device by adding
 the link0 flag:
 	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
 Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
 interface, like the following example for /etc/bridgename.bridge0:
 	add tun0
 	add sis0
 	up
 (4) Client: Configure the OpenSSH client
 To establish tunnel forwarding for connections to a specified
 remote host by default, use the following ssh client configuration for
 the privileged user (in /root/.ssh/config):
 	Host sshgateway
 		Tunnel yes
 		TunnelDevice 0:any
 		PermitLocalCommand yes
 	        LocalCommand sh /etc/netstart tun0
 A more complicated configuration is possible to establish a tunnel to
 a remote host which is not directly accessible by the client.
 The following example describes a client configuration to connect to
 the remote host over two ssh hops in between. It uses the OpenSSH
 ProxyCommand in combination with the nc(1) program to forward the final
 ssh tunnel destination over multiple ssh sessions.
 	Host access.somewhere.net
 	        User puffy
 	Host dmzgw
 	        User puffy
 	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
 	Host sshgateway
 	        Tunnel Ethernet
 	        TunnelDevice 0:any
 	        PermitLocalCommand yes
 	        LocalCommand sh /etc/netstart tun0
 	        ProxyCommand ssh dmzgw nc sshgateway 22
 The following network plan illustrates the previous configuration in
 combination with layer 2 tunneling and Ethernet bridging.
 +--------+       (          )      +----------------------+
 | Client |------(  Internet  )-----| access.somewhere.net |
 +--------+       (          )      +----------------------+
    : 192.168.1.78                             |
    :.............................         +-------+       
     Forwarded ssh connection    :         | dmzgw |
     Layer 2 tunnel              :         +-------+
                                 :             |
                                 :             |
                                 :      +------------+  
                                 :......| sshgateway |
                                      | +------------+
 --- real connection                 Bridge ->  |          +----------+
 ... "virtual connection"                     [ X ]--------| somehost |
 [X] switch                                                +----------+
                                                          192.168.1.25
 (5) Client: Connect to the server and establish the tunnel
 Finally connect to the OpenSSH server to establish the tunnel by using
 the following command:
 	ssh sshgateway
 It is also possible to tell the client to fork into the background after
 the connection has been successfully established:
 	ssh -f sshgateway true
 Without the ssh configuration done in step (4), it is also possible
 to use the following command lines:
 	ssh -fw 0:1 sshgateway true
 	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
 Using OpenSSH tunnel forwarding is a simple way to establish secure
 and ad hoc virtual private networks. Possible fields of application
 could be wireless networks or administrative VPN tunnels.
 Nevertheless, ssh tunneling requires some packet header overhead and
 runs on top of TCP. It is still suggested to use the IP Security
 Protocol (IPSec) for robust and permanent VPN connections and to
 interconnect corporate networks.
 	Reyk Floeter
 $OpenBSD: README.tun,v 1.3 2005/12/08 18:34:10 reyk Exp $
--- a/crypto/openssh/aclocal.m4
+++ b/crypto/openssh/aclocal.m4
@ -1,4 +1,4 @@
-dnl $Id: aclocal.m4,v 1.5 2001/10/22 00:53:59 tim Exp $
+dnl $Id: aclocal.m4,v 1.6 2005/09/19 16:33:39 tim Exp $
 dnl
 dnl OpenSSH-specific autoconf macros
 dnl
@ -26,7 +26,7 @@ AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [
 	if test -n "`echo $ossh_varname`"; then
 		AC_MSG_RESULT($ossh_result)
 		if test "x$ossh_result" = "xyes"; then
-			AC_DEFINE($3)
+			AC_DEFINE($3, 1, [Define if you have $1 in $2])
 		fi
 	else
 		AC_MSG_RESULT(no)
--- a/crypto/openssh/auth-options.c
+++ b/crypto/openssh/auth-options.c
@ -10,7 +10,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.31 2005/03/10 22:40:38 deraadt Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.33 2005/12/08 18:34:11 reyk Exp $");
 #include "xmalloc.h"
 #include "match.h"
@ -35,6 +35,9 @@ char *forced_command = NULL;
 /* "environment=" options. */
 struct envstring *custom_environment = NULL;
 /* "tunnel=" option. */
 int forced_tun_device = -1;
 extern ServerOptions options;
 void
@ -54,6 +57,7 @@ auth_clear_options(void)
 		xfree(forced_command);
 		forced_command = NULL;
 	}
 	forced_tun_device = -1;
 	channel_clear_permitted_opens();
 	auth_debug_reset();
 }
@ -269,6 +273,41 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			xfree(patterns);
 			goto next_option;
 		}
 		cp = "tunnel=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			char *tun = NULL;
 			opts += strlen(cp);
 			tun = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
 				if (*opts == '"')
 					break;
 				tun[i++] = *opts++;
 			}
 			if (!*opts) {
 				debug("%.100s, line %lu: missing end quote",
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: missing end quote",
 				    file, linenum);
 				xfree(tun);
 				forced_tun_device = -1;
 				goto bad_option;
 			}
 			tun[i] = 0;
 			forced_tun_device = a2tun(tun, NULL);
 			xfree(tun);
 			if (forced_tun_device == SSH_TUNID_ERR) {
 				debug("%.100s, line %lu: invalid tun device",
 				    file, linenum);
 				auth_debug_add("%.100s, line %lu: invalid tun device",
 				    file, linenum);
 				forced_tun_device = -1;
 				goto bad_option;
 			}
 			auth_debug_add("Forced tun device: %d", forced_tun_device);
 			opts++;
 			goto next_option;
 		}
 next_option:
 		/*
 		 * Skip the comma, and move to the next option
--- a/crypto/openssh/auth-options.h
+++ b/crypto/openssh/auth-options.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: auth-options.h,v 1.12 2002/07/21 18:34:43 stevesk Exp $	*/
+/*	$OpenBSD: auth-options.h,v 1.13 2005/12/06 22:38:27 reyk Exp $	*/
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -28,6 +28,7 @@ extern int no_x11_forwarding_flag;
 extern int no_pty_flag;
 extern char *forced_command;
 extern struct envstring *custom_environment;
 extern int forced_tun_device;
 int	auth_parse_options(struct passwd *, char *, char *, u_long);
 void	auth_clear_options(void);
--- a/crypto/openssh/auth2-gss.c
+++ b/crypto/openssh/auth2-gss.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: auth2-gss.c,v 1.10 2005/07/17 07:17:54 djm Exp $	*/
+/*	$OpenBSD: auth2-gss.c,v 1.12 2005/10/13 22:24:31 stevesk Exp $	*/
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -34,7 +34,6 @@
 #include "log.h"
 #include "dispatch.h"
 #include "servconf.h"
 #include "compat.h"
 #include "packet.h"
 #include "monitor_wrap.h"
@ -49,7 +48,7 @@ static void input_gssapi_errtok(int, u_int32_t, void *);
 /*
 * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like
+ * how to check local user kuserok and the like)
 */
 static int
 userauth_gssapi(Authctxt *authctxt)
@ -105,7 +104,7 @@ userauth_gssapi(Authctxt *authctxt)
 		return (0);
 	}
-	authctxt->methoddata=(void *)ctxt;
+	authctxt->methoddata = (void *)ctxt;
 	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
--- a/crypto/openssh/buildpkg.sh.in
+++ b/crypto/openssh/buildpkg.sh.in
@ -353,7 +353,7 @@ else
 	# Create user if required
 	[ "\$DO_PASSWD" = yes ]  &&  {
 		# Use uid of 67 if possible
-		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDGID'\$' >/dev/null
+		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
 		then
 			:
 		else
--- a/crypto/openssh/cipher-aes.c
+++ b/crypto/openssh/cipher-aes.c
@ -23,7 +23,11 @@
 */
 #include "includes.h"
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
 #ifdef USE_BUILTIN_RIJNDAEL
 RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 #include <openssl/evp.h>
@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 #include "xmalloc.h"
 #include "log.h"
 #if OPENSSL_VERSION_NUMBER < 0x00906000L
 #define SSH_OLD_EVP
 #endif
 #define RIJNDAEL_BLOCKSIZE 16
 struct ssh_rijndael_ctx
 {
@ -157,4 +157,4 @@ evp_rijndael(void)
 #endif
 	return (&rijndal_cbc);
 }
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* USE_BUILTIN_RIJNDAEL */
--- a/crypto/openssh/cipher-ctr.c
+++ b/crypto/openssh/cipher-ctr.c
@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
 #include "log.h"
 #include "xmalloc.h"
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
+/* compatibility with old or broken OpenSSL versions */
-#define SSH_OLD_EVP
+#include "openbsd-compat/openssl-compat.h"
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
 #include "rijndael.h"
 #define AES_KEY rijndael_ctx
 #define AES_BLOCK_SIZE 16
--- a/crypto/openssh/clientloop.c
+++ b/crypto/openssh/clientloop.c
@ -59,7 +59,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
+RCSID("$OpenBSD: clientloop.c,v 1.149 2005/12/30 15:56:37 reyk Exp $");
 #include "ssh.h"
 #include "ssh1.h"
@ -77,6 +77,7 @@ RCSID("$OpenBSD: clientloop.c,v 1.141 2005/07/16 01:35:24 djm Exp $");
 #include "log.h"
 #include "readconf.h"
 #include "clientloop.h"
 #include "sshconnect.h"
 #include "authfd.h"
 #include "atomicio.h"
 #include "sshpty.h"
@ -113,7 +114,7 @@ extern char *host;
 static volatile sig_atomic_t received_window_change_signal = 0;
 static volatile sig_atomic_t received_signal = 0;
-/* Flag indicating whether the user\'s terminal is in non-blocking mode. */
+/* Flag indicating whether the user's terminal is in non-blocking mode. */
 static int in_non_blocking_mode = 0;
 /* Common data for the client loop code. */
@ -266,7 +267,7 @@ client_x11_get_proto(const char *display, const char *xauth_path,
 			}
 		}
 		snprintf(cmd, sizeof(cmd),
-		    "%s %s%s list %s . 2>" _PATH_DEVNULL,
+		    "%s %s%s list %s 2>" _PATH_DEVNULL,
 		    xauth_path,
 		    generated ? "-f " : "" ,
 		    generated ? xauthfile : "",
@ -914,6 +915,15 @@ process_cmdline(void)
 		logit("      -Lport:host:hostport    Request local forward");
 		logit("      -Rport:host:hostport    Request remote forward");
 		logit("      -KRhostport             Cancel remote forward");
 		if (!options.permit_local_command)
 			goto out;
 		logit("      !args                   Execute local command");
 		goto out;
 	}
 	if (*s == '!' && options.permit_local_command) {
 		s++;
 		ssh_local_cmd(s);
 		goto out;
 	}
@ -1376,10 +1386,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
 		session_ident = ssh2_chan_id;
 		if (escape_char != SSH_ESCAPECHAR_NONE)
 			channel_register_filter(session_ident,
-			    simple_escape_filter);
+			    simple_escape_filter, NULL);
 		if (session_ident != -1)
 			channel_register_cleanup(session_ident,
-			    client_channel_closed);
+			    client_channel_closed, 0);
 	} else {
 		/* Check if we should immediately send eof on stdin. */
 		client_check_initial_eof_on_stdin();
@ -1678,7 +1688,7 @@ client_request_x11(const char *request_type, int rchan)
 	if (!options.forward_x11) {
 		error("Warning: ssh server tried X11 forwarding.");
-		error("Warning: this is probably a break in attempt by a malicious server.");
+		error("Warning: this is probably a break-in attempt by a malicious server.");
 		return NULL;
 	}
 	originator = packet_get_string(NULL);
@ -1711,7 +1721,7 @@ client_request_agent(const char *request_type, int rchan)
 	if (!options.forward_agent) {
 		error("Warning: ssh server tried agent forwarding.");
-		error("Warning: this is probably a break in attempt by a malicious server.");
+		error("Warning: this is probably a break-in attempt by a malicious server.");
 		return NULL;
 	}
 	sock =  ssh_get_authentication_socket();
@ -1880,7 +1890,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
 			/* Split */
 			name = xstrdup(env[i]);
 			if ((val = strchr(name, '=')) == NULL) {
-				free(name);
+				xfree(name);
 				continue;
 			}
 			*val++ = '\0';
@ -1894,7 +1904,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
 			}
 			if (!matched) {
 				debug3("Ignored env %s", name);
-				free(name);
+				xfree(name);
 				continue;
 			}
@ -1903,7 +1913,7 @@ client_session2_setup(int id, int want_tty, int want_subsystem,
 			packet_put_cstring(name);
 			packet_put_cstring(val);
 			packet_send();
-			free(name);
+			xfree(name);
 		}
 	}
--- a/crypto/openssh/defines.h
+++ b/crypto/openssh/defines.h
@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
-/* $Id: defines.h,v 1.127 2005/08/31 16:59:49 tim Exp $ */
+/* $Id: defines.h,v 1.130 2005/12/17 11:04:09 dtucker Exp $ */
 /* Constants */
@ -450,6 +450,10 @@ struct winsize {
 # define __sentinel__
 #endif
 #if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__bounded__)
 # define __bounded__(x, y, z)
 #endif
 /* *-*-nto-qnx doesn't define this macro in the system headers */
 #ifdef MISSING_HOWMANY
 # define howmany(x,y)	(((x)+((y)-1))/(y))
@ -688,7 +692,7 @@ struct winsize {
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef HAVE_LIBIAF
 # define CUSTOM_SYS_AUTH_PASSWD 1
 #endif
@ -711,4 +715,12 @@ struct winsize {
 # undef HAVE_MMAP
 #endif
 /* some system headers on HP-UX define YES/NO */
 #ifdef YES
 # undef YES
 #endif
 #ifdef NO
 # undef NO
 #endif
 #endif /* _DEFINES_H */
--- a/crypto/openssh/dns.c
+++ b/crypto/openssh/dns.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $	*/
+/*	$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $	*/
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -25,27 +25,16 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 RCSID("$OpenBSD: dns.c,v 1.16 2005/10/17 14:13:35 stevesk Exp $");
 #include <openssl/bn.h>
 #ifdef LWRES
 #include <lwres/netdb.h>
 #include <dns/result.h>
 #else /* LWRES */
 #include <netdb.h>
 #endif /* LWRES */
 #include "xmalloc.h"
 #include "key.h"
 #include "dns.h"
 #include "log.h"
 #include "uuencode.h"
 extern char *__progname;
 RCSID("$OpenBSD: dns.c,v 1.12 2005/06/17 02:44:32 djm Exp $");
 #ifndef LWRES
 static const char *errset_text[] = {
 	"success",		/* 0 ERRSET_SUCCESS */
 	"out of memory",	/* 1 ERRSET_NOMEMORY */
@ -75,8 +64,6 @@ dns_result_totext(unsigned int res)
 		return "unknown error";
 	}
 }
 #endif /* LWRES */
 /*
 * Read SSHFP parameters from key buffer.
@ -95,12 +82,14 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
 		*algorithm = SSHFP_KEY_DSA;
 		break;
 	default:
-		*algorithm = SSHFP_KEY_RESERVED;
+		*algorithm = SSHFP_KEY_RESERVED; /* 0 */
 	}
 	if (*algorithm) {
 		*digest_type = SSHFP_HASH_SHA1;
 		*digest = key_fingerprint_raw(key, SSH_FP_SHA1, digest_len);
 		if (*digest == NULL)
 			fatal("dns_read_key: null from key_fingerprint_raw()");
 		success = 1;
 	} else {
 		*digest_type = SSHFP_HASH_RESERVED;
@ -133,7 +122,7 @@ dns_read_rdata(u_int8_t *algorithm, u_int8_t *digest_type,
 			*digest = (u_char *) xmalloc(*digest_len);
 			memcpy(*digest, rdata + 2, *digest_len);
 		} else {
-			*digest = NULL;
+			*digest = xstrdup("");
 		}
 		success = 1;
@ -187,7 +176,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 	*flags = 0;
-	debug3("verify_hostkey_dns");
+	debug3("verify_host_key_dns");
 	if (hostkey == NULL)
 		fatal("No key to look up!");
@ -223,7 +212,7 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 	if (fingerprints->rri_nrdatas)
 		*flags |= DNS_VERIFY_FOUND;
-	for (counter = 0 ; counter < fingerprints->rri_nrdatas ; counter++)  {
+	for (counter = 0; counter < fingerprints->rri_nrdatas; counter++)  {
 		/*
 		 * Extract the key from the answer. Ignore any badly
 		 * formatted fingerprints.
@ -247,8 +236,10 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 				*flags |= DNS_VERIFY_MATCH;
 			}
 		}
 		xfree(dnskey_digest);
 	}
 	xfree(hostkey_digest); /* from key_fingerprint_raw() */
 	freerrset(fingerprints);
 	if (*flags & DNS_VERIFY_FOUND)
@ -262,7 +253,6 @@ verify_host_key_dns(const char *hostname, struct sockaddr *address,
 	return 0;
 }
 /*
 * Export the fingerprint of a key as a DNS resource record
 */
@ -278,7 +268,7 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
 	int success = 0;
 	if (dns_read_key(&rdata_pubkey_algorithm, &rdata_digest_type,
-			 &rdata_digest, &rdata_digest_len, key)) {
+	    &rdata_digest, &rdata_digest_len, key)) {
 		if (generic)
 			fprintf(f, "%s IN TYPE%d \\# %d %02x %02x ", hostname,
@ -291,9 +281,10 @@ export_dns_rr(const char *hostname, const Key *key, FILE *f, int generic)
 		for (i = 0; i < rdata_digest_len; i++)
 			fprintf(f, "%02x", rdata_digest[i]);
 		fprintf(f, "\n");
 		xfree(rdata_digest); /* from key_fingerprint_raw() */
 		success = 1;
 	} else {
-		error("dns_export_rr: unsupported algorithm");
+		error("export_dns_rr: unsupported algorithm");
 	}
 	return success;
--- a/crypto/openssh/dns.h
+++ b/crypto/openssh/dns.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: dns.h,v 1.5 2003/11/12 16:39:58 jakob Exp $	*/
+/*	$OpenBSD: dns.h,v 1.6 2005/10/17 14:13:35 stevesk Exp $	*/
 /*
 * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@ -25,7 +25,6 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
 #ifndef DNS_H
@ -49,7 +48,6 @@ enum sshfp_hashes {
 #define DNS_VERIFY_MATCH	0x00000002
 #define DNS_VERIFY_SECURE	0x00000004
 int	verify_host_key_dns(const char *, struct sockaddr *, const Key *, int *);
 int	export_dns_rr(const char *, const Key *, FILE *, int);
--- a/crypto/openssh/entropy.c
+++ b/crypto/openssh/entropy.c
@ -26,6 +26,7 @@
 #include <openssl/rand.h>
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 #include "ssh.h"
 #include "misc.h"
@ -33,6 +34,8 @@
 #include "atomicio.h"
 #include "pathnames.h"
 #include "log.h"
 #include "buffer.h"
 #include "bufaux.h"
 /*
 * Portable OpenSSH PRNG seeding:
@ -45,7 +48,7 @@
 * XXX: we should tell the child how many bytes we need.
 */
-RCSID("$Id: entropy.c,v 1.49 2005/07/17 07:26:44 djm Exp $");
+RCSID("$Id: entropy.c,v 1.52 2005/09/27 22:26:30 dtucker Exp $");
 #ifndef OPENSSL_PRNG_ONLY
 #define RANDOM_SEED_SIZE 48
@ -145,10 +148,35 @@ init_rng(void)
 		    "have %lx", OPENSSL_VERSION_NUMBER, SSLeay());
 #ifndef OPENSSL_PRNG_ONLY
-	if ((original_uid = getuid()) == -1)
+	original_uid = getuid();
-		fatal("getuid: %s", strerror(errno));
+	original_euid = geteuid();
 	if ((original_euid = geteuid()) == -1)
 		fatal("geteuid: %s", strerror(errno));
 #endif
 }
 #ifndef OPENSSL_PRNG_ONLY
 void
 rexec_send_rng_seed(Buffer *m)
 {
 	u_char buf[RANDOM_SEED_SIZE];
 	if (RAND_bytes(buf, sizeof(buf)) <= 0) {
 		error("Couldn't obtain random bytes (error %ld)",
 		    ERR_get_error());
 		buffer_put_string(m, "", 0);
 	} else 
 		buffer_put_string(m, buf, sizeof(buf));
 }
 void
 rexec_recv_rng_seed(Buffer *m)
 {
 	u_char *buf;
 	u_int len;
 	buf = buffer_get_string_ret(m, &len);
 	if (buf != NULL) {
 		debug3("rexec_recv_rng_seed: seeding rng with %u bytes", len);
 		RAND_add(buf, len, len);
 	}
 }
 #endif
--- a/crypto/openssh/entropy.h
+++ b/crypto/openssh/entropy.h
@ -22,12 +22,17 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-/* $Id: entropy.h,v 1.4 2001/02/09 01:55:36 djm Exp $ */
+/* $Id: entropy.h,v 1.5 2005/09/27 12:46:32 dtucker Exp $ */
 #ifndef _RANDOMS_H
 #define _RANDOMS_H
 #include "buffer.h"
 void seed_rng(void);
 void init_rng(void);
 void rexec_send_rng_seed(Buffer *);
 void rexec_recv_rng_seed(Buffer *);
 #endif /* _RANDOMS_H */
--- a/crypto/openssh/gss-genr.c
+++ b/crypto/openssh/gss-genr.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: gss-genr.c,v 1.4 2005/07/17 07:17:55 djm Exp $	*/
+/*	$OpenBSD: gss-genr.c,v 1.6 2005/10/13 22:24:31 stevesk Exp $	*/
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -30,9 +30,7 @@
 #include "xmalloc.h"
 #include "bufaux.h"
 #include "compat.h"
 #include "log.h"
 #include "monitor_wrap.h"
 #include "ssh2.h"
 #include "ssh-gss.h"
@ -270,7 +268,8 @@ ssh_gssapi_buildmic(Buffer *b, const char *user, const char *service,
 }
 OM_uint32
-ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid) {
+ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
 {
 	if (*ctx)
 		ssh_gssapi_delete_ctx(ctx);
 	ssh_gssapi_build_ctx(ctx);
--- a/crypto/openssh/gss-serv-krb5.c
+++ b/crypto/openssh/gss-serv-krb5.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: gss-serv-krb5.c,v 1.3 2004/07/21 10:36:23 djm Exp $	*/
+/*	$OpenBSD: gss-serv-krb5.c,v 1.4 2005/10/13 19:08:08 stevesk Exp $	*/
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
--- a/crypto/openssh/gss-serv.c
+++ b/crypto/openssh/gss-serv.c
@ -1,4 +1,4 @@
-/*	$OpenBSD: gss-serv.c,v 1.8 2005/08/30 22:08:05 djm Exp $	*/
+/*	$OpenBSD: gss-serv.c,v 1.13 2005/10/13 22:24:31 stevesk Exp $	*/
 /*
 * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -29,20 +29,16 @@
 #ifdef GSSAPI
 #include "bufaux.h"
 #include "compat.h"
 #include "auth.h"
 #include "log.h"
 #include "channels.h"
 #include "session.h"
 #include "servconf.h"
 #include "monitor_wrap.h"
 #include "xmalloc.h"
 #include "getput.h"
 #include "ssh-gss.h"
 extern ServerOptions options;
 static ssh_gssapi_client gssapi_client =
    { GSS_C_EMPTY_BUFFER, GSS_C_EMPTY_BUFFER,
    GSS_C_NO_CREDENTIAL, NULL, {NULL, NULL, NULL}};
@ -61,7 +57,7 @@ ssh_gssapi_mech* supported_mechs[]= {
 	&gssapi_null_mech,
 };
-/* Unpriviledged */
+/* Unprivileged */
 void
 ssh_gssapi_supported_oids(gss_OID_set *oidset)
 {
@ -90,7 +86,7 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
 *    oid
 *    credentials	(from ssh_gssapi_acquire_cred)
 */
-/* Priviledged */
+/* Privileged */
 OM_uint32
 ssh_gssapi_accept_ctx(Gssctxt *ctx, gss_buffer_desc *recv_tok,
    gss_buffer_desc *send_tok, OM_uint32 *flags)
@ -138,14 +134,14 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 	OM_uint32 offset;
 	OM_uint32 oidl;
-	tok=ename->value;
+	tok = ename->value;
 	/*
 	 * Check that ename is long enough for all of the fixed length
 	 * header, and that the initial ID bytes are correct
 	 */
-	if (ename->length<6 || memcmp(tok,"\x04\x01", 2)!=0)
+	if (ename->length < 6 || memcmp(tok, "\x04\x01", 2) != 0)
 		return GSS_S_FAILURE;
 	/*
@ -164,7 +160,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 	 */
 	if (tok[4] != 0x06 || tok[5] != oidl ||
 	    ename->length < oidl+6 ||
-	    !ssh_gssapi_check_oid(ctx,tok+6,oidl))
+	    !ssh_gssapi_check_oid(ctx, tok+6, oidl))
 		return GSS_S_FAILURE;
 	offset = oidl+6;
@ -179,7 +175,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 		return GSS_S_FAILURE;
 	name->value = xmalloc(name->length+1);
-	memcpy(name->value,tok+offset,name->length);
+	memcpy(name->value, tok+offset,name->length);
 	((char *)name->value)[name->length] = 0;
 	return GSS_S_COMPLETE;
@ -188,7 +184,7 @@ ssh_gssapi_parse_ename(Gssctxt *ctx, gss_buffer_t ename, gss_buffer_t name)
 /* Extract the client details from a given context. This can only reliably
 * be called once for a context */
-/* Priviledged (called from accept_secure_ctx) */
+/* Privileged (called from accept_secure_ctx) */
 OM_uint32
 ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
 {
@ -263,15 +259,14 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
 	if (gssapi_client.store.envvar != NULL &&
 	    gssapi_client.store.envval != NULL) {
 		debug("Setting %s to %s", gssapi_client.store.envvar,
-		gssapi_client.store.envval);
+		    gssapi_client.store.envval);
 		child_set_env(envp, envsizep, gssapi_client.store.envvar,
 		    gssapi_client.store.envval);
 	}
 }
-/* Priviledged */
+/* Privileged */
 int
 ssh_gssapi_userok(char *user)
 {
@ -298,7 +293,7 @@ ssh_gssapi_userok(char *user)
 	return (0);
 }
-/* Priviledged */
+/* Privileged */
 OM_uint32
 ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
 {
--- a/crypto/openssh/kex.c
+++ b/crypto/openssh/kex.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kex.c,v 1.64 2005/07/25 11:59:39 markus Exp $");
+RCSID("$OpenBSD: kex.c,v 1.65 2005/11/04 05:15:59 djm Exp $");
 #include <openssl/crypto.h>
@ -294,13 +294,17 @@ choose_kex(Kex *k, char *client, char *server)
 		fatal("no kex alg");
 	if (strcmp(k->name, KEX_DH1) == 0) {
 		k->kex_type = KEX_DH_GRP1_SHA1;
 		k->evp_md = EVP_sha1();
 	} else if (strcmp(k->name, KEX_DH14) == 0) {
 		k->kex_type = KEX_DH_GRP14_SHA1;
-	} else if (strcmp(k->name, KEX_DHGEX) == 0) {
+		k->evp_md = EVP_sha1();
 	} else if (strcmp(k->name, KEX_DHGEX_SHA1) == 0) {
 		k->kex_type = KEX_DH_GEX_SHA1;
 		k->evp_md = EVP_sha1();
 	} else
 		fatal("bad kex alg %s", k->name);
 }
 static void
 choose_hostkeyalg(Kex *k, char *client, char *server)
 {
@ -404,28 +408,28 @@ kex_choose_conf(Kex *kex)
 }
 static u_char *
-derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
+derive_key(Kex *kex, int id, u_int need, u_char *hash, u_int hashlen,
    BIGNUM *shared_secret)
 {
 	Buffer b;
 	const EVP_MD *evp_md = EVP_sha1();
 	EVP_MD_CTX md;
 	char c = id;
 	u_int have;
-	int mdsz = EVP_MD_size(evp_md);
+	int mdsz;
 	u_char *digest;
-	if (mdsz < 0)
+	if ((mdsz = EVP_MD_size(kex->evp_md)) <= 0)
-		fatal("derive_key: mdsz < 0");
+		fatal("bad kex md size %d", mdsz);
-	digest = xmalloc(roundup(need, mdsz));
+ 	digest = xmalloc(roundup(need, mdsz));
 	buffer_init(&b);
 	buffer_put_bignum2(&b, shared_secret);
 	/* K1 = HASH(K || H || "A" || session_id) */
-	EVP_DigestInit(&md, evp_md);
+	EVP_DigestInit(&md, kex->evp_md);
 	if (!(datafellows & SSH_BUG_DERIVEKEY))
 		EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-	EVP_DigestUpdate(&md, hash, mdsz);
+	EVP_DigestUpdate(&md, hash, hashlen);
 	EVP_DigestUpdate(&md, &c, 1);
 	EVP_DigestUpdate(&md, kex->session_id, kex->session_id_len);
 	EVP_DigestFinal(&md, digest, NULL);
@ -436,10 +440,10 @@ derive_key(Kex *kex, int id, u_int need, u_char *hash, BIGNUM *shared_secret)
 	 * Key = K1 || K2 || ... || Kn
 	 */
 	for (have = mdsz; need > have; have += mdsz) {
-		EVP_DigestInit(&md, evp_md);
+		EVP_DigestInit(&md, kex->evp_md);
 		if (!(datafellows & SSH_BUG_DERIVEKEY))
 			EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
-		EVP_DigestUpdate(&md, hash, mdsz);
+		EVP_DigestUpdate(&md, hash, hashlen);
 		EVP_DigestUpdate(&md, digest, have);
 		EVP_DigestFinal(&md, digest + have, NULL);
 	}
@ -455,13 +459,15 @@ Newkeys *current_keys[MODE_MAX];
 #define NKEYS	6
 void
-kex_derive_keys(Kex *kex, u_char *hash, BIGNUM *shared_secret)
+kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen, BIGNUM *shared_secret)
 {
 	u_char *keys[NKEYS];
 	u_int i, mode, ctos;
-	for (i = 0; i < NKEYS; i++)
+	for (i = 0; i < NKEYS; i++) {
-		keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, shared_secret);
+		keys[i] = derive_key(kex, 'A'+i, kex->we_need, hash, hashlen,
 		    shared_secret);
 	}
 	debug2("kex_derive_keys");
 	for (mode = 0; mode < MODE_MAX; mode++) {
--- a/crypto/openssh/kex.h
+++ b/crypto/openssh/kex.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: kex.h,v 1.37 2005/07/25 11:59:39 markus Exp $	*/
+/*	$OpenBSD: kex.h,v 1.38 2005/11/04 05:15:59 djm Exp $	*/
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@ -31,9 +31,9 @@
 #include "cipher.h"
 #include "key.h"
-#define	KEX_DH1		"diffie-hellman-group1-sha1"
+#define	KEX_DH1			"diffie-hellman-group1-sha1"
-#define	KEX_DH14	"diffie-hellman-group14-sha1"
+#define	KEX_DH14		"diffie-hellman-group14-sha1"
-#define	KEX_DHGEX	"diffie-hellman-group-exchange-sha1"
+#define	KEX_DHGEX_SHA1		"diffie-hellman-group-exchange-sha1"
 #define COMP_NONE	0
 #define COMP_ZLIB	1
@ -114,6 +114,7 @@ struct Kex {
 	Buffer	peer;
 	int	done;
 	int	flags;
 	const EVP_MD *evp_md;
 	char	*client_version_string;
 	char	*server_version_string;
 	int	(*verify_host_key)(Key *);
@ -127,7 +128,7 @@ void	 kex_finish(Kex *);
 void	 kex_send_kexinit(Kex *);
 void	 kex_input_kexinit(int, u_int32_t, void *);
-void	 kex_derive_keys(Kex *, u_char *, BIGNUM *);
+void	 kex_derive_keys(Kex *, u_char *, u_int, BIGNUM *);
 Newkeys *kex_get_newkeys(int);
@ -136,12 +137,13 @@ void	 kexdh_server(Kex *);
 void	 kexgex_client(Kex *);
 void	 kexgex_server(Kex *);
-u_char *
+void
 kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
-    BIGNUM *, BIGNUM *, BIGNUM *);
+    BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
-u_char *
+void
-kexgex_hash(char *, char *, char *, int, char *, int, u_char *, int,
+kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
-    int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *);
+    int, u_char *, int, int, int, int, BIGNUM *, BIGNUM *, BIGNUM *, 
    BIGNUM *, BIGNUM *, u_char **, u_int *);
 void
 derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
--- a/crypto/openssh/kexdh.c
+++ b/crypto/openssh/kexdh.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexdh.c,v 1.20 2005/11/04 05:15:59 djm Exp $");
 #include <openssl/evp.h>
@ -32,7 +32,7 @@ RCSID("$OpenBSD: kexdh.c,v 1.19 2003/02/16 17:09:57 markus Exp $");
 #include "ssh2.h"
 #include "kex.h"
-u_char *
+void
 kex_dh_hash(
    char *client_version_string,
    char *server_version_string,
@ -41,7 +41,8 @@ kex_dh_hash(
    u_char *serverhostkeyblob, int sbloblen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
-    BIGNUM *shared_secret)
+    BIGNUM *shared_secret,
    u_char **hash, u_int *hashlen)
 {
 	Buffer b;
 	static u_char digest[EVP_MAX_MD_SIZE];
@ -77,5 +78,6 @@ kex_dh_hash(
 #ifdef DEBUG_KEX
 	dump_digest("hash", digest, EVP_MD_size(evp_md));
 #endif
-	return digest;
+	*hash = digest;
 	*hashlen = EVP_MD_size(evp_md);
 }
--- a/crypto/openssh/kexdhc.c
+++ b/crypto/openssh/kexdhc.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kexdhc.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
 #include "xmalloc.h"
 #include "key.h"
@ -41,7 +41,7 @@ kexdh_client(Kex *kex)
 	Key *server_host_key;
 	u_char *server_host_key_blob = NULL, *signature = NULL;
 	u_char *kbuf, *hash;
-	u_int klen, kout, slen, sbloblen;
+	u_int klen, kout, slen, sbloblen, hashlen;
 	/* generate and send 'e', client DH public key */
 	switch (kex->kex_type) {
@ -114,7 +114,7 @@ kexdh_client(Kex *kex)
 	xfree(kbuf);
 	/* calc and verify H */
-	hash = kex_dh_hash(
+	kex_dh_hash(
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -122,25 +122,26 @@ kexdh_client(Kex *kex)
 	    server_host_key_blob, sbloblen,
 	    dh->pub_key,
 	    dh_server_pub,
-	    shared_secret
+	    shared_secret,
 	    &hash, &hashlen
 	);
 	xfree(server_host_key_blob);
 	BN_clear_free(dh_server_pub);
 	DH_free(dh);
-	if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
 		fatal("key_verify failed for server_host_key");
 	key_free(server_host_key);
 	xfree(signature);
 	/* save session id */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 	kex_finish(kex);
 }
--- a/crypto/openssh/kexdhs.c
+++ b/crypto/openssh/kexdhs.c
@ -23,7 +23,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kexdhs.c,v 1.2 2004/06/13 12:53:24 djm Exp $");
+RCSID("$OpenBSD: kexdhs.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
 #include "xmalloc.h"
 #include "key.h"
@ -41,7 +41,7 @@ kexdh_server(Kex *kex)
 	DH *dh;
 	Key *server_host_key;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int sbloblen, klen, kout;
+	u_int sbloblen, klen, kout, hashlen;
 	u_int slen;
 	/* generate server DH public key */
@ -103,7 +103,7 @@ kexdh_server(Kex *kex)
 	key_to_blob(server_host_key, &server_host_key_blob, &sbloblen);
 	/* calc H */
-	hash = kex_dh_hash(
+	kex_dh_hash(
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@ -111,21 +111,20 @@ kexdh_server(Kex *kex)
 	    server_host_key_blob, sbloblen,
 	    dh_client_pub,
 	    dh->pub_key,
-	    shared_secret
+	    shared_secret,
 	    &hash, &hashlen
 	);
 	BN_clear_free(dh_client_pub);
 	/* save session id := H */
 	/* XXX hashlen depends on KEX */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
 	/* sign H */
-	/* XXX hashlen depends on KEX */
+	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
 	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
 	/* destroy_sensitive_data(); */
@ -141,7 +140,7 @@ kexdh_server(Kex *kex)
 	/* have keys, free DH */
 	DH_free(dh);
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 	kex_finish(kex);
 }
--- a/crypto/openssh/kexgex.c
+++ b/crypto/openssh/kexgex.c
@ -24,7 +24,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgex.c,v 1.24 2005/11/04 05:15:59 djm Exp $");
 #include <openssl/evp.h>
@ -33,8 +33,9 @@ RCSID("$OpenBSD: kexgex.c,v 1.23 2003/02/16 17:09:57 markus Exp $");
 #include "kex.h"
 #include "ssh2.h"
-u_char *
+void
 kexgex_hash(
    const EVP_MD *evp_md,
    char *client_version_string,
    char *server_version_string,
    char *ckexinit, int ckexinitlen,
@ -43,11 +44,11 @@ kexgex_hash(
    int min, int wantbits, int max, BIGNUM *prime, BIGNUM *gen,
    BIGNUM *client_dh_pub,
    BIGNUM *server_dh_pub,
-    BIGNUM *shared_secret)
+    BIGNUM *shared_secret,
    u_char **hash, u_int *hashlen)
 {
 	Buffer b;
 	static u_char digest[EVP_MAX_MD_SIZE];
 	const EVP_MD *evp_md = EVP_sha1();
 	EVP_MD_CTX md;
 	buffer_init(&b);
@ -79,14 +80,15 @@ kexgex_hash(
 #ifdef DEBUG_KEXDH
 	buffer_dump(&b);
 #endif
 	EVP_DigestInit(&md, evp_md);
 	EVP_DigestUpdate(&md, buffer_ptr(&b), buffer_len(&b));
 	EVP_DigestFinal(&md, digest, NULL);
 	buffer_free(&b);
-
+	*hash = digest;
 	*hashlen = EVP_MD_size(evp_md);
 #ifdef DEBUG_KEXDH
-	dump_digest("hash", digest, EVP_MD_size(evp_md));
+	dump_digest("hash", digest, *hashlen);
 #endif
 	return digest;
 }
--- a/crypto/openssh/kexgexc.c
+++ b/crypto/openssh/kexgexc.c
@ -24,7 +24,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kexgexc.c,v 1.2 2003/12/08 11:00:47 markus Exp $");
+RCSID("$OpenBSD: kexgexc.c,v 1.3 2005/11/04 05:15:59 djm Exp $");
 #include "xmalloc.h"
 #include "key.h"
@ -42,7 +42,7 @@ kexgex_client(Kex *kex)
 	BIGNUM *p = NULL, *g = NULL;
 	Key *server_host_key;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int klen, kout, slen, sbloblen;
+	u_int klen, kout, slen, sbloblen, hashlen;
 	int min, max, nbits;
 	DH *dh;
@ -155,7 +155,8 @@ kexgex_client(Kex *kex)
 		min = max = -1;
 	/* calc and verify H */
-	hash = kexgex_hash(
+	kexgex_hash(
 	    kex->evp_md,
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->my), buffer_len(&kex->my),
@ -165,25 +166,27 @@ kexgex_client(Kex *kex)
 	    dh->p, dh->g,
 	    dh->pub_key,
 	    dh_server_pub,
-	    shared_secret
+	    shared_secret,
 	    &hash, &hashlen
 	);
 	/* have keys, free DH */
 	DH_free(dh);
 	xfree(server_host_key_blob);
 	BN_clear_free(dh_server_pub);
-	if (key_verify(server_host_key, signature, slen, hash, 20) != 1)
+	if (key_verify(server_host_key, signature, slen, hash, hashlen) != 1)
 		fatal("key_verify failed for server_host_key");
 	key_free(server_host_key);
 	xfree(signature);
 	/* save session id */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 	kex_finish(kex);
--- a/crypto/openssh/kexgexs.c
+++ b/crypto/openssh/kexgexs.c
@ -24,7 +24,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: kexgexs.c,v 1.1 2003/02/16 17:09:57 markus Exp $");
+RCSID("$OpenBSD: kexgexs.c,v 1.2 2005/11/04 05:15:59 djm Exp $");
 #include "xmalloc.h"
 #include "key.h"
@ -43,7 +43,7 @@ kexgex_server(Kex *kex)
 	Key *server_host_key;
 	DH *dh;
 	u_char *kbuf, *hash, *signature = NULL, *server_host_key_blob = NULL;
-	u_int sbloblen, klen, kout, slen;
+	u_int sbloblen, klen, kout, slen, hashlen;
 	int min = -1, max = -1, nbits = -1, type;
 	if (kex->load_host_key == NULL)
@ -137,8 +137,9 @@ kexgex_server(Kex *kex)
 	if (type == SSH2_MSG_KEX_DH_GEX_REQUEST_OLD)
 		min = max = -1;
-	/* calc H */			/* XXX depends on 'kex' */
+	/* calc H */
-	hash = kexgex_hash(
+	kexgex_hash(
 	    kex->evp_md,
 	    kex->client_version_string,
 	    kex->server_version_string,
 	    buffer_ptr(&kex->peer), buffer_len(&kex->peer),
@ -148,21 +149,20 @@ kexgex_server(Kex *kex)
 	    dh->p, dh->g,
 	    dh_client_pub,
 	    dh->pub_key,
-	    shared_secret
+	    shared_secret,
 	    &hash, &hashlen
 	);
 	BN_clear_free(dh_client_pub);
 	/* save session id := H */
 	/* XXX hashlen depends on KEX */
 	if (kex->session_id == NULL) {
-		kex->session_id_len = 20;
+		kex->session_id_len = hashlen;
 		kex->session_id = xmalloc(kex->session_id_len);
 		memcpy(kex->session_id, hash, kex->session_id_len);
 	}
 	/* sign H */
-	/* XXX hashlen depends on KEX */
+	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, hashlen));
 	PRIVSEP(key_sign(server_host_key, &signature, &slen, hash, 20));
 	/* destroy_sensitive_data(); */
@ -179,7 +179,7 @@ kexgex_server(Kex *kex)
 	/* have keys, free DH */
 	DH_free(dh);
-	kex_derive_keys(kex, hash, shared_secret);
+	kex_derive_keys(kex, hash, hashlen, shared_secret);
 	BN_clear_free(shared_secret);
 	kex_finish(kex);
--- a/crypto/openssh/misc.c
+++ b/crypto/openssh/misc.c
@ -24,7 +24,11 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: misc.c,v 1.34 2005/07/08 09:26:18 dtucker Exp $");
+RCSID("$OpenBSD: misc.c,v 1.42 2006/01/31 10:19:02 djm Exp $");
 #ifdef SSH_TUN_OPENBSD
 #include <net/if.h>
 #endif
 #include "misc.h"
 #include "log.h"
@ -194,6 +198,37 @@ a2port(const char *s)
 	return port;
 }
 int
 a2tun(const char *s, int *remote)
 {
 	const char *errstr = NULL;
 	char *sp, *ep;
 	int tun;
 	if (remote != NULL) {
 		*remote = SSH_TUNID_ANY;
 		sp = xstrdup(s);
 		if ((ep = strchr(sp, ':')) == NULL) {
 			xfree(sp);
 			return (a2tun(s, NULL));
 		}
 		ep[0] = '\0'; ep++;
 		*remote = a2tun(ep, NULL);
 		tun = a2tun(sp, NULL);
 		xfree(sp);
 		return (*remote == SSH_TUNID_ERR ? *remote : tun);
 	}
 	if (strcasecmp(s, "any") == 0)
 		return (SSH_TUNID_ANY);
 	tun = strtonum(s, 0, SSH_TUNID_MAX, &errstr);
 	if (errstr != NULL)
 		return (SSH_TUNID_ERR);
 	return (tun);
 }
 #define SECONDS		1
 #define MINUTES		(SECONDS * 60)
 #define HOURS		(MINUTES * 60)
@ -356,12 +391,15 @@ void
 addargs(arglist *args, char *fmt, ...)
 {
 	va_list ap;
-	char buf[1024];
+	char *cp;
 	u_int nalloc;
 	int r;
 	va_start(ap, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, ap);
+	r = vasprintf(&cp, fmt, ap);
 	va_end(ap);
 	if (r == -1)
 		fatal("addargs: argument too long");
 	nalloc = args->nalloc;
 	if (args->list == NULL) {
@ -372,10 +410,44 @@ addargs(arglist *args, char *fmt, ...)
 	args->list = xrealloc(args->list, nalloc * sizeof(char *));
 	args->nalloc = nalloc;
-	args->list[args->num++] = xstrdup(buf);
+	args->list[args->num++] = cp;
 	args->list[args->num] = NULL;
 }
 void
 replacearg(arglist *args, u_int which, char *fmt, ...)
 {
 	va_list ap;
 	char *cp;
 	int r;
 	va_start(ap, fmt);
 	r = vasprintf(&cp, fmt, ap);
 	va_end(ap);
 	if (r == -1)
 		fatal("replacearg: argument too long");
 	if (which >= args->num)
 		fatal("replacearg: tried to replace invalid arg %d >= %d",
 		    which, args->num);
 	xfree(args->list[which]);
 	args->list[which] = cp;
 }
 void
 freeargs(arglist *args)
 {
 	u_int i;
 	if (args->list != NULL) {
 		for (i = 0; i < args->num; i++)
 			xfree(args->list[i]);
 		xfree(args->list);
 		args->nalloc = args->num = 0;
 		args->list = NULL;
 	}
 }
 /*
 * Expands tildes in the file name.  Returns data allocated by xmalloc.
 * Warning: this calls getpw*.
@ -507,6 +579,99 @@ read_keyfile_line(FILE *f, const char *filename, char *buf, size_t bufsz,
 	return -1;
 }
 int
 tun_open(int tun, int mode)
 {
 #if defined(CUSTOM_SYS_TUN_OPEN)
 	return (sys_tun_open(tun, mode));
 #elif defined(SSH_TUN_OPENBSD)
 	struct ifreq ifr;
 	char name[100];
 	int fd = -1, sock;
 	/* Open the tunnel device */
 	if (tun <= SSH_TUNID_MAX) {
 		snprintf(name, sizeof(name), "/dev/tun%d", tun);
 		fd = open(name, O_RDWR);
 	} else if (tun == SSH_TUNID_ANY) {
 		for (tun = 100; tun >= 0; tun--) {
 			snprintf(name, sizeof(name), "/dev/tun%d", tun);
 			if ((fd = open(name, O_RDWR)) >= 0)
 				break;
 		}
 	} else {
 		debug("%s: invalid tunnel %u", __func__, tun);
 		return (-1);
 	}
 	if (fd < 0) {
 		debug("%s: %s open failed: %s", __func__, name, strerror(errno));
 		return (-1);
 	}
 	debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
 	/* Set the tunnel device operation mode */
 	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "tun%d", tun);
 	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
 		goto failed;
 	if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
 		goto failed;
 	/* Set interface mode */
 	ifr.ifr_flags &= ~IFF_UP;
 	if (mode == SSH_TUNMODE_ETHERNET)
 		ifr.ifr_flags |= IFF_LINK0;
 	else
 		ifr.ifr_flags &= ~IFF_LINK0;
 	if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
 		goto failed;
 	/* Bring interface up */
 	ifr.ifr_flags |= IFF_UP;
 	if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
 		goto failed;
 	close(sock);
 	return (fd);
 failed:
 	if (fd >= 0)
 		close(fd);
 	if (sock >= 0)
 		close(sock);
 	debug("%s: failed to set %s mode %d: %s", __func__, name,
 	    mode, strerror(errno));
 	return (-1);
 #else
 	error("Tunnel interfaces are not supported on this platform");
 	return (-1);
 #endif
 }
 void
 sanitise_stdfd(void)
 {
 	int nullfd, dupfd;
 	if ((nullfd = dupfd = open(_PATH_DEVNULL, O_RDWR)) == -1) {
 		fprintf(stderr, "Couldn't open /dev/null: %s", strerror(errno));
 		exit(1);
 	}
 	while (++dupfd <= 2) {
 		/* Only clobber closed fds */
 		if (fcntl(dupfd, F_GETFL, 0) >= 0)
 			continue;
 		if (dup2(nullfd, dupfd) == -1) {
 			fprintf(stderr, "dup2: %s", strerror(errno));
 			exit(1);
 		}
 	}
 	if (nullfd > 2)
 		close(nullfd);
 }
 char *
 tohex(const u_char *d, u_int l)
 {
--- a/crypto/openssh/misc.h
+++ b/crypto/openssh/misc.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: misc.h,v 1.25 2005/07/14 04:00:43 dtucker Exp $	*/
+/*	$OpenBSD: misc.h,v 1.29 2006/01/31 10:19:02 djm Exp $	*/
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@ -20,6 +20,7 @@ int	 set_nonblock(int);
 int	 unset_nonblock(int);
 void	 set_nodelay(int);
 int	 a2port(const char *);
 int	 a2tun(const char *, int *);
 char	*hpdelim(char **);
 char	*cleanhostname(char *);
 char	*colon(char *);
@ -27,6 +28,7 @@ long	 convtime(const char *);
 char	*tilde_expand_filename(const char *, uid_t);
 char	*percent_expand(const char *, ...) __attribute__((__sentinel__));
 char	*tohex(const u_char *, u_int);
 void	 sanitise_stdfd(void);
 struct passwd *pwcopy(struct passwd *);
@ -36,7 +38,11 @@ struct arglist {
 	u_int   num;
 	u_int   nalloc;
 };
-void	 addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
+void	 addargs(arglist *, char *, ...)
 	     __attribute__((format(printf, 2, 3)));
 void	 replacearg(arglist *, u_int, char *, ...)
 	     __attribute__((format(printf, 3, 4)));
 void	 freeargs(arglist *);
 /* readpass.c */
@ -48,3 +54,16 @@ void	 addargs(arglist *, char *, ...) __attribute__((format(printf, 2, 3)));
 char	*read_passphrase(const char *, int);
 int	 ask_permission(const char *, ...) __attribute__((format(printf, 1, 2)));
 int	 read_keyfile_line(FILE *, const char *, char *, size_t, u_long *);
 int	 tun_open(int, int);
 /* Common definitions for ssh tunnel device forwarding */
 #define SSH_TUNMODE_NO		0x00
 #define SSH_TUNMODE_POINTOPOINT	0x01
 #define SSH_TUNMODE_ETHERNET	0x02
 #define SSH_TUNMODE_DEFAULT	SSH_TUNMODE_POINTOPOINT
 #define SSH_TUNMODE_YES		(SSH_TUNMODE_POINTOPOINT|SSH_TUNMODE_ETHERNET)
 #define SSH_TUNID_ANY		0x7fffffff
 #define SSH_TUNID_ERR		(SSH_TUNID_ANY - 1)
 #define SSH_TUNID_MAX		(SSH_TUNID_ANY - 2)
--- a/crypto/openssh/openbsd-compat/Makefile.in
+++ b/crypto/openssh/openbsd-compat/Makefile.in
@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.35 2005/08/26 20:15:20 tim Exp $
+# $Id: Makefile.in,v 1.37 2005/12/31 05:33:37 djm Exp $
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@ -18,9 +18,9 @@ LDFLAGS=-L. @LDFLAGS@
 OPENBSD=base64.o basename.o bindresvport.o daemon.o dirname.o getcwd.o getgrouplist.o getopt.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sigact.o strlcat.o strlcpy.o strmode.o strsep.o strtonum.o strtoll.o strtoul.o vis.o
-COMPAT=bsd-arc4random.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-snprintf.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
-PORTS=port-irix.o port-aix.o port-uw.o
+PORTS=port-irix.o port-aix.o port-uw.o port-tun.o
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
--- a/crypto/openssh/openbsd-compat/base64.c
+++ b/crypto/openssh/openbsd-compat/base64.c
@ -1,5 +1,3 @@
 /* OPENBSD ORIGINAL: lib/libc/net/base64.c */
 /*	$OpenBSD: base64.c,v 1.4 2002/01/02 23:00:10 deraadt Exp $	*/
 /*
@ -44,6 +42,8 @@
 * IF IBM IS APPRISED OF THE POSSIBILITY OF SUCH DAMAGES.
 */
 /* OPENBSD ORIGINAL: lib/libc/net/base64.c */
 #include "includes.h"
 #if (!defined(HAVE_B64_NTOP) && !defined(HAVE___B64_NTOP)) || (!defined(HAVE_B64_PTON) && !defined(HAVE___B64_PTON))
@ -139,7 +139,7 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
 	size_t datalength = 0;
 	u_char input[3];
 	u_char output[4];
-	int i;
+	u_int i;
 	while (2 < srclength) {
 		input[0] = *src++;
@ -206,7 +206,8 @@ b64_ntop(u_char const *src, size_t srclength, char *target, size_t targsize)
 int
 b64_pton(char const *src, u_char *target, size_t targsize)
 {
-	int tarindex, state, ch;
+	u_int tarindex, state;
 	int ch;
 	char *pos;
 	state = 0;
--- a/crypto/openssh/openbsd-compat/basename.c
+++ b/crypto/openssh/openbsd-compat/basename.c
@ -1,9 +1,7 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
+/*	$OpenBSD: basename.c,v 1.14 2005/08/08 08:05:33 espie Exp $	*/
 /*	$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $	*/
 /*
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -18,34 +16,35 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/basename.c */
 #include "includes.h"
 #ifndef HAVE_BASENAME
 #ifndef lint
 static char rcsid[] = "$OpenBSD: basename.c,v 1.11 2003/06/17 21:56:23 millert Exp $";
 #endif /* not lint */
 char *
 basename(const char *path)
 {
 	static char bname[MAXPATHLEN];
-	register const char *endp, *startp;
+	size_t len;
 	const char *endp, *startp;
 	/* Empty or NULL string gets treated as "." */
 	if (path == NULL || *path == '\0') {
-		(void)strlcpy(bname, ".", sizeof bname);
+		bname[0] = '.';
-		return(bname);
+		bname[1] = '\0';
 		return (bname);
 	}
-	/* Strip trailing slashes */
+	/* Strip any trailing slashes */
 	endp = path + strlen(path) - 1;
 	while (endp > path && *endp == '/')
 		endp--;
-	/* All slashes become "/" */
+	/* All slashes becomes "/" */
 	if (endp == path && *endp == '/') {
-		(void)strlcpy(bname, "/", sizeof bname);
+		bname[0] = '/';
-		return(bname);
+		bname[1] = '\0';
 		return (bname);
 	}
 	/* Find the start of the base */
@ -53,12 +52,14 @@ basename(const char *path)
 	while (startp > path && *(startp - 1) != '/')
 		startp--;
-	if (endp - startp + 2 > sizeof(bname)) {
+	len = endp - startp + 1;
 	if (len >= sizeof(bname)) {
 		errno = ENAMETOOLONG;
-		return(NULL);
+		return (NULL);
 	}
-	strlcpy(bname, startp, endp - startp + 2);
+	memcpy(bname, startp, len);
-	return(bname);
+	bname[len] = '\0';
 	return (bname);
 }
 #endif /* !defined(HAVE_BASENAME) */
--- a/crypto/openssh/openbsd-compat/bindresvport.c
+++ b/crypto/openssh/openbsd-compat/bindresvport.c
@ -1,6 +1,6 @@
 /* This file has be substantially modified from the original OpenBSD source */
-/*	$OpenBSD: bindresvport.c,v 1.15 2003/05/20 22:42:35 deraadt Exp $	*/
+/*	$OpenBSD: bindresvport.c,v 1.16 2005/04/01 07:44:03 otto Exp $	*/
 /*
 * Copyright 1996, Jason Downs.  All rights reserved.
@ -28,6 +28,8 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/rpc/bindresvport.c */
 #include "includes.h"
 #ifndef HAVE_BINDRESVPORT_SA
@ -42,9 +44,7 @@
 * Bind a socket to a privileged IP port
 */
 int
-bindresvport_sa(sd, sa)
+bindresvport_sa(int sd, struct sockaddr *sa)
 	int sd;
 	struct sockaddr *sa;
 {
 	int error, af;
 	struct sockaddr_storage myaddr;
--- a/crypto/openssh/openbsd-compat/bsd-asprintf.c
+++ b/crypto/openssh/openbsd-compat/bsd-asprintf.c
@ -0,0 +1,95 @@
 /*
 * Copyright (c) 2004 Darren Tucker.
 *
 * Based originally on asprintf.c from OpenBSD:
 * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include "includes.h"
 #ifndef HAVE_VASPRINTF
 #ifndef VA_COPY
 # ifdef HAVE_VA_COPY
 #  define VA_COPY(dest, src) va_copy(dest, src)
 # else
 #  ifdef HAVE___VA_COPY
 #   define VA_COPY(dest, src) __va_copy(dest, src)
 #  else
 #   define VA_COPY(dest, src) (dest) = (src)
 #  endif
 # endif
 #endif
 #define INIT_SZ	128
 int vasprintf(char **str, const char *fmt, va_list ap)
 {
 	int ret = -1;
 	va_list ap2;
 	char *string, *newstr;
 	size_t len;
 	VA_COPY(ap2, ap);
 	if ((string = malloc(INIT_SZ)) == NULL)
 		goto fail;
 	ret = vsnprintf(string, INIT_SZ, fmt, ap2);
 	if (ret >= 0 && ret < INIT_SZ) { /* succeeded with initial alloc */
 		*str = string;
 	} else if (ret == INT_MAX) { /* shouldn't happen */
 		goto fail;
 	} else {	/* bigger than initial, realloc allowing for nul */
 		len = (size_t)ret + 1;
 		if ((newstr = realloc(string, len)) == NULL) {
 			free(string);
 			goto fail;
 		} else {
 			va_end(ap2);
 			VA_COPY(ap2, ap);
 			ret = vsnprintf(newstr, len, fmt, ap2);
 			if (ret >= 0 && (size_t)ret < len) {
 				*str = newstr;
 			} else { /* failed with realloc'ed string, give up */
 				free(newstr);
 				goto fail;
 			}
 		}
 	}
 	va_end(ap2);
 	return (ret);
 fail:
 	*str = NULL;
 	errno = ENOMEM;
 	va_end(ap2);
 	return (-1);
 }
 #endif
 #ifndef HAVE_ASPRINTF
 int asprintf(char **str, const char *fmt, ...)
 {
 	va_list ap;
 	int ret;
 	*str = NULL;
 	va_start(ap, fmt);
 	ret = vasprintf(str, fmt, ap);
 	va_end(ap);
 	return ret;
 }
 #endif
--- a/crypto/openssh/openbsd-compat/bsd-closefrom.c
+++ b/crypto/openssh/openbsd-compat/bsd-closefrom.c
@ -46,7 +46,7 @@
 # define OPEN_MAX	256
 #endif
-RCSID("$Id: bsd-closefrom.c,v 1.1 2004/08/15 08:41:00 djm Exp $");
+RCSID("$Id: bsd-closefrom.c,v 1.2 2005/11/10 08:29:13 dtucker Exp $");
 #ifndef lint
 static const char sudorcsid[] = "$Sudo: closefrom.c,v 1.6 2004/06/01 20:51:56 millert Exp $";
@ -67,7 +67,7 @@ closefrom(int lowfd)
    /* Check for a /proc/$$/fd directory. */
    len = snprintf(fdpath, sizeof(fdpath), "/proc/%ld/fd", (long)getpid());
-    if (len != -1 && len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
+    if (len >= 0 && (u_int)len <= sizeof(fdpath) && (dirp = opendir(fdpath))) {
 	while ((dent = readdir(dirp)) != NULL) {
 	    fd = strtol(dent->d_name, &endp, 10);
 	    if (dent->d_name != endp && *endp == '\0' &&
--- a/crypto/openssh/openbsd-compat/bsd-misc.c
+++ b/crypto/openssh/openbsd-compat/bsd-misc.c
@ -18,7 +18,7 @@
 #include "includes.h"
 #include "xmalloc.h"
-RCSID("$Id: bsd-misc.c,v 1.27 2005/05/27 11:13:41 dtucker Exp $");
+RCSID("$Id: bsd-misc.c,v 1.28 2005/11/01 22:07:31 dtucker Exp $");
 #ifndef HAVE___PROGNAME
 char *__progname;
@ -223,10 +223,7 @@ strdup(const char *str)
 	len = strlen(str) + 1;
 	cp = malloc(len);
 	if (cp != NULL)
-		if (strlcpy(cp, str, len) != len) {
+		return(memcpy(cp, str, len));
-			free(cp);
+	return NULL;
 			return NULL;
 		}
 	return cp;
 }
 #endif
--- a/crypto/openssh/openbsd-compat/bsd-snprintf.c
+++ b/crypto/openssh/openbsd-compat/bsd-snprintf.c
@ -45,45 +45,82 @@
 *    missing.  Some systems only have snprintf() but not vsnprintf(), so
 *    the code is now broken down under HAVE_SNPRINTF and HAVE_VSNPRINTF.
 *
- *  Ben Lindstrom <mouring@eviladmin.org> 09/27/00 for OpenSSH
+ *  Andrew Tridgell (tridge@samba.org) Oct 1998
- *    Welcome to the world of %lld and %qd support.  With other
+ *    fixed handling of %.0f
- *    long long support.  This is needed for sftp-server to work
+ *    added test for HAVE_LONG_DOUBLE
 *    right.
 *
- *  Ben Lindstrom <mouring@eviladmin.org> 02/12/01 for OpenSSH
+ * tridge@samba.org, idra@samba.org, April 2001
- *    Removed all hint of VARARGS stuff and banished it to the void,
+ *    got rid of fcvt code (twas buggy and made testing harder)
- *    and did a bit of KNF style work to make things a bit more
+ *    added C99 semantics
- *    acceptable.  Consider stealing from mutt or enlightenment.
+ *
 * date: 2002/12/19 19:56:31;  author: herb;  state: Exp;  lines: +2 -0
 * actually print args for %g and %e
 * 
 * date: 2002/06/03 13:37:52;  author: jmcd;  state: Exp;  lines: +8 -0
 * Since includes.h isn't included here, VA_COPY has to be defined here.  I don't
 * see any include file that is guaranteed to be here, so I'm defining it
 * locally.  Fixes AIX and Solaris builds.
 * 
 * date: 2002/06/03 03:07:24;  author: tridge;  state: Exp;  lines: +5 -13
 * put the ifdef for HAVE_VA_COPY in one place rather than in lots of
 * functions
 * 
 * date: 2002/05/17 14:51:22;  author: jmcd;  state: Exp;  lines: +21 -4
 * Fix usage of va_list passed as an arg.  Use __va_copy before using it
 * when it exists.
 * 
 * date: 2002/04/16 22:38:04;  author: idra;  state: Exp;  lines: +20 -14
 * Fix incorrect zpadlen handling in fmtfp.
 * Thanks to Ollie Oldham <ollie.oldham@metro-optix.com> for spotting it.
 * few mods to make it easier to compile the tests.
 * addedd the "Ollie" test to the floating point ones.
 *
 * Martin Pool (mbp@samba.org) April 2003
 *    Remove NO_CONFIG_H so that the test case can be built within a source
 *    tree with less trouble.
 *    Remove unnecessary SAFE_FREE() definition.
 *
 * Martin Pool (mbp@samba.org) May 2003
 *    Put in a prototype for dummy_snprintf() to quiet compiler warnings.
 *
 *    Move #endif to make sure VA_COPY, LDOUBLE, etc are defined even
 *    if the C library has some snprintf functions already.
 **************************************************************/
 #include "includes.h"
-RCSID("$Id: bsd-snprintf.c,v 1.9 2004/09/23 11:35:09 dtucker Exp $");
+RCSID("$Id: bsd-snprintf.c,v 1.11 2005/12/17 11:32:04 dtucker Exp $");
 #if defined(BROKEN_SNPRINTF)		/* For those with broken snprintf() */
 # undef HAVE_SNPRINTF
 # undef HAVE_VSNPRINTF
 #endif
 #ifndef VA_COPY
 # ifdef HAVE_VA_COPY
 #  define VA_COPY(dest, src) va_copy(dest, src)
 # else
 #  ifdef HAVE___VA_COPY
 #   define VA_COPY(dest, src) __va_copy(dest, src)
 #  else
 #   define VA_COPY(dest, src) (dest) = (src)
 #  endif
 # endif
 #endif
 #if !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF)
-static void 
+#ifdef HAVE_LONG_DOUBLE
-dopr(char *buffer, size_t maxlen, const char *format, va_list args);
+# define LDOUBLE long double
 #else
 # define LDOUBLE double
 #endif
-static void 
+#ifdef HAVE_LONG_LONG
-fmtstr(char *buffer, size_t *currlen, size_t maxlen, char *value, int flags, 
+# define LLONG long long
-    int min, int max);
+#else
-
+# define LLONG long
-static void 
+#endif
 fmtint(char *buffer, size_t *currlen, size_t maxlen, long value, int base, 
    int min, int max, int flags);
 static void 
 fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 
    int min, int max, int flags);
 static void
 dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
 /*
 * dopr(): poor man's version of doprintf
@ -109,28 +146,49 @@ dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
 #define DP_F_UNSIGNED 	(1 << 6)
 /* Conversion Flags */
-#define DP_C_SHORT     1
+#define DP_C_SHORT   1
-#define DP_C_LONG      2
+#define DP_C_LONG    2
-#define DP_C_LDOUBLE   3
+#define DP_C_LDOUBLE 3
-#define DP_C_LONG_LONG 4
+#define DP_C_LLONG   4
-#define char_to_int(p) (p - '0')
+#define char_to_int(p) ((p)- '0')
-#define abs_val(p) (p < 0 ? -p : p)
+#ifndef MAX
 # define MAX(p,q) (((p) >= (q)) ? (p) : (q))
 #endif
 static size_t dopr(char *buffer, size_t maxlen, const char *format, 
 		   va_list args_in);
 static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 		    char *value, int flags, int min, int max);
 static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
 		    long value, int base, int min, int max, int flags);
 static void fmtfp(char *buffer, size_t *currlen, size_t maxlen,
 		   LDOUBLE fvalue, int min, int max, int flags);
 static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c);
-static void 
+static size_t dopr(char *buffer, size_t maxlen, const char *format, va_list args_in)
 dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 {
-	char *strvalue, ch;
+	char ch;
-	long value;
+	LLONG value;
-	long double fvalue;
+	LDOUBLE fvalue;
-	int min = 0, max = -1, state = DP_S_DEFAULT, flags = 0, cflags = 0;
+	char *strvalue;
-	size_t currlen = 0;
+	int min;
-  
+	int max;
-	ch = *format++;
+	int state;
 	int flags;
 	int cflags;
 	size_t currlen;
 	va_list args;
 	VA_COPY(args, args_in);
 	state = DP_S_DEFAULT;
 	currlen = flags = cflags = min = 0;
 	max = -1;
 	ch = *format++;
 	while (state != DP_S_DONE) {
-		if ((ch == '\0') || (currlen >= maxlen)) 
+		if (ch == '\0') 
 			state = DP_S_DONE;
 		switch(state) {
@ -138,7 +196,7 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 			if (ch == '%') 
 				state = DP_S_FLAGS;
 			else 
-				dopr_outch(buffer, &currlen, maxlen, ch);
+				dopr_outch (buffer, &currlen, maxlen, ch);
 			ch = *format++;
 			break;
 		case DP_S_FLAGS:
@ -170,34 +228,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 			break;
 		case DP_S_MIN:
 			if (isdigit((unsigned char)ch)) {
-				min = 10 * min + char_to_int (ch);
+				min = 10*min + char_to_int (ch);
 				ch = *format++;
 			} else if (ch == '*') {
 				min = va_arg (args, int);
 				ch = *format++;
 				state = DP_S_DOT;
-			} else 
+			} else {
 				state = DP_S_DOT;
 			}
 			break;
 		case DP_S_DOT:
 			if (ch == '.') {
 				state = DP_S_MAX;
 				ch = *format++;
-			} else 
+			} else { 
 				state = DP_S_MOD;
 			}
 			break;
 		case DP_S_MAX:
 			if (isdigit((unsigned char)ch)) {
 				if (max < 0)
 					max = 0;
-				max = 10 * max + char_to_int(ch);
+				max = 10*max + char_to_int (ch);
 				ch = *format++;
 			} else if (ch == '*') {
 				max = va_arg (args, int);
 				ch = *format++;
 				state = DP_S_MOD;
-			} else 
+			} else {
 				state = DP_S_MOD;
 			}
 			break;
 		case DP_S_MOD:
 			switch (ch) {
@ -208,15 +269,11 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 			case 'l':
 				cflags = DP_C_LONG;
 				ch = *format++;
-				if (ch == 'l') {
+				if (ch == 'l') {	/* It's a long long */
-					cflags = DP_C_LONG_LONG;
+					cflags = DP_C_LLONG;
 					ch = *format++;
 				}
 				break;
 			case 'q':
 				cflags = DP_C_LONG_LONG;
 				ch = *format++;
 				break;
 			case 'L':
 				cflags = DP_C_LDOUBLE;
 				ch = *format++;
@ -231,37 +288,37 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 			case 'd':
 			case 'i':
 				if (cflags == DP_C_SHORT) 
-					value = va_arg(args, int);
+					value = va_arg (args, int);
 				else if (cflags == DP_C_LONG)
-					value = va_arg(args, long int);
+					value = va_arg (args, long int);
-				else if (cflags == DP_C_LONG_LONG)
+				else if (cflags == DP_C_LLONG)
-					value = va_arg (args, long long);
+					value = va_arg (args, LLONG);
 				else
 					value = va_arg (args, int);
-				fmtint(buffer, &currlen, maxlen, value, 10, min, max, flags);
+				fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
 				break;
 			case 'o':
 				flags |= DP_F_UNSIGNED;
 				if (cflags == DP_C_SHORT)
-					value = va_arg(args, unsigned int);
+					value = va_arg (args, unsigned int);
 				else if (cflags == DP_C_LONG)
-					value = va_arg(args, unsigned long int);
+					value = (long)va_arg (args, unsigned long int);
-				else if (cflags == DP_C_LONG_LONG)
+				else if (cflags == DP_C_LLONG)
-					value = va_arg(args, unsigned long long);
+					value = (long)va_arg (args, unsigned LLONG);
 				else
-					value = va_arg(args, unsigned int);
+					value = (long)va_arg (args, unsigned int);
-				fmtint(buffer, &currlen, maxlen, value, 8, min, max, flags);
+				fmtint (buffer, &currlen, maxlen, value, 8, min, max, flags);
 				break;
 			case 'u':
 				flags |= DP_F_UNSIGNED;
 				if (cflags == DP_C_SHORT)
-					value = va_arg(args, unsigned int);
+					value = va_arg (args, unsigned int);
 				else if (cflags == DP_C_LONG)
-					value = va_arg(args, unsigned long int);
+					value = (long)va_arg (args, unsigned long int);
-				else if (cflags == DP_C_LONG_LONG)
+				else if (cflags == DP_C_LLONG)
-					value = va_arg(args, unsigned long long);
+					value = (LLONG)va_arg (args, unsigned LLONG);
 				else
-					value = va_arg(args, unsigned int);
+					value = (long)va_arg (args, unsigned int);
 				fmtint (buffer, &currlen, maxlen, value, 10, min, max, flags);
 				break;
 			case 'X':
@ -269,79 +326,86 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 			case 'x':
 				flags |= DP_F_UNSIGNED;
 				if (cflags == DP_C_SHORT)
-					value = va_arg(args, unsigned int);
+					value = va_arg (args, unsigned int);
 				else if (cflags == DP_C_LONG)
-					value = va_arg(args, unsigned long int);
+					value = (long)va_arg (args, unsigned long int);
-				else if (cflags == DP_C_LONG_LONG)
+				else if (cflags == DP_C_LLONG)
-					value = va_arg(args, unsigned long long);
+					value = (LLONG)va_arg (args, unsigned LLONG);
 				else
-					value = va_arg(args, unsigned int);
+					value = (long)va_arg (args, unsigned int);
-				fmtint(buffer, &currlen, maxlen, value, 16, min, max, flags);
+				fmtint (buffer, &currlen, maxlen, value, 16, min, max, flags);
 				break;
 			case 'f':
 				if (cflags == DP_C_LDOUBLE)
-					fvalue = va_arg(args, long double);
+					fvalue = va_arg (args, LDOUBLE);
 				else
-					fvalue = va_arg(args, double);
+					fvalue = va_arg (args, double);
 				/* um, floating point? */
-				fmtfp(buffer, &currlen, maxlen, fvalue, min, max, flags);
+				fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
 				break;
 			case 'E':
 				flags |= DP_F_UP;
 			case 'e':
 				if (cflags == DP_C_LDOUBLE)
-					fvalue = va_arg(args, long double);
+					fvalue = va_arg (args, LDOUBLE);
 				else
-					fvalue = va_arg(args, double);
+					fvalue = va_arg (args, double);
 				fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
 				break;
 			case 'G':
 				flags |= DP_F_UP;
 			case 'g':
 				if (cflags == DP_C_LDOUBLE)
-					fvalue = va_arg(args, long double);
+					fvalue = va_arg (args, LDOUBLE);
 				else
-					fvalue = va_arg(args, double);
+					fvalue = va_arg (args, double);
 				fmtfp (buffer, &currlen, maxlen, fvalue, min, max, flags);
 				break;
 			case 'c':
-				dopr_outch(buffer, &currlen, maxlen, va_arg(args, int));
+				dopr_outch (buffer, &currlen, maxlen, va_arg (args, int));
 				break;
 			case 's':
-				strvalue = va_arg(args, char *);
+				strvalue = va_arg (args, char *);
-				if (max < 0) 
+				if (!strvalue) strvalue = "(NULL)";
-					max = maxlen; /* ie, no max */
+				if (max == -1) {
-				fmtstr(buffer, &currlen, maxlen, strvalue, flags, min, max);
+					max = strlen(strvalue);
 				}
 				if (min > 0 && max >= 0 && min > max) max = min;
 				fmtstr (buffer, &currlen, maxlen, strvalue, flags, min, max);
 				break;
 			case 'p':
-				strvalue = va_arg(args, void *);
+				strvalue = va_arg (args, void *);
-				fmtint(buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
+				fmtint (buffer, &currlen, maxlen, (long) strvalue, 16, min, max, flags);
 				break;
 			case 'n':
 				if (cflags == DP_C_SHORT) {
 					short int *num;
-					num = va_arg(args, short int *);
+					num = va_arg (args, short int *);
 					*num = currlen;
 				} else if (cflags == DP_C_LONG) {
 					long int *num;
-					num = va_arg(args, long int *);
+					num = va_arg (args, long int *);
-					*num = currlen;
+					*num = (long int)currlen;
-				} else if (cflags == DP_C_LONG_LONG) {
+				} else if (cflags == DP_C_LLONG) {
-					long long *num;
+					LLONG *num;
-					num = va_arg(args, long long *);
+					num = va_arg (args, LLONG *);
-					*num = currlen;
+					*num = (LLONG)currlen;
 				} else {
 					int *num;
-					num = va_arg(args, int *);
+					num = va_arg (args, int *);
 					*num = currlen;
 				}
 				break;
 			case '%':
-				dopr_outch(buffer, &currlen, maxlen, ch);
+				dopr_outch (buffer, &currlen, maxlen, ch);
 				break;
-			case 'w': /* not supported yet, treat as next char */
+			case 'w':
 				/* not supported yet, treat as next char */
 				ch = *format++;
 				break;
-			default: /* Unknown, skip */
+			default:
-			break;
+				/* Unknown, skip */
 				break;
 			}
 			ch = *format++;
 			state = DP_S_DEFAULT;
@ -350,24 +414,33 @@ dopr(char *buffer, size_t maxlen, const char *format, va_list args)
 			break;
 		case DP_S_DONE:
 			break;
-		default: /* hmm? */
+		default:
 			/* hmm? */
 			break; /* some picky compilers need this */
 		}
 	}
-	if (currlen < maxlen - 1) 
+	if (maxlen != 0) {
-		buffer[currlen] = '\0';
+		if (currlen < maxlen - 1) 
-	else 
+			buffer[currlen] = '\0';
-		buffer[maxlen - 1] = '\0';
+		else if (maxlen > 0) 
 			buffer[maxlen - 1] = '\0';
 	}
 	return currlen;
 }
-static void
+static void fmtstr(char *buffer, size_t *currlen, size_t maxlen,
-fmtstr(char *buffer, size_t *currlen, size_t maxlen,
+		    char *value, int flags, int min, int max)
    char *value, int flags, int min, int max)
 {
-	int cnt = 0, padlen, strln;     /* amount to pad */
+	int padlen, strln;     /* amount to pad */
-  
+	int cnt = 0;
-	if (value == 0) 
+
 #ifdef DEBUG_SNPRINTF
 	printf("fmtstr min=%d max=%d s=[%s]\n", min, max, value);
 #endif
 	if (value == 0) {
 		value = "<NULL>";
 	}
 	for (strln = 0; strln < max && value[strln]; ++strln); /* strlen */
 	padlen = min - strln;
@ -375,18 +448,18 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 		padlen = 0;
 	if (flags & DP_F_MINUS) 
 		padlen = -padlen; /* Left Justify */
-
+	
 	while ((padlen > 0) && (cnt < max)) {
-		dopr_outch(buffer, currlen, maxlen, ' ');
+		dopr_outch (buffer, currlen, maxlen, ' ');
 		--padlen;
 		++cnt;
 	}
 	while (*value && (cnt < max)) {
-		dopr_outch(buffer, currlen, maxlen, *value++);
+		dopr_outch (buffer, currlen, maxlen, *value++);
 		++cnt;
 	}
 	while ((padlen < 0) && (cnt < max)) {
-		dopr_outch(buffer, currlen, maxlen, ' ');
+		dopr_outch (buffer, currlen, maxlen, ' ');
 		++padlen;
 		++cnt;
 	}
@ -394,49 +467,49 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 /* Have to handle DP_F_NUM (ie 0x and 0 alternates) */
-static void 
+static void fmtint(char *buffer, size_t *currlen, size_t maxlen,
-fmtint(char *buffer, size_t *currlen, size_t maxlen,
+		    long value, int base, int min, int max, int flags)
    long value, int base, int min, int max, int flags)
 {
 	int signvalue = 0;
 	unsigned long uvalue;
 	char convert[20];
-	int signvalue = 0, place = 0, caps = 0;
+	int place = 0;
 	int spadlen = 0; /* amount to space pad */
 	int zpadlen = 0; /* amount to zero pad */
-  
+	int caps = 0;
 	if (max < 0)
 		max = 0;
-
+	
 	uvalue = value;
-
+	
-	if (!(flags & DP_F_UNSIGNED)) {
+	if(!(flags & DP_F_UNSIGNED)) {
-		if (value < 0) {
+		if( value < 0 ) {
 			signvalue = '-';
 			uvalue = -value;
-		} else if (flags & DP_F_PLUS)  /* Do a sign (+/i) */
+		} else {
-			signvalue = '+';
+			if (flags & DP_F_PLUS)  /* Do a sign (+/i) */
-		else if (flags & DP_F_SPACE)
+				signvalue = '+';
-			signvalue = ' ';
+			else if (flags & DP_F_SPACE)
 				signvalue = ' ';
 		}
 	}
-	if (flags & DP_F_UP) 
+	if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
-		caps = 1; /* Should characters be upper case? */
+
 	do {
 		convert[place++] =
-		    (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+			(caps? "0123456789ABCDEF":"0123456789abcdef")
-		    [uvalue % (unsigned)base];
+			[uvalue % (unsigned)base  ];
 		uvalue = (uvalue / (unsigned)base );
-	} while (uvalue && (place < 20));
+	} while(uvalue && (place < 20));
-	if (place == 20) 
+	if (place == 20) place--;
 		place--;
 	convert[place] = 0;
 	zpadlen = max - place;
 	spadlen = min - MAX (max, place) - (signvalue ? 1 : 0);
-	if (zpadlen < 0)
+	if (zpadlen < 0) zpadlen = 0;
-		zpadlen = 0;
+	if (spadlen < 0) spadlen = 0;
 	if (spadlen < 0)
 		spadlen = 0;
 	if (flags & DP_F_ZERO) {
 		zpadlen = MAX(zpadlen, spadlen);
 		spadlen = 0;
@ -444,27 +517,32 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
 	if (flags & DP_F_MINUS) 
 		spadlen = -spadlen; /* Left Justifty */
 #ifdef DEBUG_SNPRINTF
 	printf("zpad: %d, spad: %d, min: %d, max: %d, place: %d\n",
 	       zpadlen, spadlen, min, max, place);
 #endif
 	/* Spaces */
 	while (spadlen > 0) {
-		dopr_outch(buffer, currlen, maxlen, ' ');
+		dopr_outch (buffer, currlen, maxlen, ' ');
 		--spadlen;
 	}
 	/* Sign */
 	if (signvalue) 
-		dopr_outch(buffer, currlen, maxlen, signvalue);
+		dopr_outch (buffer, currlen, maxlen, signvalue);
 	/* Zeros */
 	if (zpadlen > 0) {
 		while (zpadlen > 0) {
-			dopr_outch(buffer, currlen, maxlen, '0');
+			dopr_outch (buffer, currlen, maxlen, '0');
 			--zpadlen;
 		}
 	}
 	/* Digits */
 	while (place > 0) 
-		dopr_outch(buffer, currlen, maxlen, convert[--place]);
+		dopr_outch (buffer, currlen, maxlen, convert[--place]);
 	/* Left Justified spaces */
 	while (spadlen < 0) {
@ -473,11 +551,20 @@ fmtint(char *buffer, size_t *currlen, size_t maxlen,
 	}
 }
-static long double 
+static LDOUBLE abs_val(LDOUBLE value)
 pow10(int exp)
 {
-	long double result = 1;
+	LDOUBLE result = value;
 	if (value < 0)
 		result = -value;
 	return result;
 }
 static LDOUBLE POW10(int exp)
 {
 	LDOUBLE result = 1;
 	while (exp) {
 		result *= 10;
 		exp--;
@ -486,28 +573,69 @@ pow10(int exp)
 	return result;
 }
-static long 
+static LLONG ROUND(LDOUBLE value)
 round(long double value)
 {
-	long intpart = value;
+	LLONG intpart;
 	value -= intpart;
 	if (value >= 0.5)
 		intpart++;
 	intpart = (LLONG)value;
 	value = value - intpart;
 	if (value >= 0.5) intpart++;
 	return intpart;
 }
-static void 
+/* a replacement for modf that doesn't need the math library. Should
-fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue, 
+   be portable, but slow */
-      int min, int max, int flags)
+static double my_modf(double x0, double *iptr)
 {
-	char iconvert[20], fconvert[20];
+	int i;
-	int signvalue = 0, iplace = 0, fplace = 0;
+	long l;
 	double x = x0;
 	double f = 1.0;
 	for (i=0;i<100;i++) {
 		l = (long)x;
 		if (l <= (x+1) && l >= (x-1)) break;
 		x *= 0.1;
 		f *= 10.0;
 	}
 	if (i == 100) {
 		/* yikes! the number is beyond what we can handle. What do we do? */
 		(*iptr) = 0;
 		return 0;
 	}
 	if (i != 0) {
 		double i2;
 		double ret;
 		ret = my_modf(x0-l*f, &i2);
 		(*iptr) = l*f + i2;
 		return ret;
 	} 
 	(*iptr) = l;
 	return x - (*iptr);
 }
 static void fmtfp (char *buffer, size_t *currlen, size_t maxlen,
 		   LDOUBLE fvalue, int min, int max, int flags)
 {
 	int signvalue = 0;
 	double ufvalue;
 	char iconvert[311];
 	char fconvert[311];
 	int iplace = 0;
 	int fplace = 0;
 	int padlen = 0; /* amount to pad */
-	int zpadlen = 0, caps = 0;
+	int zpadlen = 0; 
-	long intpart, fracpart;
+	int caps = 0;
-	long double ufvalue;
+	int idx;
 	double intpart;
 	double fracpart;
 	double temp;
 	/* 
 	 * AIX manpage says the default is 0, but Solaris says the default
@ -516,137 +644,159 @@ fmtfp(char *buffer, size_t *currlen, size_t maxlen, long double fvalue,
 	if (max < 0)
 		max = 6;
-	ufvalue = abs_val(fvalue);
+	ufvalue = abs_val (fvalue);
-	if (fvalue < 0)
+	if (fvalue < 0) {
 		signvalue = '-';
-	else if (flags & DP_F_PLUS)  /* Do a sign (+/i) */
+	} else {
-		signvalue = '+';
+		if (flags & DP_F_PLUS) { /* Do a sign (+/i) */
-	else if (flags & DP_F_SPACE)
+			signvalue = '+';
-		signvalue = ' ';
+		} else {
 			if (flags & DP_F_SPACE)
 				signvalue = ' ';
 		}
 	}
-	intpart = ufvalue;
+#if 0
 	if (flags & DP_F_UP) caps = 1; /* Should characters be upper case? */
 #endif
 #if 0
 	 if (max == 0) ufvalue += 0.5; /* if max = 0 we must round */
 #endif
 	/* 
-	 * Sorry, we only support 9 digits past the decimal because of our 
+	 * Sorry, we only support 16 digits past the decimal because of our 
 	 * conversion method
 	 */
-	if (max > 9)
+	if (max > 16)
-		max = 9;
+		max = 16;
 	/* We "cheat" by converting the fractional part to integer by
 	 * multiplying by a factor of 10
 	 */
 	fracpart = round((pow10 (max)) * (ufvalue - intpart));
-	if (fracpart >= pow10 (max)) {
+	temp = ufvalue;
 	my_modf(temp, &intpart);
 	fracpart = ROUND((POW10(max)) * (ufvalue - intpart));
 	if (fracpart >= POW10(max)) {
 		intpart++;
-		fracpart -= pow10 (max);
+		fracpart -= POW10(max);
 	}
 	/* Convert integer part */
 	do {
 		temp = intpart*0.1;
 		my_modf(temp, &intpart);
 		idx = (int) ((temp -intpart +0.05)* 10.0);
 		/* idx = (int) (((double)(temp*0.1) -intpart +0.05) *10.0); */
 		/* printf ("%llf, %f, %x\n", temp, intpart, idx); */
 		iconvert[iplace++] =
-		    (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+			(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
-		    [intpart % 10];
+	} while (intpart && (iplace < 311));
-		intpart = (intpart / 10);
+	if (iplace == 311) iplace--;
 	} while(intpart && (iplace < 20));
 	if (iplace == 20) 
 		iplace--;
 	iconvert[iplace] = 0;
 	/* Convert fractional part */
-	do {
+	if (fracpart)
-		fconvert[fplace++] =
+	{
-		    (caps ? "0123456789ABCDEF" : "0123456789abcdef")
+		do {
-		    [fracpart % 10];
+			temp = fracpart*0.1;
-		fracpart = (fracpart / 10);
+			my_modf(temp, &fracpart);
-	} while(fracpart && (fplace < 20));
+			idx = (int) ((temp -fracpart +0.05)* 10.0);
-	if (fplace == 20) 
+			/* idx = (int) ((((temp/10) -fracpart) +0.05) *10); */
-		fplace--;
+			/* printf ("%lf, %lf, %ld\n", temp, fracpart, idx ); */
 			fconvert[fplace++] =
 			(caps? "0123456789ABCDEF":"0123456789abcdef")[idx];
 		} while(fracpart && (fplace < 311));
 		if (fplace == 311) fplace--;
 	}
 	fconvert[fplace] = 0;
-
+  
 	/* -1 for decimal point, another -1 if we are printing a sign */
 	padlen = min - iplace - max - 1 - ((signvalue) ? 1 : 0); 
 	zpadlen = max - fplace;
-	if (zpadlen < 0)
+	if (zpadlen < 0) zpadlen = 0;
 		zpadlen = 0;
 	if (padlen < 0) 
 		padlen = 0;
 	if (flags & DP_F_MINUS) 
 		padlen = -padlen; /* Left Justifty */
-
+	
 	if ((flags & DP_F_ZERO) && (padlen > 0)) {
 		if (signvalue) {
-			dopr_outch(buffer, currlen, maxlen, signvalue);
+			dopr_outch (buffer, currlen, maxlen, signvalue);
 			--padlen;
 			signvalue = 0;
 		}
 		while (padlen > 0) {
-			dopr_outch(buffer, currlen, maxlen, '0');
+			dopr_outch (buffer, currlen, maxlen, '0');
 			--padlen;
 		}
 	}
 	while (padlen > 0) {
-		dopr_outch(buffer, currlen, maxlen, ' ');
+		dopr_outch (buffer, currlen, maxlen, ' ');
 		--padlen;
 	}
 	if (signvalue) 
-		dopr_outch(buffer, currlen, maxlen, signvalue);
+		dopr_outch (buffer, currlen, maxlen, signvalue);
-
+	
 	while (iplace > 0) 
-		dopr_outch(buffer, currlen, maxlen, iconvert[--iplace]);
+		dopr_outch (buffer, currlen, maxlen, iconvert[--iplace]);
 #ifdef DEBUG_SNPRINTF
 	printf("fmtfp: fplace=%d zpadlen=%d\n", fplace, zpadlen);
 #endif
 	/*
-	 * Decimal point.  This should probably use locale to find the 
+	 * Decimal point.  This should probably use locale to find the correct
-	 * correct char to print out.
+	 * char to print out.
 	 */
-	dopr_outch(buffer, currlen, maxlen, '.');
+	if (max > 0) {
 		dopr_outch (buffer, currlen, maxlen, '.');
 		while (zpadlen > 0) {
 			dopr_outch (buffer, currlen, maxlen, '0');
 			--zpadlen;
 		}
-	while (fplace > 0) 
+		while (fplace > 0) 
-		dopr_outch(buffer, currlen, maxlen, fconvert[--fplace]);
+			dopr_outch (buffer, currlen, maxlen, fconvert[--fplace]);
 	while (zpadlen > 0) {
 		dopr_outch(buffer, currlen, maxlen, '0');
 		--zpadlen;
 	}
 	while (padlen < 0) {
-		dopr_outch(buffer, currlen, maxlen, ' ');
+		dopr_outch (buffer, currlen, maxlen, ' ');
 		++padlen;
 	}
 }
-static void 
+static void dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
 dopr_outch(char *buffer, size_t *currlen, size_t maxlen, char c)
 {
-	if (*currlen < maxlen)
+	if (*currlen < maxlen) {
-		buffer[(*currlen)++] = c;
+		buffer[(*currlen)] = c;
 	}
 	(*currlen)++;
 }
 #endif /* !defined(HAVE_SNPRINTF) || !defined(HAVE_VSNPRINTF) */
-#ifndef HAVE_VSNPRINTF
+#if !defined(HAVE_VSNPRINTF)
-int 
+int vsnprintf (char *str, size_t count, const char *fmt, va_list args)
 vsnprintf(char *str, size_t count, const char *fmt, va_list args)
 {
-	str[0] = 0;
+	return dopr(str, count, fmt, args);
 	dopr(str, count, fmt, args);
 	return(strlen(str));
 }
-#endif /* !HAVE_VSNPRINTF */
+#endif
-#ifndef HAVE_SNPRINTF
+#if !defined(HAVE_SNPRINTF)
-int 
+int snprintf(char *str, size_t count, SNPRINTF_CONST char *fmt, ...)
 snprintf(char *str,size_t count,const char *fmt,...)
 {
 	size_t ret;
 	va_list ap;
 	va_start(ap, fmt);
-	(void) vsnprintf(str, count, fmt, ap);
+	ret = vsnprintf(str, count, fmt, ap);
 	va_end(ap);
-
+	return ret;
 	return(strlen(str));
 }
 #endif
 #endif /* !HAVE_SNPRINTF */
--- a/crypto/openssh/openbsd-compat/daemon.c
+++ b/crypto/openssh/openbsd-compat/daemon.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
+/*	$OpenBSD: daemon.c,v 1.6 2005/08/08 08:05:33 espie Exp $ */
 /*-
 * Copyright (c) 1990, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -29,14 +28,12 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/daemon.c */
 #include "includes.h"
 #ifndef HAVE_DAEMON
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] = "$OpenBSD: daemon.c,v 1.5 2003/07/15 17:32:41 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 int
 daemon(int nochdir, int noclose)
 {
--- a/crypto/openssh/openbsd-compat/dirname.c
+++ b/crypto/openssh/openbsd-compat/dirname.c
@ -1,9 +1,7 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
+/*	$OpenBSD: dirname.c,v 1.13 2005/08/08 08:05:33 espie Exp $	*/
 /*      $OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $    */
 /*
- * Copyright (c) 1997 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 1997, 2004 Todd C. Miller <Todd.Miller@courtesan.com>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@ -18,13 +16,11 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/dirname.c */
 #include "includes.h"
 #ifndef HAVE_DIRNAME
 #ifndef lint
 static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Exp $";
 #endif /* not lint */
 #include <errno.h>
 #include <string.h>
 #include <sys/param.h>
@ -32,16 +28,18 @@ static char rcsid[] = "$OpenBSD: dirname.c,v 1.10 2003/06/17 21:56:23 millert Ex
 char *
 dirname(const char *path)
 {
-	static char bname[MAXPATHLEN];
+	static char dname[MAXPATHLEN];
-	register const char *endp;
+	size_t len;
 	const char *endp;
 	/* Empty or NULL string gets treated as "." */
 	if (path == NULL || *path == '\0') {
-		(void)strlcpy(bname, ".", sizeof bname);
+		dname[0] = '.';
-		return(bname);
+		dname[1] = '\0';
 		return (dname);
 	}
-	/* Strip trailing slashes */
+	/* Strip any trailing slashes */
 	endp = path + strlen(path) - 1;
 	while (endp > path && *endp == '/')
 		endp--;
@ -52,19 +50,23 @@ dirname(const char *path)
 	/* Either the dir is "/" or there are no slashes */
 	if (endp == path) {
-		(void)strlcpy(bname, *endp == '/' ? "/" : ".", sizeof bname);
+		dname[0] = *endp == '/' ? '/' : '.';
-		return(bname);
+		dname[1] = '\0';
 		return (dname);
 	} else {
 		/* Move forward past the separating slashes */
 		do {
 			endp--;
 		} while (endp > path && *endp == '/');
 	}
-	if (endp - path + 2 > sizeof(bname)) {
+	len = endp - path + 1;
 	if (len >= sizeof(dname)) {
 		errno = ENAMETOOLONG;
-		return(NULL);
+		return (NULL);
 	}
-	strlcpy(bname, path, endp - path + 2);
+	memcpy(dname, path, len);
-	return(bname);
+	dname[len] = '\0';
 	return (dname);
 }
 #endif
--- a/crypto/openssh/openbsd-compat/getcwd.c
+++ b/crypto/openssh/openbsd-compat/getcwd.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
+/*	$OpenBSD: getcwd.c,v 1.14 2005/08/08 08:05:34 espie Exp $ */
 /*
 * Copyright (c) 1989, 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -29,14 +28,12 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/getcwd.c */
 #include "includes.h"
 #if !defined(HAVE_GETCWD)
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/param.h>
 #include <sys/stat.h>
 #include <errno.h>
@ -54,12 +51,12 @@ static char rcsid[] = "$OpenBSD: getcwd.c,v 1.9 2003/06/11 21:03:10 deraadt Exp
 char *
 getcwd(char *pt, size_t size)
 {
-	register struct dirent *dp;
+	struct dirent *dp;
-	register DIR *dir = NULL;
+	DIR *dir = NULL;
-	register dev_t dev;
+	dev_t dev;
-	register ino_t ino;
+	ino_t ino;
-	register int first;
+	int first;
-	register char *bpt, *bup;
+	char *bpt, *bup;
 	struct stat s;
 	dev_t root_dev;
 	ino_t root_ino;
@ -80,7 +77,7 @@ getcwd(char *pt, size_t size)
 		}
 		ept = pt + size;
 	} else {
-		if ((pt = malloc(ptsize = 1024 - 4)) == NULL)
+		if ((pt = malloc(ptsize = MAXPATHLEN)) == NULL)
 			return (NULL);
 		ept = pt + ptsize;
 	}
@ -88,13 +85,13 @@ getcwd(char *pt, size_t size)
 	*bpt = '\0';
 	/*
-	 * Allocate bytes (1024 - malloc space) for the string of "../"'s.
+	 * Allocate bytes for the string of "../"'s.
 	 * Should always be enough (it's 340 levels).  If it's not, allocate
 	 * as necessary.  Special * case the first stat, it's ".", not "..".
 	 */
-	if ((up = malloc(upsize = 1024 - 4)) == NULL)
+	if ((up = malloc(upsize = MAXPATHLEN)) == NULL)
 		goto err;
-	eup = up + MAXPATHLEN;
+	eup = up + upsize;
 	bup = up;
 	up[0] = '.';
 	up[1] = '\0';
@ -139,18 +136,16 @@ getcwd(char *pt, size_t size)
 			if ((nup = realloc(up, upsize *= 2)) == NULL)
 				goto err;
 			bup = nup + (bup - up);
 			up = nup;
 			bup = up;
 			eup = up + upsize;
 		}
 		*bup++ = '.';
 		*bup++ = '.';
 		*bup = '\0';
-		/* Open and stat parent directory. 
+		/* Open and stat parent directory. */
-		 * RACE?? - replaced fstat(dirfd(dir), &s) w/ lstat(up,&s) 
+		if (!(dir = opendir(up)) || fstat(dirfd(dir), &s))
                 */
 		if (!(dir = opendir(up)) || lstat(up,&s))
 			goto err;
 		/* Add trailing slash for next directory. */
@ -175,7 +170,7 @@ getcwd(char *pt, size_t size)
 					goto notfound;
 				if (ISDOT(dp))
 					continue;
-				memmove(bup, dp->d_name, dp->d_namlen + 1);
+				memcpy(bup, dp->d_name, dp->d_namlen + 1);
 				/* Save the first error for later. */
 				if (lstat(up, &s)) {
@ -193,19 +188,18 @@ getcwd(char *pt, size_t size)
 		 * leading slash.
 		 */
 		if (bpt - pt < dp->d_namlen + (first ? 1 : 2)) {
-			size_t len, off;
+			size_t len;
 			char *npt;
 			if (!ptsize) {
 				errno = ERANGE;
 				goto err;
 			}
 			off = bpt - pt;
 			len = ept - bpt;
 			if ((npt = realloc(pt, ptsize *= 2)) == NULL)
 				goto err;
 			bpt = npt + (bpt - pt);
 			pt = npt;
 			bpt = pt + off;
 			ept = pt + ptsize;
 			memmove(ept - len, bpt, len);
 			bpt = ept - len;
@ -213,7 +207,7 @@ getcwd(char *pt, size_t size)
 		if (!first)
 			*--bpt = '/';
 		bpt -= dp->d_namlen;
-		memmove(bpt, dp->d_name, dp->d_namlen);
+		memcpy(bpt, dp->d_name, dp->d_namlen);
 		(void)closedir(dir);
 		/* Truncate any file name. */
@ -230,12 +224,16 @@ getcwd(char *pt, size_t size)
 		errno = save_errno ? save_errno : ENOENT;
 	/* FALLTHROUGH */
 err:
 	save_errno = errno;
 	if (ptsize)
 		free(pt);
-	if (up)
+	free(up);
 		free(up);
 	if (dir)
 		(void)closedir(dir);
 	errno = save_errno;
 	return (NULL);
 }
--- a/crypto/openssh/openbsd-compat/getgrouplist.c
+++ b/crypto/openssh/openbsd-compat/getgrouplist.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
+/*	$OpenBSD: getgrouplist.c,v 1.12 2005/08/08 08:05:34 espie Exp $ */
 /*
 * Copyright (c) 1991, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -29,14 +28,12 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/getgrouplist.c */
 #include "includes.h"
 #ifndef HAVE_GETGROUPLIST
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 /*
 * get credential
 */
@ -46,14 +43,10 @@ static char rcsid[] = "$OpenBSD: getgrouplist.c,v 1.9 2003/06/25 21:16:47 deraad
 #include <grp.h>
 int
-getgrouplist(uname, agroup, groups, grpcnt)
+getgrouplist(const char *uname, gid_t agroup, gid_t *groups, int *grpcnt)
 	const char *uname;
 	gid_t agroup;
 	register gid_t *groups;
 	int *grpcnt;
 {
-	register struct group *grp;
+	struct group *grp;
-	register int i, ngroups;
+	int i, ngroups;
 	int ret, maxgroups;
 	int bail;
--- a/crypto/openssh/openbsd-compat/getopt.c
+++ b/crypto/openssh/openbsd-compat/getopt.c
@ -1,5 +1,3 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
 /*
 * Copyright (c) 1987, 1993, 1994
 *	The Regents of the University of California.  All rights reserved.
@ -29,6 +27,8 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdlib/getopt.c */
 #include "includes.h"
 #if !defined(HAVE_GETOPT) || !defined(HAVE_GETOPT_OPTRESET)
--- a/crypto/openssh/openbsd-compat/getrrsetbyname.c
+++ b/crypto/openssh/openbsd-compat/getrrsetbyname.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
+/* $OpenBSD: getrrsetbyname.c,v 1.10 2005/03/30 02:58:28 tedu Exp $ */
 /* $OpenBSD: getrrsetbyname.c,v 1.7 2003/03/07 07:34:14 itojun Exp $ */
 /*
 * Copyright (c) 2001 Jakob Schlyter. All rights reserved.
@ -45,54 +43,26 @@
 * WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/net/getrrsetbyname.c */
 #include "includes.h"
 #ifndef HAVE_GETRRSETBYNAME
 #include "getrrsetbyname.h"
 #define ANSWER_BUFFER_SIZE 1024*64
 #if defined(HAVE_DECL_H_ERRNO) && !HAVE_DECL_H_ERRNO
 extern int h_errno;
 #endif
-struct dns_query {
+/* We don't need multithread support here */
-	char			*name;
+#ifdef _THREAD_PRIVATE
-	u_int16_t		type;
+# undef _THREAD_PRIVATE
-	u_int16_t		class;
+#endif
-	struct dns_query	*next;
+#define _THREAD_PRIVATE(a,b,c) (c)
-};
+struct __res_state _res;
-struct dns_rr {
+/* Necessary functions and macros */
 	char			*name;
 	u_int16_t		type;
 	u_int16_t		class;
 	u_int16_t		ttl;
 	u_int16_t		size;
 	void			*rdata;
 	struct dns_rr		*next;
 };
 struct dns_response {
 	HEADER			header;
 	struct dns_query	*query;
 	struct dns_rr		*answer;
 	struct dns_rr		*authority;
 	struct dns_rr		*additional;
 };
 static struct dns_response *parse_dns_response(const u_char *, int);
 static struct dns_query *parse_dns_qsection(const u_char *, int,
    const u_char **, int);
 static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
    int);
 static void free_dns_query(struct dns_query *);
 static void free_dns_rr(struct dns_rr *);
 static void free_dns_response(struct dns_response *);
 static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
 /*
 * Inline versions of get/put short/long.  Pointer is advanced.
@ -162,14 +132,56 @@ _getlong(msgp)
 u_int32_t _getlong(register const u_char *);
 #endif
 /* ************** */
 #define ANSWER_BUFFER_SIZE 1024*64
 struct dns_query {
 	char			*name;
 	u_int16_t		type;
 	u_int16_t		class;
 	struct dns_query	*next;
 };
 struct dns_rr {
 	char			*name;
 	u_int16_t		type;
 	u_int16_t		class;
 	u_int16_t		ttl;
 	u_int16_t		size;
 	void			*rdata;
 	struct dns_rr		*next;
 };
 struct dns_response {
 	HEADER			header;
 	struct dns_query	*query;
 	struct dns_rr		*answer;
 	struct dns_rr		*authority;
 	struct dns_rr		*additional;
 };
 static struct dns_response *parse_dns_response(const u_char *, int);
 static struct dns_query *parse_dns_qsection(const u_char *, int,
    const u_char **, int);
 static struct dns_rr *parse_dns_rrsection(const u_char *, int, const u_char **,
    int);
 static void free_dns_query(struct dns_query *);
 static void free_dns_rr(struct dns_rr *);
 static void free_dns_response(struct dns_response *);
 static int count_dns_rr(struct dns_rr *, u_int16_t, u_int16_t);
 int
 getrrsetbyname(const char *hostname, unsigned int rdclass,
    unsigned int rdtype, unsigned int flags,
    struct rrsetinfo **res)
 {
 	struct __res_state *_resp = _THREAD_PRIVATE(_res, _res, &_res);
 	int result;
 	struct rrsetinfo *rrset = NULL;
-	struct dns_response *response;
+	struct dns_response *response = NULL;
 	struct dns_rr *rr;
 	struct rdatainfo *rdata;
 	int length;
@ -195,19 +207,19 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 	}
 	/* initialize resolver */
-	if ((_res.options & RES_INIT) == 0 && res_init() == -1) {
+	if ((_resp->options & RES_INIT) == 0 && res_init() == -1) {
 		result = ERRSET_FAIL;
 		goto fail;
 	}
 #ifdef DEBUG
-	_res.options |= RES_DEBUG;
+	_resp->options |= RES_DEBUG;
 #endif /* DEBUG */
 #ifdef RES_USE_DNSSEC
 	/* turn on DNSSEC if EDNS0 is configured */
-	if (_res.options & RES_USE_EDNS0)
+	if (_resp->options & RES_USE_EDNS0)
-		_res.options |= RES_USE_DNSSEC;
+		_resp->options |= RES_USE_DNSSEC;
 #endif /* RES_USE_DNSEC */
 	/* make query */
@ -257,13 +269,11 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 #endif
 	/* copy name from answer section */
-	length = strlen(response->answer->name);
+	rrset->rri_name = strdup(response->answer->name);
 	rrset->rri_name = malloc(length + 1);
 	if (rrset->rri_name == NULL) {
 		result = ERRSET_NOMEMORY;
 		goto fail;
 	}
 	strlcpy(rrset->rri_name, response->answer->name, length + 1);
 	/* count answers */
 	rrset->rri_nrdatas = count_dns_rr(response->answer, rrset->rri_rdclass,
@ -281,7 +291,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 	/* allocate memory for signatures */
 	rrset->rri_sigs = calloc(rrset->rri_nsigs, sizeof(struct rdatainfo));
-	if (rrset->rri_nsigs > 0 && rrset->rri_sigs == NULL) {
+	if (rrset->rri_sigs == NULL) {
 		result = ERRSET_NOMEMORY;
 		goto fail;
 	}
@ -311,6 +321,7 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 			memcpy(rdata->rdi_data, rr->rdata, rr->size);
 		}
 	}
 	free_dns_response(response);
 	*res = rrset;
 	return (ERRSET_SUCCESS);
@ -318,6 +329,8 @@ getrrsetbyname(const char *hostname, unsigned int rdclass,
 fail:
 	if (rrset != NULL)
 		freerrset(rrset);
 	if (response != NULL)
 		free_dns_response(response);
 	return (result);
 }
@ -467,7 +480,8 @@ parse_dns_qsection(const u_char *answer, int size, const u_char **cp, int count)
 }
 static struct dns_rr *
-parse_dns_rrsection(const u_char *answer, int size, const u_char **cp, int count)
+parse_dns_rrsection(const u_char *answer, int size, const u_char **cp,
    int count)
 {
 	struct dns_rr *head, *curr, *prev;
 	int i, length;
--- a/crypto/openssh/openbsd-compat/glob.c
+++ b/crypto/openssh/openbsd-compat/glob.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
+/*	$OpenBSD: glob.c,v 1.25 2005/08/08 08:05:34 espie Exp $ */
 /*
 * Copyright (c) 1989, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -32,6 +31,8 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/glob.c */
 #include "includes.h"
 #include <ctype.h>
@ -50,14 +51,6 @@ get_arg_max(void)
 #if !defined(HAVE_GLOB) || !defined(GLOB_HAS_ALTDIRFUNC) || \
    !defined(GLOB_HAS_GL_MATCHC)
 #if defined(LIBC_SCCS) && !defined(lint)
 #if 0
 static char sccsid[] = "@(#)glob.c	8.3 (Berkeley) 10/13/93";
 #else
 static char rcsid[] = "$OpenBSD: glob.c,v 1.22 2003/06/25 21:16:47 deraadt Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
 /*
 * glob(3) -- a superset of the one defined in POSIX 1003.2.
 *
@ -158,10 +151,8 @@ static void	 qprintf(const char *, Char *);
 #endif
 int
-glob(pattern, flags, errfunc, pglob)
+glob(const char *pattern, int flags, int (*errfunc)(const char *, int),
-	const char *pattern;
+    glob_t *pglob)
 	int flags, (*errfunc)(const char *, int);
 	glob_t *pglob;
 {
 	const u_char *patnext;
 	int c;
@ -209,9 +200,7 @@ glob(pattern, flags, errfunc, pglob)
 * characters
 */
 static int
-globexp1(pattern, pglob)
+globexp1(const Char *pattern, glob_t *pglob)
 	const Char *pattern;
 	glob_t *pglob;
 {
 	const Char* ptr = pattern;
 	int rv;
@ -234,10 +223,7 @@ globexp1(pattern, pglob)
 * If it fails then it tries to glob the rest of the pattern and returns.
 */
 static int
-globexp2(ptr, pattern, pglob, rv)
+globexp2(const Char *ptr, const Char *pattern, glob_t *pglob, int *rv)
 	const Char *ptr, *pattern;
 	glob_t *pglob;
 	int *rv;
 {
 	int     i;
 	Char   *lm, *ls;
@ -342,11 +328,7 @@ globexp2(ptr, pattern, pglob, rv)
 * expand tilde from the passwd file.
 */
 static const Char *
-globtilde(pattern, patbuf, patbuf_len, pglob)
+globtilde(const Char *pattern, Char *patbuf, size_t patbuf_len, glob_t *pglob)
 	const Char *pattern;
 	Char *patbuf;
 	size_t patbuf_len;
 	glob_t *pglob;
 {
 	struct passwd *pwd;
 	char *h;
@ -414,9 +396,7 @@ globtilde(pattern, patbuf, patbuf_len, pglob)
 * to find no matches.
 */
 static int
-glob0(pattern, pglob)
+glob0(const Char *pattern, glob_t *pglob)
 	const Char *pattern;
 	glob_t *pglob;
 {
 	const Char *qpatnext;
 	int c, err, oldpathc;
@ -503,17 +483,13 @@ glob0(pattern, pglob)
 }
 static int
-compare(p, q)
+compare(const void *p, const void *q)
 	const void *p, *q;
 {
 	return(strcmp(*(char **)p, *(char **)q));
 }
 static int
-glob1(pattern, pattern_last, pglob, limitp)
+glob1(Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
 	Char *pattern, *pattern_last;
 	glob_t *pglob;
 	size_t *limitp;
 {
 	Char pathbuf[MAXPATHLEN];
@ -531,12 +507,8 @@ glob1(pattern, pattern_last, pglob, limitp)
 * meta characters.
 */
 static int
-glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern,
+glob2(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
-    pattern_last, pglob, limitp)
+    Char *pattern, Char *pattern_last, glob_t *pglob, size_t *limitp)
 	Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
 	Char *pattern, *pattern_last;
 	glob_t *pglob;
 	size_t *limitp;
 {
 	struct stat sb;
 	Char *p, *q;
@ -595,14 +567,11 @@ glob2(pathbuf, pathbuf_last, pathend, pathend_last, pattern,
 }
 static int
-glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
+glob3(Char *pathbuf, Char *pathbuf_last, Char *pathend, Char *pathend_last,
-    restpattern, restpattern_last, pglob, limitp)
+    Char *pattern, Char *pattern_last, Char *restpattern,
-	Char *pathbuf, *pathbuf_last, *pathend, *pathend_last;
+    Char *restpattern_last, glob_t *pglob, size_t *limitp)
 	Char *pattern, *pattern_last, *restpattern, *restpattern_last;
 	glob_t *pglob;
 	size_t *limitp;
 {
-	register struct dirent *dp;
+	struct dirent *dp;
 	DIR *dirp;
 	int err;
 	char buf[MAXPATHLEN];
@ -640,8 +609,8 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
 	else
 		readdirfunc = (struct dirent *(*)(void *))readdir;
 	while ((dp = (*readdirfunc)(dirp))) {
-		register u_char *sc;
+		u_char *sc;
-		register Char *dc;
+		Char *dc;
 		/* Initial DOT must be matched literally. */
 		if (dp->d_name[0] == DOT && *pattern != DOT)
@ -689,13 +658,10 @@ glob3(pathbuf, pathbuf_last, pathend, pathend_last, pattern, pattern_last,
 *	gl_pathv points to (gl_offs + gl_pathc + 1) items.
 */
 static int
-globextend(path, pglob, limitp)
+globextend(const Char *path, glob_t *pglob, size_t *limitp)
 	const Char *path;
 	glob_t *pglob;
 	size_t *limitp;
 {
-	register char **pathv;
+	char **pathv;
-	register int i;
+	int i;
 	u_int newsize, len;
 	char *copy;
 	const Char *p;
@ -747,8 +713,7 @@ globextend(path, pglob, limitp)
 * pattern causes a recursion level.
 */
 static int
-match(name, pat, patend)
+match(Char *name, Char *pat, Char *patend)
 	register Char *name, *pat, *patend;
 {
 	int ok, negate_range;
 	Char c, k;
@ -759,11 +724,10 @@ match(name, pat, patend)
 		case M_ALL:
 			if (pat == patend)
 				return(1);
-			do
+			do {
 			    if (match(name, pat, patend))
 				    return(1);
-			while (*name++ != EOS)
+			} while (*name++ != EOS);
 				;
 			return(0);
 		case M_ONE:
 			if (*name++ == EOS)
@ -796,11 +760,10 @@ match(name, pat, patend)
 /* Free allocated data belonging to a glob_t structure. */
 void
-globfree(pglob)
+globfree(glob_t *pglob)
 	glob_t *pglob;
 {
-	register int i;
+	int i;
-	register char **pp;
+	char **pp;
 	if (pglob->gl_pathv != NULL) {
 		pp = pglob->gl_pathv + pglob->gl_offs;
@ -813,9 +776,7 @@ globfree(pglob)
 }
 static DIR *
-g_opendir(str, pglob)
+g_opendir(Char *str, glob_t *pglob)
 	register Char *str;
 	glob_t *pglob;
 {
 	char buf[MAXPATHLEN];
@ -833,10 +794,7 @@ g_opendir(str, pglob)
 }
 static int
-g_lstat(fn, sb, pglob)
+g_lstat(Char *fn, struct stat *sb, glob_t *pglob)
 	register Char *fn;
 	struct stat *sb;
 	glob_t *pglob;
 {
 	char buf[MAXPATHLEN];
@ -848,10 +806,7 @@ g_lstat(fn, sb, pglob)
 }
 static int
-g_stat(fn, sb, pglob)
+g_stat(Char *fn, struct stat *sb, glob_t *pglob)
 	register Char *fn;
 	struct stat *sb;
 	glob_t *pglob;
 {
 	char buf[MAXPATHLEN];
@ -863,9 +818,7 @@ g_stat(fn, sb, pglob)
 }
 static Char *
-g_strchr(str, ch)
+g_strchr(Char *str, int ch)
 	Char *str;
 	int ch;
 {
 	do {
 		if (*str == ch)
@ -875,10 +828,7 @@ g_strchr(str, ch)
 }
 static int
-g_Ctoc(str, buf, len)
+g_Ctoc(const Char *str, char *buf, u_int len)
 	register const Char *str;
 	char *buf;
 	u_int len;
 {
 	while (len--) {
@ -890,11 +840,9 @@ g_Ctoc(str, buf, len)
 #ifdef DEBUG
 static void
-qprintf(str, s)
+qprintf(const char *str, Char *s)
 	const char *str;
 	register Char *s;
 {
-	register Char *p;
+	Char *p;
 	(void)printf("%s:\n", str);
 	for (p = s; *p; p++)
--- a/crypto/openssh/openbsd-compat/glob.h
+++ b/crypto/openssh/openbsd-compat/glob.h
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: include/glob.h */
+/*	$OpenBSD: glob.h,v 1.9 2004/10/07 16:56:11 millert Exp $	*/
 /*	$OpenBSD: glob.h,v 1.8 2003/06/02 19:34:12 millert Exp $	*/
 /*	$NetBSD: glob.h,v 1.5 1994/10/26 00:55:56 cgd Exp $	*/
 /*
@ -37,6 +35,8 @@
 *	@(#)glob.h	8.1 (Berkeley) 6/2/93
 */
 /* OPENBSD ORIGINAL: include/glob.h */
 #if !defined(HAVE_GLOB_H) || !defined(GLOB_HAS_ALTDIRFUNC) || \
    !defined(GLOB_HAS_GL_MATCHC)
@ -72,6 +72,7 @@ typedef struct {
 #define	GLOB_MARK	0x0008	/* Append / to matching directories. */
 #define	GLOB_NOCHECK	0x0010	/* Return pattern itself if nothing matches. */
 #define	GLOB_NOSORT	0x0020	/* Don't sort. */
 #define	GLOB_NOESCAPE	0x1000	/* Disable backslash escaping. */
 #define	GLOB_ALTDIRFUNC	0x0040	/* Use alternately specified directory funcs. */
 #define	GLOB_BRACE	0x0080	/* Expand braces ala csh. */
@ -79,7 +80,6 @@ typedef struct {
 #define	GLOB_NOMAGIC	0x0200	/* GLOB_NOCHECK without magic chars (csh). */
 #define	GLOB_QUOTE	0x0400	/* Quote special chars with \. */
 #define	GLOB_TILDE	0x0800	/* Expand tilde names from the passwd file. */
 #define	GLOB_NOESCAPE	0x1000	/* Disable backslash escaping. */
 #define GLOB_LIMIT	0x2000	/* Limit pattern match output to ARG_MAX */
 /* Error values returned by glob(3) */
--- a/crypto/openssh/openbsd-compat/inet_aton.c
+++ b/crypto/openssh/openbsd-compat/inet_aton.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
+/*	$OpenBSD: inet_addr.c,v 1.9 2005/08/06 20:30:03 espie Exp $	*/
 /*	$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $	*/
 /*
 * Copyright (c) 1983, 1990, 1993
@ -51,19 +49,12 @@
 * --Copyright--
 */
 /* OPENBSD ORIGINAL: lib/libc/net/inet_addr.c */
 #include "includes.h"
 #if !defined(HAVE_INET_ATON)
 #if defined(LIBC_SCCS) && !defined(lint)
 #if 0
 static char sccsid[] = "@(#)inet_addr.c	8.1 (Berkeley) 6/17/93";
 static char rcsid[] = "$From: inet_addr.c,v 8.5 1996/08/05 08:31:35 vixie Exp $";
 #else
 static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <sys/param.h>
 #include <netinet/in.h>
@ -76,8 +67,7 @@ static char rcsid[] = "$OpenBSD: inet_addr.c,v 1.7 2003/06/02 20:18:35 millert E
 * The value returned is in network order.
 */
 in_addr_t
-inet_addr(cp)
+inet_addr(const char *cp)
 	register const char *cp;
 {
 	struct in_addr val;
@ -97,11 +87,11 @@ inet_addr(cp)
 int
 inet_aton(const char *cp, struct in_addr *addr)
 {
-	register u_int32_t val;
+	u_int32_t val;
-	register int base, n;
+	int base, n;
-	register char c;
+	char c;
-	unsigned int parts[4];
+	u_int parts[4];
-	register unsigned int *pp = parts;
+	u_int *pp = parts;
 	c = *cp;
 	for (;;) {
--- a/crypto/openssh/openbsd-compat/inet_ntoa.c
+++ b/crypto/openssh/openbsd-compat/inet_ntoa.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
+/*	$OpenBSD: inet_ntoa.c,v 1.6 2005/08/06 20:30:03 espie Exp $ */
 /*
 * Copyright (c) 1983, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -29,14 +28,12 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/net/inet_ntoa.c */
 #include "includes.h"
 #if defined(BROKEN_INET_NTOA) || !defined(HAVE_INET_NTOA)
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 /*
 * Convert network-format internet address
 * to base 256 d.d.d.d representation.
@ -46,10 +43,11 @@ static char rcsid[] = "$OpenBSD: inet_ntoa.c,v 1.4 2003/06/02 20:18:35 millert E
 #include <arpa/inet.h>
 #include <stdio.h>
-char *inet_ntoa(struct in_addr in)
+char *
 inet_ntoa(struct in_addr in)
 {
 	static char b[18];
-	register char *p;
+	char *p;
 	p = (char *)&in;
 #define	UC(b)	(((int)b)&0xff)
--- a/crypto/openssh/openbsd-compat/inet_ntop.c
+++ b/crypto/openssh/openbsd-compat/inet_ntop.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
+/*	$OpenBSD: inet_ntop.c,v 1.7 2005/08/06 20:30:03 espie Exp $	*/
 /*	$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $	*/
 /* Copyright (c) 1996 by Internet Software Consortium.
 *
@ -18,18 +16,12 @@
 * SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/net/inet_ntop.c */
 #include "includes.h"
 #ifndef HAVE_INET_NTOP
 #if defined(LIBC_SCCS) && !defined(lint)
 #if 0
 static char rcsid[] = "$From: inet_ntop.c,v 8.7 1996/08/05 08:41:18 vixie Exp $";
 #else
 static char rcsid[] = "$OpenBSD: inet_ntop.c,v 1.5 2002/08/23 16:27:31 itojun Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
 #include <sys/param.h>
 #include <sys/types.h>
 #include <sys/socket.h>
@ -65,11 +57,7 @@ static const char *inet_ntop6(const u_char *src, char *dst, size_t size);
 *	Paul Vixie, 1996.
 */
 const char *
-inet_ntop(af, src, dst, size)
+inet_ntop(int af, const void *src, char *dst, size_t size)
 	int af;
 	const void *src;
 	char *dst;
 	size_t size;
 {
 	switch (af) {
 	case AF_INET:
@ -95,10 +83,7 @@ inet_ntop(af, src, dst, size)
 *	Paul Vixie, 1996.
 */
 static const char *
-inet_ntop4(src, dst, size)
+inet_ntop4(const u_char *src, char *dst, size_t size)
 	const u_char *src;
 	char *dst;
 	size_t size;
 {
 	static const char fmt[] = "%u.%u.%u.%u";
 	char tmp[sizeof "255.255.255.255"];
@ -120,10 +105,7 @@ inet_ntop4(src, dst, size)
 *	Paul Vixie, 1996.
 */
 static const char *
-inet_ntop6(src, dst, size)
+inet_ntop6(const u_char *src, char *dst, size_t size)
 	const u_char *src;
 	char *dst;
 	size_t size;
 {
 	/*
 	 * Note that int32_t and int16_t need only be "at least" large enough
--- a/crypto/openssh/openbsd-compat/mktemp.c
+++ b/crypto/openssh/openbsd-compat/mktemp.c
@ -1,8 +1,7 @@
 /* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
 /* THIS FILE HAS BEEN MODIFIED FROM THE ORIGINAL OPENBSD SOURCE */
 /* Changes: Removed mktemp */
 /*	$OpenBSD: mktemp.c,v 1.19 2005/08/08 08:05:36 espie Exp $ */
 /*
 * Copyright (c) 1987, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -32,20 +31,16 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdio/mktemp.c */
 #include "includes.h"
 #if !defined(HAVE_MKDTEMP) || defined(HAVE_STRICT_MKSTEMP)
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] = "$OpenBSD: mktemp.c,v 1.17 2003/06/02 20:18:37 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 static int _gettemp(char *, int *, int, int);
 int
-mkstemps(path, slen)
+mkstemps(char *path, int slen)
 	char *path;
 	int slen;
 {
 	int fd;
@ -53,8 +48,7 @@ mkstemps(path, slen)
 }
 int
-mkstemp(path)
+mkstemp(char *path)
 	char *path;
 {
 	int fd;
@ -62,8 +56,7 @@ mkstemp(path)
 }
 char *
-mkdtemp(path)
+mkdtemp(char *path)
 	char *path;
 {
 	return(_gettemp(path, (int *)NULL, 1, 0) ? path : (char *)NULL);
 }
--- a/crypto/openssh/openbsd-compat/openbsd-compat.h
+++ b/crypto/openssh/openbsd-compat/openbsd-compat.h
@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.30 2005/08/26 20:15:20 tim Exp $ */
+/* $Id: openbsd-compat.h,v 1.33 2005/12/31 05:33:37 djm Exp $ */
 /*
 * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@ -142,6 +142,10 @@ unsigned int arc4random(void);
 void arc4random_stir(void);
 #endif /* !HAVE_ARC4RANDOM */
 #ifndef HAVE_ASPRINTF
 int asprintf(char **, const char *, ...);
 #endif 
 #ifndef HAVE_OPENPTY
 int openpty(int *, int *, char *, struct termios *, struct winsize *);
 #endif /* HAVE_OPENPTY */
@ -152,10 +156,18 @@ int openpty(int *, int *, char *, struct termios *, struct winsize *);
 int snprintf(char *, size_t, const char *, ...);
 #endif 
 #ifndef HAVE_STRTOLL
 long long strtoll(const char *, char **, int);
 #endif
 #ifndef HAVE_STRTONUM
 long long strtonum(const char *, long long, long long, const char **);
 #endif
 #ifndef HAVE_VASPRINTF
 int vasprintf(char **, const char *, va_list);
 #endif
 #ifndef HAVE_VSNPRINTF
 int vsnprintf(char *, size_t, const char *, va_list);
 #endif
@ -174,5 +186,6 @@ char *shadow_pw(struct passwd *pw);
 #include "port-irix.h"
 #include "port-aix.h"
 #include "port-uw.h"
 #include "port-tun.h"
 #endif /* _OPENBSD_COMPAT_H */
--- a/crypto/openssh/openbsd-compat/openssl-compat.h
+++ b/crypto/openssh/openbsd-compat/openssl-compat.h
@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.1 2005/06/09 11:45:11 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
 /*
 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@ -24,7 +24,11 @@
 # define EVP_CIPHER_CTX_get_app_data(e)		((e)->app_data)
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
 # define USE_BUILTIN_RIJNDAEL
 #endif
 #ifdef USE_BUILTIN_RIJNDAEL
 # define EVP_aes_128_cbc evp_rijndael
 # define EVP_aes_192_cbc evp_rijndael
 # define EVP_aes_256_cbc evp_rijndael
@ -43,7 +47,12 @@ extern const EVP_CIPHER *evp_acss(void);
 #endif
 /*
- * insert comment here
+ * We overload some of the OpenSSL crypto functions with ssh_* equivalents
 * which cater for older and/or less featureful OpenSSL version.
 *
 * In order for the compat library to call the real functions, it must
 * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
 * implement the ssh_* equivalents.
 */
 #ifdef SSH_OLD_EVP
--- a/crypto/openssh/openbsd-compat/port-tun.c
+++ b/crypto/openssh/openbsd-compat/port-tun.c
@ -0,0 +1,252 @@
 /*
 * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include "includes.h"
 #include "log.h"
 #include "misc.h"
 #include "bufaux.h"
 /*
 * This is the portable version of the SSH tunnel forwarding, it
 * uses some preprocessor definitions for various platform-specific
 * settings.
 *
 * SSH_TUN_LINUX	Use the (newer) Linux tun/tap device
 * SSH_TUN_COMPAT_AF	Translate the OpenBSD address family
 * SSH_TUN_PREPEND_AF	Prepend/remove the address family
 */
 /*
 * System-specific tunnel open function
 */
 #if defined(SSH_TUN_LINUX)
 #include <linux/if.h>
 #include <linux/if_tun.h>
 int
 sys_tun_open(int tun, int mode)
 {
 	struct ifreq ifr;
 	int fd = -1;
 	const char *name = NULL;
 	if ((fd = open("/dev/net/tun", O_RDWR)) == -1) {
 		debug("%s: failed to open tunnel control interface: %s",
 		    __func__, strerror(errno));
 		return (-1);
 	}
 	bzero(&ifr, sizeof(ifr));	
 	if (mode == SSH_TUNMODE_ETHERNET) {
 		ifr.ifr_flags = IFF_TAP;
 		name = "tap%d";
 	} else {
 		ifr.ifr_flags = IFF_TUN;
 		name = "tun%d";
 	}
 	ifr.ifr_flags |= IFF_NO_PI;
 	if (tun != SSH_TUNID_ANY) {
 		if (tun > SSH_TUNID_MAX) {
 			debug("%s: invalid tunnel id %x: %s", __func__,
 			    tun, strerror(errno));
 			goto failed;
 		}
 		snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), name, tun);
 	}
 	if (ioctl(fd, TUNSETIFF, &ifr) == -1) {
 		debug("%s: failed to configure tunnel (mode %d): %s", __func__,
 		    mode, strerror(errno));
 		goto failed;
 	}
 	if (tun == SSH_TUNID_ANY)
 		debug("%s: tunnel mode %d fd %d", __func__, mode, fd);
 	else
 		debug("%s: %s mode %d fd %d", __func__, ifr.ifr_name, mode, fd);
 	return (fd);
 failed:
 	close(fd);
 	return (-1);
 }
 #endif /* SSH_TUN_LINUX */
 #ifdef SSH_TUN_FREEBSD
 #include <sys/socket.h>
 #include <net/if.h>
 #include <net/if_tun.h>
 int
 sys_tun_open(int tun, int mode)
 {
 	struct ifreq ifr;
 	char name[100];
 	int fd = -1, sock, flag;
 	const char *tunbase = "tun";
 	if (mode == SSH_TUNMODE_ETHERNET) {
 #ifdef SSH_TUN_NO_L2
 		debug("%s: no layer 2 tunnelling support", __func__);
 		return (-1);
 #else
 		tunbase = "tap";
 #endif
 	}
 	/* Open the tunnel device */
 	if (tun <= SSH_TUNID_MAX) {
 		snprintf(name, sizeof(name), "/dev/%s%d", tunbase, tun);
 		fd = open(name, O_RDWR);
 	} else if (tun == SSH_TUNID_ANY) {
 		for (tun = 100; tun >= 0; tun--) {
 			snprintf(name, sizeof(name), "/dev/%s%d",
 			    tunbase, tun);
 			if ((fd = open(name, O_RDWR)) >= 0)
 				break;
 		}
 	} else {
 		debug("%s: invalid tunnel %u\n", __func__, tun);
 		return (-1);
 	}
 	if (fd < 0) {
 		debug("%s: %s open failed: %s", __func__, name,
 		    strerror(errno));
 		return (-1);
 	}
 	/* Turn on tunnel headers */
 	flag = 1;
 #if defined(TUNSIFHEAD) && !defined(SSH_TUN_PREPEND_AF)
 	if (mode != SSH_TUNMODE_ETHERNET &&
 	    ioctl(fd, TUNSIFHEAD, &flag) == -1) {
 		debug("%s: ioctl(%d, TUNSIFHEAD, 1): %s", __func__, fd,
 		    strerror(errno));
 		close(fd);
 	}
 #endif
 	debug("%s: %s mode %d fd %d", __func__, name, mode, fd);
 	/* Set the tunnel device operation mode */
 	snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s%d", tunbase, tun);
 	if ((sock = socket(PF_UNIX, SOCK_STREAM, 0)) == -1)
 		goto failed;
 	if (ioctl(sock, SIOCGIFFLAGS, &ifr) == -1)
 		goto failed;
 	ifr.ifr_flags |= IFF_UP;
 	if (ioctl(sock, SIOCSIFFLAGS, &ifr) == -1)
 		goto failed;
 	close(sock);
 	return (fd);
 failed:
 	if (fd >= 0)
 		close(fd);
 	if (sock >= 0)
 		close(sock);
 	debug("%s: failed to set %s mode %d: %s", __func__, name,
 	    mode, strerror(errno));
 	return (-1);
 }
 #endif /* SSH_TUN_FREEBSD */
 /*
 * System-specific channel filters
 */
 #if defined(SSH_TUN_FILTER)
 #define OPENBSD_AF_INET		2
 #define OPENBSD_AF_INET6	24
 int
 sys_tun_infilter(struct Channel *c, char *buf, int len)
 {
 #if defined(SSH_TUN_PREPEND_AF)
 	char rbuf[CHAN_RBUF];
 	struct ip *iph;
 #endif
 	u_int32_t *af;
 	char *ptr = buf;
 #if defined(SSH_TUN_PREPEND_AF)
 	if (len <= 0 || len > (int)(sizeof(rbuf) - sizeof(*af)))
 		return (-1);
 	ptr = (char *)&rbuf[0];
 	bcopy(buf, ptr + sizeof(u_int32_t), len);
 	len += sizeof(u_int32_t);
 	af = (u_int32_t *)ptr;
 	iph = (struct ip *)(ptr + sizeof(u_int32_t));
 	switch (iph->ip_v) {
 	case 6:
 		*af = AF_INET6;
 		break;
 	case 4:
 	default:
 		*af = AF_INET;
 		break;
 	}
 #endif
 #if defined(SSH_TUN_COMPAT_AF)
 	if (len < (int)sizeof(u_int32_t))
 		return (-1);
 	af = (u_int32_t *)ptr;
 	if (*af == htonl(AF_INET6))
 		*af = htonl(OPENBSD_AF_INET6);
 	else
 		*af = htonl(OPENBSD_AF_INET);
 #endif
 	buffer_put_string(&c->input, ptr, len);
 	return (0);
 }
 u_char *
 sys_tun_outfilter(struct Channel *c, u_char **data, u_int *dlen)
 {
 	u_char *buf;
 	u_int32_t *af;
 	*data = buffer_get_string(&c->output, dlen);
 	if (*dlen < sizeof(*af))
 		return (NULL);
 	buf = *data;
 #if defined(SSH_TUN_PREPEND_AF)
 	*dlen -= sizeof(u_int32_t);
 	buf = *data + sizeof(u_int32_t);
 #elif defined(SSH_TUN_COMPAT_AF)
 	af = ntohl(*(u_int32_t *)buf);
 	if (*af == OPENBSD_AF_INET6)
 		*af = htonl(AF_INET6);
 	else
 		*af = htonl(AF_INET);
 #endif
 	return (buf);
 }
 #endif /* SSH_TUN_FILTER */
--- a/crypto/openssh/openbsd-compat/port-tun.h
+++ b/crypto/openssh/openbsd-compat/port-tun.h
@ -0,0 +1,33 @@
 /*
 * Copyright (c) 2005 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #ifndef _PORT_TUN_H
 #define _PORT_TUN_H
 #include "channels.h"
 #if defined(SSH_TUN_LINUX) || defined(SSH_TUN_FREEBSD)
 # define CUSTOM_SYS_TUN_OPEN
 int	  sys_tun_open(int, int);
 #endif
 #if defined(SSH_TUN_COMPAT_AF) || defined(SSH_TUN_PREPEND_AF)
 # define SSH_TUN_FILTER
 int	 sys_tun_infilter(struct Channel *, char *, int);
 u_char	*sys_tun_outfilter(struct Channel *, u_char **, u_int *);
 #endif
 #endif
--- a/crypto/openssh/openbsd-compat/port-uw.c
+++ b/crypto/openssh/openbsd-compat/port-uw.c
@ -25,7 +25,7 @@
 #include "includes.h"
-#if defined(HAVE_LIBIAF)  &&  !defined(BROKEN_LIBIAF)
+#ifdef HAVE_LIBIAF
 #ifdef HAVE_CRYPT_H
 #include <crypt.h>
 #endif
@ -42,7 +42,6 @@ int
 sys_auth_passwd(Authctxt *authctxt, const char *password)
 {
 	struct passwd *pw = authctxt->pw;
 	char *encrypted_password;
 	char *salt;
 	int result;
@ -55,21 +54,24 @@ sys_auth_passwd(Authctxt *authctxt, const char *password)
 	/* Encrypt the candidate password using the proper salt. */
 	salt = (pw_password[0] && pw_password[1]) ? pw_password : "xx";
 #ifdef UNIXWARE_LONG_PASSWORDS
 	if (!nischeck(pw->pw_name))
 		encrypted_password = bigcrypt(password, salt);
 	else
 #endif /* UNIXWARE_LONG_PASSWORDS */
 		encrypted_password = xcrypt(password, salt);
 	/*
 	 * Authentication is accepted if the encrypted passwords
 	 * are identical.
 	 */
-	result = (strcmp(encrypted_password, pw_password) == 0);
+#ifdef UNIXWARE_LONG_PASSWORDS
 	if (!nischeck(pw->pw_name)) {
 		result = ((strcmp(bigcrypt(password, salt), pw_password) == 0)
 		||  (strcmp(osr5bigcrypt(password, salt), pw_password) == 0));
 	}
 	else
 #endif /* UNIXWARE_LONG_PASSWORDS */
 		result = (strcmp(xcrypt(password, salt), pw_password) == 0);
 #if !defined(BROKEN_LIBIAF)
 	if (authctxt->valid)
 		free(pw_password);
 #endif
 	return(result);
 }
@ -114,6 +116,7 @@ nischeck(char *namep)
 	functions that call shadow_pw() will need to free
 */
 #if !defined(BROKEN_LIBIAF)
 char *
 get_iaf_password(struct passwd *pw)
 {
@ -130,5 +133,6 @@ get_iaf_password(struct passwd *pw)
 	else
 		fatal("ia_openinfo: Unable to open the shadow passwd file");
 }
-#endif /* HAVE_LIBIAF  && !BROKEN_LIBIAF */
+#endif /* !BROKEN_LIBIAF */
 #endif /* HAVE_LIBIAF */
--- a/crypto/openssh/openbsd-compat/readpassphrase.c
+++ b/crypto/openssh/openbsd-compat/readpassphrase.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
+/*	$OpenBSD: readpassphrase.c,v 1.18 2005/08/08 08:05:34 espie Exp $	*/
 /*	$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $	*/
 /*
 * Copyright (c) 2000-2002 Todd C. Miller <Todd.Miller@courtesan.com>
@ -22,9 +20,7 @@
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */
-#if defined(LIBC_SCCS) && !defined(lint)
+/* OPENBSD ORIGINAL: lib/libc/gen/readpassphrase.c */
 static const char rcsid[] = "$OpenBSD: readpassphrase.c,v 1.16 2003/06/17 21:56:23 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include "includes.h"
--- a/crypto/openssh/openbsd-compat/readpassphrase.h
+++ b/crypto/openssh/openbsd-compat/readpassphrase.h
@ -1,34 +1,27 @@
-/* OPENBSD ORIGINAL: include/readpassphrase.h */
+/*	$OpenBSD: readpassphrase.h,v 1.5 2003/06/17 21:56:23 millert Exp $	*/
 /*	$OpenBSD: readpassphrase.h,v 1.3 2002/06/28 12:32:22 millert Exp $	*/
 /*
- * Copyright (c) 2000 Todd C. Miller <Todd.Miller@courtesan.com>
+ * Copyright (c) 2000, 2002 Todd C. Miller <Todd.Miller@courtesan.com>
 * All rights reserved.
 *
- * Redistribution and use in source and binary forms, with or without
+ * Permission to use, copy, modify, and distribute this software for any
- * modification, are permitted provided that the following conditions
+ * purpose with or without fee is hereby granted, provided that the above
- * are met:
+ * copyright notice and this permission notice appear in all copies.
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
- * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS;
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR
+ *
- * OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF
+ * Sponsored in part by the Defense Advanced Research Projects
- * ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * Agency (DARPA) and Air Force Research Laboratory, Air Force
 * Materiel Command, USAF, under agreement number F39502-99-1-0512.
 */
 /* OPENBSD ORIGINAL: include/readpassphrase.h */
 #ifndef _READPASSPHRASE_H_
 #define _READPASSPHRASE_H_
--- a/crypto/openssh/openbsd-compat/realpath.c
+++ b/crypto/openssh/openbsd-compat/realpath.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
+/*	$OpenBSD: realpath.c,v 1.13 2005/08/08 08:05:37 espie Exp $ */
 /*
 * Copyright (c) 2003 Constantin S. Svintsoff <kostik@iclub.nsu.ru>
 *
@ -28,6 +27,8 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdlib/realpath.c */
 #include "includes.h"
 #if !defined(HAVE_REALPATH) || defined(BROKEN_REALPATH)
--- a/crypto/openssh/openbsd-compat/rresvport.c
+++ b/crypto/openssh/openbsd-compat/rresvport.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
+/* $OpenBSD: rresvport.c,v 1.9 2005/11/10 10:00:17 espie Exp $ */
 /*
 * Copyright (c) 1995, 1996, 1998 Theo de Raadt.  All rights reserved.
 * Copyright (c) 1983, 1993, 1994
@ -30,26 +29,21 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/net/rresvport.c */
 #include "includes.h"
 #ifndef HAVE_RRESVPORT_AF
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: rresvport.c,v 1.6 2003/06/03 02:11:35 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include "includes.h"
 #if 0
 int
-rresvport(alport)
+rresvport(int *alport)
 	int *alport;
 {
 	return rresvport_af(alport, AF_INET);
 }
 #endif
-int 
+int
 rresvport_af(int *alport, sa_family_t af)
 {
 	struct sockaddr_storage ss;
--- a/crypto/openssh/openbsd-compat/setenv.c
+++ b/crypto/openssh/openbsd-compat/setenv.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
+/*	$OpenBSD: setenv.c,v 1.9 2005/08/08 08:05:37 espie Exp $ */
 /*
 * Copyright (c) 1987 Regents of the University of California.
 * All rights reserved.
@ -29,36 +28,31 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdlib/setenv.c */
 #include "includes.h"
 #if !defined(HAVE_SETENV) || !defined(HAVE_UNSETENV)
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: setenv.c,v 1.6 2003/06/02 20:18:38 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <stdlib.h>
 #include <string.h>
-char *__findenv(const char *name, int *offset);
+extern char **environ;
 /* OpenSSH Portable: __findenv is from getenv.c rev 1.8, made static */
 /*
 * __findenv --
 *	Returns pointer to value associated with name, if any, else NULL.
 *	Sets offset to be the offset of the name/value combination in the
 *	environmental array, for use by setenv(3) and unsetenv(3).
 *	Explicitly removes '=' in argument name.
 *
 *	This routine *should* be a static; don't use it.
 */
-char *
+static char *
-__findenv(name, offset)
+__findenv(const char *name, int *offset)
 	register const char *name;
 	int *offset;
 {
 	extern char **environ;
-	register int len, i;
+	int len, i;
-	register const char *np;
+	const char *np;
-	register char **p, *cp;
+	char **p, *cp;
 	if (name == NULL || environ == NULL)
 		return (NULL);
@ -84,14 +78,10 @@ __findenv(name, offset)
 *	"value".  If rewrite is set, replace any current value.
 */
 int
-setenv(name, value, rewrite)
+setenv(const char *name, const char *value, int rewrite)
 	register const char *name;
 	register const char *value;
 	int rewrite;
 {
-	extern char **environ;
+	static char **lastenv;			/* last value of environ */
-	static int alloced;			/* if allocated space before */
+	char *C;
 	register char *C;
 	int l_value, offset;
 	if (*value == '=')			/* no `=' in value */
@ -106,30 +96,23 @@ setenv(name, value, rewrite)
 			return (0);
 		}
 	} else {					/* create new slot */
-		register int	cnt;
+		size_t cnt;
-		register char	**P;
+		char **P;
-		for (P = environ, cnt = 0; *P; ++P, ++cnt);
+		for (P = environ; *P != NULL; P++)
-		if (alloced) {			/* just increase size */
+			;
-			P = (char **)realloc((void *)environ,
+		cnt = P - environ;
-			    (size_t)(sizeof(char *) * (cnt + 2)));
+		P = (char **)realloc(lastenv, sizeof(char *) * (cnt + 2));
-			if (!P)
+		if (!P)
-				return (-1);
+			return (-1);
-			environ = P;
+		if (lastenv != environ)
-		}
+			memcpy(P, environ, cnt * sizeof(char *));
-		else {				/* get new space */
+		lastenv = environ = P;
 			alloced = 1;		/* copy old entries into it */
 			P = (char **)malloc((size_t)(sizeof(char *) *
 			    (cnt + 2)));
 			if (!P)
 				return (-1);
 			memmove(P, environ, cnt * sizeof(char *));
 			environ = P;
 		}
 		environ[cnt + 1] = NULL;
 		offset = cnt;
 		environ[cnt + 1] = NULL;
 	}
-	for (C = (char *)name; *C && *C != '='; ++C);	/* no `=' in name */
+	for (C = (char *)name; *C && *C != '='; ++C)
 		;				/* no `=' in name */
 	if (!(environ[offset] =			/* name + `=' + value */
 	    malloc((size_t)((int)(C - name) + l_value + 2))))
 		return (-1);
@ -147,15 +130,12 @@ setenv(name, value, rewrite)
 *	Delete environmental variable "name".
 */
 void
-unsetenv(name)
+unsetenv(const char *name)
 	const char	*name;
 {
-	extern char **environ;
+	char **P;
 	register char **P;
 	int offset;
 	char *__findenv();
-	while (__findenv(name, &offset))		/* if set multiple times */
+	while (__findenv(name, &offset))	/* if set multiple times */
 		for (P = &environ[offset];; ++P)
 			if (!(*P = *(P + 1)))
 				break;
--- a/crypto/openssh/openbsd-compat/sigact.c
+++ b/crypto/openssh/openbsd-compat/sigact.c
@ -1,9 +1,7 @@
-/* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
+/*	$OpenBSD: sigaction.c,v 1.4 2001/01/22 18:01:48 millert Exp $	*/
 /*	$OpenBSD: sigaction.c,v 1.3 1999/06/27 08:14:21 millert Exp $	*/
 /****************************************************************************
- * Copyright (c) 1998 Free Software Foundation, Inc.                        *
+ * Copyright (c) 1998,2000 Free Software Foundation, Inc.                   *
 *                                                                          *
 * Permission is hereby granted, free of charge, to any person obtaining a  *
 * copy of this software and associated documentation files (the            *
@ -35,6 +33,8 @@
 *     and: Eric S. Raymond <esr@snark.thyrsus.com>                         *
 ****************************************************************************/
 /* OPENBSD ORIGINAL: lib/libcurses/base/sigaction.c */
 #include "includes.h"
 #include <signal.h>
 #include "sigact.h"
--- a/crypto/openssh/openbsd-compat/sigact.h
+++ b/crypto/openssh/openbsd-compat/sigact.h
@ -1,7 +1,7 @@
-/*	$OpenBSD: SigAction.h,v 1.2 1999/06/27 08:15:19 millert Exp $	*/
+/*	$OpenBSD: SigAction.h,v 1.3 2001/01/22 18:01:32 millert Exp $	*/
 /****************************************************************************
- * Copyright (c) 1998 Free Software Foundation, Inc.                        *
+ * Copyright (c) 1998,2000 Free Software Foundation, Inc.                   *
 *                                                                          *
 * Permission is hereby granted, free of charge, to any person obtaining a  *
 * copy of this software and associated documentation files (the            *
@ -34,12 +34,14 @@
 ****************************************************************************/
 /*
- * $From: SigAction.h,v 1.5 1999/06/19 23:00:54 tom Exp $
+ * $From: SigAction.h,v 1.6 2000/12/10 02:36:10 tom Exp $
 *
 * This file exists to handle non-POSIX systems which don't have <unistd.h>,
 * and usually no sigaction() nor <termios.h>
 */
 /* OPENBSD ORIGINAL: lib/libcurses/SigAction.h */
 #ifndef _SIGACTION_H
 #define _SIGACTION_H
--- a/crypto/openssh/openbsd-compat/strlcat.c
+++ b/crypto/openssh/openbsd-compat/strlcat.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
+/*	$OpenBSD: strlcat.c,v 1.13 2005/08/08 08:05:37 espie Exp $	*/
 /*	$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $	*/
 /*
 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@ -18,13 +16,11 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/string/strlcat.c */
 #include "includes.h"
 #ifndef HAVE_STRLCAT
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <string.h>
@ -38,9 +34,9 @@ static char *rcsid = "$OpenBSD: strlcat.c,v 1.11 2003/06/17 21:56:24 millert Exp
 size_t
 strlcat(char *dst, const char *src, size_t siz)
 {
-	register char *d = dst;
+	char *d = dst;
-	register const char *s = src;
+	const char *s = src;
-	register size_t n = siz;
+	size_t n = siz;
 	size_t dlen;
 	/* Find the end of dst and adjust bytes left but don't go past end */
--- a/crypto/openssh/openbsd-compat/strlcpy.c
+++ b/crypto/openssh/openbsd-compat/strlcpy.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
+/*	$OpenBSD: strlcpy.c,v 1.10 2005/08/08 08:05:37 espie Exp $	*/
 /*	$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $	*/
 /*
 * Copyright (c) 1998 Todd C. Miller <Todd.Miller@courtesan.com>
@ -18,13 +16,11 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/string/strlcpy.c */
 #include "includes.h"
 #ifndef HAVE_STRLCPY
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <string.h>
@ -36,9 +32,9 @@ static char *rcsid = "$OpenBSD: strlcpy.c,v 1.8 2003/06/17 21:56:24 millert Exp
 size_t
 strlcpy(char *dst, const char *src, size_t siz)
 {
-	register char *d = dst;
+	char *d = dst;
-	register const char *s = src;
+	const char *s = src;
-	register size_t n = siz;
+	size_t n = siz;
 	/* Copy as many bytes as will fit */
 	if (n != 0 && --n != 0) {
--- a/crypto/openssh/openbsd-compat/strmode.c
+++ b/crypto/openssh/openbsd-compat/strmode.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
+/*	$OpenBSD: strmode.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
 /*-
 * Copyright (c) 1990 The Regents of the University of California.
 * All rights reserved.
@ -29,13 +28,11 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/string/strmode.c */
 #include "includes.h"
 #ifndef HAVE_STRMODE
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: strmode.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <string.h>
@ -71,11 +68,6 @@ strmode(int mode, char *p)
 	case S_IFIFO:			/* fifo */
 		*p++ = 'p';
 		break;
 #endif
 #ifdef S_IFWHT
 	case S_IFWHT:			/* whiteout */
 		*p++ = 'w';
 		break;
 #endif
 	default:			/* unknown */
 		*p++ = '?';
--- a/crypto/openssh/openbsd-compat/strsep.c
+++ b/crypto/openssh/openbsd-compat/strsep.c
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
+/*	$OpenBSD: strsep.c,v 1.6 2005/08/08 08:05:37 espie Exp $	*/
 /*	$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $	*/
 /*-
 * Copyright (c) 1990, 1993
@ -31,6 +29,8 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/string/strsep.c */
 #include "includes.h"
 #if !defined(HAVE_STRSEP)
@ -38,14 +38,6 @@
 #include <string.h>
 #include <stdio.h>
 #if defined(LIBC_SCCS) && !defined(lint)
 #if 0
 static char sccsid[] = "@(#)strsep.c	8.1 (Berkeley) 6/4/93";
 #else
 static char *rcsid = "$OpenBSD: strsep.c,v 1.5 2003/06/11 21:08:16 deraadt Exp $";
 #endif
 #endif /* LIBC_SCCS and not lint */
 /*
 * Get next token from string *stringp, where tokens are possibly-empty
 * strings separated by characters from delim.  
--- a/crypto/openssh/openbsd-compat/strtoll.c
+++ b/crypto/openssh/openbsd-compat/strtoll.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
+/* $OpenBSD: strtoll.c,v 1.6 2005/11/10 10:00:17 espie Exp $ */
 /*-
 * Copyright (c) 1992 The Regents of the University of California.
 * All rights reserved.
@ -29,13 +28,11 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdlib/strtoll.c */
 #include "includes.h"
 #ifndef HAVE_STRTOLL
 #if defined(LIBC_SCCS) && !defined(lint)
 static const char rcsid[] = "$OpenBSD: strtoll.c,v 1.4 2005/03/30 18:51:49 pat Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <sys/types.h>
 #include <ctype.h>
--- a/crypto/openssh/openbsd-compat/strtonum.c
+++ b/crypto/openssh/openbsd-compat/strtonum.c
@ -1,5 +1,3 @@
 /* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
 /*	$OpenBSD: strtonum.c,v 1.6 2004/08/03 19:38:01 millert Exp $	*/
 /*
@ -19,6 +17,8 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdlib/strtonum.c */
 #include "includes.h"
 #ifndef HAVE_STRTONUM
 #include <limits.h>
--- a/crypto/openssh/openbsd-compat/strtoul.c
+++ b/crypto/openssh/openbsd-compat/strtoul.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
+/*	$OpenBSD: strtoul.c,v 1.7 2005/08/08 08:05:37 espie Exp $ */
 /*
 * Copyright (c) 1990 Regents of the University of California.
 * All rights reserved.
@ -29,13 +28,11 @@
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/stdlib/strtoul.c */
 #include "includes.h"
 #ifndef HAVE_STRTOUL
 #if defined(LIBC_SCCS) && !defined(lint)
 static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <ctype.h>
 #include <errno.h>
 #include <limits.h>
@ -48,15 +45,12 @@ static char *rcsid = "$OpenBSD: strtoul.c,v 1.5 2003/06/02 20:18:38 millert Exp
 * alphabets and digits are each contiguous.
 */
 unsigned long
-strtoul(nptr, endptr, base)
+strtoul(const char *nptr, char **endptr, int base)
 	const char *nptr;
 	char **endptr;
 	register int base;
 {
-	register const char *s;
+	const char *s;
-	register unsigned long acc, cutoff;
+	unsigned long acc, cutoff;
-	register int c;
+	int c;
-	register int neg, any, cutlim;
+	int neg, any, cutlim;
 	/*
 	 * See strtol for comments as to the logic used.
--- a/crypto/openssh/openbsd-compat/sys-queue.h
+++ b/crypto/openssh/openbsd-compat/sys-queue.h
@ -1,5 +1,3 @@
 /* OPENBSD ORIGINAL: sys/sys/queue.h */
 /*	$OpenBSD: queue.h,v 1.25 2004/04/08 16:08:21 henning Exp $	*/
 /*	$NetBSD: queue.h,v 1.11 1996/05/16 05:17:14 mycroft Exp $	*/
@ -34,6 +32,8 @@
 *	@(#)queue.h	8.5 (Berkeley) 8/20/94
 */
 /* OPENBSD ORIGINAL: sys/sys/queue.h */
 #ifndef	_FAKE_QUEUE_H_
 #define	_FAKE_QUEUE_H_
--- a/crypto/openssh/openbsd-compat/sys-tree.h
+++ b/crypto/openssh/openbsd-compat/sys-tree.h
@ -1,5 +1,3 @@
 /* OPENBSD ORIGINAL: sys/sys/tree.h */
 /*	$OpenBSD: tree.h,v 1.7 2002/10/17 21:51:54 art Exp $	*/
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@ -26,6 +24,8 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: sys/sys/tree.h */
 #ifndef	_SYS_TREE_H_
 #define	_SYS_TREE_H_
--- a/crypto/openssh/openbsd-compat/vis.c
+++ b/crypto/openssh/openbsd-compat/vis.c
@ -1,5 +1,4 @@
-/* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
+/*	$OpenBSD: vis.c,v 1.19 2005/09/01 17:15:49 millert Exp $ */
 /*-
 * Copyright (c) 1989, 1993
 *	The Regents of the University of California.  All rights reserved.
@ -28,36 +27,34 @@
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */
 /* OPENBSD ORIGINAL: lib/libc/gen/vis.c */
 #include "includes.h"
 #if !defined(HAVE_STRNVIS)
 #if defined(LIBC_SCCS) && !defined(lint)
 static char rcsid[] = "$OpenBSD: vis.c,v 1.12 2003/06/02 20:18:35 millert Exp $";
 #endif /* LIBC_SCCS and not lint */
 #include <ctype.h>
 #include <string.h>
 #include "vis.h"
 #define	isoctal(c)	(((u_char)(c)) >= '0' && ((u_char)(c)) <= '7')
-#define isvisible(c)	(((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) && \
+#define	isvisible(c)							\
-				isgraph((u_char)(c))) ||		     \
+	(((u_int)(c) <= UCHAR_MAX && isascii((u_char)(c)) &&		\
-				((flag & VIS_SP) == 0 && (c) == ' ') ||	     \
+	(((c) != '*' && (c) != '?' && (c) != '[' && (c) != '#') ||	\
-				((flag & VIS_TAB) == 0 && (c) == '\t') ||    \
+		(flag & VIS_GLOB) == 0) && isgraph((u_char)(c))) ||	\
-				((flag & VIS_NL) == 0 && (c) == '\n') ||     \
+	((flag & VIS_SP) == 0 && (c) == ' ') ||				\
-				((flag & VIS_SAFE) && ((c) == '\b' ||	     \
+	((flag & VIS_TAB) == 0 && (c) == '\t') ||			\
-				(c) == '\007' || (c) == '\r' ||		     \
+	((flag & VIS_NL) == 0 && (c) == '\n') ||			\
-				isgraph((u_char)(c)))))
+	((flag & VIS_SAFE) && ((c) == '\b' ||				\
 		(c) == '\007' || (c) == '\r' ||				\
 		isgraph((u_char)(c)))))
 /*
 * vis - visually encode characters
 */
 char *
-vis(dst, c, flag, nextc)
+vis(char *dst, int c, int flag, int nextc)
 	register char *dst;
 	int c, nextc;
 	register int flag;
 {
 	if (isvisible(c)) {
 		*dst++ = c;
@ -111,7 +108,8 @@ vis(dst, c, flag, nextc)
 			goto done;
 		}
 	}
-	if (((c & 0177) == ' ') || (flag & VIS_OCTAL)) {	
+	if (((c & 0177) == ' ') || (flag & VIS_OCTAL) ||
 	    ((flag & VIS_GLOB) && (c == '*' || c == '?' || c == '[' || c == '#'))) {
 		*dst++ = '\\';
 		*dst++ = ((u_char)c >> 6 & 07) + '0';
 		*dst++ = ((u_char)c >> 3 & 07) + '0';
@ -124,7 +122,7 @@ vis(dst, c, flag, nextc)
 		c &= 0177;
 		*dst++ = 'M';
 	}
-	if (iscntrl(c)) {
+	if (iscntrl((u_char)c)) {
 		*dst++ = '^';
 		if (c == 0177)
 			*dst++ = '?';
@ -153,12 +151,9 @@ vis(dst, c, flag, nextc)
 *	This is useful for encoding a block of data.
 */
 int
-strvis(dst, src, flag)
+strvis(char *dst, const char *src, int flag)
 	register char *dst;
 	register const char *src;
 	int flag;
 {
-	register char c;
+	char c;
 	char *start;
 	for (start = dst; (c = *src);)
@ -168,16 +163,11 @@ strvis(dst, src, flag)
 }
 int
-strnvis(dst, src, siz, flag)
+strnvis(char *dst, const char *src, size_t siz, int flag)
 	char *dst;
 	const char *src;
 	size_t siz;
 	int flag;
 {
 	char c;
 	char *start, *end;
 	char tbuf[5];
-	int  i;
+	int c, i;
 	i = 0;
 	for (start = dst, end = start + siz - 1; (c = *src) && dst < end; ) {
@ -217,13 +207,9 @@ strnvis(dst, src, siz, flag)
 }
 int
-strvisx(dst, src, len, flag)
+strvisx(char *dst, const char *src, size_t len, int flag)
 	register char *dst;
 	register const char *src;
 	register size_t len;
 	int flag;
 {
-	register char c;
+	char c;
 	char *start;
 	for (start = dst; len > 1; len--) {
--- a/crypto/openssh/openbsd-compat/vis.h
+++ b/crypto/openssh/openbsd-compat/vis.h
@ -1,6 +1,4 @@
-/* OPENBSD ORIGINAL: include/vis.h */
+/*	$OpenBSD: vis.h,v 1.11 2005/08/09 19:38:31 millert Exp $	*/
 /*	$OpenBSD: vis.h,v 1.6 2003/06/02 19:34:12 millert Exp $	*/
 /*	$NetBSD: vis.h,v 1.4 1994/10/26 00:56:41 cgd Exp $	*/
 /*-
@ -34,6 +32,8 @@
 *	@(#)vis.h	5.9 (Berkeley) 4/3/91
 */
 /* OPENBSD ORIGINAL: include/vis.h */
 #include "includes.h"
 #if !defined(HAVE_STRNVIS)
@ -63,6 +63,7 @@
 * other
 */
 #define	VIS_NOSLASH	0x40	/* inhibit printing '\' */
 #define	VIS_GLOB	0x100	/* encode glob(3) magics and '#' */
 /*
 * unvis return codes
@ -80,10 +81,14 @@
 char	*vis(char *, int, int, int);
 int	strvis(char *, const char *, int);
-int	strnvis(char *, const char *, size_t, int);
+int	strnvis(char *, const char *, size_t, int)
-int	strvisx(char *, const char *, size_t, int);
+		__attribute__ ((__bounded__(__string__,1,3)));
 int	strvisx(char *, const char *, size_t, int)
 		__attribute__ ((__bounded__(__string__,1,3)));
 int	strunvis(char *, const char *);
 int	unvis(char *, char, int *, int);
 ssize_t strnunvis(char *, const char *, size_t)
 		__attribute__ ((__bounded__(__string__,1,3)));
 #endif /* !_VIS_H_ */
--- a/crypto/openssh/opensshd.init.in
+++ b/crypto/openssh/opensshd.init.in
@ -1,4 +1,4 @@
-#!/sbin/sh
+#!@STARTUP_SCRIPT_SHELL@
 # Donated code that was put under PD license.
 #
 # Stripped PRNGd out of it for the time being.
--- a/crypto/openssh/packet.c
+++ b/crypto/openssh/packet.c
@ -37,7 +37,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: packet.c,v 1.119 2005/07/28 17:36:22 markus Exp $");
+RCSID("$OpenBSD: packet.c,v 1.120 2005/10/30 08:52:17 djm Exp $");
 #include "openbsd-compat/sys-queue.h"
@ -572,7 +572,7 @@ packet_send1(void)
 	buffer_clear(&outgoing_packet);
 	/*
-	 * Note that the packet is now only buffered in output.  It won\'t be
+	 * Note that the packet is now only buffered in output.  It won't be
 	 * actually sent until packet_write_wait or packet_write_poll is
 	 * called.
 	 */
--- a/crypto/openssh/progressmeter.c
+++ b/crypto/openssh/progressmeter.c
@ -85,8 +85,8 @@ format_rate(char *buf, int size, off_t bytes)
 		bytes = (bytes + 512) / 1024;
 	}
 	snprintf(buf, size, "%3lld.%1lld%c%s",
-	    (int64_t) (bytes + 5) / 100,
+	    (long long) (bytes + 5) / 100,
-	    (int64_t) (bytes + 5) / 10 % 10,
+	    (long long) (bytes + 5) / 10 % 10,
 	    unit[i],
 	    i ? "B" : " ");
 }
@ -99,7 +99,7 @@ format_size(char *buf, int size, off_t bytes)
 	for (i = 0; bytes >= 10000 && unit[i] != 'T'; i++)
 		bytes = (bytes + 512) / 1024;
 	snprintf(buf, size, "%4lld%c%s",
-	    (int64_t) bytes,
+	    (long long) bytes,
 	    unit[i],
 	    i ? "B" : " ");
 }
--- a/crypto/openssh/regress/README.regress
+++ b/crypto/openssh/regress/README.regress
@ -97,8 +97,12 @@ Known Issues.
  unless ssh-rand-helper is in pre-installed (the path to
  ssh-rand-helper is hard coded).
 - Similarly, if you do not have "scp" in your system's $PATH then the
  multiplex scp tests will fail (since the system's shell startup scripts
  will determine where the shell started by sshd will look for scp).
 - Recent GNU coreutils deprecate "head -[n]": this will cause the yes-head
  test to fail.  The old behaviour can be restored by setting (and
  exporting) _POSIX2_VERSION=199209 before running the tests.
-$Id: README.regress,v 1.9 2004/08/17 12:31:33 dtucker Exp $
+$Id: README.regress,v 1.10 2005/10/03 10:14:18 dtucker Exp $
--- a/crypto/openssh/regress/agent-getpeereid.sh
+++ b/crypto/openssh/regress/agent-getpeereid.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: agent-getpeereid.sh,v 1.1 2002/12/09 16:05:02 markus Exp $
+#	$OpenBSD: agent-getpeereid.sh,v 1.2 2005/11/14 21:25:56 grunk Exp $
 #	Placed in the Public Domain.
 tid="disallow agent attach from other uid"
@ -27,7 +27,7 @@ else
 		fail "ssh-add failed with $r != 1"
 	fi
-	< /dev/null sudo -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
+	< /dev/null ${SUDO} -S -u ${UNPRIV} ssh-add -l > /dev/null 2>&1
 	r=$?
 	if [ $r -lt 2 ]; then
 		fail "ssh-add did not fail for ${UNPRIV}: $r < 2"
--- a/crypto/openssh/regress/forwarding.sh
+++ b/crypto/openssh/regress/forwarding.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: forwarding.sh,v 1.4 2002/03/15 13:08:56 markus Exp $
+#	$OpenBSD: forwarding.sh,v 1.5 2005/03/10 10:20:39 dtucker Exp $
 #	Placed in the Public Domain.
 tid="local and remote forwarding"
@ -32,3 +32,34 @@ for p in 1 2; do
 	sleep 10
 done
 for p in 1 2; do
 	trace "simple clear forwarding proto $p"
 	${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true
 	trace "clear local forward proto $p"
 	${SSH} -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \
 	    -oClearAllForwardings=yes somehost sleep 10
 	if [ $? != 0 ]; then
 		fail "connection failed with cleared local forwarding"
 	else
 		# this one should fail
 		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
 		     2>${TEST_SSH_LOGFILE} && \
 			fail "local forwarding not cleared"
 	fi
 	sleep 10
 	trace "clear remote forward proto $p"
 	${SSH} -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \
 	    -oClearAllForwardings=yes somehost sleep 10
 	if [ $? != 0 ]; then
 		fail "connection failed with cleared remote forwarding"
 	else
 		# this one should fail
 		${SSH} -$p -F $OBJ/ssh_config -p ${base}01 true \
 		     2>${TEST_SSH_LOGFILE} && \
 			fail "remote forwarding not cleared"
 	fi
 	sleep 10
 done
--- a/crypto/openssh/regress/multiplex.sh
+++ b/crypto/openssh/regress/multiplex.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: multiplex.sh,v 1.10 2005/02/27 11:33:30 dtucker Exp $
+#	$OpenBSD: multiplex.sh,v 1.11 2005/04/25 09:54:09 dtucker Exp $
 #	Placed in the Public Domain.
 CTL=/tmp/openssh.regress.ctl-sock.$$
--- a/crypto/openssh/regress/reconfigure.sh
+++ b/crypto/openssh/regress/reconfigure.sh
@ -15,8 +15,9 @@ esac
 start_sshd
-$SUDO kill -HUP `cat $PIDFILE`
+PID=`cat $PIDFILE`
-sleep 1
+rm -f $PIDFILE
 $SUDO kill -HUP $PID
 trace "wait for sshd to restart"
 i=0;
--- a/crypto/openssh/regress/scp-ssh-wrapper.sh
+++ b/crypto/openssh/regress/scp-ssh-wrapper.sh
@ -1,5 +1,5 @@
 #!/bin/sh
-#       $OpenBSD: scp-ssh-wrapper.sh,v 1.1 2004/06/13 13:51:02 dtucker Exp $
+#       $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
 #       Placed in the Public Domain.
 printname () {
@ -16,8 +16,11 @@ printname () {
 	done
 }
-# discard first 5 args
+# Discard all but last argument.  We use arg later.
-shift; shift; shift; shift; shift
+while test "$1" != ""; do
 	arg="$1"
 	shift
 done
 BAD="../../../../../../../../../../../../../${DIR}/dotpathdir"
@ -49,6 +52,6 @@ badserver_4)
 	echo "X"
 	;;
 *)
-	exec $1
+	exec $arg
 	;;
 esac
--- a/crypto/openssh/regress/scp.sh
+++ b/crypto/openssh/regress/scp.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: scp.sh,v 1.3 2004/07/08 12:59:35 dtucker Exp $
+#	$OpenBSD: scp.sh,v 1.7 2006/01/31 10:36:33 djm Exp $
 #	Placed in the Public Domain.
 tid="scp"
@ -28,6 +28,11 @@ scpclean() {
 	mkdir ${DIR} ${DIR2}
 }
 verbose "$tid: simple copy local file to local file"
 scpclean
 $SCP $scpopts ${DATA} ${COPY} || fail "copy failed"
 cmp ${DATA} ${COPY} || fail "corrupted copy"
 verbose "$tid: simple copy local file to remote file"
 scpclean
 $SCP $scpopts ${DATA} somehost:${COPY} || fail "copy failed"
@ -44,6 +49,12 @@ cp ${DATA} ${COPY}
 $SCP $scpopts ${COPY} somehost:${DIR} || fail "copy failed"
 cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
 verbose "$tid: simple copy local file to local dir"
 scpclean
 cp ${DATA} ${COPY}
 $SCP $scpopts ${COPY} ${DIR} || fail "copy failed"
 cmp ${COPY} ${DIR}/copy || fail "corrupted copy"
 verbose "$tid: simple copy remote file to local dir"
 scpclean
 cp ${DATA} ${COPY}
@ -57,6 +68,13 @@ cp ${DATA} ${DIR}/copy
 $SCP $scpopts -r ${DIR} somehost:${DIR2} || fail "copy failed"
 diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
 verbose "$tid: recursive local dir to local dir"
 scpclean
 rm -rf ${DIR2}
 cp ${DATA} ${DIR}/copy
 $SCP $scpopts -r ${DIR} ${DIR2} || fail "copy failed"
 diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
 verbose "$tid: recursive remote dir to local dir"
 scpclean
 rm -rf ${DIR2}
@ -64,6 +82,13 @@ cp ${DATA} ${DIR}/copy
 $SCP $scpopts -r somehost:${DIR} ${DIR2} || fail "copy failed"
 diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
 verbose "$tid: shell metacharacters"
 scpclean
 (cd ${DIR} && \
 touch '`touch metachartest`' && \
 $SCP $scpopts *metachar* ${DIR2} 2>/dev/null; \
 [ ! -f metachartest ] ) || fail "shell metacharacters"
 if [ ! -z "$SUDO" ]; then
 	verbose "$tid: skipped file after scp -p with failed chown+utimes"
 	scpclean
@ -73,7 +98,7 @@ if [ ! -z "$SUDO" ]; then
 	chmod 660 ${DIR2}/copy
 	$SUDO chown root ${DIR2}/copy
 	$SCP -p $scpopts somehost:${DIR}/\* ${DIR2} >/dev/null 2>&1
-	diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
+	$SUDO diff ${DIFFOPT} ${DIR} ${DIR2} || fail "corrupted copy"
 	$SUDO rm ${DIR2}/copy
 fi
@ -91,5 +116,12 @@ for i in 0 1 2 3 4; do
 	[ -d ${DIR}/dotpathdir ] && fail "allows dir creation outside of subdir"
 done
 verbose "$tid: detect non-directory target"
 scpclean
 echo a > ${COPY}
 echo b > ${COPY2}
 $SCP $scpopts ${DATA} ${COPY} ${COPY2}
 cmp ${COPY} ${COPY2} >/dev/null && fail "corrupt target"
 scpclean
 rm -f ${OBJ}/scp-ssh-wrapper.scp
--- a/crypto/openssh/regress/test-exec.sh
+++ b/crypto/openssh/regress/test-exec.sh
@ -1,4 +1,4 @@
-#	$OpenBSD: test-exec.sh,v 1.27 2005/02/27 11:33:30 dtucker Exp $
+#	$OpenBSD: test-exec.sh,v 1.28 2005/05/20 23:14:15 djm Exp $
 #	Placed in the Public Domain.
 #SUDO=sudo
@ -24,6 +24,8 @@ if [ -x /usr/ucb/whoami ]; then
 	USER=`/usr/ucb/whoami`
 elif whoami >/dev/null 2>&1; then
 	USER=`whoami`
 elif logname >/dev/null 2>&1; then
 	USER=`logname`
 else
 	USER=`id -un`
 fi
@ -194,6 +196,7 @@ trap fatal 3 2
 cat << EOF > $OBJ/sshd_config
 	StrictModes		no
 	Port			$PORT
 	AddressFamily		inet
 	ListenAddress		127.0.0.1
 	#ListenAddress		::1
 	PidFile			$PIDFILE
@ -244,7 +247,7 @@ trace "generate keys"
 for t in rsa rsa1; do
 	# generate user key
 	rm -f $OBJ/$t
-	${SSHKEYGEN} -q -N '' -t $t  -f $OBJ/$t ||\
+	${SSHKEYGEN} -b 1024 -q -N '' -t $t  -f $OBJ/$t ||\
 		fail "ssh-keygen for $t failed"
 	# known hosts file for client
--- a/crypto/openssh/regress/try-ciphers.sh
+++ b/crypto/openssh/regress/try-ciphers.sh
@ -1,9 +1,10 @@
-#	$OpenBSD: try-ciphers.sh,v 1.9 2004/02/28 13:44:45 dtucker Exp $
+#	$OpenBSD: try-ciphers.sh,v 1.10 2005/05/24 04:10:54 djm Exp $
 #	Placed in the Public Domain.
 tid="try ciphers"
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc arcfour 
+ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
 	arcfour128 arcfour256 arcfour 
 	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
 	aes128-ctr aes192-ctr aes256-ctr"
 macs="hmac-sha1 hmac-md5 hmac-sha1-96 hmac-md5-96"
--- a/crypto/openssh/regress/yes-head.sh
+++ b/crypto/openssh/regress/yes-head.sh
@ -4,7 +4,7 @@
 tid="yes pipe head"
 for p in 1 2; do
-	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | head -2000"' | (sleep 3 ; wc -l)`
+	lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)`
 	if [ $? -ne 0 ]; then
 		fail "yes|head test failed"
 		lines = 0;
--- a/crypto/openssh/scp.1
+++ b/crypto/openssh/scp.1
@ -9,7 +9,7 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.38 2005/03/01 17:19:35 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.39 2006/01/20 00:14:55 dtucker Exp $
 .\"
 .Dd September 25, 1999
 .Dt SCP 1
@ -152,6 +152,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
 .It RekeyLimit
 .It RhostsRSAAuthentication
 .It RSAAuthentication
 .It SendEnv
--- a/crypto/openssh/sftp-client.c
+++ b/crypto/openssh/sftp-client.c
@ -20,7 +20,7 @@
 /* XXX: copy between two remote sites */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-client.c,v 1.57 2005/07/27 10:39:03 dtucker Exp $");
+RCSID("$OpenBSD: sftp-client.c,v 1.58 2006/01/02 01:20:31 djm Exp $");
 #include "openbsd-compat/sys-queue.h"
@ -42,9 +42,6 @@ extern int showprogress;
 /* Minimum amount of data to read at at time */
 #define MIN_READ_SIZE	512
 /* Maximum packet size */
 #define MAX_MSG_LENGTH	(256 * 1024)
 struct sftp_conn {
 	int fd_in;
 	int fd_out;
@ -59,7 +56,7 @@ send_msg(int fd, Buffer *m)
 {
 	u_char mlen[4];
-	if (buffer_len(m) > MAX_MSG_LENGTH)
+	if (buffer_len(m) > SFTP_MAX_MSG_LENGTH)
 		fatal("Outbound message too long %u", buffer_len(m));
 	/* Send length first */
@ -87,7 +84,7 @@ get_msg(int fd, Buffer *m)
 	}
 	msg_len = buffer_get_int(m);
-	if (msg_len > MAX_MSG_LENGTH)
+	if (msg_len > SFTP_MAX_MSG_LENGTH)
 		fatal("Received message too long %u", msg_len);
 	buffer_append_space(m, msg_len);
--- a/crypto/openssh/sftp-common.h
+++ b/crypto/openssh/sftp-common.h
@ -1,4 +1,4 @@
-/*	$OpenBSD: sftp-common.h,v 1.5 2003/11/10 16:23:41 jakob Exp $	*/
+/*	$OpenBSD: sftp-common.h,v 1.6 2006/01/02 01:20:31 djm Exp $	*/
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@ -25,6 +25,9 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 /* Maximum packet that we are willing to send/accept */
 #define SFTP_MAX_MSG_LENGTH	(256 * 1024)
 typedef struct Attrib Attrib;
 /* File attributes */
--- a/crypto/openssh/sftp-server.c
+++ b/crypto/openssh/sftp-server.c
@ -14,13 +14,14 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: sftp-server.c,v 1.48 2005/06/17 02:44:33 djm Exp $");
+RCSID("$OpenBSD: sftp-server.c,v 1.50 2006/01/02 01:20:31 djm Exp $");
 #include "buffer.h"
 #include "bufaux.h"
 #include "getput.h"
 #include "log.h"
 #include "xmalloc.h"
 #include "misc.h"
 #include "sftp.h"
 #include "sftp-common.h"
@ -427,7 +428,7 @@ process_read(void)
 	len = get_int();
 	TRACE("read id %u handle %d off %llu len %d", id, handle,
-	    (u_int64_t)off, len);
+	    (unsigned long long)off, len);
 	if (len > sizeof buf) {
 		len = sizeof buf;
 		logit("read change len %d", len);
@ -468,7 +469,7 @@ process_write(void)
 	data = get_string(&len);
 	TRACE("write id %u handle %d off %llu len %d", id, handle,
-	    (u_int64_t)off, len);
+	    (unsigned long long)off, len);
 	fd = handle_to_fd(handle);
 	if (fd >= 0) {
 		if (lseek(fd, off, SEEK_SET) < 0) {
@ -945,7 +946,7 @@ process(void)
 		return;		/* Incomplete message. */
 	cp = buffer_ptr(&iqueue);
 	msg_len = GET_32BIT(cp);
-	if (msg_len > 256 * 1024) {
+	if (msg_len > SFTP_MAX_MSG_LENGTH) {
 		error("bad message ");
 		exit(11);
 	}
@ -1036,6 +1037,9 @@ main(int ac, char **av)
 	int in, out, max;
 	ssize_t len, olen, set_size;
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 	/* XXX should use getopt */
 	__progname = ssh_get_progname(av[0]);
--- a/crypto/openssh/sftp.1
+++ b/crypto/openssh/sftp.1
@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.61 2005/03/01 17:19:35 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.63 2006/01/20 00:14:55 dtucker Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@ -78,7 +78,7 @@ to start in a remote directory.
 The final usage format allows for automated sessions using the
 .Fl b
 option.
-In such cases, it is usually necessary to configure public key authentication
+In such cases, it is necessary to configure non-interactive authentication
 to obviate the need to enter a password at connection time (see
 .Xr sshd 8
 and
@ -180,6 +180,7 @@ For full details of the options listed below, and their possible values, see
 .It Protocol
 .It ProxyCommand
 .It PubkeyAuthentication
 .It RekeyLimit
 .It RhostsRSAAuthentication
 .It RSAAuthentication
 .It SendEnv
--- a/crypto/openssh/sftp.c
+++ b/crypto/openssh/sftp.c
@ -16,7 +16,7 @@
 #include "includes.h"
-RCSID("$OpenBSD: sftp.c,v 1.66 2005/08/08 13:22:48 jaredy Exp $");
+RCSID("$OpenBSD: sftp.c,v 1.70 2006/01/31 10:19:02 djm Exp $");
 #ifdef USE_LIBEDIT
 #include <histedit.h>
@ -697,6 +697,8 @@ do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
 	}
 	if (lflag & SORT_FLAGS) {
 		for (n = 0; d[n] != NULL; n++)
 			;	/* count entries */
 		sort_flag = lflag & (SORT_FLAGS|LS_REVERSE_SORT);
 		qsort(d, n, sizeof(*d), sdirent_comp);
 	}
@ -1447,11 +1449,16 @@ main(int argc, char **argv)
 	extern int optind;
 	extern char *optarg;
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 	__progname = ssh_get_progname(argv[0]);
 	memset(&args, '\0', sizeof(args));
 	args.list = NULL;
-	addargs(&args, "ssh");		/* overwritten with ssh_program */
+	addargs(&args, ssh_program);
 	addargs(&args, "-oForwardX11 no");
 	addargs(&args, "-oForwardAgent no");
 	addargs(&args, "-oPermitLocalCommand no");
 	addargs(&args, "-oClearAllForwardings yes");
 	ll = SYSLOG_LEVEL_INFO;
@ -1483,6 +1490,7 @@ main(int argc, char **argv)
 			break;
 		case 'S':
 			ssh_program = optarg;
 			replacearg(&args, 0, "%s", ssh_program);
 			break;
 		case 'b':
 			if (batchmode)
@ -1559,7 +1567,6 @@ main(int argc, char **argv)
 		addargs(&args, "%s", host);
 		addargs(&args, "%s", (sftp_server != NULL ?
 		    sftp_server : "sftp"));
 		args.list[0] = ssh_program;
 		if (!batchmode)
 			fprintf(stderr, "Connecting to %s...\n", host);
@ -1572,6 +1579,7 @@ main(int argc, char **argv)
 			fprintf(stderr, "Attaching to %s...\n", sftp_direct);
 		connect_to_server(sftp_direct, args.list, &in, &out);
 	}
 	freeargs(&args);
 	err = interactive_loop(in, out, file1, file2);
--- a/crypto/openssh/ssh-agent.1
+++ b/crypto/openssh/ssh-agent.1
@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.42 2005/04/21 06:17:50 djm Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.43 2005/11/28 06:02:56 dtucker Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@ -70,7 +70,7 @@ The options are as follows:
 Bind the agent to the unix-domain socket
 .Ar bind_address .
 The default is
-.Pa /tmp/ssh-XXXXXXXX/agent.<ppid> .
+.Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid> .
 .It Fl c
 Generate C-shell commands on
 .Dv stdout .
@ -90,7 +90,7 @@ environment variable).
 .It Fl t Ar life
 Set a default value for the maximum lifetime of identities added to the agent.
 The lifetime may be specified in seconds or in a time format specified in
-.Xr sshd 8 .
+.Xr sshd_config 5 .
 A lifetime specified for an identity with
 .Xr ssh-add 1
 overrides this value.
@ -185,7 +185,7 @@ Contains the protocol version 1 RSA authentication identity of the user.
 Contains the protocol version 2 DSA authentication identity of the user.
 .It Pa ~/.ssh/id_rsa
 Contains the protocol version 2 RSA authentication identity of the user.
-.It Pa /tmp/ssh-XXXXXXXX/agent.<ppid>
+.It Pa /tmp/ssh-XXXXXXXXXX/agent.<ppid>
 Unix-domain sockets used to contain the connection to the
 authentication agent.
 These sockets should only be readable by the owner.
--- a/crypto/openssh/ssh-keygen.1
+++ b/crypto/openssh/ssh-keygen.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keygen.1,v 1.69 2005/06/08 03:50:00 djm Exp $
+.\"	$OpenBSD: ssh-keygen.1,v 1.72 2005/11/28 05:16:53 dtucker Exp $
 .\"
 .\"  -*- nroff -*-
 .\"
@ -118,6 +118,9 @@ keys for use by SSH protocol version 2.
 The type of key to be generated is specified with the
 .Fl t
 option.
 If invoked without any arguments,
 .Nm
 will generate an RSA key for use in SSH protocol 2 connections.
 .Pp
 .Nm
 is also used to generate groups for use in Diffie-Hellman group
@ -187,9 +190,9 @@ command.
 Show the bubblebabble digest of specified private or public key file.
 .It Fl b Ar bits
 Specifies the number of bits in the key to create.
-Minimum is 512 bits.
+For RSA keys, the minimum size is 768 bits and the default is 2048 bits.
 Generally, 2048 bits is considered sufficient.
-The default is 2048 bits.
+DSA keys must be exactly 1024 bits as specified by FIPS 186-2.
 .It Fl C Ar comment
 Provides a new comment.
 .It Fl c
--- a/crypto/openssh/ssh-keygen.c
+++ b/crypto/openssh/ssh-keygen.c
@ -12,7 +12,7 @@
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
+RCSID("$OpenBSD: ssh-keygen.c,v 1.135 2005/11/29 02:04:55 dtucker Exp $");
 #include <openssl/evp.h>
 #include <openssl/pem.h>
@ -35,8 +35,10 @@ RCSID("$OpenBSD: ssh-keygen.c,v 1.128 2005/07/17 07:17:55 djm Exp $");
 #endif
 #include "dns.h"
-/* Number of bits in the RSA/DSA key.  This value can be changed on the command line. */
+/* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
-u_int32_t bits = 2048;
+#define DEFAULT_BITS		2048
 #define DEFAULT_BITS_DSA	1024
 u_int32_t bits = 0;
 /*
 * Flag indicating that we just want to change the passphrase.  This can be
@ -1018,6 +1020,9 @@ main(int ac, char **av)
 	extern int optind;
 	extern char *optarg;
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 	__progname = ssh_get_progname(av[0]);
 	SSLeay_add_all_algorithms();
@ -1041,7 +1046,7 @@ main(int ac, char **av)
 	    "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
 		switch (opt) {
 		case 'b':
-			bits = strtonum(optarg, 512, 32768, &errstr);
+			bits = strtonum(optarg, 768, 32768, &errstr);
 			if (errstr)
 				fatal("Bits has bad value %s (%s)",
 					optarg, errstr);
@ -1214,8 +1219,10 @@ main(int ac, char **av)
 			    out_file, strerror(errno));
 			return (1);
 		}
 		if (bits == 0)
 			bits = DEFAULT_BITS;
 		if (gen_candidates(out, memory, bits, start) != 0)
-			fatal("modulus candidate generation failed\n");
+			fatal("modulus candidate generation failed");
 		return (0);
 	}
@ -1238,21 +1245,24 @@ main(int ac, char **av)
 			    out_file, strerror(errno));
 		}
 		if (prime_test(in, out, trials, generator_wanted) != 0)
-			fatal("modulus screening failed\n");
+			fatal("modulus screening failed");
 		return (0);
 	}
 	arc4random_stir();
-	if (key_type_name == NULL) {
+	if (key_type_name == NULL)
-		printf("You must specify a key type (-t).\n");
+		key_type_name = "rsa";
-		usage();
+
 	}
 	type = key_type_from_name(key_type_name);
 	if (type == KEY_UNSPEC) {
 		fprintf(stderr, "unknown key type %s\n", key_type_name);
 		exit(1);
 	}
 	if (bits == 0)
 		bits = (type == KEY_DSA) ? DEFAULT_BITS_DSA : DEFAULT_BITS;
 	if (type == KEY_DSA && bits != 1024)
 		fatal("DSA keys must be 1024 bits");
 	if (!quiet)
 		printf("Generating public/private %s key pair.\n", key_type_name);
 	private = key_generate(type, bits);
@ -1265,7 +1275,7 @@ main(int ac, char **av)
 	if (!have_identity)
 		ask_filename(pw, "Enter file in which to save the key");
-	/* Create ~/.ssh directory if it doesn\'t already exist. */
+	/* Create ~/.ssh directory if it doesn't already exist. */
 	snprintf(dotsshdir, sizeof dotsshdir, "%s/%s", pw->pw_dir, _PATH_SSH_USER_DIR);
 	if (strstr(identity_file, dotsshdir) != NULL &&
 	    stat(dotsshdir, &st) < 0) {
--- a/crypto/openssh/ssh-keyscan.1
+++ b/crypto/openssh/ssh-keyscan.1
@ -1,4 +1,4 @@
-.\"	$OpenBSD: ssh-keyscan.1,v 1.20 2005/03/01 15:47:14 jmc Exp $
+.\"	$OpenBSD: ssh-keyscan.1,v 1.21 2005/09/30 20:34:26 jaredy Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@ -156,6 +156,7 @@ $ ssh-keyscan -t rsa,dsa -f ssh_hosts | \e
 .Xr ssh 1 ,
 .Xr sshd 8
 .Sh AUTHORS
 .An -nosplit
 .An David Mazieres Aq dm@lcs.mit.edu
 wrote the initial version, and
 .An Wayne Davison Aq wayned@users.sourceforge.net
--- a/crypto/openssh/ssh-keysign.c
+++ b/crypto/openssh/ssh-keysign.c
@ -22,7 +22,7 @@
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
 #include "includes.h"
-RCSID("$OpenBSD: ssh-keysign.c,v 1.18 2004/08/23 14:29:23 dtucker Exp $");
+RCSID("$OpenBSD: ssh-keysign.c,v 1.19 2005/09/13 23:40:07 djm Exp $");
 #include <openssl/evp.h>
 #include <openssl/rand.h>
@ -148,6 +148,13 @@ main(int argc, char **argv)
 	u_int slen, dlen;
 	u_int32_t rnd[256];
 	/* Ensure that stdin and stdout are connected */
 	if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
 		exit(1);
 	/* Leave /dev/null fd iff it is attached to stderr */
 	if (fd > 2)
 		close(fd);
 	key_fd[0] = open(_PATH_HOST_RSA_KEY_FILE, O_RDONLY);
 	key_fd[1] = open(_PATH_HOST_DSA_KEY_FILE, O_RDONLY);