Update README.md

Delete .github/workflows directory (#2344 )
Update README.md
2025-08-23 19:08:35 +02:00 · 2025-04-29 14:52:56 -04:00 · 2025-04-09 09:32:16 -04:00 · 2025-04-08 16:59:42 -04:00 · 2025-04-03 15:31:45 -04:00 · 2024-11-14 13:26:40 -05:00
880 changed files with 113 additions and 227794 deletions
--- a/.cvsignore
+++ b/.cvsignore
@ -1,28 +0,0 @@
-*.0
-*.out
-Makefile
-autom4te.cache
-buildit.sh
-buildpkg.sh
-config.cache
-config.h
-config.h.in
-config.log
-config.status
-configure
-openssh.xml
-opensshd.init
-scp
-sftp
-sftp-server
-ssh
-ssh-add
-ssh-agent
-ssh-keygen
-ssh-keyscan
-ssh-keysign
-ssh-pkcs11-helper
-sshd
-stamp-h.in
-survey
-survey.sh
--- a/.gitattributes
+++ b/.gitattributes
@ -1,23 +0,0 @@
-# Auto detect text files and perform LF normalization
-* text=auto
-
-# Custom for Visual Studio
-*.cs     diff=csharp
-
-# Standard to msysgit
-*.doc	 diff=astextplain
-*.DOC	 diff=astextplain
-*.docx diff=astextplain
-*.DOCX diff=astextplain
-*.dot  diff=astextplain
-*.DOT  diff=astextplain
-*.pdf  diff=astextplain
-*.PDF	 diff=astextplain
-*.rtf	 diff=astextplain
-*.RTF	 diff=astextplain
-
-
-# conditions for Win32-OpenSSH
-*.sh text eol=lf
-config.sub text eol=lf
-fixalgorithms text eol=lf
--- a/.github/CODE_OF_CONDUCT.md
+++ b/.github/CODE_OF_CONDUCT.md
@ -0,0 +1,10 @@
+# Microsoft Open Source Code of Conduct
+
+This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/).
+
+Resources:
+
+- [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/)
+- [Microsoft Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/)
+- Contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with questions or concerns
+- Employees can reach out at [aka.ms/opensource/moderation-support](https://aka.ms/opensource/moderation-support)
--- a/.github/SECURITY.md
+++ b/.github/SECURITY.md
@ -0,0 +1,41 @@
+<!-- BEGIN MICROSOFT SECURITY.MD V0.0.9 BLOCK -->
+
+## Security
+
+Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin) and [PowerShell](https://github.com/PowerShell).
+
+If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below.
+
+## Reporting Security Issues
+
+**Please do not report security vulnerabilities through public GitHub issues.**
+
+Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report).
+
+If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp).
+
+You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). 
+
+Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
+
+  * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
+  * Full paths of source file(s) related to the manifestation of the issue
+  * The location of the affected source code (tag/branch/commit or direct URL)
+  * Any special configuration required to reproduce the issue
+  * Step-by-step instructions to reproduce the issue
+  * Proof-of-concept or exploit code (if possible)
+  * Impact of the issue, including how an attacker might exploit the issue
+
+This information will help us triage your report more quickly.
+
+If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs.
+
+## Preferred Languages
+
+We prefer all communications to be in English.
+
+## Policy
+
+Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd).
+
+<!-- END MICROSOFT SECURITY.MD BLOCK -->
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"
--- a/.gitignore
+++ b/.gitignore
@ -1,257 +0,0 @@
-#################
-## Eclipse
-#################
-
-*.pydevproject
-.project
-.metadata
-bin/
-tmp/
-*.tmp
-*.bak
-*.swp
-*~.nib
-local.properties
-.classpath
-.settings/
-.loadpath
-
-# External tool builders
-.externalToolBuilders/
-
-# Locally stored "Eclipse launch configurations"
-*.launch
-
-# CDT-specific
-.cproject
-
-# PDT-specific
-.buildpath
-
-
-#################
-## Visual Studio
-#################
-
-## Ignore Visual Studio temporary files, build results, and
-## files generated by popular Visual Studio add-ons.
-
-# User-specific files
-*.suo
-*.user
-*.sln.docstates
-
-# Build results
-
-[Dd]ebug/
-[Rr]elease/
-x64/
-build/
-[Bb]in/
-[Oo]bj/
-
-# MSTest test Results
-[Tt]est[Rr]esult*/
-[Bb]uild[Ll]og.*
-
-*_i.c
-*_p.c
-*.ilk
-*.meta
-*.obj
-*.pch
-*.pdb
-*.pgc
-*.pgd
-*.rsp
-*.sbr
-*.tlb
-*.tli
-*.tlh
-*.tmp
-*.tmp_proj
-*.log
-*.vspscc
-*.vssscc
-.builds
-*.pidb
-*.log
-*.scc
-
-# Visual C++ cache files
-ipch/
-*.aps
-*.ncb
-*.opensdf
-*.sdf
-*.cachefile
-
-# Visual Studio profiler
-*.psess
-*.vsp
-*.vspx
-
-# Guidance Automation Toolkit
-*.gpState
-
-# ReSharper is a .NET coding add-in
-_ReSharper*/
-*.[Rr]e[Ss]harper
-
-# TeamCity is a build add-in
-_TeamCity*
-
-# DotCover is a Code Coverage Tool
-*.dotCover
-
-# NCrunch
-*.ncrunch*
-.*crunch*.local.xml
-
-# Installshield output folder
-[Ee]xpress/
-
-# DocProject is a documentation generator add-in
-DocProject/buildhelp/
-DocProject/Help/*.HxT
-DocProject/Help/*.HxC
-DocProject/Help/*.hhc
-DocProject/Help/*.hhk
-DocProject/Help/*.hhp
-DocProject/Help/Html2
-DocProject/Help/html
-
-# Click-Once directory
-publish/
-
-# Publish Web Output
-*.Publish.xml
-*.pubxml
-*.publishproj
-
-# NuGet Packages Directory
-## TODO: If you have NuGet Package Restore enabled, uncomment the next line
-#packages/
-
-# Windows Azure Build Output
-csx
-*.build.csdef
-
-# Windows Store app package directory
-AppPackages/
-
-# Others
-sql/
-*.Cache
-ClientBin/
-[Ss]tyle[Cc]op.*
-~$*
-*~
-*.dbmdl
-*.[Pp]ublish.xml
-*.pfx
-*.publishsettings
-
-# RIA/Silverlight projects
-Generated_Code/
-
-# Backup & report files from converting an old project file to a newer
-# Visual Studio version. Backup files are not needed, because we have git ;-)
-_UpgradeReport_Files/
-Backup*/
-UpgradeLog*.XML
-UpgradeLog*.htm
-
-# SQL Server files
-App_Data/*.mdf
-App_Data/*.ldf
-
-#############
-## Windows detritus
-#############
-
-# Windows image file caches
-Thumbs.db
-ehthumbs.db
-
-# Folder config file
-Desktop.ini
-
-# Recycle Bin used on file shares
-$RECYCLE.BIN/
-
-# Mac crap
-.DS_Store
-
-
-#############
-## Python
-#############
-
-*.py[cod]
-
-# Packages
-*.egg
-*.egg-info
-dist/
-build/
-eggs/
-parts/
-var/
-sdist/
-develop-eggs/
-.installed.cfg
-
-# Installer logs
-pip-log.txt
-
-# Unit test / coverage reports
-.coverage
-.tox
-
-#Translations
-*.mo
-
-#Mr Developer
-.mr.developer.cfg
-
-##################
-# Win32-OpenSSH
-##################
-
-*.o
-*.dll
-*.exe
-*.out
-*.a
-#Makefile
-config.status
-openssh.xml
-opensshd.init
-survey.sh
-buildpkg.sh
-config.h.in
-
-
-config.h
-ssh_host_rsa_key.pub
-ssh_host_rsa_key
-ssh_host_rsa_key
-ssh_host_rsa_key
-ssh_host_dsa_key
-ssh_host_ecdsa_key.pub
-ssh_host_rsa_key.pub
-id_rsa.pub
-regress/t10.out.pub
-regress/t12.out.pub
-regress/t6.out1
-regress/t8.out.pub
-regress/t9.out.pub
-regress/t6.out1
-regress/t10.out.pub
-regress/t10.out.pub
-regress/t6.out1
-Makefile
-openbsd-compat/Makefile
-openbsd-compat/regress/Makefile
-contrib/win32/win32compat/Makefile
--- a/105
+++ b/105
@ -1,105 +0,0 @@
-Tatu Ylonen <ylo@cs.hut.fi> - Creator of SSH
-
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos,
-Theo de Raadt, and Dug Song - Creators of OpenSSH
-
-Ahsan Rashid <arms@sco.com> - UnixWare long passwords
-Alain St-Denis <Alain.St-Denis@ec.gc.ca> - Irix fix
-Alexandre Oliva <oliva@lsd.ic.unicamp.br> - AIX fixes
-Andre Lucas <andre@ae-35.com> - new login code, many fixes
-Andreas Steinmetz <ast@domdv.de> - Shadow password expiry support
-Andrew McGill <andrewm@datrix.co.za> - SCO fixes
-Andrew Morgan <morgan@transmeta.com> - PAM bugfixes
-Andrew Stribblehill <a.d.stribblehill@durham.ac.uk> - Bugfixes
-Andy Sloane <andy@guildsoftware.com> - bugfixes
-Aran Cox <acox@cv.telegroup.com> - SCO bugfixes
-Arkadiusz Miskiewicz <misiek@pld.org.pl> - IPv6 compat fixes
-Ben Lindstrom <mouring@eviladmin.org> - NeXT support
-Ben Taylor <bent@clark.net> - Solaris debugging and fixes
-Bratislav ILICH <bilic@zepter.ru> - Configure fix
-Charles Levert <charles@comm.polymtl.ca> - SunOS 4 & bug fixes
-Chip Salzenberg <chip@valinux.com> - Assorted patches
-Chris Adams <cmadams@hiwaay.net> - OSF SIA support
-Chris Saia <csaia@wtower.com> - SuSE packaging
-Chris, the Young One <cky@pobox.com> - Password auth fixes
-Christos Zoulas <christos@zoulas.com> - Autoconf fixes
-Chun-Chung Chen <cjj@u.washington.edu> - RPM fixes
-Corinna Vinschen <vinschen@redhat.com> - Cygwin support
-Chad Mynhier <mynhier@interstel.net> - Solaris Process Contract support
-Dan Brosemer <odin@linuxfreak.com> - Autoconf support, build fixes
-Darren Hall <dhall@virage.org> - AIX patches
-Darren Tucker <dtucker@zip.com.au> - AIX BFF package scripts
-David Agraz <dagraz@jahoopa.com> - Build fixes
-David Del Piero <David.DelPiero@qed.qld.gov.au> - bug fixes
-David Hesprich <darkgrue@gue-tech.org> - Configure fixes
-David Rankin <drankin@bohemians.lexington.ky.us> - libwrap, AIX, NetBSD fixes
-Dag-Erling Smørgrav <des at freebsd.org> - Challenge-Response PAM code.
-Dhiraj Gulati <dgulati@sco.com> - UnixWare long passwords
-Ed Eden <ede370@stl.rural.usda.gov> - configure fixes
-Garrick James <garrick@james.net> - configure fixes
-Gary E. Miller <gem@rellim.com> - SCO support
-Ged Lodder <lodder@yacc.com.au> - HPUX fixes and enhancements
-Gert Doering <gd@hilb1.medat.de> - bug and portability fixes
-HARUYAMA Seigo <haruyama@unixuser.org> - Translations & doc fixes
-Hideaki YOSHIFUJI <yoshfuji@ecei.tohoku.ac.jp> - IPv6 and bug fixes
-Hiroshi Takekawa <takekawa@sr3.t.u-tokyo.ac.jp> - Configure fixes
-Holger Trapp <Holger.Trapp@Informatik.TU-Chemnitz.DE> - KRB4/AFS config patch
-IWAMURO Motonori <iwa@mmp.fujitsu.co.jp> - bugfixes
-Jani Hakala <jahakala@cc.jyu.fi> - Patches
-Jarno Huuskonen <jhuuskon@hytti.uku.fi> - Bugfixes
-Jim Knoble <jmknoble@pobox.com> - Many patches
-Jonchen (email unknown) - the original author of PAM support of SSH
-Juergen Keil <jk@tools.de> - scp bugfixing
-KAMAHARA Junzo <kamahara@cc.kshosen.ac.jp> - Configure fixes
-Kees Cook <cook@cpoint.net> - scp fixes
-Kenji Miyake <kenji@miyake.org> - Configure fixes
-Kevin Cawlfield <cawlfiel@us.ibm.com> - AIX fixes.
-Kevin O'Connor <kevin_oconnor@standardandpoors.com> - RSAless operation
-Kevin Steves <stevesk@pobox.com> - HP support, bugfixes, improvements
-Kiyokazu SUTO <suto@ks-and-ks.ne.jp> - Bugfixes
-Larry Jones <larry.jones@sdrc.com> - Bugfixes
-Lutz Jaenicke <Lutz.Jaenicke@aet.TU-Cottbus.DE> - Bugfixes
-Marc G. Fournier <marc.fournier@acadiau.ca> - Solaris patches
-Mark D. Baushke <mdb@juniper.net> - bug fixes
-Martin Johansson <fatbob@acc.umu.se> - Linux fixes
-Mark D. Roth <roth+openssh@feep.net> - Features, bug fixes
-Mark Miller <markm@swoon.net> - Bugfixes
-Matt Richards <v2matt@btv.ibm.com> - AIX patches
-Michael Steffens <michael_steffens at hp.com> - HP-UX fixes
-Michael Stone <mstone@cs.loyola.edu> - Irix enhancements
-Nakaji Hiroyuki <nakaji@tutrp.tut.ac.jp> - Sony News-OS patch
-Nalin Dahyabhai <nalin.dahyabhai@pobox.com> - PAM environment patch
-Nate Itkin <nitkin@europa.com> - SunOS 4.1.x fixes
-Niels Kristian Bech Jensen <nkbj@image.dk> - Assorted patches
-Pavel Kankovsky <peak@argo.troja.mff.cuni.cz> - Security fixes
-Pavel Troller <patrol@omni.sinus.cz> - Bugfixes
-Pekka Savola <pekkas@netcore.fi> - Bugfixes
-Peter Kocks <peter.kocks@baygate.com> - Makefile fixes
-Peter Stuge <stuge@cdy.org> - mdoc2man.awk script
-Phil Hands <phil@hands.com> - Debian scripts, assorted patches
-Phil Karn <karn@ka9q.ampr.org> - Autoconf fixes
-Philippe WILLEM <Philippe.WILLEM@urssaf.fr> - Bugfixes
-Phill Camp <P.S.S.Camp@ukc.ac.uk> - login code fix
-Rip Loomis <loomisg@cist.saic.com> - Solaris package support, fixes
-Robert Dahlem <Robert.Dahlem at siemens.com> - Reliant Unix fixes
-Roumen Petrov <openssh@roumenpetrov.info> - Compile & configure fixes
-SAKAI Kiyotaka <ksakai@kso.netwk.ntt-at.co.jp> - Multiple bugfixes
-Simon Wilkinson <sxw@dcs.ed.ac.uk> - PAM fixes, Compat with MIT KrbV
-Solar Designer <solar@openwall.com> - many patches and technical assistance
-Svante Signell <svante.signell@telia.com> - Bugfixes
-Thomas Neumann <tom@smart.ruhr.de> - Shadow passwords
-Tim Rice <tim@multitalents.net> - Portability & SCO fixes
-Tobias Oetiker <oetiker@ee.ethz.ch> - Bugfixes
-Tom Bertelson's <tbert@abac.com> - AIX auth fixes
-Tor-Ake Fransson <torake@hotmail.com> - AIX support
-Tudor Bosman <tudorb@jm.nu> - MD5 password support
-Udo Schweigert <ust@cert.siemens.de> - ReliantUNIX support
-Wendy Palm <wendyp at cray.com> - Cray support.
-Zack Weinberg <zack@wolery.cumb.org> - GNOME askpass enhancement
-
-Apologies to anyone I have missed.
-
-Damien Miller <djm@mindrot.org>
-
-$Id: CREDITS,v 1.81 2006/08/30 17:24:41 djm Exp $
-
--- a/1723
+++ b/1723
--- a/262
+++ b/262
@ -1,262 +0,0 @@
-1. Prerequisites
----------------
-
-You will need working installations of Zlib and libcrypto (LibreSSL /
-OpenSSL)
-
-Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
-http://www.gzip.org/zlib/
-
-libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
-LibreSSL http://www.libressl.org/ ; or
-OpenSSL http://www.openssl.org/
-
-LibreSSL/OpenSSL should be compiled as a position-independent library
-(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
-If you must use a non-position-independent libcrypto, then you may need
-to configure OpenSSH --without-pie.
-
-The remaining items are optional.
-
-NB. If you operating system supports /dev/random, you should configure
-libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
-direct support of /dev/random, or failing that, either prngd or egd
-
-PRNGD:
-
-If your system lacks kernel-based random collection, the use of Lutz
-Jaenicke's PRNGd is recommended.
-
-http://prngd.sourceforge.net/
-
-EGD:
-
-If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
-supported only if libcrypto supports it.
-
-http://egd.sourceforge.net/
-
-PAM:
-
-OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
-system supports it. PAM is standard most Linux distributions, Solaris,
-HP-UX 11, AIX >= 5.2, FreeBSD and NetBSD.
-
-Information about the various PAM implementations are available:
-
-Solaris PAM:	http://www.sun.com/software/solaris/pam/
-Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
-OpenPAM:	http://www.openpam.org/
-
-If you wish to build the GNOME passphrase requester, you will need the GNOME
-libraries and headers.
-
-GNOME:
-http://www.gnome.org/
-
-Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
-passphrase requester. This is maintained separately at:
-
-http://www.jmknoble.net/software/x11-ssh-askpass/
-
-S/Key Libraries:
-
-If you wish to use --with-skey then you will need the library below
-installed.  No other S/Key library is currently known to be supported.
-
-http://www.sparc.spb.su/solaris/skey/
-
-LibEdit:
-
-sftp supports command-line editing via NetBSD's libedit.  If your platform
-has it available natively you can use that, alternatively you might try
-these multi-platform ports:
-
-http://www.thrysoee.dk/editline/
-http://sourceforge.net/projects/libedit/
-
-LDNS:
-
-LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
-
-http://nlnetlabs.nl/projects/ldns/
-
-Autoconf:
-
-If you modify configure.ac or configure doesn't exist (eg if you checked
-the code out of CVS yourself) then you will need autoconf-2.68 to rebuild
-the automatically generated files by running "autoreconf".  Earlier
-versions may also work but this is not guaranteed.
-
-http://www.gnu.org/software/autoconf/
-
-Basic Security Module (BSM):
-
-Native BSM support is know to exist in Solaris from at least 2.5.1,
-FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
-implementation (http://www.openbsm.org).
-
-
-2. Building / Installation
--------------------------
-
-To install OpenSSH with default options:
-
-./configure
-make
-make install
-
-This will install the OpenSSH binaries in /usr/local/bin, configuration files
-in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
-installation prefix, use the --prefix option to configure:
-
-./configure --prefix=/opt
-make
-make install
-
-Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
-specific paths, for example:
-
-./configure --prefix=/opt --sysconfdir=/etc/ssh
-make
-make install
-
-This will install the binaries in /opt/{bin,lib,sbin}, but will place the
-configuration files in /etc/ssh.
-
-If you are using Privilege Separation (which is enabled by default)
-then you will also need to create the user, group and directory used by
-sshd for privilege separation.  See README.privsep for details.
-
-If you are using PAM, you may need to manually install a PAM control
-file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
-them).  Note that the service name used to start PAM is __progname,
-which is the basename of the path of your sshd (e.g., the service name
-for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
-executable, your PAM configuration may need to be modified.
-
-A generic PAM configuration is included as "contrib/sshd.pam.generic",
-you may need to edit it before using it on your system. If you are
-using a recent version of Red Hat Linux, the config file in
-contrib/redhat/sshd.pam should be more useful.  Failure to install a
-valid PAM file may result in an inability to use password
-authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
-configuration will work with sshd (sshd will match the other service
-name).
-
-There are a few other options to the configure script:
-
--with-audit=[module] enable additional auditing via the specified module.
-Currently, drivers for "debug" (additional info via syslog) and "bsm"
-(Sun's Basic Security Module) are supported.
-
--with-pam enables PAM support. If PAM support is compiled in, it must
-also be enabled in sshd_config (refer to the UsePAM directive).
-
--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
-support and to specify a PRNGd socket. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
-
--with-prngd-port=portnum allows you to enable EGD or PRNGD support
-and to specify a EGD localhost TCP port. Use this if your Unix lacks
-/dev/random and you don't want to use OpenSSH's builtin entropy
-collection support.
-
--with-lastlog=FILE will specify the location of the lastlog file.
-./configure searches a few locations for lastlog, but may not find
-it if lastlog is installed in a different place.
-
--without-lastlog will disable lastlog support entirely.
-
--with-osfsia, --without-osfsia will enable or disable OSF1's Security
-Integration Architecture.  The default for OSF1 machines is enable.
-
--with-skey=PATH will enable S/Key one time password support. You will
-need the S/Key libraries and header files installed for this to work.
-
--with-md5-passwords will enable the use of MD5 passwords. Enable this
-if your operating system uses MD5 passwords and the system crypt() does
-not support them directly (see the crypt(3/3c) man page). If enabled, the
-resulting binary will support both MD5 and traditional crypt passwords.
-
--with-utmpx enables utmpx support. utmpx support is automatic for
-some platforms.
-
--without-shadow disables shadow password support.
-
--with-ipaddr-display forces the use of a numeric IP address in the
-$DISPLAY environment variable. Some broken systems need this.
-
--with-default-path=PATH allows you to specify a default $PATH for sessions
-started by sshd. This replaces the standard path entirely.
-
--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
-created.
-
--with-xauth=PATH specifies the location of the xauth binary
-
--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
-libraries
-are installed.
-
--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
-
--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
-real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
-
-If you need to pass special options to the compiler or linker, you
-can specify these as environment variables before running ./configure.
-For example:
-
-CFLAGS="-O -m486" LDFLAGS="-s" LIBS="-lrubbish" LD="/usr/foo/ld" ./configure
-
-3. Configuration
----------------
-
-The runtime configuration files are installed by in ${prefix}/etc or
-whatever you specified as your --sysconfdir (/usr/local/etc by default).
-
-The default configuration should be instantly usable, though you should
-review it to ensure that it matches your security requirements.
-
-To generate a host key, run "make host-key". Alternately you can do so
-manually using the following commands:
-
-    ssh-keygen -t rsa1 -f /etc/ssh/ssh_host_key -N ""
-    ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key -N ""
-    ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key -N ""
-
-Replacing /etc/ssh with the correct path to the configuration directory.
-(${prefix}/etc or whatever you specified with --sysconfdir during
-configuration)
-
-If you have configured OpenSSH with EGD support, ensure that EGD is
-running and has collected some Entropy.
-
-For more information on configuration, please refer to the manual pages
-for sshd, ssh and ssh-agent.
-
-4. (Optional) Send survey
-------------------------
-
-$ make survey
-[check the contents of the file "survey" to ensure there's no information
-that you consider sensitive]
-$ make send-survey
-
-This will send configuration information for the currently configured
-host to a survey address.  This will help determine which configurations
-are actually in use, and what valid combinations of configure options
-exist.  The raw data is available only to the OpenSSH developers, however
-summary data may be published.
-
-5. Problems?
------------
-
-If you experience problems compiling, installing or running OpenSSH.
-Please refer to the "reporting bugs" section of the webpage at
-http://www.openssh.com/
-
-
-$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
--- a/INSTALL.win32
+++ b/INSTALL.win32
@ -1,227 +0,0 @@
-STEP 1: Prepare the Cygwin environment
-======================================
-
-1. Download the Cygwin installer from  www.cygwin.com
-
-2. Launch the Cygwin installer, and ensure that packages listed below are selected as  'install':
-
-   devel/mingw-*
-   devel/mingw64-*
-   perl/*
-   devel/make: GNU Tool
-   devel/autoconf
-   devel/autoconf-2.69-2
-   
-   See REFERENCE VERSIONS below for the detailed list of packages used for reference build.
-
-   
-
-STEP 2: Compile
-===============
-
-Build with Cygwin 32-bit
------------------------
-
-1. Ensure that are you using correct mingw32 toolchain. You must have administrative rights.
-   
-   To do that, create symbolic links:
-
-   /bin/i686-pc-mingw32-* |-> /bin/*
-   
-   or run the <openssh_dir>/scripts/set-mingw32.sh script  from the Cygwin /bin directory
-  
-
-2. Prepare the 32-bit libssl.a and libcrypto.a libraries and the openssl headers.
-
-   These libraries are used by 32-bit openssh and 32-bit ssh-lsa.
-
-   - Download OpenSSL sources from http://www.openssl.org/source/.
-
-     Version used as reference build is openssl-1.0.1e.
-
-   - Compile sources by running:
-
-     $./Configure mingw
-     $make
-     
-
-3. Prepare 32-bit libz.a and zlib.dll.
-     
-   - Download ZLIB sources from http://www.zlib.net
-
-     Version used as reference build is 1.2.8.
-     
-   - Compile sources by running:
-   
-     make -f win32/Makefile.gcc
-     
-
-4. Build 32-bit OpenSSH:
-
-Run the following commands under a Cygwin shell in the openssh directory:
-      
-     $autoreconf
-
-     $./configure --build=i686-pc-mingw32 
-                  --host=i686-pc-mingw32 
-                  --with-ssl-dir=<OPENSSL_DIR> 
-                  --with-zlib=<ZLIB_DIR>
-                  --with-kerberos5
-                  
-where <OPENSSL_DIR> is a directory where openssl sources are extracted and <ZLIB_DIR> is a directory where zlib sources are extracted
-
-
-     
-     $cat config.h.tail >> config.h   
- 
-
- 
-
-Build one of SSH family tool:
-
-Run:
-    
-      $make <program>
-      
-       where <program> is any of the OpenSSH tools ported to Win32.
-   
-
-       sftp.exe          available starting from openssh-5.9p1-win32
-       ssh-agent.exe     available starting from openssh-4.7p1-win32
-       ssh-add.exe       available starting from openssh-4.7p1-win32
-       ssh-keygen.exe    available starting from openssh-4.7p1-win32
-       sftp-server.exe   available starting from openssh-4.7p1-win32
-       ssh.exe
-       sshd.exe
-
-4. Build 32-bit ssh-lsa for native RSA/DSA key authorization
-
-Move to <openssh_directory>contribwin32win32compatlsa directory and run:
-
-    $export LIBSSL_PATH="/home/nars/openssl-1.0.1e"
-    
-    $make -f Makefile.mingw32
-           
-  - This command should produce the 32-bit ssh-lsa.dll file.
-
- 
-Build with Cygwin 64-bit
------------------------
-
-1. Build 32-bit openssl, zlib and openssh following 1-4 steps from  32-bit instruction.  OpenSSH tools are always 32-bit.
-   
-2. Ensure that you are using correct mingw64 toolchain. You must have administrative rights.
-   
-   To do that you must create symbolic links:
-
-   /bin/x86_64-w64-mingw32-* |-> /bin/*
-   
-   or run <openssh_dir>/scripts/set-mingw64.sh from the Cygwin /bin directory.
-   
-
-3. Prepare the 64-bit libssl.a and libcrypto.a libraries and the openssl headers. These libraries are used by 64-bit ssh-lsa.
-
-   - Move clean OpenSSL sources into another directory, e.g. openssl-64.
-
-   - Compile sources by running:
-
-     $./Configure mingw64
-     $make
-
-4. Build 64-bit ssh-lsa for native RSA/DSA key authorization
-
-  - Move to <openssh_directory>contribwin32win32compatlsa directory and run:
-
-    $export LIBSSL_PATH="/home/nars/openssl-1.0.1e"
-
-    $make -f Makefile.mingw32
-    
-  - This command should produce 64-bit ssh-lsa.dll file.
- 
-
-STEP 3 - Install ssh-lsa on system where sshd server is running
-===============================================================
-
- Copy the ssh-lsa.dll to the %WINDIR%/System32 directory.
- 
-
-IMPORTANT NOTE:
-
-If your Windows is at 64-bit, be sure that you use a 64-bit file manager to copy ssh-lsa.dll, otherwise this dll will be not visible on the 64-bit OS.
-
-For example:
-
- Drag and drop file using Windows explorer.
-
-Or:
-
-  Run copy ssh-lsa.dll c:/windows/system32 under a cmd.exe console. 
-
- Then, by using the regedit tool, add 'ssh-lsa' string to the end of the registry key below:
-
-    HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Control/Lsa/Authentication Packages
- 
-
-Reboot the machine.
- 
-
- 
-REFERENCE VERSIONS 
-==================
- 
-CYGWIN PACKAGES
---------------
-
-13-1           Devel/autoconf: Wrapper for autoconf command
-
-2.13-12        Devel/autoconf2.1: Stable version of the automatic configure builder
-
-2.69-2         Devel/autoconf2.5: An extensible package of m4 macros shell scripts
-                                  to automatically configure software code packages
-
-2.23.51-1      Devel/binutils: The GNU assembler, linker and binary utilites
-4.8.2-1        Devel/libgcc1: GCC C runtime library
-4.8.2-1        Devel/libssp0: GCC Stack-smashing Protection runtime library
-4.8.2-1        Devel/libstdc++6: GCC C++ runtime library
-4.0-2          Devel/make: The GNU version of 'make' utility
-2.23.1-1       Devel/mingw-binutils: Bintutils for MinGW.org win32 toolchain (util)
-
-4.7.3-1        Devel/mingw-gcc-core
-4.7.3-1        Devel/mingw-gcc-g++
-4.7.3-1        Devel/mingw-gcc-obj
-               
-20110507-2     Devel/mingw-pthreads: Libpthread for MinGW.org
-
-4.0-1          Devel/mingw-runtime: MinGW.org MSVC & compiler runtime header and libraries
-4.0-1          Devel/mingw-w32api
-
-2.22.52-1      Devel/mingw64-i686-binutils
-4.7.3-1        Devel/mingw64-i686-gcc-core
-4.7.3-1        Devel/mingw64-i686-gcc-g++
-3.0.0-1        Devel/mingw64-i686-headers
-20100619-5     Devel/mingw64-i686-pthreads
-3.0.0-1        Devel/mingw64-i686-runtime
-3.0b_svn5935-1 Devel/mingw64-winpthreads
-
-2.22.52-1      Devel/mingw64-x86_64-binutils
-4.7.3-1        Devel/mingw64-x86_64-gcc
-4.7.3-1        Devel/mingw64-x86_64-core
-4.7.3-1        Devel/mingw64-x86_64-g++
-3.0.0-1        Devel/mingw64-x86_64-headers
-20100619-5     Devel/mingw64-x86_64-pthreads
-3.0.0-1        Devel/mingw64-x86_64-runtime
-3.0b-svn5935-1 Devel/mingw64-x86_64-winpthreads
-
-5.14.2-3       Perl/perl
-
- 
-OpenSSL
-------
-
-openssl-1.0.1e
- 
-
-ZLIB 
----
-
-zlib-1.2.8
--- a/ISSUE_TEMPLATE.md
+++ b/ISSUE_TEMPLATE.md
@ -0,0 +1,22 @@
+**Troubleshooting steps**
+https://github.com/PowerShell/Win32-OpenSSH/wiki/Troubleshooting-Steps
+
+
+**Terminal issue? please go through wiki**
+https://github.com/PowerShell/Win32-OpenSSH/wiki/TTY-PTY-support-in-Windows-OpenSSH
+
+Please answer the following
+
+**"OpenSSH for Windows" version**
+ `((Get-Item (Get-Command sshd).Source).VersionInfo.FileVersion)`
+ 
+**Server OperatingSystem**
+ `((Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows nt\CurrentVersion\" -Name ProductName).ProductName)`
+
+**Client OperatingSystem**
+
+**What is failing**
+
+**Expected output**
+
+**Actual output**
--- a/340
+++ b/340
@ -1,340 +0,0 @@
-This file is part of the OpenSSH software.
-
-The licences which components of this software fall under are as
-follows.  First, we will summarize and say that all components
-are under a BSD licence, or a licence more free than that.
-
-OpenSSH contains no GPL code.
-
-1)
-     * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
-     *                    All rights reserved
-     *
-     * As far as I am concerned, the code I have written for this software
-     * can be used freely for any purpose.  Any derived versions of this
-     * software must be clearly marked as such, and if the derived work is
-     * incompatible with the protocol description in the RFC file, it must be
-     * called by a name other than "ssh" or "Secure Shell".
-
-    [Tatu continues]
-     *  However, I am not implying to give any licenses to any patents or
-     * copyrights held by third parties, and the software includes parts that
-     * are not under my direct control.  As far as I know, all included
-     * source code is used in accordance with the relevant license agreements
-     * and can be used freely for any purpose (the GNU license being the most
-     * restrictive); see below for details.
-
-    [However, none of that term is relevant at this point in time.  All of
-    these restrictively licenced software components which he talks about
-    have been removed from OpenSSH, i.e.,
-
-     - RSA is no longer included, found in the OpenSSL library
-     - IDEA is no longer included, its use is deprecated
-     - DES is now external, in the OpenSSL library
-     - GMP is no longer used, and instead we call BN code from OpenSSL
-     - Zlib is now external, in a library
-     - The make-ssh-known-hosts script is no longer included
-     - TSS has been removed
-     - MD5 is now external, in the OpenSSL library
-     - RC4 support has been replaced with ARC4 support from OpenSSL
-     - Blowfish is now external, in the OpenSSL library
-
-    [The licence continues]
-
-    Note that any information and cryptographic algorithms used in this
-    software are publicly available on the Internet and at any major
-    bookstore, scientific library, and patent office worldwide.  More
-    information can be found e.g. at "http://www.cs.hut.fi/crypto".
-
-    The legal status of this program is some combination of all these
-    permissions and restrictions.  Use only at your own responsibility.
-    You will be responsible for any legal consequences yourself; I am not
-    making any claims whether possessing or using this is legal or not in
-    your country, and I am not taking any responsibility on your behalf.
-
-
-			    NO WARRANTY
-
-    BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
-    FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW.  EXCEPT WHEN
-    OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
-    PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
-    OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
-    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.  THE ENTIRE RISK AS
-    TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.  SHOULD THE
-    PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
-    REPAIR OR CORRECTION.
-
-    IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-    WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
-    REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
-    INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
-    OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
-    TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
-    YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
-    PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
-    POSSIBILITY OF SUCH DAMAGES.
-
-2)
-    The 32-bit CRC compensation attack detector in deattack.c was
-    contributed by CORE SDI S.A. under a BSD-style license.
-
-     * Cryptographic attack detector for ssh - source code
-     *
-     * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina.
-     *
-     * All rights reserved. Redistribution and use in source and binary
-     * forms, with or without modification, are permitted provided that
-     * this copyright notice is retained.
-     *
-     * THIS SOFTWARE IS PROVIDED ``AS IS'' AND ANY EXPRESS OR IMPLIED
-     * WARRANTIES ARE DISCLAIMED. IN NO EVENT SHALL CORE SDI S.A. BE
-     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
-     * CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS
-     * SOFTWARE.
-     *
-     * Ariel Futoransky <futo@core-sdi.com>
-     * <http://www.core-sdi.com>
-
-3)
-    ssh-keyscan was contributed by David Mazieres under a BSD-style
-    license.
-
-     * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
-     *
-     * Modification and redistribution in source and binary forms is
-     * permitted provided that due credit is given to the author and the
-     * OpenBSD project by leaving this copyright notice intact.
-
-4)
-    The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers
-    and Paulo Barreto is in the public domain and distributed
-    with the following license:
-
-     * @version 3.0 (December 2000)
-     *
-     * Optimised ANSI C code for the Rijndael cipher (now AES)
-     *
-     * @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
-     * @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
-     * @author Paulo Barreto <paulo.barreto@terra.com.br>
-     *
-     * This code is hereby placed in the public domain.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE AUTHORS ''AS IS'' AND ANY EXPRESS
-     * OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
-     * WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-     * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHORS OR CONTRIBUTORS BE
-     * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
-     * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
-     * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
-     * BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
-     * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
-     * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
-     * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-5)
-    One component of the ssh source code is under a 3-clause BSD license,
-    held by the University of California, since we pulled these parts from
-    original Berkeley code.
-
-     * Copyright (c) 1983, 1990, 1992, 1993, 1995
-     *      The Regents of the University of California.  All rights reserved.
-     *
-     * Redistribution and use in source and binary forms, with or without
-     * modification, are permitted provided that the following conditions
-     * are met:
-     * 1. Redistributions of source code must retain the above copyright
-     *    notice, this list of conditions and the following disclaimer.
-     * 2. Redistributions in binary form must reproduce the above copyright
-     *    notice, this list of conditions and the following disclaimer in the
-     *    documentation and/or other materials provided with the distribution.
-     * 3. Neither the name of the University nor the names of its contributors
-     *    may be used to endorse or promote products derived from this software
-     *    without specific prior written permission.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-     * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-     * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-     * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-     * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-     * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-     * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-     * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-     * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-     * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-     * SUCH DAMAGE.
-
-6)
-    Remaining components of the software are provided under a standard
-    2-term BSD licence with the following names as copyright holders:
-
-	Markus Friedl
-	Theo de Raadt
-	Niels Provos
-	Dug Song
-	Aaron Campbell
-	Damien Miller
-	Kevin Steves
-	Daniel Kouril
-	Wesley Griffin
-	Per Allansson
-	Nils Nordman
-	Simon Wilkinson
-
-    Portable OpenSSH additionally includes code from the following copyright
-    holders, also under the 2-term BSD license:
-
-	Ben Lindstrom
-	Tim Rice
-	Andre Lucas
-	Chris Adams
-	Corinna Vinschen
-	Cray Inc.
-	Denis Parker
-	Gert Doering
-	Jakob Schlyter
-	Jason Downs
-	Juha Yrjölä
-	Michael Stone
-	Networks Associates Technology, Inc.
-	Solar Designer
-	Todd C. Miller
-	Wayne Schroeder
-	William Jones
-	Darren Tucker
-	Sun Microsystems
-	The SCO Group
-	Daniel Walsh
-	Red Hat, Inc
-	Simon Vallet / Genoscope
-
-     * Redistribution and use in source and binary forms, with or without
-     * modification, are permitted provided that the following conditions
-     * are met:
-     * 1. Redistributions of source code must retain the above copyright
-     *    notice, this list of conditions and the following disclaimer.
-     * 2. Redistributions in binary form must reproduce the above copyright
-     *    notice, this list of conditions and the following disclaimer in the
-     *    documentation and/or other materials provided with the distribution.
-     *
-     * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-     * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-     * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-     * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-     * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-     * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-     * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-     * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-     * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-     * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-
-8) Portable OpenSSH contains the following additional licenses:
-
-    a) md5crypt.c, md5crypt.h
-
-	 * "THE BEER-WARE LICENSE" (Revision 42):
-	 * <phk@login.dknet.dk> wrote this file.  As long as you retain this
-	 * notice you can do whatever you want with this stuff. If we meet
-	 * some day, and you think this stuff is worth it, you can buy me a
-	 * beer in return.   Poul-Henning Kamp
-
-    b) snprintf replacement
-
-	* Copyright Patrick Powell 1995
-	* This code is based on code written by Patrick Powell
-	* (papowell@astart.com) It may be used for any purpose as long as this
-	* notice remains intact on all source code distributions
-
-    c) Compatibility code (openbsd-compat)
-
-       Apart from the previously mentioned licenses, various pieces of code
-       in the openbsd-compat/ subdirectory are licensed as follows:
-
-       Some code is licensed under a 3-term BSD license, to the following
-       copyright holders:
-
-	Todd C. Miller
-	Theo de Raadt
-	Damien Miller
-	Eric P. Allman
-	The Regents of the University of California
-	Constantin S. Svintsoff
-
-	* Redistribution and use in source and binary forms, with or without
-	* modification, are permitted provided that the following conditions
-	* are met:
-	* 1. Redistributions of source code must retain the above copyright
-	*    notice, this list of conditions and the following disclaimer.
-	* 2. Redistributions in binary form must reproduce the above copyright
-	*    notice, this list of conditions and the following disclaimer in the
-	*    documentation and/or other materials provided with the distribution.
-	* 3. Neither the name of the University nor the names of its contributors
-	*    may be used to endorse or promote products derived from this software
-	*    without specific prior written permission.
-	*
-	* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
-	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
-	* ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
-	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
-	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
-	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
-	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
-	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
-	* SUCH DAMAGE.
-
-       Some code is licensed under an ISC-style license, to the following
-       copyright holders:
-
-	Internet Software Consortium.
-	Todd C. Miller
-	Reyk Floeter
-	Chad Mynhier
-
-	* Permission to use, copy, modify, and distribute this software for any
-	* purpose with or without fee is hereby granted, provided that the above
-	* copyright notice and this permission notice appear in all copies.
-	*
-	* THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL
-	* WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES
-	* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL TODD C. MILLER BE LIABLE
-	* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
-	* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
-	* OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
-	* CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-       Some code is licensed under a MIT-style license to the following
-       copyright holders:
-
-	Free Software Foundation, Inc.
-
-	* Permission is hereby granted, free of charge, to any person obtaining a  *
-	* copy of this software and associated documentation files (the            *
-	* "Software"), to deal in the Software without restriction, including      *
-	* without limitation the rights to use, copy, modify, merge, publish,      *
-	* distribute, distribute with modifications, sublicense, and/or sell       *
-	* copies of the Software, and to permit persons to whom the Software is    *
-	* furnished to do so, subject to the following conditions:                 *
-	*                                                                          *
-	* The above copyright notice and this permission notice shall be included  *
-	* in all copies or substantial portions of the Software.                   *
-	*                                                                          *
-	* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS  *
-	* OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF               *
-	* MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT.   *
-	* IN NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,   *
-	* DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR    *
-	* OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR    *
-	* THE USE OR OTHER DEALINGS IN THE SOFTWARE.                               *
-	*                                                                          *
-	* Except as contained in this notice, the name(s) of the above copyright   *
-	* holders shall not be used in advertising or otherwise to promote the     *
-	* sale, use or other dealings in this Software without prior written       *
-	* authorization.                                                           *
-	****************************************************************************/
-
-
------
-$OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $
--- a/616
+++ b/616
@ -1,616 +0,0 @@
-# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $
-
-# uncomment if you run a non bourne compatable shell. Ie. csh
-#SHELL = /usr/bin/sh
-
-AUTORECONF=autoreconf
-
-prefix=/usr/local
-exec_prefix=${prefix}
-bindir=${exec_prefix}/bin
-sbindir=${exec_prefix}/sbin
-libexecdir=${exec_prefix}/libexec
-datadir=${datarootdir}
-datarootdir=${prefix}/share
-mandir=${datarootdir}/man
-mansubdir=man
-sysconfdir=${prefix}/etc
-piddir=/var/run
-srcdir=.
-top_srcdir=.
-
-DESTDIR=
-
-SSH_PROGRAM=${exec_prefix}/bin/ssh
-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
-SFTP_SERVER=$(libexecdir)/sftp-server
-SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
-PRIVSEP_PATH=/var/empty
-SSH_PRIVSEP_USER=sshd
-STRIP_OPT=-s
-TEST_SHELL=sh
-
-PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-	-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-	-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-	-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
-	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
-	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
-
-CC=i686-pc-mingw32-gcc
-LD=i686-pc-mingw32-gcc
-CFLAGS=-g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -fno-builtin-memset -fstack-protector-all -I/cygdrive/c/openssh/Win32-OpenSSH/contrib/win32/win32compat/includes -I/cygdrive/c/openssh/Win32-OpenSSH/openbsd-compat -I/cygdrive/c/openssh/Win32-OpenSSH/contrib/win32/win32compat/includes -I/cygdrive/c/openssh/Win32-OpenSSH/libkrb -I/usr/local 
-CPPFLAGS=-I. -I$(srcdir) -I/cygdrive/c/openssh/openssl-1.0.2d/include -I/cygdrive/c/openssh/zlib-1.2.8  $(PATHS) -DHAVE_CONFIG_H
-LIBS=-lcrypto -lz  -lws2_32 -lgdi32 -lNetAPI32 -luserenv -lsecur32 -lshlwapi 
-K5LIBS=@K5LIBS@
-GSSLIBS=@GSSLIBS@
-SSHLIBS=
-SSHDLIBS=
-LIBEDIT=
-AR=/usr/bin/ar
-AWK=gawk
-RANLIB=i686-pc-mingw32-ranlib
-INSTALL=/usr/bin/install -c
-PERL=/usr/bin/perl
-SED=/usr/bin/sed
-ENT=
-XAUTH_PATH=undefined
-LDFLAGS=-L. -Lopenbsd-compat/ -Lcontrib/win32/win32compat -L/cygdrive/c/openssh/openssl-1.0.2d -L/cygdrive/c/openssh/zlib-1.2.8  -fstack-protector-all
-EXEEXT=.exe
-MANFMT=/usr/bin/nroff -mandoc
-
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-
-LIBOPENSSH_OBJS=\
-	ssh_api.o \
-	ssherr.o \
-	sshbuf.o \
-	sshkey.o \
-	sshbuf-getput-basic.o \
-	sshbuf-misc.o \
-	sshbuf-getput-crypto.o \
-	krl.o \
-	bitmap.o
-
-LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-	authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
-	canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
-	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
-	compat.o crc32.o deattack.o fatal.o hostfile.o \
-	log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
-	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
-	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
-	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
-	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-	ssh-pkcs11.o smult_curve25519_ref.o \
-	poly1305.o chacha.o cipher-chachapoly.o \
-	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
-	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
-	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
-	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-	kerberos-sspi.o schnorr.o jpake.o
-
-SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-	roaming_common.o roaming_client.o
-
-SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	audit.o audit-bsm.o audit-linux.o platform.o \
-	sshpty.o sshlogin.o servconf.o serverloop.o \
-	auth.o auth1.o auth2.o auth-options.o session.o \
-	auth-chall.o auth2-chall.o groupaccess.o \
-	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
-	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
-	auth2-gss.o gss-serv.o gss-serv-krb5.o \
-	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	sftp-server.o sftp-common.o \
-	roaming_common.o roaming_serv.o \
-	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o \
-	pam.o kexdhs.o kexgexs.o kexecdhs.o 
-
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-MANTYPE		= doc
-
-CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-CONFIGFILES_IN=sshd_config ssh_config moduli
-
-PATHSUBS	= \
-	-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-	-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-	-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-	-e 's|/usr/libexec|$(libexecdir)|g' \
-	-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
-	-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
-	-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
-	-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-	-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
-	-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
-	-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
-	-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
-	-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
-	-e 's|/usr/bin:/bin:/usr/sbin:/sbin|/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin|g'
-
-FIXPATHSCMD	= $(SED) $(PATHSUBS)
-FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
-		     @UNSUPPORTED_ALGORITHMS@
-
-all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
-
-$(LIBSSH_OBJS): Makefile.in config.h
-$(SSHOBJS): Makefile.in config.h
-$(SSHDOBJS): Makefile.in config.h
-
-.c.o:
-	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
-
-LIBWIN32COMPAT=contrib/win32/win32compat/libwin32compat.a
-$(LIBWIN32COMPAT): always
-	(cd contrib/win32/win32compat && $(MAKE))
-
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-$(LIBCOMPAT): always
-	(cd openbsd-compat && $(MAKE))
-always:
-
-libssh.a: $(LIBSSH_OBJS)
-	$(AR) rv $@ $(LIBSSH_OBJS)
-	$(RANLIB) $@
-
-ssh$(EXEEXT): $(LIBCOMPAT) libssh.a contrib/win32/win32compat/libwin32compat.a $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) ./libssh.a -lopenbsd-compat $(SSHLIBS) -lwin32compat $(LIBS)
-
-sshd$(EXEEXT): libssh.a contrib/win32/win32compat/libwin32compat.a $(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(SSHDLIBS) $(LIBS)
-
-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ ssh-add.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lopenbsd-compat -lwin32compat $(LIBS)
-
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS) $(LIBEDIT)
-
-# test driver for the loginrec code - not built by default
-logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o contrib/win32/win32compat/libwin32compat.a
-	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat ./libssh.a -lwin32compat $(LIBS)
-
-$(MANPAGES): $(MANPAGES_IN)
-	if test "$(MANTYPE)" = "cat"; then \
-		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
-	else \
-		manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
-	fi; \
-	if test "$(MANTYPE)" = "man"; then \
-		$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
-		    $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
-	else \
-		$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
-	fi
-
-$(CONFIGFILES): $(CONFIGFILES_IN)
-	conffile=`echo $@ | sed 's/.out$$//'`; \
-	$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
-
-# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
-moduli:
-	echo
-
-# special case target for umac128
-umac128.o:	umac.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
-	    -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
-	    -Dumac_update=umac128_update -Dumac_final=umac128_final \
-	    -Dumac_delete=umac128_delete
-
-clean:	regressclean
-	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-	rm -f *.out core survey
-	rm -f regress/unittests/test_helper/*.a
-	rm -f regress/unittests/test_helper/*.o
-	rm -f regress/unittests/sshbuf/*.o
-	rm -f regress/unittests/sshbuf/test_sshbuf
-	rm -f regress/unittests/sshkey/*.o
-	rm -f regress/unittests/sshkey/test_sshkey
-	rm -f regress/unittests/bitmap/*.o
-	rm -f regress/unittests/bitmap/test_bitmap
-	rm -f regress/unittests/hostkeys/*.o
-	rm -f regress/unittests/hostkeys/test_hostkeys
-	rm -f regress/unittests/kex/*.o
-	rm -f regress/unittests/kex/test_kex
-	(cd openbsd-compat && $(MAKE) clean)
-	if test -f contrib/win32/win32compat/Makefile ; then \
-		(cd contrib/win32/win32compat && $(MAKE) clean) \
-	fi
-
-distclean:	regressclean
-	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-	rm -f *.out core opensshd.init openssh.xml
-	rm -f Makefile buildpkg.sh config.h config.status
-	rm -f survey.sh openbsd-compat/regress/Makefile *~ 
-	rm -rf autom4te.cache
-	rm -f regress/unittests/test_helper/*.a
-	rm -f regress/unittests/test_helper/*.o
-	rm -f regress/unittests/sshbuf/*.o
-	rm -f regress/unittests/sshbuf/test_sshbuf
-	rm -f regress/unittests/sshkey/*.o
-	rm -f regress/unittests/sshkey/test_sshkey
-	rm -f regress/unittests/bitmap/*.o
-	rm -f regress/unittests/bitmap/test_bitmap
-	rm -f regress/unittests/hostkeys/*.o
-	rm -f regress/unittests/hostkeys/test_hostkeys
-	rm -f regress/unittests/kex/*.o
-	rm -f regress/unittests/kex/test_kex
-	(cd openbsd-compat && $(MAKE) distclean)
-	if test -f contrib/win32/win32compat/Makefile ; then \
-		(cd contrib/win32/win32compat && $(MAKE) distclean) \
-	fi
-	if test -d pkg ; then \
-		rm -fr pkg ; \
-	fi
-
-veryclean: distclean
-	rm -f configure config.h.in *.0
-
-cleandir: veryclean
-
-mrproper: veryclean
-
-realclean: veryclean
-
-catman-do:
-	@for f in $(MANPAGES_IN) ; do \
-		base=`echo $$f | sed 's/\..*$$//'` ; \
-		echo "$$f -> $$base.0" ; \
-		$(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \
-			>$$base.0 ; \
-	done
-
-distprep: catman-do
-	$(AUTORECONF)
-	-rm -rf autom4te.cache
-
-install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
-
-check-config:
-	-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
-
-install-files:
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
-	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
-	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
-	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
-	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-	ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-install-sysconf:
-	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
-		$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
-		$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
-		$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
-		if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
-			echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
-			mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
-		else \
-			$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
-		fi ; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
-	fi
-
-host-key: ssh-keygen$(EXEEXT)
-	@if [ -z "$(DESTDIR)" ] ; then \
-		if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
-			echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
-		fi ; \
-		if [ -z "" ] ; then \
-		    if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
-		    else \
-			./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
-		    fi ; \
-		fi ; \
-	fi ;
-
-host-key-force: ssh-keygen$(EXEEXT)
-	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
-	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
-	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
-	./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
-	test -z "" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
-
-uninstallall:	uninstall
-	-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
-	-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
-	-rmdir $(DESTDIR)$(sysconfdir)
-	-rmdir $(DESTDIR)$(bindir)
-	-rmdir $(DESTDIR)$(sbindir)
-	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
-	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
-	-rmdir $(DESTDIR)$(mandir)
-	-rmdir $(DESTDIR)$(libexecdir)
-
-uninstall:
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-regress-prep:
-	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
-	[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
-	[ -d `pwd`/regress/unittests/test_helper ] || \
-		mkdir -p `pwd`/regress/unittests/test_helper
-	[ -d `pwd`/regress/unittests/sshbuf ] || \
-		mkdir -p `pwd`/regress/unittests/sshbuf
-	[ -d `pwd`/regress/unittests/sshkey ] || \
-		mkdir -p `pwd`/regress/unittests/sshkey
-	[ -d `pwd`/regress/unittests/bitmap ] || \
-		mkdir -p `pwd`/regress/unittests/bitmap
-	[ -d `pwd`/regress/unittests/hostkeys ] || \
-		mkdir -p `pwd`/regress/unittests/hostkeys
-	[ -d `pwd`/regress/unittests/kex ] || \
-		mkdir -p `pwd`/regress/unittests/kex
-	[ -f `pwd`/regress/Makefile ] || \
-	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
-
-regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_HELPER_OBJS=\
-	regress/unittests/test_helper/test_helper.o \
-	regress/unittests/test_helper/fuzz.o
-
-regress/unittests/test_helper/libtest_helper.a: ${UNITTESTS_TEST_HELPER_OBJS}
-	$(AR) rv $@ $(UNITTESTS_TEST_HELPER_OBJS)
-	$(RANLIB) $@
-
-UNITTESTS_TEST_SSHBUF_OBJS=\
-	regress/unittests/sshbuf/tests.o \
-	regress/unittests/sshbuf/test_sshbuf.o \
-	regress/unittests/sshbuf/test_sshbuf_getput_basic.o \
-	regress/unittests/sshbuf/test_sshbuf_getput_crypto.o \
-	regress/unittests/sshbuf/test_sshbuf_misc.o \
-	regress/unittests/sshbuf/test_sshbuf_fuzz.o \
-	regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o \
-	regress/unittests/sshbuf/test_sshbuf_fixed.o
-
-regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-		./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_SSHKEY_OBJS=\
-	regress/unittests/sshkey/test_fuzz.o \
-	regress/unittests/sshkey/tests.o \
-	regress/unittests/sshkey/common.o \
-	regress/unittests/sshkey/test_file.o \
-	regress/unittests/sshkey/test_sshkey.o
-
-regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_BITMAP_OBJS=\
-	regress/unittests/bitmap/tests.o
-
-regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_BITMAP_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_KEX_OBJS=\
-	regress/unittests/kex/tests.o \
-	regress/unittests/kex/test_kex.o \
-	roaming_dummy.o
-
-regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_KEX_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_HOSTKEYS_OBJS=\
-	regress/unittests/hostkeys/tests.o \
-	regress/unittests/hostkeys/test_iterate.o
-
-regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
-    ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_HOSTKEYS_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-REGRESS_BINARIES=\
-	regress/modpipe$(EXEEXT) \
-	regress/setuid-allowed$(EXEEXT) \
-	regress/netcat$(EXEEXT) \
-	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
-	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
-	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
-	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
-	regress/unittests/kex/test_kex$(EXEEXT)
-
-tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
-	BUILDDIR=`pwd`; \
-	TEST_SSH_SCP="$${BUILDDIR}/scp"; \
-	TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
-	TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
-	TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
-	TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
-	TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
-	TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
-	TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
-	TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
-	TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
-	TEST_SSH_PLINK="plink"; \
-	TEST_SSH_PUTTYGEN="puttygen"; \
-	TEST_SSH_CONCH="conch"; \
-	TEST_SSH_IPV6="no" ; \
-	TEST_SSH_ECC="yes" ; \
-	cd $(srcdir)/regress || exit $$?; \
-	$(MAKE) \
-		.OBJDIR="$${BUILDDIR}/regress" \
-		.CURDIR="`pwd`" \
-		BUILDDIR="$${BUILDDIR}" \
-		OBJ="$${BUILDDIR}/regress/" \
-		PATH="$${BUILDDIR}:$${PATH}" \
-		TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
-		TEST_SSH_SCP="$${TEST_SSH_SCP}" \
-		TEST_SSH_SSH="$${TEST_SSH_SSH}" \
-		TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
-		TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
-		TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
-		TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
-		TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
-		TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
-		TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
-		TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
-		TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
-		TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
-		TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
-		TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
-		TEST_SSH_ECC="$${TEST_SSH_ECC}" \
-		TEST_SHELL="${TEST_SHELL}" \
-		EXEEXT="$(EXEEXT)" \
-		$@ && echo all tests passed
-
-compat-tests: $(LIBCOMPAT)
-	(cd openbsd-compat/regress && $(MAKE))
-
-regressclean:
-	if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
-		(cd regress && $(MAKE) clean) \
-	fi
-
-survey: survey.sh ssh
-	@$(SHELL) ./survey.sh > survey
-	@echo 'The survey results have been placed in the file "survey" in the'
-	@echo 'current directory.  Please review the file then send with'
-	@echo '"make send-survey".'
-
-send-survey:	survey
-	mail portable-survey@mindrot.org <survey
-
-package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
-	if [ "no" = yes ]; then \
-		sh buildpkg.sh; \
-	fi
--- a/Makefile.in
+++ b/Makefile.in
@ -1,616 +0,0 @@
-# $Id: Makefile.in,v 1.325 2011/08/05 20:15:18 djm Exp $
-
-# uncomment if you run a non bourne compatable shell. Ie. csh
-#SHELL = @SH@
-
-AUTORECONF=autoreconf
-
-prefix=@prefix@
-exec_prefix=@exec_prefix@
-bindir=@bindir@
-sbindir=@sbindir@
-libexecdir=@libexecdir@
-datadir=@datadir@
-datarootdir=@datarootdir@
-mandir=@mandir@
-mansubdir=@mansubdir@
-sysconfdir=@sysconfdir@
-piddir=@piddir@
-srcdir=@srcdir@
-top_srcdir=@top_srcdir@
-
-DESTDIR=
-VPATH=@srcdir@
-SSH_PROGRAM=@bindir@/ssh
-ASKPASS_PROGRAM=$(libexecdir)/ssh-askpass
-SFTP_SERVER=$(libexecdir)/sftp-server
-SSH_KEYSIGN=$(libexecdir)/ssh-keysign
-SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
-PRIVSEP_PATH=@PRIVSEP_PATH@
-SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
-STRIP_OPT=@STRIP_OPT@
-TEST_SHELL=@TEST_SHELL@
-
-PATHS= -DSSHDIR=\"$(sysconfdir)\" \
-	-D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
-	-D_PATH_SSH_ASKPASS_DEFAULT=\"$(ASKPASS_PROGRAM)\" \
-	-D_PATH_SFTP_SERVER=\"$(SFTP_SERVER)\" \
-	-D_PATH_SSH_KEY_SIGN=\"$(SSH_KEYSIGN)\" \
-	-D_PATH_SSH_PKCS11_HELPER=\"$(SSH_PKCS11_HELPER)\" \
-	-D_PATH_SSH_PIDDIR=\"$(piddir)\" \
-	-D_PATH_PRIVSEP_CHROOT_DIR=\"$(PRIVSEP_PATH)\"
-
-CC=@CC@
-LD=@LD@
-CFLAGS=@CFLAGS@
-CPPFLAGS=-I. -I$(srcdir) @CPPFLAGS@ $(PATHS) @DEFS@
-LIBS=@LIBS@
-K5LIBS=@K5LIBS@
-GSSLIBS=@GSSLIBS@
-SSHLIBS=@SSHLIBS@
-SSHDLIBS=@SSHDLIBS@
-LIBEDIT=@LIBEDIT@
-AR=@AR@
-AWK=@AWK@
-RANLIB=@RANLIB@
-INSTALL=@INSTALL@
-PERL=@PERL@
-SED=@SED@
-ENT=@ENT@
-XAUTH_PATH=@XAUTH_PATH@
-LDFLAGS=-L. -Lopenbsd-compat/ -Lcontrib/win32/win32compat @LDFLAGS@
-EXEEXT=@EXEEXT@
-MANFMT=@MANFMT@
-
-TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
-
-LIBOPENSSH_OBJS=\
-	ssh_api.o \
-	ssherr.o \
-	sshbuf.o \
-	sshkey.o \
-	sshbuf-getput-basic.o \
-	sshbuf-misc.o \
-	sshbuf-getput-crypto.o \
-	krl.o \
-	bitmap.o
-
-LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
-	authfd.o authfile.o bufaux.o bufbn.o bufec.o buffer.o \
-	canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
-	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
-	compat.o crc32.o deattack.o fatal.o hostfile.o \
-	log.o match.o md-sha256.o moduli.o nchan.o packet.o opacket.o \
-	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
-	atomicio.o key.o dispatch.o mac.o uidswap.o uuencode.o misc.o \
-	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
-	msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-	ssh-pkcs11.o smult_curve25519_ref.o \
-	poly1305.o chacha.o cipher-chachapoly.o \
-	ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
-	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
-	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
-	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
-	kerberos-sspi.o schnorr.o jpake.o
-
-SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-	roaming_common.o roaming_client.o
-
-SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-	audit.o audit-bsm.o audit-linux.o platform.o \
-	sshpty.o sshlogin.o servconf.o serverloop.o \
-	auth.o auth1.o auth2.o auth-options.o session.o \
-	auth-chall.o auth2-chall.o groupaccess.o \
-	auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
-	auth2-none.o auth2-passwd.o auth2-pubkey.o \
-	monitor_mm.o monitor.o monitor_wrap.o auth-krb5.o \
-	auth2-gss.o gss-serv.o gss-serv-krb5.o \
-	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
-	sftp-server.o sftp-common.o \
-	roaming_common.o roaming_serv.o \
-	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o \
-	pam.o kexdhs.o kexgexs.o kexecdhs.o 
-
-MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
-MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
-MANTYPE		= @MANTYPE@
-
-CONFIGFILES=sshd_config.out ssh_config.out moduli.out
-CONFIGFILES_IN=sshd_config ssh_config moduli
-
-PATHSUBS	= \
-	-e 's|/etc/ssh/ssh_config|$(sysconfdir)/ssh_config|g' \
-	-e 's|/etc/ssh/ssh_known_hosts|$(sysconfdir)/ssh_known_hosts|g' \
-	-e 's|/etc/ssh/sshd_config|$(sysconfdir)/sshd_config|g' \
-	-e 's|/usr/libexec|$(libexecdir)|g' \
-	-e 's|/etc/shosts.equiv|$(sysconfdir)/shosts.equiv|g' \
-	-e 's|/etc/ssh/ssh_host_key|$(sysconfdir)/ssh_host_key|g' \
-	-e 's|/etc/ssh/ssh_host_ecdsa_key|$(sysconfdir)/ssh_host_ecdsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_dsa_key|$(sysconfdir)/ssh_host_dsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_rsa_key|$(sysconfdir)/ssh_host_rsa_key|g' \
-	-e 's|/etc/ssh/ssh_host_ed25519_key|$(sysconfdir)/ssh_host_ed25519_key|g' \
-	-e 's|/var/run/sshd.pid|$(piddir)/sshd.pid|g' \
-	-e 's|/etc/moduli|$(sysconfdir)/moduli|g' \
-	-e 's|/etc/ssh/moduli|$(sysconfdir)/moduli|g' \
-	-e 's|/etc/ssh/sshrc|$(sysconfdir)/sshrc|g' \
-	-e 's|/usr/X11R6/bin/xauth|$(XAUTH_PATH)|g' \
-	-e 's|/var/empty|$(PRIVSEP_PATH)|g' \
-	-e 's|/usr/bin:/bin:/usr/sbin:/sbin|@user_path@|g'
-
-FIXPATHSCMD	= $(SED) $(PATHSUBS)
-FIXALGORITHMSCMD= $(SHELL) $(srcdir)/fixalgorithms $(SED) \
-		     @UNSUPPORTED_ALGORITHMS@
-
-all: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
-
-$(LIBSSH_OBJS): Makefile.in config.h
-$(SSHOBJS): Makefile.in config.h
-$(SSHDOBJS): Makefile.in config.h
-
-.c.o:
-	$(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
-
-LIBWIN32COMPAT=contrib/win32/win32compat/@LIBWIN32COMPAT@
-$(LIBWIN32COMPAT): always
-	(cd contrib/win32/win32compat && $(MAKE))
-
-LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
-$(LIBCOMPAT): always
-	(cd openbsd-compat && $(MAKE))
-always:
-
-libssh.a: $(LIBSSH_OBJS)
-	$(AR) rv $@ $(LIBSSH_OBJS)
-	$(RANLIB) $@
-
-ssh$(EXEEXT): $(LIBCOMPAT) libssh.a @LIBWIN32COMPATDEPEND@ $(SSHOBJS)
-	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) ./libssh.a -lopenbsd-compat $(SSHLIBS) @LINKWIN32COMPAT@ $(LIBS)
-
-sshd$(EXEEXT): libssh.a @LIBWIN32COMPATDEPEND@ $(LIBCOMPAT) $(SSHDOBJS)
-	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(SSHDLIBS) $(LIBS)
-
-ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ ssh-add.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) ./libssh.a -lopenbsd-compat -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-sftp$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-client.o sftp-common.o sftp-glob.o progressmeter.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o $(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS) $(LIBEDIT)
-
-# test driver for the loginrec code - not built by default
-logintest: logintest.o $(LIBCOMPAT) libssh.a loginrec.o @LIBWIN32COMPATDEPEND@
-	$(LD) -o $@ logintest.o $(LDFLAGS) loginrec.o -lopenbsd-compat ./libssh.a @LINKWIN32COMPAT@ $(LIBS)
-
-$(MANPAGES): $(MANPAGES_IN)
-	if test "$(MANTYPE)" = "cat"; then \
-		manpage=$(srcdir)/`echo $@ | sed 's/\.[1-9]\.out$$/\.0/'`; \
-	else \
-		manpage=$(srcdir)/`echo $@ | sed 's/\.out$$//'`; \
-	fi; \
-	if test "$(MANTYPE)" = "man"; then \
-		$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) | \
-		    $(AWK) -f $(srcdir)/mdoc2man.awk > $@; \
-	else \
-		$(FIXPATHSCMD) $${manpage} | $(FIXALGORITHMSCMD) > $@; \
-	fi
-
-$(CONFIGFILES): $(CONFIGFILES_IN)
-	conffile=`echo $@ | sed 's/.out$$//'`; \
-	$(FIXPATHSCMD) $(srcdir)/$${conffile} > $@
-
-# fake rule to stop make trying to compile moduli.o into a binary "moduli.o"
-moduli:
-	echo
-
-# special case target for umac128
-umac128.o:	umac.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o umac128.o -c $(srcdir)/umac.c \
-	    -DUMAC_OUTPUT_LEN=16 -Dumac_new=umac128_new \
-	    -Dumac_update=umac128_update -Dumac_final=umac128_final \
-	    -Dumac_delete=umac128_delete
-
-clean:	regressclean
-	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-	rm -f *.out core survey
-	rm -f regress/unittests/test_helper/*.a
-	rm -f regress/unittests/test_helper/*.o
-	rm -f regress/unittests/sshbuf/*.o
-	rm -f regress/unittests/sshbuf/test_sshbuf
-	rm -f regress/unittests/sshkey/*.o
-	rm -f regress/unittests/sshkey/test_sshkey
-	rm -f regress/unittests/bitmap/*.o
-	rm -f regress/unittests/bitmap/test_bitmap
-	rm -f regress/unittests/hostkeys/*.o
-	rm -f regress/unittests/hostkeys/test_hostkeys
-	rm -f regress/unittests/kex/*.o
-	rm -f regress/unittests/kex/test_kex
-	(cd openbsd-compat && $(MAKE) clean)
-	if test -f contrib/win32/win32compat/Makefile ; then \
-		(cd contrib/win32/win32compat && $(MAKE) clean) \
-	fi
-
-distclean:	regressclean
-	rm -f *.o *.a $(TARGETS) logintest config.cache config.log
-	rm -f *.out core opensshd.init openssh.xml
-	rm -f Makefile buildpkg.sh config.h config.status
-	rm -f survey.sh openbsd-compat/regress/Makefile *~ 
-	rm -rf autom4te.cache
-	rm -f regress/unittests/test_helper/*.a
-	rm -f regress/unittests/test_helper/*.o
-	rm -f regress/unittests/sshbuf/*.o
-	rm -f regress/unittests/sshbuf/test_sshbuf
-	rm -f regress/unittests/sshkey/*.o
-	rm -f regress/unittests/sshkey/test_sshkey
-	rm -f regress/unittests/bitmap/*.o
-	rm -f regress/unittests/bitmap/test_bitmap
-	rm -f regress/unittests/hostkeys/*.o
-	rm -f regress/unittests/hostkeys/test_hostkeys
-	rm -f regress/unittests/kex/*.o
-	rm -f regress/unittests/kex/test_kex
-	(cd openbsd-compat && $(MAKE) distclean)
-	if test -f contrib/win32/win32compat/Makefile ; then \
-		(cd contrib/win32/win32compat && $(MAKE) distclean) \
-	fi
-	if test -d pkg ; then \
-		rm -fr pkg ; \
-	fi
-
-veryclean: distclean
-	rm -f configure config.h.in *.0
-
-cleandir: veryclean
-
-mrproper: veryclean
-
-realclean: veryclean
-
-catman-do:
-	@for f in $(MANPAGES_IN) ; do \
-		base=`echo $$f | sed 's/\..*$$//'` ; \
-		echo "$$f -> $$base.0" ; \
-		$(MANFMT) $$f | cat -v | sed -e 's/.\^H//g' \
-			>$$base.0 ; \
-	done
-
-distprep: catman-do
-	$(AUTORECONF)
-	-rm -rf autom4te.cache
-
-install: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf host-key check-config
-install-nokeys: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files install-sysconf
-install-nosysconf: $(CONFIGFILES) $(MANPAGES) $(TARGETS) install-files
-
-check-config:
-	-$(DESTDIR)$(sbindir)/sshd -t -f $(DESTDIR)$(sysconfdir)/sshd_config
-
-install-files:
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(bindir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(sbindir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)1
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)5
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(mandir)/$(mansubdir)8
-	$(srcdir)/mkinstalldirs $(DESTDIR)$(libexecdir)
-	(umask 022 ; $(srcdir)/mkinstalldirs $(DESTDIR)$(PRIVSEP_PATH))
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh$(EXEEXT) $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) scp$(EXEEXT) $(DESTDIR)$(bindir)/scp$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-add$(EXEEXT) $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-agent$(EXEEXT) $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keygen$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-keyscan$(EXEEXT) $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sshd$(EXEEXT) $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-	$(INSTALL) -m 4711 $(STRIP_OPT) ssh-keysign$(EXEEXT) $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) ssh-pkcs11-helper$(EXEEXT) $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-	$(INSTALL) -m 644 scp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-	$(INSTALL) -m 644 ssh-add.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-	$(INSTALL) -m 644 ssh-agent.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-	$(INSTALL) -m 644 ssh-keygen.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-	$(INSTALL) -m 644 ssh-keyscan.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-	$(INSTALL) -m 644 moduli.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/moduli.5
-	$(INSTALL) -m 644 sshd_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/sshd_config.5
-	$(INSTALL) -m 644 ssh_config.5.out $(DESTDIR)$(mandir)/$(mansubdir)5/ssh_config.5
-	$(INSTALL) -m 644 sshd.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-	$(INSTALL) -m 644 sftp.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-	ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-install-sysconf:
-	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
-		$(srcdir)/mkinstalldirs $(DESTDIR)$(sysconfdir); \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/ssh_config ]; then \
-		$(INSTALL) -m 644 ssh_config.out $(DESTDIR)$(sysconfdir)/ssh_config; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/ssh_config already exists, install will not overwrite"; \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/sshd_config ]; then \
-		$(INSTALL) -m 644 sshd_config.out $(DESTDIR)$(sysconfdir)/sshd_config; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/sshd_config already exists, install will not overwrite"; \
-	fi
-	@if [ ! -f $(DESTDIR)$(sysconfdir)/moduli ]; then \
-		if [ -f $(DESTDIR)$(sysconfdir)/primes ]; then \
-			echo "moving $(DESTDIR)$(sysconfdir)/primes to $(DESTDIR)$(sysconfdir)/moduli"; \
-			mv "$(DESTDIR)$(sysconfdir)/primes" "$(DESTDIR)$(sysconfdir)/moduli"; \
-		else \
-			$(INSTALL) -m 644 moduli.out $(DESTDIR)$(sysconfdir)/moduli; \
-		fi ; \
-	else \
-		echo "$(DESTDIR)$(sysconfdir)/moduli already exists, install will not overwrite"; \
-	fi
-
-host-key: ssh-keygen$(EXEEXT)
-	@if [ -z "$(DESTDIR)" ] ; then \
-		if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
-			echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
-		fi ; \
-		if [ -z "@COMMENT_OUT_ECC@" ] ; then \
-		    if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
-		    else \
-			./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
-		    fi ; \
-		fi ; \
-	fi ;
-
-host-key-force: ssh-keygen$(EXEEXT)
-	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
-	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
-	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
-	./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
-	test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
-
-uninstallall:	uninstall
-	-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
-	-rm -f $(DESTDIR)$(sysconfdir)/sshd_config
-	-rmdir $(DESTDIR)$(sysconfdir)
-	-rmdir $(DESTDIR)$(bindir)
-	-rmdir $(DESTDIR)$(sbindir)
-	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)1
-	-rmdir $(DESTDIR)$(mandir)/$(mansubdir)8
-	-rmdir $(DESTDIR)$(mandir)
-	-rmdir $(DESTDIR)$(libexecdir)
-
-uninstall:
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-agent$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-keygen$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/ssh-keyscan$(EXEEXT)
-	-rm -f $(DESTDIR)$(bindir)/sftp$(EXEEXT)
-	-rm -f $(DESTDIR)$(sbindir)/sshd$(EXEEXT)
-	-rm -r $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
-	-rm -f $(DESTDIR)$(SSH_KEYSIGN)$(EXEEXT)
-	-rm -f $(DESTDIR)$(SSH_PKCS11_HELPER)$(EXEEXT)
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/scp.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-add.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-agent.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keygen.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/sftp.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/ssh-keyscan.1
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sshd.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-
-regress-prep:
-	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
-	[ -d `pwd`/regress/unittests ] || mkdir -p `pwd`/regress/unittests
-	[ -d `pwd`/regress/unittests/test_helper ] || \
-		mkdir -p `pwd`/regress/unittests/test_helper
-	[ -d `pwd`/regress/unittests/sshbuf ] || \
-		mkdir -p `pwd`/regress/unittests/sshbuf
-	[ -d `pwd`/regress/unittests/sshkey ] || \
-		mkdir -p `pwd`/regress/unittests/sshkey
-	[ -d `pwd`/regress/unittests/bitmap ] || \
-		mkdir -p `pwd`/regress/unittests/bitmap
-	[ -d `pwd`/regress/unittests/hostkeys ] || \
-		mkdir -p `pwd`/regress/unittests/hostkeys
-	[ -d `pwd`/regress/unittests/kex ] || \
-		mkdir -p `pwd`/regress/unittests/kex
-	[ -f `pwd`/regress/Makefile ] || \
-	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
-
-regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
-	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
-	$(LDFLAGS) ./libssh.a -lopenbsd-compat @LINKWIN32COMPAT@ $(LIBS)
-
-UNITTESTS_TEST_HELPER_OBJS=\
-	regress/unittests/test_helper/test_helper.o \
-	regress/unittests/test_helper/fuzz.o
-
-regress/unittests/test_helper/libtest_helper.a: ${UNITTESTS_TEST_HELPER_OBJS}
-	$(AR) rv $@ $(UNITTESTS_TEST_HELPER_OBJS)
-	$(RANLIB) $@
-
-UNITTESTS_TEST_SSHBUF_OBJS=\
-	regress/unittests/sshbuf/tests.o \
-	regress/unittests/sshbuf/test_sshbuf.o \
-	regress/unittests/sshbuf/test_sshbuf_getput_basic.o \
-	regress/unittests/sshbuf/test_sshbuf_getput_crypto.o \
-	regress/unittests/sshbuf/test_sshbuf_misc.o \
-	regress/unittests/sshbuf/test_sshbuf_fuzz.o \
-	regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o \
-	regress/unittests/sshbuf/test_sshbuf_fixed.o
-
-regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-		./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_SSHKEY_OBJS=\
-	regress/unittests/sshkey/test_fuzz.o \
-	regress/unittests/sshkey/tests.o \
-	regress/unittests/sshkey/common.o \
-	regress/unittests/sshkey/test_file.o \
-	regress/unittests/sshkey/test_sshkey.o
-
-regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_BITMAP_OBJS=\
-	regress/unittests/bitmap/tests.o
-
-regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_BITMAP_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_KEX_OBJS=\
-	regress/unittests/kex/tests.o \
-	regress/unittests/kex/test_kex.o \
-	roaming_dummy.o
-
-regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_KEX_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-UNITTESTS_TEST_HOSTKEYS_OBJS=\
-	regress/unittests/hostkeys/tests.o \
-	regress/unittests/hostkeys/test_iterate.o
-
-regress/unittests/hostkeys/test_hostkeys$(EXEEXT): \
-    ${UNITTESTS_TEST_HOSTKEYS_OBJS} \
-    regress/unittests/test_helper/libtest_helper.a libssh.a
-	$(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_HOSTKEYS_OBJS) \
-	    regress/unittests/test_helper/libtest_helper.a \
-	    ./libssh.a -lopenbsd-compat -lwin32compat $(LIBS)
-
-REGRESS_BINARIES=\
-	regress/modpipe$(EXEEXT) \
-	regress/setuid-allowed$(EXEEXT) \
-	regress/netcat$(EXEEXT) \
-	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
-	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
-	regress/unittests/bitmap/test_bitmap$(EXEEXT) \
-	regress/unittests/hostkeys/test_hostkeys$(EXEEXT) \
-	regress/unittests/kex/test_kex$(EXEEXT)
-
-tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
-	BUILDDIR=`pwd`; \
-	TEST_SSH_SCP="$${BUILDDIR}/scp"; \
-	TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
-	TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
-	TEST_SSH_SSHAGENT="$${BUILDDIR}/ssh-agent"; \
-	TEST_SSH_SSHADD="$${BUILDDIR}/ssh-add"; \
-	TEST_SSH_SSHKEYGEN="$${BUILDDIR}/ssh-keygen"; \
-	TEST_SSH_SSHPKCS11HELPER="$${BUILDDIR}/ssh-pkcs11-helper"; \
-	TEST_SSH_SSHKEYSCAN="$${BUILDDIR}/ssh-keyscan"; \
-	TEST_SSH_SFTP="$${BUILDDIR}/sftp"; \
-	TEST_SSH_SFTPSERVER="$${BUILDDIR}/sftp-server"; \
-	TEST_SSH_PLINK="plink"; \
-	TEST_SSH_PUTTYGEN="puttygen"; \
-	TEST_SSH_CONCH="conch"; \
-	TEST_SSH_IPV6="@TEST_SSH_IPV6@" ; \
-	TEST_SSH_ECC="@TEST_SSH_ECC@" ; \
-	cd $(srcdir)/regress || exit $$?; \
-	$(MAKE) \
-		.OBJDIR="$${BUILDDIR}/regress" \
-		.CURDIR="`pwd`" \
-		BUILDDIR="$${BUILDDIR}" \
-		OBJ="$${BUILDDIR}/regress/" \
-		PATH="$${BUILDDIR}:$${PATH}" \
-		TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
-		TEST_SSH_SCP="$${TEST_SSH_SCP}" \
-		TEST_SSH_SSH="$${TEST_SSH_SSH}" \
-		TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
-		TEST_SSH_SSHAGENT="$${TEST_SSH_SSHAGENT}" \
-		TEST_SSH_SSHADD="$${TEST_SSH_SSHADD}" \
-		TEST_SSH_SSHKEYGEN="$${TEST_SSH_SSHKEYGEN}" \
-		TEST_SSH_SSHPKCS11HELPER="$${TEST_SSH_SSHPKCS11HELPER}" \
-		TEST_SSH_SSHKEYSCAN="$${TEST_SSH_SSHKEYSCAN}" \
-		TEST_SSH_SFTP="$${TEST_SSH_SFTP}" \
-		TEST_SSH_SFTPSERVER="$${TEST_SSH_SFTPSERVER}" \
-		TEST_SSH_PLINK="$${TEST_SSH_PLINK}" \
-		TEST_SSH_PUTTYGEN="$${TEST_SSH_PUTTYGEN}" \
-		TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
-		TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
-		TEST_SSH_ECC="$${TEST_SSH_ECC}" \
-		TEST_SHELL="${TEST_SHELL}" \
-		EXEEXT="$(EXEEXT)" \
-		$@ && echo all tests passed
-
-compat-tests: $(LIBCOMPAT)
-	(cd openbsd-compat/regress && $(MAKE))
-
-regressclean:
-	if [ -f regress/Makefile ] && [ -r regress/Makefile ]; then \
-		(cd regress && $(MAKE) clean) \
-	fi
-
-survey: survey.sh ssh
-	@$(SHELL) ./survey.sh > survey
-	@echo 'The survey results have been placed in the file "survey" in the'
-	@echo 'current directory.  Please review the file then send with'
-	@echo '"make send-survey".'
-
-send-survey:	survey
-	mail portable-survey@mindrot.org <survey
-
-package: $(CONFIGFILES) $(MANPAGES) $(TARGETS)
-	if [ "@MAKE_PACKAGE_SUPPORTED@" = yes ]; then \
-		sh buildpkg.sh; \
-	fi
--- a/168
+++ b/168
@ -1,168 +0,0 @@
-[Note: This file has not been updated for OpenSSH versions after
-OpenSSH-1.2 and should be considered OBSOLETE.  It has been left in
-the distribution because some of its information may still be useful
-to developers.]
-
-This document is intended for those who wish to read the ssh source
-code.  This tries to give an overview of the structure of the code.
-
-Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>
-Updated 17 Nov 1995.
-Updated 19 Oct 1999 for OpenSSH-1.2
-Updated 20 May 2001 note obsolete for > OpenSSH-1.2
-
-The software consists of ssh (client), sshd (server), scp, sdist, and
-the auxiliary programs ssh-keygen, ssh-agent, ssh-add, and
-make-ssh-known-hosts.  The main program for each of these is in a .c
-file with the same name.
-
-There are some subsystems/abstractions that are used by a number of
-these programs.
-
-  Buffer manipulation routines
-
-    - These provide an arbitrary size buffer, where data can be appended.
-      Data can be consumed from either end.  The code is used heavily
-      throughout ssh.  The basic buffer manipulation functions are in
-      buffer.c (header buffer.h), and additional code to manipulate specific
-      data types is in bufaux.c.
-
-  Compression Library
-
-    - Ssh uses the GNU GZIP compression library (ZLIB).
-
-  Encryption/Decryption
-
-    - Ssh contains several encryption algorithms.  These are all
-      accessed through the cipher.h interface.  The interface code is
-      in cipher.c, and the implementations are in libc.
-
-  Multiple Precision Integer Library
-
-    - Uses the SSLeay BIGNUM sublibrary.
-
-  Random Numbers
-
-    - Uses arc4random() and such.
-
-  RSA key generation, encryption, decryption
-
-    - Ssh uses the RSA routines in libssl.
-
-  RSA key files
-
-    - RSA keys are stored in files with a special format.  The code to
-      read/write these files is in authfile.c.  The files are normally
-      encrypted with a passphrase.  The functions to read passphrases
-      are in readpass.c (the same code is used to read passwords).
-
-  Binary packet protocol
-
-    - The ssh binary packet protocol is implemented in packet.c.  The
-      code in packet.c does not concern itself with packet types or their
-      execution; it contains code to build packets, to receive them and
-      extract data from them, and the code to compress and/or encrypt
-      packets.  CRC code comes from crc32.c.
-
-    - The code in packet.c calls the buffer manipulation routines
-      (buffer.c, bufaux.c), compression routines (zlib), and the
-      encryption routines.
-
-  X11, TCP/IP, and Agent forwarding
-
-    - Code for various types of channel forwarding is in channels.c.
-      The file defines a generic framework for arbitrary communication
-      channels inside the secure channel, and uses this framework to
-      implement X11 forwarding, TCP/IP forwarding, and authentication
-      agent forwarding.
-      The new, Protocol 1.5, channel close implementation is in nchan.c
-
-  Authentication agent
-
-    - Code to communicate with the authentication agent is in authfd.c.
-
-  Authentication methods
-
-    - Code for various authentication methods resides in auth-*.c
-      (auth-passwd.c, auth-rh-rsa.c, auth-rhosts.c, auth-rsa.c).  This
-      code is linked into the server.  The routines also manipulate
-      known hosts files using code in hostfile.c.  Code in canohost.c
-      is used to retrieve the canonical host name of the remote host.
-      Code in match.c is used to match host names.
-
-    - In the client end, authentication code is in sshconnect.c.  It
-      reads Passwords/passphrases using code in readpass.c.  It reads
-      RSA key files with authfile.c.  It communicates the
-      authentication agent using authfd.c.
-
-  The ssh client
-
-    - The client main program is in ssh.c.  It first parses arguments
-      and reads configuration (readconf.c), then calls ssh_connect (in
-      sshconnect.c) to open a connection to the server (possibly via a
-      proxy), and performs authentication (ssh_login in sshconnect.c).
-      It then makes any pty, forwarding, etc. requests.  It may call
-      code in ttymodes.c to encode current tty modes.  Finally it
-      calls client_loop in clientloop.c.  This does the real work for
-      the session.
-
-    - The client is suid root.  It tries to temporarily give up this
-      rights while reading the configuration data.  The root
-      privileges are only used to make the connection (from a
-      privileged socket).  Any extra privileges are dropped before
-      calling ssh_login.
-
-  Pseudo-tty manipulation and tty modes
-
-    - Code to allocate and use a pseudo tty is in pty.c.  Code to
-      encode and set terminal modes is in ttymodes.c.
-
-  Logging in (updating utmp, lastlog, etc.)
-
-    - The code to do things that are done when a user logs in are in
-      login.c.  This includes things such as updating the utmp, wtmp,
-      and lastlog files.  Some of the code is in sshd.c.
-
-  Writing to the system log and terminal
-
-    - The programs use the functions fatal(), log(), debug(), error()
-      in many places to write messages to system log or user's
-      terminal.  The implementation that logs to system log is in
-      log-server.c; it is used in the server program.  The other
-      programs use an implementation that sends output to stderr; it
-      is in log-client.c.  The definitions are in ssh.h.
-
-  The sshd server (daemon)
-
-    - The sshd daemon starts by processing arguments and reading the
-      configuration file (servconf.c).  It then reads the host key,
-      starts listening for connections, and generates the server key.
-      The server key will be regenerated every hour by an alarm.
-
-    - When the server receives a connection, it forks, disables the
-      regeneration alarm, and starts communicating with the client.
-      They first perform identification string exchange, then
-      negotiate encryption, then perform authentication, preparatory
-      operations, and finally the server enters the normal session
-      mode by calling server_loop in serverloop.c.  This does the real
-      work, calling functions in other modules.
-
-    - The code for the server is in sshd.c.  It contains a lot of
-      stuff, including:
-	- server main program
-	- waiting for connections
-	- processing new connection
-	- authentication
-	- preparatory operations
-	- building up the execution environment for the user program
-	- starting the user program.
-
-  Auxiliary files
-
-    - There are several other files in the distribution that contain
-      various auxiliary routines:
-	ssh.h	     the main header file for ssh (various definitions)
-	uidswap.c    uid-swapping
-	xmalloc.c    "safe" malloc routines
-
-$OpenBSD: OVERVIEW,v 1.12 2015/07/08 19:01:15 markus Exp $
--- a/455
+++ b/455
@ -1,455 +0,0 @@
-This documents OpenSSH's deviations and extensions to the published SSH
-protocol.
-
-Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH
-filexfer protocol described in:
-
-http://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt
-
-Newer versions of the draft will not be supported, though some features
-are individually implemented as extensions described below.
-
-The protocol used by OpenSSH's ssh-agent is described in the file
-PROTOCOL.agent
-
-1. Transport protocol changes
-
-1.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com"
-
-This is a new transport-layer MAC method using the UMAC algorithm
-(rfc4418). This method is identical to the "umac-64" method documented
-in:
-
-http://www.openssh.com/txt/draft-miller-secsh-umac-01.txt
-
-1.2. transport: Protocol 2 compression algorithm "zlib@openssh.com"
-
-This transport-layer compression method uses the zlib compression
-algorithm (identical to the "zlib" method in rfc4253), but delays the
-start of compression until after authentication has completed. This
-avoids exposing compression code to attacks from unauthenticated users.
-
-The method is documented in:
-
-http://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt
-
-1.3. transport: New public key algorithms "ssh-rsa-cert-v00@openssh.com",
-     "ssh-dsa-cert-v00@openssh.com",
-     "ecdsa-sha2-nistp256-cert-v01@openssh.com",
-     "ecdsa-sha2-nistp384-cert-v01@openssh.com" and
-     "ecdsa-sha2-nistp521-cert-v01@openssh.com"
-
-OpenSSH introduces new public key algorithms to support certificate
-authentication for users and host keys. These methods are documented
-in the file PROTOCOL.certkeys
-
-1.4. transport: Elliptic Curve cryptography
-
-OpenSSH supports ECC key exchange and public key authentication as
-specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384
-and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic
-curve points encoded using point compression are NOT accepted or
-generated.
-
-1.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms
-
-OpenSSH supports MAC algorithms, whose names contain "-etm", that
-perform the calculations in a different order to that defined in RFC
-4253. These variants use the so-called "encrypt then MAC" ordering,
-calculating the MAC over the packet ciphertext rather than the
-plaintext. This ordering closes a security flaw in the SSH transport
-protocol, where decryption of unauthenticated ciphertext provided a
-"decryption oracle" that could, in conjunction with cipher flaws, reveal
-session plaintext.
-
-Specifically, the "-etm" MAC algorithms modify the transport protocol
-to calculate the MAC over the packet ciphertext and to send the packet
-length unencrypted. This is necessary for the transport to obtain the
-length of the packet and location of the MAC tag so that it may be
-verified without decrypting unauthenticated data.
-
-As such, the MAC covers:
-
-      mac = MAC(key, sequence_number || packet_length || encrypted_packet)
-
-where "packet_length" is encoded as a uint32 and "encrypted_packet"
-contains:
-
-      byte      padding_length
-      byte[n1]  payload; n1 = packet_length - padding_length - 1
-      byte[n2]  random padding; n2 = padding_length
-
-1.6 transport: AES-GCM
-
-OpenSSH supports the AES-GCM algorithm as specified in RFC 5647.
-Because of problems with the specification of the key exchange
-the behaviour of OpenSSH differs from the RFC as follows:
-
-AES-GCM is only negotiated as the cipher algorithms
-"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as
-an MAC algorithm. Additionally, if AES-GCM is selected as the cipher
-the exchanged MAC algorithms are ignored and there doesn't have to be
-a matching MAC.
-
-1.7 transport: chacha20-poly1305@openssh.com authenticated encryption
-
-OpenSSH supports authenticated encryption using ChaCha20 and Poly1305
-as described in PROTOCOL.chacha20poly1305.
-
-1.8 transport: curve25519-sha256@libssh.org key exchange algorithm
-
-OpenSSH supports the use of ECDH in Curve25519 for key exchange as
-described at:
-http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519
-
-2. Connection protocol changes
-
-2.1. connection: Channel write close extension "eow@openssh.com"
-
-The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF
-message to allow an endpoint to signal its peer that it will send no
-more data over a channel. Unfortunately, there is no symmetric way for
-an endpoint to request that its peer should cease sending data to it
-while still keeping the channel open for the endpoint to send data to
-the peer.
-
-This is desirable, since it saves the transmission of data that would
-otherwise need to be discarded and it allows an endpoint to signal local
-processes of the condition, e.g. by closing the corresponding file
-descriptor.
-
-OpenSSH implements a channel extension message to perform this
-signalling: "eow@openssh.com" (End Of Write). This message is sent by
-an endpoint when the local output of a session channel is closed or
-experiences a write error. The message is formatted as follows:
-
-	byte		SSH_MSG_CHANNEL_REQUEST
-	uint32		recipient channel
-	string		"eow@openssh.com"
-	boolean		FALSE
-
-On receiving this message, the peer SHOULD cease sending data of
-the channel and MAY signal the process from which the channel data
-originates (e.g. by closing its read file descriptor).
-
-As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does
-remain open after a "eow@openssh.com" has been sent and more data may
-still be sent in the other direction. This message does not consume
-window space and may be sent even if no window space is available.
-
-NB. due to certain broken SSH implementations aborting upon receipt
-of this message (in contravention of RFC4254 section 5.4), this
-message is only sent to OpenSSH peers (identified by banner).
-Other SSH implementations may be whitelisted to receive this message
-upon request.
-
-2.2. connection: disallow additional sessions extension
-     "no-more-sessions@openssh.com"
-
-Most SSH connections will only ever request a single session, but a
-attacker may abuse a running ssh client to surreptitiously open
-additional sessions under their control. OpenSSH provides a global
-request "no-more-sessions@openssh.com" to mitigate this attack.
-
-When an OpenSSH client expects that it will never open another session
-(i.e. it has been started with connection multiplexing disabled), it
-will send the following global request:
-
-	byte		SSH_MSG_GLOBAL_REQUEST
-	string		"no-more-sessions@openssh.com"
-	char		want-reply
-
-On receipt of such a message, an OpenSSH server will refuse to open
-future channels of type "session" and instead immediately abort the
-connection.
-
-Note that this is not a general defence against compromised clients
-(that is impossible), but it thwarts a simple attack.
-
-NB. due to certain broken SSH implementations aborting upon receipt
-of this message, the no-more-sessions request is only sent to OpenSSH
-servers (identified by banner). Other SSH implementations may be
-whitelisted to receive this message upon request.
-
-2.3. connection: Tunnel forward extension "tun@openssh.com"
-
-OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com"
-channel type. This channel type supports forwarding of network packets
-with datagram boundaries intact between endpoints equipped with
-interfaces like the BSD tun(4) device. Tunnel forwarding channels are
-requested by the client with the following packet:
-
-	byte		SSH_MSG_CHANNEL_OPEN
-	string		"tun@openssh.com"
-	uint32		sender channel
-	uint32		initial window size
-	uint32		maximum packet size
-	uint32		tunnel mode
-	uint32		remote unit number
-
-The "tunnel mode" parameter specifies whether the tunnel should forward
-layer 2 frames or layer 3 packets. It may take one of the following values:
-
-	SSH_TUNMODE_POINTOPOINT  1		/* layer 3 packets */
-	SSH_TUNMODE_ETHERNET     2		/* layer 2 frames */
-
-The "tunnel unit number" specifies the remote interface number, or may
-be 0x7fffffff to allow the server to automatically chose an interface. A
-server that is not willing to open a client-specified unit should refuse
-the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful
-open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS.
-
-Once established the client and server may exchange packet or frames
-over the tunnel channel by encapsulating them in SSH protocol strings
-and sending them as channel data. This ensures that packet boundaries
-are kept intact. Specifically, packets are transmitted using normal
-SSH_MSG_CHANNEL_DATA packets:
-
-	byte		SSH_MSG_CHANNEL_DATA
-	uint32		recipient channel
-	string		data
-
-The contents of the "data" field for layer 3 packets is:
-
-	uint32			packet length
-	uint32			address family
-	byte[packet length - 4]	packet data
-
-The "address family" field identifies the type of packet in the message.
-It may be one of:
-
-	SSH_TUN_AF_INET		2		/* IPv4 */
-	SSH_TUN_AF_INET6	24		/* IPv6 */
-
-The "packet data" field consists of the IPv4/IPv6 datagram itself
-without any link layer header.
-
-The contents of the "data" field for layer 2 packets is:
-
-	uint32			packet length
-	byte[packet length]	frame
-
-The "frame" field contains an IEEE 802.3 Ethernet frame, including
-header.
-
-2.4. connection: Unix domain socket forwarding
-
-OpenSSH supports local and remote Unix domain socket forwarding
-using the "streamlocal" extension.  Forwarding is initiated as per
-TCP sockets but with a single path instead of a host and port.
-
-Similar to direct-tcpip, direct-streamlocal is sent by the client
-to request that the server make a connection to a Unix domain socket.
-
-	byte		SSH_MSG_CHANNEL_OPEN
-	string		"direct-streamlocal@openssh.com"
-	uint32		sender channel
-	uint32		initial window size
-	uint32		maximum packet size
-	string		socket path
-
-Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
-server when the client has previously send the server a streamlocal-forward
-GLOBAL_REQUEST.
-
-	byte		SSH_MSG_CHANNEL_OPEN
-	string		"forwarded-streamlocal@openssh.com"
-	uint32		sender channel
-	uint32		initial window size
-	uint32		maximum packet size
-	string		socket path
-	string		reserved for future use
-
-The reserved field is not currently defined and is ignored on the
-remote end.  It is intended to be used in the future to pass
-information about the socket file, such as ownership and mode.
-The client currently sends the empty string for this field.
-
-Similar to tcpip-forward, streamlocal-forward is sent by the client
-to request remote forwarding of a Unix domain socket.
-
-	byte		SSH2_MSG_GLOBAL_REQUEST
-	string		"streamlocal-forward@openssh.com"
-	boolean		TRUE
-	string		socket path
-
-Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
-by the client cancel the forwarding of a Unix domain socket.
-
-	byte		SSH2_MSG_GLOBAL_REQUEST
-	string		"cancel-streamlocal-forward@openssh.com"
-	boolean		FALSE
-	string		socket path
-
-2.5. connection: hostkey update and rotation "hostkeys-00@openssh.com"
-and "hostkeys-prove-00@openssh.com"
-
-OpenSSH supports a protocol extension allowing a server to inform
-a client of all its protocol v.2 host keys after user-authentication
-has completed.
-
-	byte		SSH_MSG_GLOBAL_REQUEST
-	string		"hostkeys-00@openssh.com"
-	string[]	hostkeys
-
-Upon receiving this message, a client should check which of the
-supplied host keys are present in known_hosts. For keys that are
-not present, it should send a "hostkeys-prove@openssh.com" message
-to request the server prove ownership of the private half of the
-key.
-
-	byte		SSH_MSG_GLOBAL_REQUEST
-	string		"hostkeys-prove-00@openssh.com"
-	char		1 /* want-reply */
-	string[]	hostkeys
-
-When a server receives this message, it should generate a signature
-using each requested key over the following:
-
-	string		"hostkeys-prove-00@openssh.com"
-	string		session identifier
-	string		hostkey
-
-These signatures should be included in the reply, in the order matching
-the hostkeys in the request:
-
-	byte		SSH_MSG_REQUEST_SUCCESS
-	string[]	signatures
-
-When the client receives this reply (and not a failure), it should
-validate the signatures and may update its known_hosts file, adding keys
-that it has not seen before and deleting keys for the server host that
-are no longer offered.
-
-These extensions let a client learn key types that it had not previously
-encountered, thereby allowing it to potentially upgrade from weaker
-key algorithms to better ones. It also supports graceful key rotation:
-a server may offer multiple keys of the same type for a period (to
-give clients an opportunity to learn them using this extension) before
-removing the deprecated key from those offered.
-
-3. SFTP protocol changes
-
-3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
-
-When OpenSSH's sftp-server was implemented, the order of the arguments
-to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately,
-the reversal was not noticed until the server was widely deployed. Since
-fixing this to follow the specification would cause incompatibility, the
-current order was retained. For correct operation, clients should send
-SSH_FXP_SYMLINK as follows:
-
-	uint32		id
-	string		targetpath
-	string		linkpath
-
-3.2. sftp: Server extension announcement in SSH_FXP_VERSION
-
-OpenSSH's sftp-server lists the extensions it supports using the
-standard extension announcement mechanism in the SSH_FXP_VERSION server
-hello packet:
-
-	uint32		3		/* protocol version */
-	string		ext1-name
-	string		ext1-version
-	string		ext2-name
-	string		ext2-version
-	...
-	string		extN-name
-	string		extN-version
-
-Each extension reports its integer version number as an ASCII encoded
-string, e.g. "1". The version will be incremented if the extension is
-ever changed in an incompatible way. The server MAY advertise the same
-extension with multiple versions (though this is unlikely). Clients MUST
-check the version number before attempting to use the extension.
-
-3.3. sftp: Extension request "posix-rename@openssh.com"
-
-This operation provides a rename operation with POSIX semantics, which
-are different to those provided by the standard SSH_FXP_RENAME in
-draft-ietf-secsh-filexfer-02.txt. This request is implemented as a
-SSH_FXP_EXTENDED request with the following format:
-
-	uint32		id
-	string		"posix-rename@openssh.com"
-	string		oldpath
-	string		newpath
-
-On receiving this request the server will perform the POSIX operation
-rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
-This extension is advertised in the SSH_FXP_VERSION hello with version
-"1".
-
-3.4. sftp: Extension requests "statvfs@openssh.com" and
-         "fstatvfs@openssh.com"
-
-These requests correspond to the statvfs and fstatvfs POSIX system
-interfaces. The "statvfs@openssh.com" request operates on an explicit
-pathname, and is formatted as follows:
-
-	uint32		id
-	string		"statvfs@openssh.com"
-	string		path
-
-The "fstatvfs@openssh.com" operates on an open file handle:
-
-	uint32		id
-	string		"fstatvfs@openssh.com"
-	string		handle
-
-These requests return a SSH_FXP_STATUS reply on failure. On success they
-return the following SSH_FXP_EXTENDED_REPLY reply:
-
-	uint32		id
-	uint64		f_bsize		/* file system block size */
-	uint64		f_frsize	/* fundamental fs block size */
-	uint64		f_blocks	/* number of blocks (unit f_frsize) */
-	uint64		f_bfree		/* free blocks in file system */
-	uint64		f_bavail	/* free blocks for non-root */
-	uint64		f_files		/* total file inodes */
-	uint64		f_ffree		/* free file inodes */
-	uint64		f_favail	/* free file inodes for to non-root */
-	uint64		f_fsid		/* file system id */
-	uint64		f_flag		/* bit mask of f_flag values */
-	uint64		f_namemax	/* maximum filename length */
-
-The values of the f_flag bitmask are as follows:
-
-	#define SSH_FXE_STATVFS_ST_RDONLY	0x1	/* read-only */
-	#define SSH_FXE_STATVFS_ST_NOSUID	0x2	/* no setuid */
-
-Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are
-advertised in the SSH_FXP_VERSION hello with version "2".
-
-10. sftp: Extension request "hardlink@openssh.com"
-
-This request is for creating a hard link to a regular file. This
-request is implemented as a SSH_FXP_EXTENDED request with the
-following format:
-
-	uint32		id
-	string		"hardlink@openssh.com"
-	string		oldpath
-	string		newpath
-
-On receiving this request the server will perform the operation
-link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message.
-This extension is advertised in the SSH_FXP_VERSION hello with version
-"1".
-
-10. sftp: Extension request "fsync@openssh.com"
-
-This request asks the server to call fsync(2) on an open file handle.
-
-	uint32		id
-	string		"fsync@openssh.com"
-	string		handle
-
-One receiving this request, a server will call fsync(handle_fd) and will
-respond with a SSH_FXP_STATUS message.
-
-This extension is advertised in the SSH_FXP_VERSION hello with version
-"1".
-
-$OpenBSD: PROTOCOL,v 1.29 2015/07/17 03:09:19 djm Exp $
--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@ -1,560 +0,0 @@
-This describes the protocol used by OpenSSH's ssh-agent.
-
-OpenSSH's agent supports managing keys for the standard SSH protocol
-2 as well as the legacy SSH protocol 1. Support for these key types
-is almost completely disjoint - in all but a few cases, operations on
-protocol 2 keys cannot see or affect protocol 1 keys and vice-versa.
-
-Protocol 1 and protocol 2 keys are separated because of the differing
-cryptographic usage: protocol 1 private RSA keys are used to decrypt
-challenges that were encrypted with the corresponding public key,
-whereas protocol 2 RSA private keys are used to sign challenges with
-a private key for verification with the corresponding public key. It
-is considered unsound practice to use the same key for signing and
-encryption.
-
-With a couple of exceptions, the protocol message names used in this
-document indicate which type of key the message relates to. SSH_*
-messages refer to protocol 1 keys only. SSH2_* messages refer to
-protocol 2 keys. Furthermore, the names also indicate whether the
-message is a request to the agent (*_AGENTC_*) or a reply from the
-agent (*_AGENT_*). Section 3 below contains the mapping of the
-protocol message names to their integer values.
-
-1. Data types
-
-Because of support for legacy SSH protocol 1 keys, OpenSSH's agent
-protocol makes use of some data types not defined in RFC 4251.
-
-1.1 uint16
-
-The "uint16" data type is a simple MSB-first 16 bit unsigned integer
-encoded in two bytes.
-
-1.2 mpint1
-
-The "mpint1" type represents an arbitrary precision integer (bignum).
-Its format is as follows:
-
-	uint16			bits
-	byte[(bits + 7) / 8]	bignum
-
-"bignum" contains an unsigned arbitrary precision integer encoded as
-eight bits per byte in big-endian (MSB first) format.
-
-Note the difference between the "mpint1" encoding and the "mpint"
-encoding defined in RFC 4251. Also note that the length of the encoded
-integer is specified in bits, not bytes and that the byte length of
-the integer must be calculated by rounding up the number of bits to the
-nearest eight.
-
-2. Protocol Messages
-
-All protocol messages are prefixed with their length in bytes, encoded
-as a 32 bit unsigned integer. Specifically:
-
-	uint32			message_length
-	byte[message_length]	message
-
-The following message descriptions refer only to the content the
-"message" field.
-
-2.1 Generic server responses
-
-The following generic messages may be sent by the server in response to
-requests from the client. On success the agent may reply either with:
-
-	byte			SSH_AGENT_SUCCESS
-
-or a request-specific success message.
-
-On failure, the agent may reply with:
-
-	byte			SSH_AGENT_FAILURE
-
-SSH_AGENT_FAILURE messages are also sent in reply to unknown request
-types.
-
-2.2 Adding keys to the agent
-
-Keys are added to the agent using the SSH_AGENTC_ADD_RSA_IDENTITY and
-SSH2_AGENTC_ADD_IDENTITY requests for protocol 1 and protocol 2 keys
-respectively.
-
-Two variants of these requests are SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
-and SSH2_AGENTC_ADD_ID_CONSTRAINED - these add keys with optional
-"constraints" on their usage.
-
-OpenSSH may be built with support for keys hosted on a smartcard
-or other hardware security module. These keys may be added
-to the agent using the SSH_AGENTC_ADD_SMARTCARD_KEY and
-SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests.
-
-2.2.1 Key constraints
-
-The OpenSSH agent supports some basic optional constraints on key usage.
-At present there are two constraints defined.
-
-The first constraint limits the validity duration of a key. It is
-encoded as:
-
-	byte			SSH_AGENT_CONSTRAIN_LIFETIME
-	uint32			seconds
-
-Where "seconds" contains the number of seconds that the key shall remain
-valid measured from the moment that the agent receives it. After the
-validity period has expired, OpenSSH's agent will erase these keys from
-memory.
-
-The second constraint requires the agent to seek explicit user
-confirmation before performing private key operations with the loaded
-key. This constraint is encoded as:
-
-	byte			SSH_AGENT_CONSTRAIN_CONFIRM
-
-Zero or more constraints may be specified when adding a key with one
-of the *_CONSTRAINED requests. Multiple constraints are appended
-consecutively to the end of the request:
-
-	byte			constraint1_type
-	....			constraint1_data
-	byte			constraint2_type
-	....			constraint2_data
-	....
-	byte			constraintN_type
-	....			constraintN_data
-
-Such a sequence of zero or more constraints will be referred to below
-as "constraint[]". Agents may determine whether there are constraints
-by checking whether additional data exists in the "add key" request
-after the key data itself. OpenSSH will refuse to add a key if it
-contains unknown constraints.
-
-2.2.2 Add protocol 1 key
-
-A client may add a protocol 1 key to an agent with the following
-request:
-
-	byte			SSH_AGENTC_ADD_RSA_IDENTITY or
-				SSH_AGENTC_ADD_RSA_ID_CONSTRAINED
-	uint32			ignored
-	mpint1			rsa_n
-	mpint1			rsa_e
-	mpint1			rsa_d
-	mpint1			rsa_iqmp
-	mpint1			rsa_q
-	mpint1			rsa_p
-	string			key_comment
-	constraint[]		key_constraints
-
-Note that there is some redundancy in the key parameters; a key could be
-fully specified using just rsa_q, rsa_p and rsa_e at the cost of extra
-computation.
-
-"key_constraints" may only be present if the request type is
-SSH_AGENTC_ADD_RSA_ID_CONSTRAINED.
-
-The agent will reply with a SSH_AGENT_SUCCESS if the key has been
-successfully added or a SSH_AGENT_FAILURE if an error occurred.
-
-2.2.3 Add protocol 2 key
-
-The OpenSSH agent supports DSA, ECDSA and RSA keys for protocol 2. DSA
-keys may be added using the following request
-
-	byte			SSH2_AGENTC_ADD_IDENTITY or
-				SSH2_AGENTC_ADD_ID_CONSTRAINED
-	string			"ssh-dss"
-	mpint			dsa_p
-	mpint			dsa_q
-	mpint			dsa_g
-	mpint			dsa_public_key
-	mpint			dsa_private_key
-	string			key_comment
-	constraint[]		key_constraints
-
-DSA certificates may be added with:
-	byte			SSH2_AGENTC_ADD_IDENTITY or
-				SSH2_AGENTC_ADD_ID_CONSTRAINED
-	string			"ssh-dss-cert-v00@openssh.com"
-	string			certificate
-	mpint			dsa_private_key
-	string			key_comment
-	constraint[]		key_constraints
-
-ECDSA keys may be added using the following request
-
-	byte			SSH2_AGENTC_ADD_IDENTITY or
-				SSH2_AGENTC_ADD_ID_CONSTRAINED
-	string			"ecdsa-sha2-nistp256" |
-				"ecdsa-sha2-nistp384" |
-				"ecdsa-sha2-nistp521"
-	string			ecdsa_curve_name
-	string			ecdsa_public_key
-	mpint			ecdsa_private
-	string			key_comment
-	constraint[]		key_constraints
-
-ECDSA certificates may be added with:
-	byte			SSH2_AGENTC_ADD_IDENTITY or
-				SSH2_AGENTC_ADD_ID_CONSTRAINED
-	string			"ecdsa-sha2-nistp256-cert-v01@openssh.com" |
-				"ecdsa-sha2-nistp384-cert-v01@openssh.com" |
-				"ecdsa-sha2-nistp521-cert-v01@openssh.com"
-	string			certificate
-	mpint			ecdsa_private_key
-	string			key_comment
-	constraint[]		key_constraints
-
-RSA keys may be added with this request:
-
-	byte			SSH2_AGENTC_ADD_IDENTITY or
-				SSH2_AGENTC_ADD_ID_CONSTRAINED
-	string			"ssh-rsa"
-	mpint			rsa_n
-	mpint			rsa_e
-	mpint			rsa_d
-	mpint			rsa_iqmp
-	mpint			rsa_p
-	mpint			rsa_q
-	string			key_comment
-	constraint[]		key_constraints
-
-RSA certificates may be added with this request:
-
-	byte			SSH2_AGENTC_ADD_IDENTITY or
-				SSH2_AGENTC_ADD_ID_CONSTRAINED
-	string			"ssh-rsa-cert-v00@openssh.com"
-	string			certificate
-	mpint			rsa_d
-	mpint			rsa_iqmp
-	mpint			rsa_p
-	mpint			rsa_q
-	string			key_comment
-	constraint[]		key_constraints
-
-Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse
-order to the protocol 1 add keys message. As with the corresponding
-protocol 1 "add key" request, the private key is overspecified to avoid
-redundant processing.
-
-For DSA, ECDSA and RSA key add requests, "key_constraints" may only be
-present if the request type is SSH2_AGENTC_ADD_ID_CONSTRAINED.
-
-The agent will reply with a SSH_AGENT_SUCCESS if the key has been
-successfully added or a SSH_AGENT_FAILURE if an error occurred.
-
-2.2.4 Loading keys from a smartcard
-
-The OpenSSH agent may have optional smartcard support built in to it. If
-so, it supports an operation to load keys from a smartcard. Technically,
-only the public components of the keys are loaded into the agent so
-this operation really arranges for future private key operations to be
-delegated to the smartcard.
-
-	byte			SSH_AGENTC_ADD_SMARTCARD_KEY or
-				SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED
-	string			reader_id
-	string			pin
-	constraint[]		key_constraints
-
-"reader_id" is an identifier to a smartcard reader and "pin"
-is a PIN or passphrase used to unlock the private key(s) on the
-device. "key_constraints" may only be present if the request type is
-SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED.
-
-This operation may load all SSH keys that are unlocked using the
-"pin" on the specified reader. The type of key loaded (protocol 1
-or protocol 2) will be specified by the smartcard itself, it is not
-client-specified.
-
-The agent will reply with a SSH_AGENT_SUCCESS if one or more keys have
-been successfully loaded or a SSH_AGENT_FAILURE if an error occurred.
-The agent will also return SSH_AGENT_FAILURE if it does not support
-smartcards.
-
-2.3 Removing multiple keys
-
-A client may request that an agent delete all protocol 1 keys using the
-following request:
-
-	byte			SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES
-
-This message requests the deletion of all protocol 2 keys:
-
-	byte			SSH2_AGENTC_REMOVE_ALL_IDENTITIES
-
-On success, the agent will delete all keys of the requested type and
-reply with a SSH_AGENT_SUCCESS message. If an error occurred, the agent
-will reply with SSH_AGENT_FAILURE.
-
-Note that, to delete all keys (both protocol 1 and 2), a client
-must send both a SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES and a
-SSH2_AGENTC_REMOVE_ALL_IDENTITIES request.
-
-2.4 Removing specific keys
-
-2.4.1 Removing a protocol 1 key
-
-Removal of a protocol 1 key may be requested with the following message:
-
-	byte 			SSH_AGENTC_REMOVE_RSA_IDENTITY
-	uint32			key_bits
-	mpint1			rsa_e
-	mpint1			rsa_n
-
-Note that key_bits is strictly redundant, as it may be inferred by the
-length of rsa_n.
-
-The agent will delete any private key matching the specified public key
-and return SSH_AGENT_SUCCESS. If no such key was found, the agent will
-return SSH_AGENT_FAILURE.
-
-2.4.2 Removing a protocol 2 key
-
-Protocol 2 keys may be removed with the following request:
-
-	byte			SSH2_AGENTC_REMOVE_IDENTITY
-	string			key_blob
-
-Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key
-Algorithms" for any of the supported protocol 2 key types.
-
-The agent will delete any private key matching the specified public key
-and return SSH_AGENT_SUCCESS. If no such key was found, the agent will
-return SSH_AGENT_FAILURE.
-
-2.4.3 Removing keys loaded from a smartcard
-
-A client may request that a server remove one or more smartcard-hosted
-keys using this message:
-
-	byte			SSH_AGENTC_REMOVE_SMARTCARD_KEY
-	string			reader_id
-	string			pin
-
-"reader_id" the an identifier to a smartcard reader and "pin" is a PIN
-or passphrase used to unlock the private key(s) on the device.
-
-When this message is received, and if the agent supports
-smartcard-hosted keys, it will delete all keys that are hosted on the
-specified smartcard that may be accessed with the given "pin".
-
-The agent will reply with a SSH_AGENT_SUCCESS if one or more keys have
-been successfully removed or a SSH_AGENT_FAILURE if an error occurred.
-The agent will also return SSH_AGENT_FAILURE if it does not support
-smartcards.
-
-2.5 Requesting a list of known keys
-
-An agent may be requested to list which keys it holds. Different
-requests exist for protocol 1 and protocol 2 keys.
-
-2.5.1 Requesting a list of protocol 1 keys
-
-To request a list of protocol 1 keys that are held in the agent, a
-client may send the following message:
-
-	byte			SSH_AGENTC_REQUEST_RSA_IDENTITIES
-
-The agent will reply with the following message:
-
-	byte			SSH_AGENT_RSA_IDENTITIES_ANSWER
-	uint32			num_keys
-
-Followed by zero or more consecutive keys, encoded as:
-
-	uint32			bits
-	mpint1			rsa_e
-	mpint1			rsa_n
-	string			key_comment
-
-2.5.2 Requesting a list of protocol 2 keys
-
-A client may send the following message to request a list of
-protocol 2 keys that are stored in the agent:
-
-	byte			SSH2_AGENTC_REQUEST_IDENTITIES
-
-The agent will reply with the following message header:
-
-	byte			SSH2_AGENT_IDENTITIES_ANSWER
-	uint32			num_keys
-
-Followed by zero or more consecutive keys, encoded as:
-
-	string			key_blob
-	string			key_comment
-
-Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key
-Algorithms" for any of the supported protocol 2 key types.
-
-2.6 Private key operations
-
-The purpose of the agent is to perform private key operations, such as
-signing and encryption without requiring a passphrase to unlock the
-key and without allowing the private key itself to be exposed. There
-are separate requests for the protocol 1 and protocol 2 private key
-operations.
-
-2.6.1 Protocol 1 private key challenge
-
-The private key operation used in version 1 of the SSH protocol is
-decrypting a challenge that has been encrypted with a public key.
-It may be requested using this message:
-
-	byte			SSH_AGENTC_RSA_CHALLENGE
-	uint32			ignored
-	mpint1			rsa_e
-	mpint1			rsa_n
-	mpint1			encrypted_challenge
-	byte[16]		session_id
-	uint32			response_type /* must be 1 */
-
-"rsa_e" and "rsa_n" are used to identify which private key to use.
-"encrypted_challenge" is a challenge blob that has (presumably)
-been encrypted with the public key and must be in the range
-1 <= encrypted_challenge < 2^256. "session_id" is the SSH protocol 1
-session ID (computed from the server host key, the server semi-ephemeral
-key and the session cookie).
-
-"ignored" and "response_type" exist for compatibility with legacy
-implementations. "response_type" must be equal to 1; other response
-types are not supported.
-
-On receiving this request, the server decrypts the "encrypted_challenge"
-using the private key matching the supplied (rsa_e, rsa_n) values. For
-the response derivation, the decrypted challenge is represented as an
-unsigned, big-endian integer encoded in a 32 byte buffer (i.e. values
-smaller than 2^248 will have leading 0 bytes).
-
-The response value is then calculated as:
-
-	response = MD5(decrypted_challenge || session_id)
-
-and returned in the following message
-
-	byte			SSH_AGENT_RSA_RESPONSE
-	byte[16]		response
-
-If the agent cannot find the key specified by the supplied (rsa_e,
-rsa_n) then it will return SSH_AGENT_FAILURE.
-
-2.6.2 Protocol 2 private key signature request
-
-A client may use the following message to request signing of data using
-a protocol 2 key:
-
-	byte			SSH2_AGENTC_SIGN_REQUEST
-	string			key_blob
-	string			data
-	uint32			flags
-
-Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key
-Algorithms" for any of the supported protocol 2 key types. "flags" is
-a bit-mask, but at present only one possible value is defined (see below
-for its meaning):
-
-	SSH_AGENT_OLD_SIGNATURE		1
-
-Upon receiving this request, the agent will look up the private key that
-corresponds to the public key contained in key_blob. It will use this
-private key to sign the "data" and produce a signature blob using the
-key type-specific method described in RFC 4253 section 6.6 "Public Key
-Algorithms".
-
-An exception to this is for "ssh-dss" keys where the "flags" word
-contains the value SSH_AGENT_OLD_SIGNATURE. In this case, a legacy
-signature encoding is used in lieu of the standard one. In this case,
-the DSA signature blob is encoded as:
-
-	byte[40]		signature
-
-The signature will be returned in the response message:
-
-	byte			SSH2_AGENT_SIGN_RESPONSE
-	string			signature_blob
-
-If the agent cannot find the key specified by the supplied key_blob then
-it will return SSH_AGENT_FAILURE.
-
-2.7 Locking or unlocking an agent
-
-The agent supports temporary locking with a passphrase to suspend
-processing of sensitive operations until it has been unlocked with the
-same passphrase. To lock an agent, a client send the following request:
-
-	byte			SSH_AGENTC_LOCK
-	string			passphrase
-
-Upon receipt of this message and if the agent is not already locked,
-it will suspend processing requests and return a SSH_AGENT_SUCCESS
-reply. If the agent is already locked, it will return SSH_AGENT_FAILURE.
-
-While locked, the agent will refuse all requests except
-SSH_AGENTC_UNLOCK, SSH_AGENTC_REQUEST_RSA_IDENTITIES and
-SSH2_AGENTC_REQUEST_IDENTITIES. The "request identities" requests are
-treated specially by a locked agent: it will always return an empty list
-of keys.
-
-To unlock an agent, a client may request:
-
-	byte			SSH_AGENTC_UNLOCK
-	string			passphrase
-
-If the passphrase matches and the agent is locked, then it will resume
-processing all requests and return SSH_AGENT_SUCCESS. If the agent
-is not locked or the passphrase does not match then it will return
-SSH_AGENT_FAILURE.
-
-Locking and unlocking affects both protocol 1 and protocol 2 keys.
-
-3. Protocol message numbers
-
-3.1 Requests from client to agent for protocol 1 key operations
-
-	SSH_AGENTC_REQUEST_RSA_IDENTITIES		1
-	SSH_AGENTC_RSA_CHALLENGE			3
-	SSH_AGENTC_ADD_RSA_IDENTITY			7
-	SSH_AGENTC_REMOVE_RSA_IDENTITY			8
-	SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES		9
-	SSH_AGENTC_ADD_RSA_ID_CONSTRAINED		24
-
-3.2 Requests from client to agent for protocol 2 key operations
-
-	SSH2_AGENTC_REQUEST_IDENTITIES			11
-	SSH2_AGENTC_SIGN_REQUEST			13
-	SSH2_AGENTC_ADD_IDENTITY			17
-	SSH2_AGENTC_REMOVE_IDENTITY			18
-	SSH2_AGENTC_REMOVE_ALL_IDENTITIES		19
-	SSH2_AGENTC_ADD_ID_CONSTRAINED			25
-
-3.3 Key-type independent requests from client to agent
-
-	SSH_AGENTC_ADD_SMARTCARD_KEY			20
-	SSH_AGENTC_REMOVE_SMARTCARD_KEY			21
-	SSH_AGENTC_LOCK					22
-	SSH_AGENTC_UNLOCK				23
-	SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED	26
-
-3.4 Generic replies from agent to client
-
-	SSH_AGENT_FAILURE				5
-	SSH_AGENT_SUCCESS				6
-
-3.5 Replies from agent to client for protocol 1 key operations
-
-	SSH_AGENT_RSA_IDENTITIES_ANSWER			2
-	SSH_AGENT_RSA_RESPONSE				4
-
-3.6 Replies from agent to client for protocol 2 key operations
-
-	SSH2_AGENT_IDENTITIES_ANSWER			12
-	SSH2_AGENT_SIGN_RESPONSE			14
-
-3.7 Key constraint identifiers
-
-	SSH_AGENT_CONSTRAIN_LIFETIME			1
-	SSH_AGENT_CONSTRAIN_CONFIRM			2
-
-$OpenBSD: PROTOCOL.agent,v 1.8 2015/05/08 03:56:51 djm Exp $
--- a/PROTOCOL.certkeys
+++ b/PROTOCOL.certkeys
@ -1,265 +0,0 @@
-This document describes a simple public-key certificate authentication
-system for use by SSH.
-
-Background
----------
-
-The SSH protocol currently supports a simple public key authentication
-mechanism. Unlike other public key implementations, SSH eschews the use
-of X.509 certificates and uses raw keys. This approach has some benefits
-relating to simplicity of configuration and minimisation of attack
-surface, but it does not support the important use-cases of centrally
-managed, passwordless authentication and centrally certified host keys.
-
-These protocol extensions build on the simple public key authentication
-system already in SSH to allow certificate-based authentication. The
-certificates used are not traditional X.509 certificates, with numerous
-options and complex encoding rules, but something rather more minimal: a
-key, some identity information and usage options that have been signed
-with some other trusted key.
-
-A sshd server may be configured to allow authentication via certified
-keys, by extending the existing ~/.ssh/authorized_keys mechanism to
-allow specification of certification authority keys in addition to
-raw user keys. The ssh client will support automatic verification of
-acceptance of certified host keys, by adding a similar ability to
-specify CA keys in ~/.ssh/known_hosts.
-
-Certified keys are represented using new key types:
-
-    ssh-rsa-cert-v01@openssh.com
-    ssh-dss-cert-v01@openssh.com
-    ecdsa-sha2-nistp256-cert-v01@openssh.com
-    ecdsa-sha2-nistp384-cert-v01@openssh.com
-    ecdsa-sha2-nistp521-cert-v01@openssh.com
-
-These include certification information along with the public key
-that is used to sign challenges. ssh-keygen performs the CA signing
-operation.
-
-Protocol extensions
-------------------
-
-The SSH wire protocol includes several extensibility mechanisms.
-These modifications shall take advantage of namespaced public key
-algorithm names to add support for certificate authentication without
-breaking the protocol - implementations that do not support the
-extensions will simply ignore them.
-
-Authentication using the new key formats described below proceeds
-using the existing SSH "publickey" authentication method described
-in RFC4252 section 7.
-
-New public key formats
----------------------
-
-The certificate key types take a similar high-level format (note: data
-types and encoding are as per RFC4251 section 5). The serialised wire
-encoding of these certificates is also used for storing them on disk.
-
-#define SSH_CERT_TYPE_USER    1
-#define SSH_CERT_TYPE_HOST    2
-
-RSA certificate
-
-    string    "ssh-rsa-cert-v01@openssh.com"
-    string    nonce
-    mpint     e
-    mpint     n
-    uint64    serial
-    uint32    type
-    string    key id
-    string    valid principals
-    uint64    valid after
-    uint64    valid before
-    string    critical options
-    string    extensions
-    string    reserved
-    string    signature key
-    string    signature
-
-DSA certificate
-
-    string    "ssh-dss-cert-v01@openssh.com"
-    string    nonce
-    mpint     p
-    mpint     q
-    mpint     g
-    mpint     y
-    uint64    serial
-    uint32    type
-    string    key id
-    string    valid principals
-    uint64    valid after
-    uint64    valid before
-    string    critical options
-    string    extensions
-    string    reserved
-    string    signature key
-    string    signature
-
-ECDSA certificate
-
-    string    "ecdsa-sha2-nistp256@openssh.com" |
-              "ecdsa-sha2-nistp384@openssh.com" |
-              "ecdsa-sha2-nistp521@openssh.com"
-    string    nonce
-    string    curve
-    string    public_key
-    uint64    serial
-    uint32    type
-    string    key id
-    string    valid principals
-    uint64    valid after
-    uint64    valid before
-    string    critical options
-    string    extensions
-    string    reserved
-    string    signature key
-    string    signature
-
-The nonce field is a CA-provided random bitstring of arbitrary length
-(but typically 16 or 32 bytes) included to make attacks that depend on
-inducing collisions in the signature hash infeasible.
-
-e and n are the RSA exponent and public modulus respectively.
-
-p, q, g, y are the DSA parameters as described in FIPS-186-2.
-
-curve and public key are respectively the ECDSA "[identifier]" and "Q"
-defined in section 3.1 of RFC5656.
-
-serial is an optional certificate serial number set by the CA to
-provide an abbreviated way to refer to certificates from that CA.
-If a CA does not wish to number its certificates it must set this
-field to zero.
-
-type specifies whether this certificate is for identification of a user
-or a host using a SSH_CERT_TYPE_... value.
-
-key id is a free-form text field that is filled in by the CA at the time
-of signing; the intention is that the contents of this field are used to
-identify the identity principal in log messages.
-
-"valid principals" is a string containing zero or more principals as
-strings packed inside it. These principals list the names for which this
-certificate is valid; hostnames for SSH_CERT_TYPE_HOST certificates and
-usernames for SSH_CERT_TYPE_USER certificates. As a special case, a
-zero-length "valid principals" field means the certificate is valid for
-any principal of the specified type. XXX DNS wildcards?
-
-"valid after" and "valid before" specify a validity period for the
-certificate. Each represents a time in seconds since 1970-01-01
-00:00:00. A certificate is considered valid if:
-
-    valid after <= current time < valid before
-
-criticial options is a set of zero or more key options encoded as
-below. All such options are "critical" in the sense that an implementation
-must refuse to authorise a key that has an unrecognised option.
-
-extensions is a set of zero or more optional extensions. These extensions
-are not critical, and an implementation that encounters one that it does
-not recognise may safely ignore it.
-
-Generally, critical options are used to control features that restrict
-access where extensions are used to enable features that grant access.
-This ensures that certificates containing unknown restrictions do not
-inadvertently grant access while allowing new protocol features to be
-enabled via extensions without breaking certificates' backwards
-compatibility.
-
-The reserved field is currently unused and is ignored in this version of
-the protocol.
-
-signature key contains the CA key used to sign the certificate.
-The valid key types for CA keys are ssh-rsa, ssh-dss and the ECDSA types
-ecdsa-sha2-nistp256, ecdsa-sha2-nistp384, ecdsa-sha2-nistp521. "Chained"
-certificates, where the signature key type is a certificate type itself
-are NOT supported. Note that it is possible for a RSA certificate key to
-be signed by a DSS or ECDSA CA key and vice-versa.
-
-signature is computed over all preceding fields from the initial string
-up to, and including the signature key. Signatures are computed and
-encoded according to the rules defined for the CA's public key algorithm
-(RFC4253 section 6.6 for ssh-rsa and ssh-dss, RFC5656 for the ECDSA
-types).
-
-Critical options
----------------
-
-The critical options section of the certificate specifies zero or more
-options on the certificates validity. The format of this field
-is a sequence of zero or more tuples:
-
-    string       name
-    string       data
-
-Options must be lexically ordered by "name" if they appear in the
-sequence. Each named option may only appear once in a certificate.
-
-The name field identifies the option and the data field encodes
-option-specific information (see below). All options are
-"critical", if an implementation does not recognise a option
-then the validating party should refuse to accept the certificate.
-
-The supported options and the contents and structure of their
-data fields are:
-
-Name                    Format        Description
-----------------------------------------------------------------------------
-force-command           string        Specifies a command that is executed
-                                      (replacing any the user specified on the
-                                      ssh command-line) whenever this key is
-                                      used for authentication.
-
-source-address          string        Comma-separated list of source addresses
-                                      from which this certificate is accepted
-                                      for authentication. Addresses are
-                                      specified in CIDR format (nn.nn.nn.nn/nn
-                                      or hhhh::hhhh/nn).
-                                      If this option is not present then
-                                      certificates may be presented from any
-                                      source address.
-
-Extensions
----------
-
-The extensions section of the certificate specifies zero or more
-non-critical certificate extensions. The encoding and ordering of
-extensions in this field is identical to that of the critical options,
-as is the requirement that each name appear only once.
-
-If an implementation does not recognise an extension, then it should
-ignore it.
-
-The supported extensions and the contents and structure of their data
-fields are:
-
-Name                    Format        Description
-----------------------------------------------------------------------------
-permit-X11-forwarding   empty         Flag indicating that X11 forwarding
-                                      should be permitted. X11 forwarding will
-                                      be refused if this option is absent.
-
-permit-agent-forwarding empty         Flag indicating that agent forwarding
-                                      should be allowed. Agent forwarding
-                                      must not be permitted unless this
-                                      option is present.
-
-permit-port-forwarding  empty         Flag indicating that port-forwarding
-                                      should be allowed. If this option is
-                                      not present then no port forwarding will
-                                      be allowed.
-
-permit-pty              empty         Flag indicating that PTY allocation
-                                      should be permitted. In the absence of
-                                      this option PTY allocation will be
-                                      disabled.
-
-permit-user-rc          empty         Flag indicating that execution of
-                                      ~/.ssh/rc should be permitted. Execution
-                                      of this script will not be permitted if
-                                      this option is not present.
-
-$OpenBSD: PROTOCOL.certkeys,v 1.9 2012/03/28 07:23:22 djm Exp $
--- a/PROTOCOL.chacha20poly1305
+++ b/PROTOCOL.chacha20poly1305
@ -1,105 +0,0 @@
-This document describes the chacha20-poly1305@openssh.com authenticated
-encryption cipher supported by OpenSSH.
-
-Background
----------
-
-ChaCha20 is a stream cipher designed by Daniel Bernstein and described
-in [1]. It operates by permuting 128 fixed bits, 128 or 256 bits of key,
-a 64 bit nonce and a 64 bit counter into 64 bytes of output. This output
-is used as a keystream, with any unused bytes simply discarded.
-
-Poly1305[2], also by Daniel Bernstein, is a one-time Carter-Wegman MAC
-that computes a 128 bit integrity tag given a message and a single-use
-256 bit secret key.
-
-The chacha20-poly1305@openssh.com combines these two primitives into an
-authenticated encryption mode. The construction used is based on that
-proposed for TLS by Adam Langley in [3], but differs in the layout of
-data passed to the MAC and in the addition of encyption of the packet
-lengths.
-
-Negotiation
-----------
-
-The chacha20-poly1305@openssh.com offers both encryption and
-authentication. As such, no separate MAC is required. If the
-chacha20-poly1305@openssh.com cipher is selected in key exchange,
-the offered MAC algorithms are ignored and no MAC is required to be
-negotiated.
-
-Detailed Construction
---------------------
-
-The chacha20-poly1305@openssh.com cipher requires 512 bits of key
-material as output from the SSH key exchange. This forms two 256 bit
-keys (K_1 and K_2), used by two separate instances of chacha20.
-
-The instance keyed by K_1 is a stream cipher that is used only
-to encrypt the 4 byte packet length field. The second instance,
-keyed by K_2, is used in conjunction with poly1305 to build an AEAD
-(Authenticated Encryption with Associated Data) that is used to encrypt
-and authenticate the entire packet.
-
-Two separate cipher instances are used here so as to keep the packet
-lengths confidential but not create an oracle for the packet payload
-cipher by decrypting and using the packet length prior to checking
-the MAC. By using an independently-keyed cipher instance to encrypt the
-length, an active attacker seeking to exploit the packet input handling
-as a decryption oracle can learn nothing about the payload contents or
-its MAC (assuming key derivation, ChaCha20 and Poly1305 are secure).
-
-The AEAD is constructed as follows: for each packet, generate a Poly1305
-key by taking the first 256 bits of ChaCha20 stream output generated
-using K_2, an IV consisting of the packet sequence number encoded as an
-uint64 under the SSH wire encoding rules and a ChaCha20 block counter of
-zero. The K_2 ChaCha20 block counter is then set to the little-endian
-encoding of 1 (i.e. {1, 0, 0, 0, 0, 0, 0, 0}) and this instance is used
-for encryption of the packet payload.
-
-Packet Handling
---------------
-
-When receiving a packet, the length must be decrypted first. When 4
-bytes of ciphertext length have been received, they may be decrypted
-using the K_1 key, a nonce consisting of the packet sequence number
-encoded as a uint64 under the usual SSH wire encoding and a zero block
-counter to obtain the plaintext length.
-
-Once the entire packet has been received, the MAC MUST be checked
-before decryption. A per-packet Poly1305 key is generated as described
-above and the MAC tag calculated using Poly1305 with this key over the
-ciphertext of the packet length and the payload together. The calculated
-MAC is then compared in constant time with the one appended to the
-packet and the packet decrypted using ChaCha20 as described above (with
-K_2, the packet sequence number as nonce and a starting block counter of
-1).
-
-To send a packet, first encode the 4 byte length and encrypt it using
-K_1. Encrypt the packet payload (using K_2) and append it to the
-encrypted length. Finally, calculate a MAC tag and append it.
-
-Rekeying
--------
-
-ChaCha20 must never reuse a {key, nonce} for encryption nor may it be
-used to encrypt more than 2^70 bytes under the same {key, nonce}. The
-SSH Transport protocol (RFC4253) recommends a far more conservative
-rekeying every 1GB of data sent or received. If this recommendation
-is followed, then chacha20-poly1305@openssh.com requires no special
-handling in this area.
-
-References
----------
-
-[1] "ChaCha, a variant of Salsa20", Daniel Bernstein
-    http://cr.yp.to/chacha/chacha-20080128.pdf
-
-[2] "The Poly1305-AES message-authentication code", Daniel Bernstein
-    http://cr.yp.to/mac/poly1305-20050329.pdf
-
-[3] "ChaCha20 and Poly1305 based Cipher Suites for TLS", Adam Langley
-    http://tools.ietf.org/html/draft-agl-tls-chacha20poly1305-03
-
-$OpenBSD: PROTOCOL.chacha20poly1305,v 1.2 2013/12/02 02:50:27 djm Exp $
-
--- a/PROTOCOL.key
+++ b/PROTOCOL.key
@ -1,68 +0,0 @@
-This document describes the private key format for OpenSSH.
-
-1. Overall format
-
-The key consists of a header, a list of public keys, and
-an encrypted list of matching private keys.
-
-#define AUTH_MAGIC      "openssh-key-v1"
-
-	byte[]	AUTH_MAGIC
-	string	ciphername
-	string	kdfname
-	string	kdfoptions
-	int	number of keys N
-	string	publickey1
-	string	publickey2
-	...
-	string	publickeyN
-	string	encrypted, padded list of private keys
-
-2. KDF options for kdfname "bcrypt"
-
-The options:
-
-	string salt
-	uint32 rounds
-
-are concatenated and represented as a string.
-
-3. Unencrypted list of N private keys
-
-The list of privatekey/comment pairs is padded with the
-bytes 1, 2, 3, ... until the total length is a multiple
-of the cipher block size.
-
-	uint32	checkint
-	uint32	checkint
-	string	privatekey1
-	string	comment1
-	string	privatekey2
-	string	comment2
-	...
-	string	privatekeyN
-	string	commentN
-	char	1
-	char	2
-	char	3
-	...
-	char	padlen % 255
-
-Before the key is encrypted, a random integer is assigned
-to both checkint fields so successful decryption can be
-quickly checked by verifying that both checkint fields
-hold the same value.
-
-4. Encryption
-
-The KDF is used to derive a key, IV (and other values required by
-the cipher) from the passphrase. These values are then used to
-encrypt the unencrypted list of private keys.
-
-5. No encryption
-
-For unencrypted keys the cipher "none" and the KDF "none"
-are used with empty passphrases. The options if the KDF "none"
-are the empty string.
-
-$OpenBSD: PROTOCOL.key,v 1.1 2013/12/06 13:34:54 markus Exp $
--- a/PROTOCOL.krl
+++ b/PROTOCOL.krl
@ -1,169 +0,0 @@
-This describes the key/certificate revocation list format for OpenSSH.
-
-1. Overall format
-
-The KRL consists of a header and zero or more sections. The header is:
-
-#define KRL_MAGIC		0x5353484b524c0a00ULL  /* "SSHKRL\n\0" */
-#define KRL_FORMAT_VERSION	1
-
-	uint64	KRL_MAGIC
-	uint32	KRL_FORMAT_VERSION
-	uint64	krl_version
-	uint64	generated_date
-	uint64	flags
-	string	reserved
-	string	comment
-
-Where "krl_version" is a version number that increases each time the KRL
-is modified, "generated_date" is the time in seconds since 1970-01-01
-00:00:00 UTC that the KRL was generated, "comment" is an optional comment
-and "reserved" an extension field whose contents are currently ignored.
-No "flags" are currently defined.
-
-Following the header are zero or more sections, each consisting of:
-
-	byte	section_type
-	string	section_data
-
-Where "section_type" indicates the type of the "section_data". An exception
-to this is the KRL_SECTION_SIGNATURE section, that has a slightly different
-format (see below).
-
-The available section types are:
-
-#define KRL_SECTION_CERTIFICATES		1
-#define KRL_SECTION_EXPLICIT_KEY		2
-#define KRL_SECTION_FINGERPRINT_SHA1		3
-#define KRL_SECTION_SIGNATURE			4
-
-2. Certificate section
-
-These sections use type KRL_SECTION_CERTIFICATES to revoke certificates by
-serial number or key ID. The consist of the CA key that issued the
-certificates to be revoked and a reserved field whose contents is currently
-ignored.
-
-	string ca_key
-	string reserved
-
-Where "ca_key" is the standard SSH wire serialisation of the CA's
-public key. Alternately, "ca_key" may be an empty string to indicate
-the certificate section applies to all CAs (this is most useful when
-revoking key IDs).
-
-Followed by one or more sections:
-
-	byte	cert_section_type
-	string	cert_section_data
-
-The certificate section types are:
-
-#define KRL_SECTION_CERT_SERIAL_LIST	0x20
-#define KRL_SECTION_CERT_SERIAL_RANGE	0x21
-#define KRL_SECTION_CERT_SERIAL_BITMAP	0x22
-#define KRL_SECTION_CERT_KEY_ID		0x23
-
-2.1 Certificate serial list section
-
-This section is identified as KRL_SECTION_CERT_SERIAL_LIST. It revokes
-certificates by listing their serial numbers. The cert_section_data in this
-case contains:
-
-	uint64	revoked_cert_serial
-	uint64	...
-
-This section may appear multiple times.
-
-2.2. Certificate serial range section
-
-These sections use type KRL_SECTION_CERT_SERIAL_RANGE and hold
-a range of serial numbers of certificates:
-
-	uint64	serial_min
-	uint64	serial_max
-
-All certificates in the range serial_min <= serial <= serial_max are
-revoked.
-
-This section may appear multiple times.
-
-2.3. Certificate serial bitmap section
-
-Bitmap sections use type KRL_SECTION_CERT_SERIAL_BITMAP and revoke keys
-by listing their serial number in a bitmap.
-
-	uint64	serial_offset
-	mpint	revoked_keys_bitmap
-
-A bit set at index N in the bitmap corresponds to revocation of a keys with
-serial number (serial_offset + N).
-
-This section may appear multiple times.
-
-2.4. Revoked key ID sections
-
-KRL_SECTION_CERT_KEY_ID sections revoke particular certificate "key
-ID" strings. This may be useful in revoking all certificates
-associated with a particular identity, e.g. a host or a user.
-
-	string	key_id[0]
-	...
-
-This section must contain at least one "key_id". This section may appear
-multiple times.
-
-3. Explicit key sections
-
-These sections, identified as KRL_SECTION_EXPLICIT_KEY, revoke keys
-(not certificates). They are less space efficient than serial numbers,
-but are able to revoke plain keys.
-
-	string	public_key_blob[0]
-	....
-
-This section must contain at least one "public_key_blob". The blob
-must be a raw key (i.e. not a certificate).
-
-This section may appear multiple times.
-
-4. SHA1 fingerprint sections
-
-These sections, identified as KRL_SECTION_FINGERPRINT_SHA1, revoke
-plain keys (i.e. not certificates) by listing their SHA1 hashes:
-
-	string	public_key_hash[0]
-	....
-
-This section must contain at least one "public_key_hash". The hash blob
-is obtained by taking the SHA1 hash of the public key blob. Hashes in
-this section must appear in numeric order, treating each hash as a big-
-endian integer.
-
-This section may appear multiple times.
-
-5. KRL signature sections
-
-The KRL_SECTION_SIGNATURE section serves a different purpose to the
-preceeding ones: to provide cryptographic authentication of a KRL that
-is retrieved over a channel that does not provide integrity protection.
-Its format is slightly different to the previously-described sections:
-in order to simplify the signature generation, it includes as a "body"
-two string components instead of one.
-
-	byte	KRL_SECTION_SIGNATURE
-	string	signature_key
-	string	signature
-
-The signature is calculated over the entire KRL from the KRL_MAGIC
-to this subsection's "signature_key", including both and using the
-signature generation rules appropriate for the type of "signature_key".
-
-This section must appear last in the KRL. If multiple signature sections
-appear, they must appear consecutively at the end of the KRL file.
-
-Implementations that retrieve KRLs over untrusted channels must verify
-signatures. Signature sections are optional for KRLs distributed by
-trusted means.
-
-$OpenBSD: PROTOCOL.krl,v 1.3 2015/01/30 01:10:33 djm Exp $
--- a/PROTOCOL.mux
+++ b/PROTOCOL.mux
@ -1,228 +0,0 @@
-This document describes the multiplexing protocol used by ssh(1)'s
-ControlMaster connection-sharing.
-
-Most messages from the client to the server contain a "request id" field.
-This field is returned in replies as "client request id" to facilitate
-matching of responses to requests.
-
-1. Connection setup
-
-When a multiplexing connection is made to a ssh(1) operating as a
-ControlMaster from a ssh(1) in multiplex slave mode, the first
-action of each is to exchange hello messages:
-
-	uint32	MUX_MSG_HELLO
-	uint32  protocol version
-	string  extension name [optional]
-	string  extension value [optional]
-	...
-
-The current version of the mux protocol is 4. A slave should refuse
-to connect to a master that speaks an unsupported protocol version.
-Following the version identifier are zero or more extensions
-represented as a name/value pair. No extensions are currently
-defined.
-
-2. Opening sessions
-
-To open a new multiplexed session, a client may send the following
-request:
-
-	uint32	MUX_C_NEW_SESSION
-	uint32  request id
-	string	reserved
-	bool	want tty flag
-	bool	want X11 forwarding flag
-	bool	want agent flag
-	bool	subsystem flag
-	uint32	escape char
-	string	terminal type
-	string	command
-	string	environment string 0 [optional]
-	...
-
-To disable the use of an escape character, "escape char" may be set
-to 0xffffffff. "terminal type" is generally set to the value of
-$TERM. zero or more environment strings may follow the command.
-
-The client then sends its standard input, output and error file
-descriptors (in that order) using Unix domain socket control messages.
-
-The contents of "reserved" are currently ignored.
-
-If successful, the server will reply with MUX_S_SESSION_OPENED
-
-	uint32	MUX_S_SESSION_OPENED
-	uint32	client request id
-	uint32	session id
-
-Otherwise it will reply with an error: MUX_S_PERMISSION_DENIED or
-MUX_S_FAILURE.
-
-Once the server has received the fds, it will respond with MUX_S_OK
-indicating that the session is up. The client now waits for the
-session to end. When it does, the server will send an exit status
-message:
-
-	uint32	MUX_S_EXIT_MESSAGE
-	uint32	session id
-	uint32	exit value
-
-The client should exit with this value to mimic the behaviour of a
-non-multiplexed ssh(1) connection. Two additional cases that the
-client must cope with are it receiving a signal itself and the
-server disconnecting without sending an exit message.
-
-A master may also send a MUX_S_TTY_ALLOC_FAIL before MUX_S_EXIT_MESSAGE
-if remote TTY allocation was unsuccessful. The client may use this to
-return its local tty to "cooked" mode.
-
-	uint32	MUX_S_TTY_ALLOC_FAIL
-	uint32	session id
-
-3. Health checks
-
-The client may request a health check/PID report from a server:
-
-	uint32	MUX_C_ALIVE_CHECK
-	uint32	request id
-
-The server replies with:
-
-	uint32	MUX_S_ALIVE
-	uint32	client request id
-	uint32	server pid
-
-4. Remotely terminating a master
-
-A client may request that a master terminate immediately:
-
-	uint32	MUX_C_TERMINATE
-	uint32	request id
-
-The server will reply with one of MUX_S_OK or MUX_S_PERMISSION_DENIED.
-
-5. Requesting establishment of port forwards
-
-A client may request the master to establish a port forward:
-
-	uint32	MUX_C_OPEN_FWD
-	uint32	request id
-	uint32	forwarding type
-	string	listen host
-	uint32	listen port
-	string	connect host
-	uint32	connect port
-
-forwarding type may be MUX_FWD_LOCAL, MUX_FWD_REMOTE, MUX_FWD_DYNAMIC.
-
-If listen port is (unsigned int) -2, then the listen host is treated as
-a unix socket path name.
-
-If connect port is (unsigned int) -2, then the connect host is treated
-as a unix socket path name.
-
-A server may reply with a MUX_S_OK, a MUX_S_REMOTE_PORT, a
-MUX_S_PERMISSION_DENIED or a MUX_S_FAILURE.
-
-For dynamically allocated listen port the server replies with
-
-	uint32	MUX_S_REMOTE_PORT
-	uint32	client request id
-	uint32	allocated remote listen port
-
-6. Requesting closure of port forwards
-
-Note: currently unimplemented (server will always reply with MUX_S_FAILURE).
-
-A client may request the master to close a port forward:
-
-	uint32	MUX_C_CLOSE_FWD
-	uint32	request id
-	uint32	forwarding type
-	string	listen host
-	uint32	listen port
-	string	connect host
-	uint32	connect port
-
-A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a
-MUX_S_FAILURE.
-
-7. Requesting stdio forwarding
-
-A client may request the master to establish a stdio forwarding:
-
-	uint32	MUX_C_NEW_STDIO_FWD
-	uint32	request id
-	string	reserved
-	string	connect host
-	string	connect port
-
-The client then sends its standard input and output file descriptors
-(in that order) using Unix domain socket control messages.
-
-The contents of "reserved" are currently ignored.
-
-A server may reply with a MUX_S_SESSION_OPENED, a MUX_S_PERMISSION_DENIED
-or a MUX_S_FAILURE.
-
-8. Requesting shutdown of mux listener
-
-A client may request the master to stop accepting new multiplexing requests
-and remove its listener socket.
-
-	uint32	MUX_C_STOP_LISTENING
-	uint32	request id
-
-A server may reply with a MUX_S_OK, a MUX_S_PERMISSION_DENIED or a
-MUX_S_FAILURE.
-
-9. Status messages
-
-The MUX_S_OK message is empty:
-
-	uint32	MUX_S_OK
-	uint32	client request id
-
-The MUX_S_PERMISSION_DENIED and MUX_S_FAILURE include a reason:
-
-	uint32	MUX_S_PERMISSION_DENIED
-	uint32	client request id
-	string	reason
-
-	uint32	MUX_S_FAILURE
-	uint32	client request id
-	string	reason
-
-10. Protocol numbers
-
-#define MUX_MSG_HELLO		0x00000001
-#define MUX_C_NEW_SESSION	0x10000002
-#define MUX_C_ALIVE_CHECK	0x10000004
-#define MUX_C_TERMINATE		0x10000005
-#define MUX_C_OPEN_FWD		0x10000006
-#define MUX_C_CLOSE_FWD		0x10000007
-#define MUX_C_NEW_STDIO_FWD	0x10000008
-#define MUX_C_STOP_LISTENING	0x10000009
-#define MUX_S_OK		0x80000001
-#define MUX_S_PERMISSION_DENIED	0x80000002
-#define MUX_S_FAILURE		0x80000003
-#define MUX_S_EXIT_MESSAGE	0x80000004
-#define MUX_S_ALIVE		0x80000005
-#define MUX_S_SESSION_OPENED	0x80000006
-#define MUX_S_REMOTE_PORT	0x80000007
-#define MUX_S_TTY_ALLOC_FAIL	0x80000008
-
-#define MUX_FWD_LOCAL	1
-#define MUX_FWD_REMOTE	2
-#define MUX_FWD_DYNAMIC	3
-
-XXX TODO
-XXX extended status (e.g. report open channels / forwards)
-XXX lock (maybe)
-XXX watch in/out traffic (pre/post crypto)
-XXX inject packet (what about replies)
-XXX server->client error/warning notifications
-XXX send signals via mux
-
-$OpenBSD: PROTOCOL.mux,v 1.10 2015/07/17 03:04:27 djm Exp $
--- a/69
+++ b/69
@ -1,69 +0,0 @@
-See http://www.openssh.com/txt/release-7.1 for the release notes.
-
-Please read http://www.openssh.com/report.html for bug reporting
-instructions and note that we do not use Github for bug reporting or
-patch/pull-request management.
-
- A Japanese translation of this document and of the OpenSSH FAQ is
- available at http://www.unixuser.org/~haruyama/security/openssh/index.html
- Thanks to HARUYAMA Seigo <haruyama@unixuser.org>
-
-This is the port of OpenBSD's excellent OpenSSH[0] to Linux and other
-Unices.
-
-OpenSSH is based on the last free version of Tatu Ylonen's sample
-implementation with all patent-encumbered algorithms removed (to
-external libraries), all known security bugs fixed, new features
-reintroduced and many other clean-ups.  OpenSSH has been created by
-Aaron Campbell, Bob Beck, Markus Friedl, Niels Provos, Theo de Raadt,
-and Dug Song. It has a homepage at http://www.openssh.com/
-
-This port consists of the re-introduction of autoconf support, PAM
-support, EGD[1]/PRNGD[2] support and replacements for OpenBSD library
-functions that are (regrettably) absent from other unices. This port
-has been best tested on AIX, Cygwin, HP-UX, Linux, MacOS/X,
-NetBSD, OpenBSD, OpenServer, Solaris, Unicos, and UnixWare.
-
-This version actively tracks changes in the OpenBSD CVS repository.
-
-The PAM support is now more functional than the popular packages of
-commercial ssh-1.2.x. It checks "account" and "session" modules for
-all logins, not just when using password authentication.
-
-OpenSSH depends on Zlib[3], OpenSSL[4] and optionally PAM[5].
-
-There is now several mailing lists for this port of OpenSSH. Please
-refer to http://www.openssh.com/list.html for details on how to join.
-
-Please send bug reports and patches to the mailing list
-openssh-unix-dev@mindrot.org. The list is open to posting by
-unsubscribed users.Code contribution are welcomed, but please follow the 
-OpenBSD style guidelines[6].
-
-Please refer to the INSTALL document for information on how to install
-OpenSSH on your system. There are a number of differences between this
-port of OpenSSH and F-Secure SSH 1.x, please refer to the OpenSSH FAQ[7]
-for details and general tips.
-
-Damien Miller <djm@mindrot.org>
-
-Miscellania -
-
-This version of OpenSSH is based upon code retrieved from the OpenBSD
-CVS repository which in turn was based on the last free sample
-implementation released by Tatu Ylonen.
-
-References -
-
-[0] http://www.openssh.com/faq.html
-[1] http://www.lothar.com/tech/crypto/
-[2] http://www.aet.tu-cottbus.de/personen/jaenicke/postfix_tls/prngd.html
-[3] http://www.gzip.org/zlib/
-[4] http://www.openssl.org/
-[5] http://www.openpam.org
-    http://www.kernel.org/pub/linux/libs/pam/ 
-    (PAM also is standard on Solaris and HP-UX 11)
-[6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
-[7] http://www.openssh.com/faq.html
-
-$Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
--- a/README.dns
+++ b/README.dns
@ -1,47 +0,0 @@
-How to verify host keys using OpenSSH and DNS
---------------------------------------------
-
-OpenSSH contains support for verifying host keys using DNS as described in
-draft-ietf-secsh-dns-05.txt. The document contains very brief instructions
-on how to use this feature. Configuring DNS is out of the scope of this
-document.
-
-
-(1) Server: Generate and publish the DNS RR
-
-To create a DNS resource record (RR) containing a fingerprint of the
-public host key, use the following command:
-
-	ssh-keygen -r hostname -f keyfile -g
-
-where "hostname" is your fully qualified hostname and "keyfile" is the
-file containing the public host key file. If you have multiple keys,
-you should generate one RR for each key.
-
-In the example above, ssh-keygen will print the fingerprint in a
-generic DNS RR format parsable by most modern name server
-implementations. If your nameserver has support for the SSHFP RR
-you can omit the -g flag and ssh-keygen will print a standard SSHFP RR.
-
-To publish the fingerprint using the DNS you must add the generated RR
-to your DNS zone file and sign your zone.
-
-
-(2) Client: Enable ssh to verify host keys using DNS
-
-To enable the ssh client to verify host keys using DNS, you have to
-add the following option to the ssh configuration file
-($HOME/.ssh/config or /etc/ssh/ssh_config):
-
-    VerifyHostKeyDNS yes
-
-Upon connection the client will try to look up the fingerprint RR
-using DNS. If the fingerprint received from the DNS server matches
-the remote host key, the user will be notified.
-
-
-	Jakob Schlyter
-	Wesley Griffin
-
-
-$OpenBSD: README.dns,v 1.2 2003/10/14 19:43:23 jakob Exp $
--- a/README.md
+++ b/README.md
@ -1,2 +1,34 @@
-# OpenSSH
-Win32 port of OpenSSH
+As of Nov 1st 2016, active development on "Windows for OpenSSH" is being done in https://github.com/PowerShell/openssh-portable.
+
+This repo (https://github.com/PowerShell/Win32-OpenSSH) is being maintained to keep track of releases and issues
+and because it contains the [wiki](https://github.com/PowerShell/Win32-OpenSSH/wiki)
+which has instructions for [building](https://github.com/PowerShell/Win32-OpenSSH/wiki/Building-OpenSSH-for-Windows-(using-LibreSSL-crypto)).
+
+### Release History
+
+| Date | Version | Release with source |
+|---|---|---|
+| 7/26/2018 | 7.7.2.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v7.7.2.0 |
+| 1/11/2019 | 7.9.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v7.9.0.0 |
+| 6/23/2019 | 8.0.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v8.0.0.0 |
+| 12/17/2019 | 8.1.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v8.1.0.0 |
+| 05/26/2021 | 8.6.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v8.6.0.0 |
+| 03/17/2022 | 8.9.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v8.9.0.0 |
+| 03/22/2022 | 8.9.1.0 | https://github.com/PowerShell/openssh-portable/releases/tag/V8.9.1.0 |
+| 12/13/2022 | 9.1.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.1.0.0 |
+| 02/21/2023 | 9.2.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.2.0.0 |
+| 04/17/2023 | 9.2.2.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.2.2.0 |
+| 10/10/2023 | 9.4.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.4.0.0 |
+| 12/18/2023 | 9.5.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.5.0.0 |
+| 10/08/2024 | 9.8.0.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.8.0.0 |
+| 10/10/2024 | 9.8.1.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.8.1.0 |
+| 04/08/2025 | 9.8.2.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.8.2.0 |
+| 04/18/2025 | 9.8.3.0 | https://github.com/PowerShell/openssh-portable/releases/tag/v9.8.3.0 |
+
+## Code of Conduct
+
+Please see our [Code of Conduct](.github/CODE_OF_CONDUCT.md) before participating in this project.
+
+## Security Policy
+
+For any security issues, please see our [Security Policy](.github/SECURITY.md).
--- a/README.platform
+++ b/README.platform
@ -1,96 +0,0 @@
-This file contains notes about OpenSSH on specific platforms.
-
-AIX
---
-As of OpenSSH 3.8p1, sshd will now honour an accounts password expiry
-settings, where previously it did not.  Because of this, it's possible for
-sites that have used OpenSSH's sshd exclusively to have accounts which
-have passwords expired longer than the inactive time (ie the "Weeks between
-password EXPIRATION and LOCKOUT" setting in SMIT or the maxexpired
-chuser attribute).
-
-Accounts in this state must have their passwords reset manually by the
-administrator.  As a precaution, it is recommended that the administrative
-passwords be reset before upgrading from OpenSSH <3.8.
-
-As of OpenSSH 4.0, configure will attempt to detect if your version
-and maintenance level of AIX has a working getaddrinfo, and will use it
-if found.  This will enable IPv6 support.  If for some reason configure
-gets it wrong, or if you want to build binaries to work on earlier MLs
-than the build host then you can add "-DBROKEN_GETADDRINFO" to CFLAGS
-to force the previous IPv4-only behaviour.
-
-IPv6 known to work: 5.1ML7 5.2ML2 5.2ML5
-IPv6 known broken: 4.3.3ML11 5.1ML4
-
-If you wish to use dynamic libraries that aren't in the normal system
-locations (eg IBM's OpenSSL and zlib packages) then you will need to
-define the environment variable blibpath before running configure, eg
-
-blibpath=/lib:/usr/lib:/opt/freeware/lib ./configure \
-  --with-ssl-dir=/opt/freeware --with-zlib=/opt/freeware
-
-If sshd is built with the WITH_AIXAUTHENTICATE option (which is enabled
-by default) then sshd checks that users are permitted via the
-loginrestrictions() function, in particular that the user has the
-"rlogin" attribute set.  This check is not done for the root account,
-instead the PermitRootLogin setting in sshd_config is used.
-
-
-Cygwin
------
-To build on Cygwin, OpenSSH requires the following packages:
-gcc, gcc-mingw-core, mingw-runtime, binutils, make, openssl,
-openssl-devel, zlib, minres, minires-devel.
-
-
-Darwin and MacOS X
------------------
-Darwin does not provide a tun(4) driver required for OpenSSH-based
-virtual private networks. The BSD manpage still exists, but the driver
-has been removed in recent releases of Darwin and MacOS X.
-
-Nevertheless, tunnel support is known to work with Darwin 8 and
-MacOS X 10.4 in Point-to-Point (Layer 3) and Ethernet (Layer 2) mode
-using a third party driver. More information is available at:
-	http://www-user.rhrk.uni-kl.de/~nissler/tuntap/
-
-
-Linux
-----
-
-Some Linux distributions (including Red Hat/Fedora/CentOS) include
-headers and library links in the -devel RPMs rather than the main
-binary RPMs. If you get an error about headers, or complaining about a
-missing prerequisite then you may need to install the equivalent
-development packages.  On Redhat based distros these may be openssl-devel,
-zlib-devel and pam-devel, on Debian based distros these may be
-libssl-dev, libz-dev and libpam-dev.
-
-
-Solaris
-------
-If you enable BSM auditing on Solaris, you need to update audit_event(4)
-for praudit(1m) to give sensible output.  The following line needs to be
-added to /etc/security/audit_event:
-
-	32800:AUE_openssh:OpenSSH login:lo
-
-The BSM audit event range available for third party TCB applications is
-32768 - 65535.  Event number 32800 has been choosen for AUE_openssh.
-There is no official registry of 3rd party event numbers, so if this
-number is already in use on your system, you may change it at build time
-by configure'ing --with-cflags=-DAUE_openssh=32801 then rebuilding.
-
-
-Platforms using PAM
-------------------
-As of OpenSSH 4.3p1, sshd will no longer check /etc/nologin itself when
-PAM is enabled.  To maintain existing behaviour, pam_nologin should be
-added to sshd's session stack which will prevent users from starting shell
-sessions.  Alternatively, pam_nologin can be added to either the auth or
-account stacks which will prevent authentication entirely, but will still
-return the output from pam_nologin to the client.
-
-
-$Id: README.platform,v 1.10 2009/08/28 23:14:48 dtucker Exp $
--- a/README.privsep
+++ b/README.privsep
@ -1,63 +0,0 @@
-Privilege separation, or privsep, is method in OpenSSH by which
-operations that require root privilege are performed by a separate
-privileged monitor process.  Its purpose is to prevent privilege
-escalation by containing corruption to an unprivileged process.
-More information is available at:
-	http://www.citi.umich.edu/u/provos/ssh/privsep.html
-
-Privilege separation is now enabled by default; see the
-UsePrivilegeSeparation option in sshd_config(5).
-
-On systems which lack mmap or anonymous (MAP_ANON) memory mapping,
-compression must be disabled in order for privilege separation to
-function.
-
-When privsep is enabled, during the pre-authentication phase sshd will
-chroot(2) to "/var/empty" and change its privileges to the "sshd" user
-and its primary group.  sshd is a pseudo-account that should not be
-used by other daemons, and must be locked and should contain a
-"nologin" or invalid shell.
-
-You should do something like the following to prepare the privsep
-preauth environment:
-
-	# mkdir /var/empty
-	# chown root:sys /var/empty
-	# chmod 755 /var/empty
-	# groupadd sshd
-	# useradd -g sshd -c 'sshd privsep' -d /var/empty -s /bin/false sshd
-
-/var/empty should not contain any files.
-
-configure supports the following options to change the default
-privsep user and chroot directory:
-
-  --with-privsep-path=xxx Path for privilege separation chroot
-  --with-privsep-user=user Specify non-privileged user for privilege separation
-
-Privsep requires operating system support for file descriptor passing.
-Compression will be disabled on systems without a working mmap MAP_ANON.
-
-PAM-enabled OpenSSH is known to function with privsep on AIX, FreeBSD, 
-HP-UX (including Trusted Mode), Linux, NetBSD and Solaris.
-
-On Cygwin, Tru64 Unix, OpenServer, and Unicos only the pre-authentication
-part of privsep is supported.  Post-authentication privsep is disabled
-automatically (so you won't see the additional process mentioned below).
-
-Note that for a normal interactive login with a shell, enabling privsep
-will require 1 additional process per login session.
-
-Given the following process listing (from HP-UX):
-
-     UID   PID  PPID  C    STIME TTY       TIME COMMAND
-    root  1005     1  0 10:45:17 ?         0:08 /opt/openssh/sbin/sshd -u0
-    root  6917  1005  0 15:19:16 ?         0:00 sshd: stevesk [priv]
- stevesk  6919  6917  0 15:19:17 ?         0:03 sshd: stevesk@2
- stevesk  6921  6919  0 15:19:17 pts/2     0:00 -bash
-
-process 1005 is the sshd process listening for new connections.
-process 6917 is the privileged monitor process, 6919 is the user owned
-sshd process and 6921 is the shell process.
-
-$Id: README.privsep,v 1.16 2005/06/04 23:21:41 djm Exp $
--- a/README.tun
+++ b/README.tun
@ -1,132 +0,0 @@
-How to use OpenSSH-based virtual private networks
-------------------------------------------------
-
-OpenSSH contains support for VPN tunneling using the tun(4) network
-tunnel pseudo-device which is available on most platforms, either for
-layer 2 or 3 traffic.
-
-The following brief instructions on how to use this feature use
-a network configuration specific to the OpenBSD operating system.
-
-(1) Server: Enable support for SSH tunneling
-
-To enable the ssh server to accept tunnel requests from the client, you
-have to add the following option to the ssh server configuration file
-(/etc/ssh/sshd_config):
-
-	PermitTunnel yes
-
-Restart the server or send the hangup signal (SIGHUP) to let the server
-reread it's configuration.
-
-(2) Server: Restrict client access and assign the tunnel
-
-The OpenSSH server simply uses the file /root/.ssh/authorized_keys to
-restrict the client to connect to a specified tunnel and to
-automatically start the related interface configuration command. These
-settings are optional but recommended:
-
-	tunnel="1",command="sh /etc/netstart tun1" ssh-rsa ... reyk@openbsd.org
-
-(3) Client: Configure the local network tunnel interface
-
-Use the hostname.if(5) interface-specific configuration file to set up
-the network tunnel configuration with OpenBSD. For example, use the
-following configuration in /etc/hostname.tun0 to set up the layer 3
-tunnel on the client:
-
-	inet 192.168.5.1 255.255.255.252 192.168.5.2
-
-OpenBSD also supports layer 2 tunneling over the tun device by adding
-the link0 flag:
-
-	inet 192.168.1.78 255.255.255.0 192.168.1.255 link0
-
-Layer 2 tunnels can be used in combination with an Ethernet bridge(4)
-interface, like the following example for /etc/bridgename.bridge0:
-
-	add tun0
-	add sis0
-	up
-
-(4) Client: Configure the OpenSSH client
-
-To establish tunnel forwarding for connections to a specified
-remote host by default, use the following ssh client configuration for
-the privileged user (in /root/.ssh/config):
-
-	Host sshgateway
-		Tunnel yes
-		TunnelDevice 0:any
-		PermitLocalCommand yes
-	        LocalCommand sh /etc/netstart tun0
-
-A more complicated configuration is possible to establish a tunnel to
-a remote host which is not directly accessible by the client.
-The following example describes a client configuration to connect to
-the remote host over two ssh hops in between. It uses the OpenSSH
-ProxyCommand in combination with the nc(1) program to forward the final
-ssh tunnel destination over multiple ssh sessions.
-
-	Host access.somewhere.net
-	        User puffy
-	Host dmzgw
-	        User puffy
-	        ProxyCommand ssh access.somewhere.net nc dmzgw 22
-	Host sshgateway
-	        Tunnel Ethernet
-	        TunnelDevice 0:any
-	        PermitLocalCommand yes
-	        LocalCommand sh /etc/netstart tun0
-	        ProxyCommand ssh dmzgw nc sshgateway 22
-
-The following network plan illustrates the previous configuration in
-combination with layer 2 tunneling and Ethernet bridging.
-
-+--------+       (          )      +----------------------+
-| Client |------(  Internet  )-----| access.somewhere.net |
-+--------+       (          )      +----------------------+
-    : 192.168.1.78                             |
-    :.............................         +-------+
-     Forwarded ssh connection    :         | dmzgw |
-     Layer 2 tunnel              :         +-------+
-                                 :             |
-                                 :             |
-                                 :      +------------+
-                                 :......| sshgateway |
-                                      | +------------+
--- real connection                 Bridge ->  |          +----------+
-... "virtual connection"                     [ X ]--------| somehost |
-[X] switch                                                +----------+
-                                                          192.168.1.25
-
-(5) Client: Connect to the server and establish the tunnel
-
-Finally connect to the OpenSSH server to establish the tunnel by using
-the following command:
-
-	ssh sshgateway
-
-It is also possible to tell the client to fork into the background after
-the connection has been successfully established:
-
-	ssh -f sshgateway true
-
-Without the ssh configuration done in step (4), it is also possible
-to use the following command lines:
-
-	ssh -fw 0:1 sshgateway true
-	ifconfig tun0 192.168.5.1 192.168.5.2 netmask 255.255.255.252
-
-Using OpenSSH tunnel forwarding is a simple way to establish secure
-and ad hoc virtual private networks. Possible fields of application
-could be wireless networks or administrative VPN tunnels.
-
-Nevertheless, ssh tunneling requires some packet header overhead and
-runs on top of TCP. It is still suggested to use the IP Security
-Protocol (IPSec) for robust and permanent VPN connections and to
-interconnect corporate networks.
-
-	Reyk Floeter
-
-$OpenBSD: README.tun,v 1.4 2006/03/28 00:12:31 deraadt Exp $
--- a/README.win32
+++ b/README.win32
@ -1,180 +0,0 @@
-README.win32
-
-openssh-5.9p1-win32-3
-
- Added the INSTALL.win32 to the package. It provides installation
-  instructions for the OpenSSH win32 port.
-
-openssh-5.9p1-win32-2
-
- Adjusted sources to compile with mingw-gcc 4.7.
-
-openssh-5.9p1-win32-1
-
-Implemented:
-
- Ported statvfs and fstatvfs extensions in sftp-server on
-   Windows.
-
- Added support for Windows domain accounts.
-
- Added support for network logon if interactive one failed on Windows.
-
- Implemented Kerberos authentication using MIT/Kerberos and native
-   SSPI/Kerberos.
-
- Disabled stdin echo while reading password on Windows.
-
- sshd doesn't need lsa, when target user is owner of sshd
-   process on Windows.
-
- integrated ssh-lsa with openssh tree.
-
-Bug fixes:
-
- Fixed resource leaks in sshd on Windows.
-
- Fixed possible hang up in ssh on Windows.
-
- Fixed clean up of Winsta0 DACL on server side.
-
- Added 'PamLibrary' option to sshd_config. This option changes
-   default path to libpam.so. if no specified default path is used.
-
- Ported -oAuthorizedKeysFile to Windows.
-
- Fixed path expanding under SYSTEM account on Windows.
-
- Fixed block issue when the same socket used for stdin and stdout in
-   sftp-server on Windows.
-
- Fixed possible heap corruption on file copying in sftp-server.
-
- Fixed possible connection drop, when copying big files in
-   sftp-server on Windows.
-
- Removed one redundant code page conversion in sftp-server on Windows.
-
- Fixed access to root directory in sftp-server on Windows.
-
- Fixed wrong exit code in SERVICE_CONTROL_STOP handler on Windows.
-
- Changed encoding local characters while formatting error messages on
-   Windows.
-
- Speeded up retreving HANDLE's type, when socket used on Windows.
-
- Set stdout to binary mode as default if pipe is used in ssh on
-   Windows.
-
-openssh-5.9p1-win32
-
- Updated to OpenSSH version 5.9p1.
-
- The openSSH SFTP client has been ported to Win 32.
-
-openssh-4.7p1-win32-1
-
- The following tools have been ported to Win32: ssh-agent, ssh-add,
-  sftp-server program and ssh-keygen. All the basic functionalities
-  related to the creation of the key-pairs are fully supported. The
-  managing of the known_hosts file is missing.
-
- Added support to SSH client for MIT Kerberos for Windows and for
-  authorization based on smartcard devices.
-
- Updated SSH server to support login also when the account doesn't
-  have administrative privileges.
-
- Added support for native RSA/DSA key authorization via ssh-lsa.
-  Installing this tool requires administrative privileges and
-  a reboot of the machine.
-
- The ProxyCommand option is now supported on Win32.
-
- Added support for installing SSHD as a service by means of sc.exe
-  command line tool for Windows. Since command line parameters are not
-  passed to the SSHD process, a default sshd_config file is searched
-  in the following locations: in the installation directory where
-  sshd.exe is located (e.g. C:\sshd); the directory 'etc' under
-  the installation directory (e.g. C:\sshd\etc), and the directory 'etc'  
-  in the installation directory (e.g C:\etc).
-
- Improved SSH server to be fully operative on Windows Vista. SSHD can
-  work on Windows XP without SP1.
-
- Improved logging facilities of SSHD: now all instances of the SSH
-  server log to the same file and SSHD creates a minidump file if a
-  crash occurs.
-
- Solved problem with processes that may be left running when the SSHD
-  service is stopped or after an abnormal closure of the SSH session.
-
- Fixed some memory leaks.
-
- Fixed possible crashes of SSHD when a great number of connections is
-  established.
-
- Fixed possible hanging of the SSHD service that may occurr when the
-  SSH session is closing and when reading a passphrase.
-
- Fixed logging behavior of SSH client. Now when the client is run in
-  debug mode, output of packet dumps can be redirected to a file.
-  Solved other issues occurring when packet dumps when standard error
-  is redirected.
-
- Fixed a problem related to the inheritance of handles in SSHD.
-
- Fixed a bug in the session_get() function causing a segmentation
-  fault of SSHD.
-
- Fixed the closure of startup pipes. This solves a problem which was
-  limiting the number of sessions to 10.
-
- Fixed a problem causing a delay in establishing the connection when
-  SSHD is started as a Win32 service. Speeded-up login.
-
- Disabled the privilege separation on Win32.
-
- Solved issues preventing the correct detection of home directory
-  either on Windows 7 and when the user domain is set to NULL.
-
- Fixed a segmentation fault of SSHD on Windows 7 at 64bit.
-
- Added the setting of the USERPROFILE variable to the value detected
-  just after a successful login.
-
-openssh-5.4p1-win32
-
- Updated to OpenSSH version 5.4p1.
-
-openssh-4.7p1-win32
-
- Added the Win32 compat layer.
-
- The Win32 layer provides support for: User identity and password
-  management functions like getuid(),setuid(),getpw*() and others;
-  string management functions like strcasecmp(), strncasecmp() and
-  other functions such as gettimeofday() and gethomedir(); management
-  of file descriptors, file handlers and sockets in an unified way;
-  file descriptor and sockets functions such as fstat(), fdopen(),
-  open(), dup(),dup2(), pipe(),create(),shutdown(),accept(),read(),
-  write(),close(), socket(), setsockopt(),getsockopt(), getpeername(),
-  getsockname(), ioctlsocket(), listen(),bind(),connect(), and others;
-  the select() function which can work on sockets, files, pipes and
-  console handlers; Windows users authentication.
-
- Introduced some changes to the OpenSSH code for: supporting the
-  CreateProcess() function replacing fork() and allowing compilation
-  on Win32 platform.
-
- Open Issues: SSHD cannot be installed as a Windows service by means
-  of Win32 administrative tools; if SSHD is running as a Windows
-  service, it requires that property 'Allow service to interact with
-  desktop' is set; to allow the connecting user to be authenticated by
-  SSHD, it is necessary that the user belongs to the 'Administrators'
-  group; if the connecting user has been authorized with public key
-  authentication, the GetUserName() function always returns 'SYSTEM'
-  instead of the username; possible crashes may occur during autho-
-  rization phase when SSHD is running on Vista; port of the ssh-keygen
-  tool is not available in this version.
--- a/86
+++ b/86
@ -1,86 +0,0 @@
-Documentation:
-
- Update the docs
-  - Update README
-  - Update INSTALL
-  - Merge INSTALL & README.privsep
-
- Install FAQ?
-
- General FAQ on S/Key, TIS, RSA, RSA2, DSA, etc and suggestions on when it
-  would be best to use them.
-
- Create a Documentation/ directory?
-
-Programming:
-
- Grep for 'XXX' comments and fix
-
- Link order is incorrect for some systems using Kerberos 4 and AFS. Result
-  is multiple inclusion of DES symbols. Holger Trapp
-  <holger.trapp@hrz.tu-chemnitz.de> reports that changing the configure
-  generated link order from:
-	-lresolv -lkrb -lz -lnsl  -lutil -lkafs -lkrb -ldes -lcrypto
-  to:
-	-lresolv -lkrb -lz -lnsl  -lutil -lcrypto -lkafs -lkrb -ldes
-  fixing the problem.
-
- Write a test program that calls stat() to search for EGD/PRNGd socket
-  rather than use the (non-portable) "test -S".
-
- More platforms for for setproctitle() emulation (testing needed)
-
- Improve PAM ChallengeResponseAuthentication
- - Informational messages
- - Use different PAM service name for kbdint vs regular auth (suggest from
-   Solar Designer)
- - Ability to select which ChallengeResponseAuthentications may be used
-   and order to try them in e.g. "ChallengeResponseAuthentication skey, pam"
-
- Complete Tru64 SIA support
- - It looks like we could merge it into the password auth code to cut down
-   on diff size. Maybe PAM password auth too?
-
- Finish integrating kernel-level auditing code for IRIX and SOLARIS
-  (Gilbert.r.loomis@saic.com)
-
- 64-bit builds on HP-UX 11.X (stevesk@pobox.com):
-  - utmp/wtmp get corrupted (something in loginrec?)
-  - can't build with PAM (no 64-bit libpam yet)
-
-Clean up configure/makefiles:
- Clean up configure.ac - There are a few double #defined variables
-  left to do.  HAVE_LOGIN is one of them.  Consider NOT looking for
-  information in wtmpx or utmpx or any of that stuff if it's not detected
-  from the start
-
- Replace the whole u_intXX_t evilness in acconfig.h with something better???
- - Do it in configure.ac
-
- Consider splitting the u_intXX_t test for sys/bitype.h  into seperate test
-  to allow people to (right/wrongfully) link against Bind directly.
-
- Consider splitting configure.ac into seperate files which do logically
-  similar tests. E.g move all the type detection stuff into one file,
-  entropy related stuff into another.
-
-Packaging:
- HP-UX: Provide DEPOT package scripts.
-  (gilbert.r.loomis@saic.com)
-
-PrivSep Issues:
- mmap() issues.
-  + /dev/zero solution (Solaris)
-  + No/broken MAP_ANON (Irix)
-  + broken /dev/zero parse (Linux)
- PAM
-  + See above PAM notes
- AIX
-  + usrinfo() does not set TTY, but only required for legacy systems.  Works
-    with PrivSep.
- OSF
-  + SIA is broken
- Cygwin
-  + Privsep for Pre-auth only (no fd passing)
-
-$Id: TODO,v 1.58 2004/12/06 11:40:11 dtucker Exp $
--- a/aclocal.m4
+++ b/aclocal.m4
@ -1,94 +0,0 @@
-dnl $Id: aclocal.m4,v 1.8 2011/05/20 01:45:25 djm Exp $
-dnl
-dnl OpenSSH-specific autoconf macros
-dnl
-
-dnl OSSH_CHECK_CFLAG_COMPILE(check_flag[, define_flag])
-dnl Check that $CC accepts a flag 'check_flag'. If it is supported append
-dnl 'define_flag' to $CFLAGS. If 'define_flag' is not specified, then append
-dnl 'check_flag'.
-AC_DEFUN([OSSH_CHECK_CFLAG_COMPILE], [{
-	AC_MSG_CHECKING([if $CC supports $1])
-	saved_CFLAGS="$CFLAGS"
-	CFLAGS="$CFLAGS $1"
-	_define_flag="$2"
-	test "x$_define_flag" = "x" && _define_flag="$1"
-	AC_COMPILE_IFELSE([AC_LANG_SOURCE([[int main(void) { return 0; }]])],
-		[ AC_MSG_RESULT([yes])
-		  CFLAGS="$saved_CFLAGS $_define_flag"],
-		[ AC_MSG_RESULT([no])
-		  CFLAGS="$saved_CFLAGS" ]
-	)
-}])
-
-
-dnl OSSH_CHECK_HEADER_FOR_FIELD(field, header, symbol)
-dnl Does AC_EGREP_HEADER on 'header' for the string 'field'
-dnl If found, set 'symbol' to be defined. Cache the result.
-dnl TODO: This is not foolproof, better to compile and read from there
-AC_DEFUN(OSSH_CHECK_HEADER_FOR_FIELD, [
-# look for field '$1' in header '$2'
-	dnl This strips characters illegal to m4 from the header filename
-	ossh_safe=`echo "$2" | sed 'y%./+-%__p_%'`
-	dnl
-	ossh_varname="ossh_cv_$ossh_safe""_has_"$1
-	AC_MSG_CHECKING(for $1 field in $2)
-	AC_CACHE_VAL($ossh_varname, [
-		AC_EGREP_HEADER($1, $2, [ dnl
-			eval "$ossh_varname=yes" dnl
-		], [ dnl
-			eval "$ossh_varname=no" dnl
-		]) dnl
-	])
-	ossh_result=`eval 'echo $'"$ossh_varname"`
-	if test -n "`echo $ossh_varname`"; then
-		AC_MSG_RESULT($ossh_result)
-		if test "x$ossh_result" = "xyes"; then
-			AC_DEFINE($3, 1, [Define if you have $1 in $2])
-		fi
-	else
-		AC_MSG_RESULT(no)
-	fi
-])
-
-dnl Check for socklen_t: historically on BSD it is an int, and in
-dnl POSIX 1g it is a type of its own, but some platforms use different
-dnl types for the argument to getsockopt, getpeername, etc.  So we
-dnl have to test to find something that will work.
-AC_DEFUN([TYPE_SOCKLEN_T],
-[
-   AC_CHECK_TYPE([socklen_t], ,[
-      AC_MSG_CHECKING([for socklen_t equivalent])
-      AC_CACHE_VAL([curl_cv_socklen_t_equiv],
-      [
-	 # Systems have either "struct sockaddr *" or
-	 # "void *" as the second argument to getpeername
-	 curl_cv_socklen_t_equiv=
-	 for arg2 in "struct sockaddr" void; do
-	    for t in int size_t unsigned long "unsigned long"; do
-	       AC_TRY_COMPILE([
-		  #include <sys/types.h>
-		  #include <sys/socket.h>
-
-		  int getpeername (int, $arg2 *, $t *);
-	       ],[
-		  $t len;
-		  getpeername(0,0,&len);
-	       ],[
-		  curl_cv_socklen_t_equiv="$t"
-		  break
-	       ])
-	    done
-	 done
-
-	 if test "x$curl_cv_socklen_t_equiv" = x; then
-	    AC_MSG_ERROR([Cannot find a type to use in place of socklen_t])
-	 fi
-      ])
-      AC_MSG_RESULT($curl_cv_socklen_t_equiv)
-      AC_DEFINE_UNQUOTED(socklen_t, $curl_cv_socklen_t_equiv,
-			[type to use in place of socklen_t if not defined])],
-      [#include <sys/types.h>
-#include <sys/socket.h>])
-])
-
--- a/acss.c
+++ b/acss.c
@ -1,267 +0,0 @@
-/*	$Id: acss.c,v 1.4 2006/07/24 04:51:01 djm Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00906000L)
-
-#include "acss.h"
-
-/* decryption sbox */
-static unsigned char sboxdec[] = {
-	0x33, 0x73, 0x3b, 0x26, 0x63, 0x23, 0x6b, 0x76,
-	0x3e, 0x7e, 0x36, 0x2b, 0x6e, 0x2e, 0x66, 0x7b,
-	0xd3, 0x93, 0xdb, 0x06, 0x43, 0x03, 0x4b, 0x96,
-	0xde, 0x9e, 0xd6, 0x0b, 0x4e, 0x0e, 0x46, 0x9b,
-	0x57, 0x17, 0x5f, 0x82, 0xc7, 0x87, 0xcf, 0x12,
-	0x5a, 0x1a, 0x52, 0x8f, 0xca, 0x8a, 0xc2, 0x1f,
-	0xd9, 0x99, 0xd1, 0x00, 0x49, 0x09, 0x41, 0x90,
-	0xd8, 0x98, 0xd0, 0x01, 0x48, 0x08, 0x40, 0x91,
-	0x3d, 0x7d, 0x35, 0x24, 0x6d, 0x2d, 0x65, 0x74,
-	0x3c, 0x7c, 0x34, 0x25, 0x6c, 0x2c, 0x64, 0x75,
-	0xdd, 0x9d, 0xd5, 0x04, 0x4d, 0x0d, 0x45, 0x94,
-	0xdc, 0x9c, 0xd4, 0x05, 0x4c, 0x0c, 0x44, 0x95,
-	0x59, 0x19, 0x51, 0x80, 0xc9, 0x89, 0xc1, 0x10,
-	0x58, 0x18, 0x50, 0x81, 0xc8, 0x88, 0xc0, 0x11,
-	0xd7, 0x97, 0xdf, 0x02, 0x47, 0x07, 0x4f, 0x92,
-	0xda, 0x9a, 0xd2, 0x0f, 0x4a, 0x0a, 0x42, 0x9f,
-	0x53, 0x13, 0x5b, 0x86, 0xc3, 0x83, 0xcb, 0x16,
-	0x5e, 0x1e, 0x56, 0x8b, 0xce, 0x8e, 0xc6, 0x1b,
-	0xb3, 0xf3, 0xbb, 0xa6, 0xe3, 0xa3, 0xeb, 0xf6,
-	0xbe, 0xfe, 0xb6, 0xab, 0xee, 0xae, 0xe6, 0xfb,
-	0x37, 0x77, 0x3f, 0x22, 0x67, 0x27, 0x6f, 0x72,
-	0x3a, 0x7a, 0x32, 0x2f, 0x6a, 0x2a, 0x62, 0x7f,
-	0xb9, 0xf9, 0xb1, 0xa0, 0xe9, 0xa9, 0xe1, 0xf0,
-	0xb8, 0xf8, 0xb0, 0xa1, 0xe8, 0xa8, 0xe0, 0xf1,
-	0x5d, 0x1d, 0x55, 0x84, 0xcd, 0x8d, 0xc5, 0x14,
-	0x5c, 0x1c, 0x54, 0x85, 0xcc, 0x8c, 0xc4, 0x15,
-	0xbd, 0xfd, 0xb5, 0xa4, 0xed, 0xad, 0xe5, 0xf4,
-	0xbc, 0xfc, 0xb4, 0xa5, 0xec, 0xac, 0xe4, 0xf5,
-	0x39, 0x79, 0x31, 0x20, 0x69, 0x29, 0x61, 0x70,
-	0x38, 0x78, 0x30, 0x21, 0x68, 0x28, 0x60, 0x71,
-	0xb7, 0xf7, 0xbf, 0xa2, 0xe7, 0xa7, 0xef, 0xf2,
-	0xba, 0xfa, 0xb2, 0xaf, 0xea, 0xaa, 0xe2, 0xff
-};
-
-/* encryption sbox */
-static unsigned char sboxenc[] = {
-	0x33, 0x3b, 0x73, 0x15, 0x53, 0x5b, 0x13, 0x75,
-	0x3d, 0x35, 0x7d, 0x1b, 0x5d, 0x55, 0x1d, 0x7b,
-	0x67, 0x6f, 0x27, 0x81, 0xc7, 0xcf, 0x87, 0x21,
-	0x69, 0x61, 0x29, 0x8f, 0xc9, 0xc1, 0x89, 0x2f,
-	0xe3, 0xeb, 0xa3, 0x05, 0x43, 0x4b, 0x03, 0xa5,
-	0xed, 0xe5, 0xad, 0x0b, 0x4d, 0x45, 0x0d, 0xab,
-	0xea, 0xe2, 0xaa, 0x00, 0x4a, 0x42, 0x0a, 0xa0,
-	0xe8, 0xe0, 0xa8, 0x02, 0x48, 0x40, 0x08, 0xa2,
-	0x3e, 0x36, 0x7e, 0x14, 0x5e, 0x56, 0x1e, 0x74,
-	0x3c, 0x34, 0x7c, 0x16, 0x5c, 0x54, 0x1c, 0x76,
-	0x6a, 0x62, 0x2a, 0x80, 0xca, 0xc2, 0x8a, 0x20,
-	0x68, 0x60, 0x28, 0x82, 0xc8, 0xc0, 0x88, 0x22,
-	0xee, 0xe6, 0xae, 0x04, 0x4e, 0x46, 0x0e, 0xa4,
-	0xec, 0xe4, 0xac, 0x06, 0x4c, 0x44, 0x0c, 0xa6,
-	0xe7, 0xef, 0xa7, 0x01, 0x47, 0x4f, 0x07, 0xa1,
-	0xe9, 0xe1, 0xa9, 0x0f, 0x49, 0x41, 0x09, 0xaf,
-	0x63, 0x6b, 0x23, 0x85, 0xc3, 0xcb, 0x83, 0x25,
-	0x6d, 0x65, 0x2d, 0x8b, 0xcd, 0xc5, 0x8d, 0x2b,
-	0x37, 0x3f, 0x77, 0x11, 0x57, 0x5f, 0x17, 0x71,
-	0x39, 0x31, 0x79, 0x1f, 0x59, 0x51, 0x19, 0x7f,
-	0xb3, 0xbb, 0xf3, 0x95, 0xd3, 0xdb, 0x93, 0xf5,
-	0xbd, 0xb5, 0xfd, 0x9b, 0xdd, 0xd5, 0x9d, 0xfb,
-	0xba, 0xb2, 0xfa, 0x90, 0xda, 0xd2, 0x9a, 0xf0,
-	0xb8, 0xb0, 0xf8, 0x92, 0xd8, 0xd0, 0x98, 0xf2,
-	0x6e, 0x66, 0x2e, 0x84, 0xce, 0xc6, 0x8e, 0x24,
-	0x6c, 0x64, 0x2c, 0x86, 0xcc, 0xc4, 0x8c, 0x26,
-	0x3a, 0x32, 0x7a, 0x10, 0x5a, 0x52, 0x1a, 0x70,
-	0x38, 0x30, 0x78, 0x12, 0x58, 0x50, 0x18, 0x72,
-	0xbe, 0xb6, 0xfe, 0x94, 0xde, 0xd6, 0x9e, 0xf4,
-	0xbc, 0xb4, 0xfc, 0x96, 0xdc, 0xd4, 0x9c, 0xf6,
-	0xb7, 0xbf, 0xf7, 0x91, 0xd7, 0xdf, 0x97, 0xf1,
-	0xb9, 0xb1, 0xf9, 0x9f, 0xd9, 0xd1, 0x99, 0xff
-};
-
-static unsigned char reverse[] = {
-	0x00, 0x80, 0x40, 0xc0, 0x20, 0xa0, 0x60, 0xe0,
-	0x10, 0x90, 0x50, 0xd0, 0x30, 0xb0, 0x70, 0xf0,
-	0x08, 0x88, 0x48, 0xc8, 0x28, 0xa8, 0x68, 0xe8,
-	0x18, 0x98, 0x58, 0xd8, 0x38, 0xb8, 0x78, 0xf8,
-	0x04, 0x84, 0x44, 0xc4, 0x24, 0xa4, 0x64, 0xe4,
-	0x14, 0x94, 0x54, 0xd4, 0x34, 0xb4, 0x74, 0xf4,
-	0x0c, 0x8c, 0x4c, 0xcc, 0x2c, 0xac, 0x6c, 0xec,
-	0x1c, 0x9c, 0x5c, 0xdc, 0x3c, 0xbc, 0x7c, 0xfc,
-	0x02, 0x82, 0x42, 0xc2, 0x22, 0xa2, 0x62, 0xe2,
-	0x12, 0x92, 0x52, 0xd2, 0x32, 0xb2, 0x72, 0xf2,
-	0x0a, 0x8a, 0x4a, 0xca, 0x2a, 0xaa, 0x6a, 0xea,
-	0x1a, 0x9a, 0x5a, 0xda, 0x3a, 0xba, 0x7a, 0xfa,
-	0x06, 0x86, 0x46, 0xc6, 0x26, 0xa6, 0x66, 0xe6,
-	0x16, 0x96, 0x56, 0xd6, 0x36, 0xb6, 0x76, 0xf6,
-	0x0e, 0x8e, 0x4e, 0xce, 0x2e, 0xae, 0x6e, 0xee,
-	0x1e, 0x9e, 0x5e, 0xde, 0x3e, 0xbe, 0x7e, 0xfe,
-	0x01, 0x81, 0x41, 0xc1, 0x21, 0xa1, 0x61, 0xe1,
-	0x11, 0x91, 0x51, 0xd1, 0x31, 0xb1, 0x71, 0xf1,
-	0x09, 0x89, 0x49, 0xc9, 0x29, 0xa9, 0x69, 0xe9,
-	0x19, 0x99, 0x59, 0xd9, 0x39, 0xb9, 0x79, 0xf9,
-	0x05, 0x85, 0x45, 0xc5, 0x25, 0xa5, 0x65, 0xe5,
-	0x15, 0x95, 0x55, 0xd5, 0x35, 0xb5, 0x75, 0xf5,
-	0x0d, 0x8d, 0x4d, 0xcd, 0x2d, 0xad, 0x6d, 0xed,
-	0x1d, 0x9d, 0x5d, 0xdd, 0x3d, 0xbd, 0x7d, 0xfd,
-	0x03, 0x83, 0x43, 0xc3, 0x23, 0xa3, 0x63, 0xe3,
-	0x13, 0x93, 0x53, 0xd3, 0x33, 0xb3, 0x73, 0xf3,
-	0x0b, 0x8b, 0x4b, 0xcb, 0x2b, 0xab, 0x6b, 0xeb,
-	0x1b, 0x9b, 0x5b, 0xdb, 0x3b, 0xbb, 0x7b, 0xfb,
-	0x07, 0x87, 0x47, 0xc7, 0x27, 0xa7, 0x67, 0xe7,
-	0x17, 0x97, 0x57, 0xd7, 0x37, 0xb7, 0x77, 0xf7,
-	0x0f, 0x8f, 0x4f, 0xcf, 0x2f, 0xaf, 0x6f, 0xef,
-	0x1f, 0x9f, 0x5f, 0xdf, 0x3f, 0xbf, 0x7f, 0xff
-};
-
-/*
- * Two linear feedback shift registers are used:
- *
- * lfsr17:  polynomial of degree 17, primitive modulo 2 (listed in Schneier)
- *          x^15 + x + 1
- * lfsr25:  polynomial of degree 25, not know if primitive modulo 2
- *          x^13 + x^5 + x^4 + x^1 + 1
- *
- * Output bits are discarded, instead the feedback bits are added to produce
- * the cipher stream.  Depending on the mode, feedback bytes may be inverted
- * bit-wise before addition.
- *
- * The lfsrs are seeded with bytes from the raw key:
- *
- * lfsr17:  byte 0[0:7] at bit 9
- *          byte 1[0:7] at bit 0
- *
- * lfsr25:  byte 2[0:4] at bit 16
- *          byte 2[5:7] at bit 22
- *          byte 3[0:7] at bit 8
- *          byte 4[0:7] at bit 0
- *
- * To prevent 0 cycles, 1's are inject at bit 8 in lfrs17 and bit 21 in
- * lfsr25.
- *
- */
-
-int
-acss(ACSS_KEY *key, unsigned long len, const unsigned char *in,
-    unsigned char *out)
-{
-	unsigned long i;
-	unsigned long lfsr17tmp, lfsr25tmp, lfsrsumtmp;
-
-	lfsrsumtmp = lfsr17tmp = lfsr25tmp = 0;
-
-	/* keystream is sum of lfsrs */
-	for (i = 0; i < len; i++) {
-		lfsr17tmp = key->lfsr17 ^ (key->lfsr17 >> 14);
-		key->lfsr17 = (key->lfsr17 >> 8)
-			^ (lfsr17tmp << 9)
-			^ (lfsr17tmp << 12)
-			^ (lfsr17tmp << 15);
-		key->lfsr17 &= 0x1ffff;	/* 17 bit LFSR */
-
-		lfsr25tmp = key->lfsr25
-			^ (key->lfsr25 >> 3)
-			^ (key->lfsr25 >> 4)
-			^ (key->lfsr25 >> 12);
-		key->lfsr25 = (key->lfsr25 >> 8) ^ (lfsr25tmp << 17);
-		key->lfsr25 &= 0x1ffffff;	/* 25 bit LFSR */
-
-		lfsrsumtmp = key->lfsrsum;
-
-		/* addition */
-		switch (key->mode) {
-		case ACSS_AUTHENTICATE:
-		case ACSS_DATA:
-			key->lfsrsum = 0xff & ~(key->lfsr17 >> 9);
-			key->lfsrsum += key->lfsr25 >> 17;
-			break;
-		case ACSS_SESSIONKEY:
-			key->lfsrsum = key->lfsr17 >> 9;
-			key->lfsrsum += key->lfsr25 >> 17;
-			break;
-		case ACSS_TITLEKEY:
-			key->lfsrsum = key->lfsr17 >> 9;
-			key->lfsrsum += 0xff & ~(key->lfsr25 >> 17);
-			break;
-		default:
-			return 1;
-		}
-		key->lfsrsum += (lfsrsumtmp >> 8);
-
-		if (key->encrypt) {
-			out[i] = sboxenc[(in[i] ^ key->lfsrsum) & 0xff];
-		} else {
-			out[i] = (sboxdec[in[i]] ^ key->lfsrsum) & 0xff;
-		}
-	}
-
-	return 0;
-}
-
-static void
-acss_seed(ACSS_KEY *key)
-{
-	int i;
-
-	/* if available, mangle with subkey */
-	if (key->subkey_avilable) {
-		for (i = 0; i < ACSS_KEYSIZE; i++)
-			key->seed[i] = reverse[key->data[i] ^ key->subkey[i]];
-	} else {
-		for (i = 0; i < ACSS_KEYSIZE; i++)
-			key->seed[i] = reverse[key->data[i]];
-	}
-
-	/* seed lfsrs */
-	key->lfsr17 = key->seed[1]
-		| (key->seed[0] << 9)
-		| (1 << 8);	/* inject 1 at bit 9 */
-	key->lfsr25 = key->seed[4]
-		| (key->seed[3] << 8)
-		| ((key->seed[2] & 0x1f) << 16)
-		| ((key->seed[2] & 0xe0) << 17)
-			| (1 << 21);	/* inject 1 at bit 22 */
-
-	key->lfsrsum = 0;
-}
-
-void
-acss_setkey(ACSS_KEY *key, const unsigned char *data, int enc, int mode)
-{
-	memcpy(key->data, data, sizeof(key->data));
-	memset(key->subkey, 0, sizeof(key->subkey));
-
-	if (enc != -1)
-		key->encrypt = enc;
-	key->mode = mode;
-	key->subkey_avilable = 0;
-
-	acss_seed(key);
-}
-
-void
-acss_setsubkey(ACSS_KEY *key, const unsigned char *subkey)
-{
-	memcpy(key->subkey, subkey, sizeof(key->subkey));
-	key->subkey_avilable = 1;
-	acss_seed(key);
-}
-#endif
--- a/acss.h
+++ b/acss.h
@ -1,47 +0,0 @@
-/*	$Id: acss.h,v 1.2 2004/02/06 04:22:43 dtucker Exp $ */
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _ACSS_H_
-#define _ACSS_H_
-
-/* 40bit key */
-#define ACSS_KEYSIZE		5
-
-/* modes of acss */
-#define ACSS_AUTHENTICATE	0
-#define ACSS_SESSIONKEY		1
-#define ACSS_TITLEKEY		2
-#define ACSS_DATA		3
-
-typedef struct acss_key_st {
-	unsigned int	lfsr17;		/* current state of lfsrs */
-	unsigned int	lfsr25;
-	unsigned int	lfsrsum;
-	unsigned char	seed[ACSS_KEYSIZE];
-	unsigned char	data[ACSS_KEYSIZE];
-	unsigned char	subkey[ACSS_KEYSIZE];
-	int		encrypt;	/* XXX make these bit flags? */
-	int		mode;
-	int		seeded;
-	int		subkey_avilable;
-} ACSS_KEY;
-
-void acss_setkey(ACSS_KEY *, const unsigned char *, int, int);
-void acss_setsubkey(ACSS_KEY *, const unsigned char *);
-int acss(ACSS_KEY *, unsigned long, const unsigned char *, unsigned char *);
-
-#endif /* ifndef _ACSS_H_ */
--- a/addrmatch.c
+++ b/addrmatch.c
@ -1,499 +0,0 @@
-/*	$OpenBSD: addrmatch.c,v 1.10 2015/07/08 19:04:21 markus Exp $ */
-
-/*
- * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <netdb.h>
-#include <string.h>
-#include <stdlib.h>
-#include <stdio.h>
-#include <stdarg.h>
-
-#include "match.h"
-#include "log.h"
-
-struct xaddr {
-	sa_family_t	af;
-	union {
-		struct in_addr		v4;
-		struct in6_addr		v6;
-		u_int8_t		addr8[16];
-		u_int32_t		addr32[4];
-	} xa;		    /* 128-bit address */
-	u_int32_t	scope_id;	/* iface scope id for v6 */
-#define v4	xa.v4
-#define v6	xa.v6
-#define addr8	xa.addr8
-#define addr32	xa.addr32
-};
-
-static int
-addr_unicast_masklen(int af)
-{
-	switch (af) {
-	case AF_INET:
-		return 32;
-	case AF_INET6:
-		return 128;
-	default:
-		return -1;
-	}
-}
-
-static inline int
-masklen_valid(int af, u_int masklen)
-{
-	switch (af) {
-	case AF_INET:
-		return masklen <= 32 ? 0 : -1;
-	case AF_INET6:
-		return masklen <= 128 ? 0 : -1;
-	default:
-		return -1;
-	}
-}
-
-/*
- * Convert struct sockaddr to struct xaddr
- * Returns 0 on success, -1 on failure.
- */
-static int
-addr_sa_to_xaddr(struct sockaddr *sa, socklen_t slen, struct xaddr *xa)
-{
-	struct sockaddr_in *in4 = (struct sockaddr_in *)sa;
-	struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)sa;
-
-	memset(xa, '\0', sizeof(*xa));
-
-	switch (sa->sa_family) {
-	case AF_INET:
-		if (slen < (socklen_t)sizeof(*in4))
-			return -1;
-		xa->af = AF_INET;
-		memcpy(&xa->v4, &in4->sin_addr, sizeof(xa->v4));
-		break;
-	case AF_INET6:
-		if (slen < (socklen_t)sizeof(*in6))
-			return -1;
-		xa->af = AF_INET6;
-		memcpy(&xa->v6, &in6->sin6_addr, sizeof(xa->v6));
-#ifdef HAVE_STRUCT_SOCKADDR_IN6_SIN6_SCOPE_ID
-		xa->scope_id = in6->sin6_scope_id;
-#endif
-		break;
-	default:
-		return -1;
-	}
-
-	return 0;
-}
-
-/*
- * Calculate a netmask of length 'l' for address family 'af' and
- * store it in 'n'.
- * Returns 0 on success, -1 on failure.
- */
-static int
-addr_netmask(int af, u_int l, struct xaddr *n)
-{
-	int i;
-
-	if (masklen_valid(af, l) != 0 || n == NULL)
-		return -1;
-
-	memset(n, '\0', sizeof(*n));
-	switch (af) {
-	case AF_INET:
-		n->af = AF_INET;
-		if (l == 0)
-			return 0;
-		n->v4.s_addr = htonl((0xffffffff << (32 - l)) & 0xffffffff);
-		return 0;
-	case AF_INET6:
-		n->af = AF_INET6;
-		for (i = 0; i < 4 && l >= 32; i++, l -= 32)
-			n->addr32[i] = 0xffffffffU;
-		if (i < 4 && l != 0)
-			n->addr32[i] = htonl((0xffffffff << (32 - l)) &
-			    0xffffffff);
-		return 0;
-	default:
-		return -1;
-	}
-}
-
-/*
- * Perform logical AND of addresses 'a' and 'b', storing result in 'dst'.
- * Returns 0 on success, -1 on failure.
- */
-static int
-addr_and(struct xaddr *dst, const struct xaddr *a, const struct xaddr *b)
-{
-	int i;
-
-	if (dst == NULL || a == NULL || b == NULL || a->af != b->af)
-		return -1;
-
-	memcpy(dst, a, sizeof(*dst));
-	switch (a->af) {
-	case AF_INET:
-		dst->v4.s_addr &= b->v4.s_addr;
-		return 0;
-	case AF_INET6:
-		dst->scope_id = a->scope_id;
-		for (i = 0; i < 4; i++)
-			dst->addr32[i] &= b->addr32[i];
-		return 0;
-	default:
-		return -1;
-	}
-}
-
-/*
- * Compare addresses 'a' and 'b'
- * Return 0 if addresses are identical, -1 if (a < b) or 1 if (a > b)
- */
-static int
-addr_cmp(const struct xaddr *a, const struct xaddr *b)
-{
-	int i;
-
-	if (a->af != b->af)
-		return a->af == AF_INET6 ? 1 : -1;
-
-	switch (a->af) {
-	case AF_INET:
-		if (a->v4.s_addr == b->v4.s_addr)
-			return 0;
-		return ntohl(a->v4.s_addr) > ntohl(b->v4.s_addr) ? 1 : -1;
-	case AF_INET6:
-		for (i = 0; i < 16; i++)
-			if (a->addr8[i] - b->addr8[i] != 0)
-				return a->addr8[i] > b->addr8[i] ? 1 : -1;
-		if (a->scope_id == b->scope_id)
-			return 0;
-		return a->scope_id > b->scope_id ? 1 : -1;
-	default:
-		return -1;
-	}
-}
-
-/*
- * Parse string address 'p' into 'n'
- * Returns 0 on success, -1 on failure.
- */
-static int
-addr_pton(const char *p, struct xaddr *n)
-{
-	struct addrinfo hints, *ai;
-
-	memset(&hints, '\0', sizeof(hints));
-	hints.ai_flags = AI_NUMERICHOST;
-
-	if (p == NULL || getaddrinfo(p, NULL, &hints, &ai) != 0)
-		return -1;
-
-	if (ai == NULL || ai->ai_addr == NULL)
-		return -1;
-
-	if (n != NULL &&
-	    addr_sa_to_xaddr(ai->ai_addr, ai->ai_addrlen, n) == -1) {
-		freeaddrinfo(ai);
-		return -1;
-	}
-
-	freeaddrinfo(ai);
-	return 0;
-}
-
-/*
- * Perform bitwise negation of address
- * Returns 0 on success, -1 on failure.
- */
-static int
-addr_invert(struct xaddr *n)
-{
-	int i;
-
-	if (n == NULL)
-		return (-1);
-
-	switch (n->af) {
-	case AF_INET:
-		n->v4.s_addr = ~n->v4.s_addr;
-		return (0);
-	case AF_INET6:
-		for (i = 0; i < 4; i++)
-			n->addr32[i] = ~n->addr32[i];
-		return (0);
-	default:
-		return (-1);
-	}
-}
-
-/*
- * Calculate a netmask of length 'l' for address family 'af' and
- * store it in 'n'.
- * Returns 0 on success, -1 on failure.
- */
-static int
-addr_hostmask(int af, u_int l, struct xaddr *n)
-{
-	if (addr_netmask(af, l, n) == -1 || addr_invert(n) == -1)
-		return (-1);
-	return (0);
-}
-
-/*
- * Test whether address 'a' is all zeros (i.e. 0.0.0.0 or ::)
- * Returns 0 on if address is all-zeros, -1 if not all zeros or on failure.
- */
-static int
-addr_is_all0s(const struct xaddr *a)
-{
-	int i;
-
-	switch (a->af) {
-	case AF_INET:
-		return (a->v4.s_addr == 0 ? 0 : -1);
-	case AF_INET6:;
-		for (i = 0; i < 4; i++)
-			if (a->addr32[i] != 0)
-				return (-1);
-		return (0);
-	default:
-		return (-1);
-	}
-}
-
-/*
- * Test whether host portion of address 'a', as determined by 'masklen'
- * is all zeros.
- * Returns 0 on if host portion of address is all-zeros,
- * -1 if not all zeros or on failure.
- */
-static int
-addr_host_is_all0s(const struct xaddr *a, u_int masklen)
-{
-	struct xaddr tmp_addr, tmp_mask, tmp_result;
-
-	memcpy(&tmp_addr, a, sizeof(tmp_addr));
-	if (addr_hostmask(a->af, masklen, &tmp_mask) == -1)
-		return (-1);
-	if (addr_and(&tmp_result, &tmp_addr, &tmp_mask) == -1)
-		return (-1);
-	return (addr_is_all0s(&tmp_result));
-}
-
-/*
- * Parse a CIDR address (x.x.x.x/y or xxxx:yyyy::/z).
- * Return -1 on parse error, -2 on inconsistency or 0 on success.
- */
-static int
-addr_pton_cidr(const char *p, struct xaddr *n, u_int *l)
-{
-	struct xaddr tmp;
-	long unsigned int masklen = 999;
-	char addrbuf[64], *mp, *cp;
-
-	/* Don't modify argument */
-	if (p == NULL || strlcpy(addrbuf, p, sizeof(addrbuf)) >= sizeof(addrbuf))
-		return -1;
-
-	if ((mp = strchr(addrbuf, '/')) != NULL) {
-		*mp = '\0';
-		mp++;
-		masklen = strtoul(mp, &cp, 10);
-		if (*mp == '\0' || *cp != '\0' || masklen > 128)
-			return -1;
-	}
-
-	if (addr_pton(addrbuf, &tmp) == -1)
-		return -1;
-
-	if (mp == NULL)
-		masklen = addr_unicast_masklen(tmp.af);
-	if (masklen_valid(tmp.af, masklen) == -1)
-		return -2;
-	if (addr_host_is_all0s(&tmp, masklen) != 0)
-		return -2;
-
-	if (n != NULL)
-		memcpy(n, &tmp, sizeof(*n));
-	if (l != NULL)
-		*l = masklen;
-
-	return 0;
-}
-
-static int
-addr_netmatch(const struct xaddr *host, const struct xaddr *net, u_int masklen)
-{
-	struct xaddr tmp_mask, tmp_result;
-
-	if (host->af != net->af)
-		return -1;
-
-	if (addr_netmask(host->af, masklen, &tmp_mask) == -1)
-		return -1;
-	if (addr_and(&tmp_result, host, &tmp_mask) == -1)
-		return -1;
-	return addr_cmp(&tmp_result, net);
-}
-
-/*
- * Match "addr" against list pattern list "_list", which may contain a
- * mix of CIDR addresses and old-school wildcards.
- *
- * If addr is NULL, then no matching is performed, but _list is parsed
- * and checked for well-formedness.
- *
- * Returns 1 on match found (never returned when addr == NULL).
- * Returns 0 on if no match found, or no errors found when addr == NULL.
- * Returns -1 on negated match found (never returned when addr == NULL).
- * Returns -2 on invalid list entry.
- */
-int
-addr_match_list(const char *addr, const char *_list)
-{
-	char *list, *cp, *o;
-	struct xaddr try_addr, match_addr;
-	u_int masklen, neg;
-	int ret = 0, r;
-
-	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
-		debug2("%s: couldn't parse address %.100s", __func__, addr);
-		return 0;
-	}
-	if ((o = list = strdup(_list)) == NULL)
-		return -1;
-	while ((cp = strsep(&list, ",")) != NULL) {
-		neg = *cp == '!';
-		if (neg)
-			cp++;
-		if (*cp == '\0') {
-			ret = -2;
-			break;
-		}
-		/* Prefer CIDR address matching */
-		r = addr_pton_cidr(cp, &match_addr, &masklen);
-		if (r == -2) {
-			error("Inconsistent mask length for "
-			    "network \"%.100s\"", cp);
-			ret = -2;
-			break;
-		} else if (r == 0) {
-			if (addr != NULL && addr_netmatch(&try_addr,
-                           &match_addr, masklen) == 0) {
- foundit:
-				if (neg) {
-					ret = -1;
-					break;
-				}
-				ret = 1;
-			}
-			continue;
-		} else {
-			/* If CIDR parse failed, try wildcard string match */
-			if (addr != NULL && match_pattern(addr, cp) == 1)
-				goto foundit;
-		}
-	}
-	free(o);
-
-	return ret;
-}
-
-/*
- * Match "addr" against list CIDR list "_list". Lexical wildcards and
- * negation are not supported. If "addr" == NULL, will verify structure
- * of "_list".
- *
- * Returns 1 on match found (never returned when addr == NULL).
- * Returns 0 on if no match found, or no errors found when addr == NULL.
- * Returns -1 on error
- */
-int
-addr_match_cidr_list(const char *addr, const char *_list)
-{
-	char *list, *cp, *o;
-	struct xaddr try_addr, match_addr;
-	u_int masklen;
-	int ret = 0, r;
-
-	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
-		debug2("%s: couldn't parse address %.100s", __func__, addr);
-		return 0;
-	}
-	if ((o = list = strdup(_list)) == NULL)
-		return -1;
-	while ((cp = strsep(&list, ",")) != NULL) {
-		if (*cp == '\0') {
-			error("%s: empty entry in list \"%.100s\"",
-			    __func__, o);
-			ret = -1;
-			break;
-		}
-
-		/*
-		 * NB. This function is called in pre-auth with untrusted data,
-		 * so be extra paranoid about junk reaching getaddrino (via
-		 * addr_pton_cidr).
-		 */
-
-		/* Stop junk from reaching getaddrinfo. +3 is for masklen */
-		if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
-			error("%s: list entry \"%.100s\" too long",
-			    __func__, cp);
-			ret = -1;
-			break;
-		}
-#define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
-		if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
-			error("%s: list entry \"%.100s\" contains invalid "
-			    "characters", __func__, cp);
-			ret = -1;
-		}
-
-		/* Prefer CIDR address matching */
-		r = addr_pton_cidr(cp, &match_addr, &masklen);
-		if (r == -1) {
-			error("Invalid network entry \"%.100s\"", cp);
-			ret = -1;
-			break;
-		} else if (r == -2) {
-			error("Inconsistent mask length for "
-			    "network \"%.100s\"", cp);
-			ret = -1;
-			break;
-		} else if (r == 0 && addr != NULL) {
-			if (addr_netmatch(&try_addr, &match_addr,
-			    masklen) == 0)
-				ret = 1;
-			continue;
-		}
-	}
-	free(o);
-
-	return ret;
-}
--- a/atomicio.c
+++ b/atomicio.c
@ -1,170 +0,0 @@
-/* $OpenBSD: atomicio.c,v 1.27 2015/01/16 06:40:12 deraadt Exp $ */
-/*
- * Copyright (c) 2006 Damien Miller. All rights reserved.
- * Copyright (c) 2005 Anil Madhavapeddy. All rights reserved.
- * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/param.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#ifdef HAVE_POLL_H
-#include <poll.h>
-#else
-# ifdef HAVE_SYS_POLL_H
-#  include <sys/poll.h>
-# endif
-#endif
-#include <string.h>
-#include <unistd.h>
-#include <limits.h>
-
-#include "atomicio.h"
-
-/*
- * ensure all of data on socket comes through. f==read || f==vwrite
- */
-size_t
-atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
-    int (*cb)(void *, size_t), void *cb_arg)
-{
-	char *s = _s;
-	size_t pos = 0;
-	ssize_t res;
-	struct pollfd pfd;
-
-#ifndef BROKEN_READ_COMPARISON
-	pfd.fd = fd;
-	pfd.events = f == read ? POLLIN : POLLOUT;
-#endif
-	while (n > pos) {
-		res = (f) (fd, s + pos, n - pos);
-		switch (res) {
-		case -1:
-			if (errno == EINTR)
-				continue;
-			if (errno == EAGAIN || errno == EWOULDBLOCK) {
-#ifndef BROKEN_READ_COMPARISON
-				(void)poll(&pfd, 1, -1);
-#endif
-				continue;
-			}
-			return 0;
-		case 0:
-			errno = EPIPE;
-			return pos;
-		default:
-			pos += (size_t)res;
-			if (cb != NULL && cb(cb_arg, (size_t)res) == -1) {
-				errno = EINTR;
-				return pos;
-			}
-		}
-	}
-	return pos;
-}
-
-size_t
-atomicio(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n)
-{
-	return atomicio6(f, fd, _s, n, NULL, NULL);
-}
-
-/*
- * ensure all of data on socket comes through. f==readv || f==writev
- */
-size_t
-atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
-    const struct iovec *_iov, int iovcnt,
-    int (*cb)(void *, size_t), void *cb_arg)
-{
-	size_t pos = 0, rem;
-	ssize_t res;
-	struct iovec iov_array[IOV_MAX], *iov = iov_array;
-	struct pollfd pfd;
-
-	if (iovcnt > IOV_MAX) {
-		errno = EINVAL;
-		return 0;
-	}
-	/* Make a copy of the iov array because we may modify it below */
-	memcpy(iov, _iov, iovcnt * sizeof(*_iov));
-
-#ifndef BROKEN_READV_COMPARISON
-	pfd.fd = fd;
-	pfd.events = f == readv ? POLLIN : POLLOUT;
-#endif
-	for (; iovcnt > 0 && iov[0].iov_len > 0;) {
-		res = (f) (fd, iov, iovcnt);
-		switch (res) {
-		case -1:
-			if (errno == EINTR)
-				continue;
-			if (errno == EAGAIN || errno == EWOULDBLOCK) {
-#ifndef BROKEN_READV_COMPARISON
-				(void)poll(&pfd, 1, -1);
-#endif
-				continue;
-			}
-			return 0;
-		case 0:
-			errno = EPIPE;
-			return pos;
-		default:
-			rem = (size_t)res;
-			pos += rem;
-			/* skip completed iov entries */
-			while (iovcnt > 0 && rem >= iov[0].iov_len) {
-				rem -= iov[0].iov_len;
-				iov++;
-				iovcnt--;
-			}
-			/* This shouldn't happen... */
-			if (rem > 0 && (iovcnt <= 0 || rem > iov[0].iov_len)) {
-				errno = EFAULT;
-				return 0;
-			}
-			if (iovcnt == 0)
-				break;
-			/* update pointer in partially complete iov */
-			iov[0].iov_base = ((char *)iov[0].iov_base) + rem;
-			iov[0].iov_len -= rem;
-		}
-		if (cb != NULL && cb(cb_arg, (size_t)res) == -1) {
-			errno = EINTR;
-			return pos;
-		}
-	}
-	return pos;
-}
-
-size_t
-atomiciov(ssize_t (*f) (int, const struct iovec *, int), int fd,
-    const struct iovec *_iov, int iovcnt)
-{
-	return atomiciov6(f, fd, _iov, iovcnt, NULL, NULL);
-}
--- a/atomicio.h
+++ b/atomicio.h
@ -1,51 +0,0 @@
-/* $OpenBSD: atomicio.h,v 1.11 2010/09/22 22:58:51 djm Exp $ */
-
-/*
- * Copyright (c) 2006 Damien Miller.  All rights reserved.
- * Copyright (c) 1995,1999 Theo de Raadt.  All rights reserved.
- * All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _ATOMICIO_H
-#define _ATOMICIO_H
-
-/*
- * Ensure all of data on socket comes through. f==read || f==vwrite
- */
-size_t
-atomicio6(ssize_t (*f) (int, void *, size_t), int fd, void *_s, size_t n,
-    int (*cb)(void *, size_t), void *);
-size_t	atomicio(ssize_t (*)(int, void *, size_t), int, void *, size_t);
-
-#define vwrite (ssize_t (*)(int, void *, size_t))write
-
-/*
- * ensure all of data on socket comes through. f==readv || f==writev
- */
-size_t
-atomiciov6(ssize_t (*f) (int, const struct iovec *, int), int fd,
-    const struct iovec *_iov, int iovcnt, int (*cb)(void *, size_t), void *);
-size_t	atomiciov(ssize_t (*)(int, const struct iovec *, int),
-    int, const struct iovec *, int);
-
-#endif /* _ATOMICIO_H */
--- a/audit-bsm.c
+++ b/audit-bsm.c
@ -1,467 +0,0 @@
-/* $Id: audit-bsm.c,v 1.8 2012/02/23 23:40:43 dtucker Exp $ */
-
-/*
- * TODO
- *
- * - deal with overlap between this and sys_auth_allowed_user
- *   sys_auth_record_login and record_failed_login.
- */
-
-/*
- * Copyright 1988-2002 Sun Microsystems, Inc.  All rights reserved.
- * Use is subject to license terms.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-/* #pragma ident	"@(#)bsmaudit.c	1.1	01/09/17 SMI" */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#if defined(USE_BSM_AUDIT)
-
-#include <sys/types.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#ifdef BROKEN_BSM_API
-#include <libscf.h>
-#endif
-
-#include "ssh.h"
-#include "log.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "xmalloc.h"
-
-#ifndef AUE_openssh
-# define AUE_openssh     32800
-#endif
-#include <bsm/audit.h>
-#include <bsm/libbsm.h>
-#include <bsm/audit_uevents.h>
-#include <bsm/audit_record.h>
-#include <locale.h>
-
-#if defined(HAVE_GETAUDIT_ADDR)
-#define	AuditInfoStruct		auditinfo_addr
-#define AuditInfoTermID		au_tid_addr_t
-#define SetAuditFunc(a,b)	setaudit_addr((a),(b))
-#define SetAuditFuncText	"setaudit_addr"
-#define AUToSubjectFunc		au_to_subject_ex
-#define AUToReturnFunc(a,b)	au_to_return32((a), (int32_t)(b))
-#else
-#define	AuditInfoStruct		auditinfo
-#define AuditInfoTermID		au_tid_t
-#define SetAuditFunc(a,b)	setaudit(a)
-#define SetAuditFuncText	"setaudit"
-#define AUToSubjectFunc		au_to_subject
-#define AUToReturnFunc(a,b)	au_to_return((a), (u_int)(b))
-#endif
-
-#ifndef cannot_audit
-extern int	cannot_audit(int);
-#endif
-extern void	aug_init(void);
-extern void	aug_save_auid(au_id_t);
-extern void	aug_save_uid(uid_t);
-extern void	aug_save_euid(uid_t);
-extern void	aug_save_gid(gid_t);
-extern void	aug_save_egid(gid_t);
-extern void	aug_save_pid(pid_t);
-extern void	aug_save_asid(au_asid_t);
-extern void	aug_save_tid(dev_t, unsigned int);
-extern void	aug_save_tid_ex(dev_t, u_int32_t *, u_int32_t);
-extern int	aug_save_me(void);
-extern int	aug_save_namask(void);
-extern void	aug_save_event(au_event_t);
-extern void	aug_save_sorf(int);
-extern void	aug_save_text(char *);
-extern void	aug_save_text1(char *);
-extern void	aug_save_text2(char *);
-extern void	aug_save_na(int);
-extern void	aug_save_user(char *);
-extern void	aug_save_path(char *);
-extern int	aug_save_policy(void);
-extern void	aug_save_afunc(int (*)(int));
-extern int	aug_audit(void);
-extern int	aug_na_selected(void);
-extern int	aug_selected(void);
-extern int	aug_daemon_session(void);
-
-#ifndef HAVE_GETTEXT
-# define gettext(a)	(a)
-#endif
-
-extern Authctxt *the_authctxt;
-static AuditInfoTermID ssh_bsm_tid;
-
-#ifdef BROKEN_BSM_API
-/* For some reason this constant is no longer defined
-   in Solaris 11. */
-#define BSM_TEXTBUFSZ 256
-#endif
-
-/* Below is the low-level BSM interface code */
-
-/*
- * aug_get_machine is only required on IPv6 capable machines, we use a
- * different mechanism in audit_connection_from() for IPv4-only machines.
- * getaudit_addr() is only present on IPv6 capable machines.
- */
-#if defined(HAVE_AUG_GET_MACHINE) || !defined(HAVE_GETAUDIT_ADDR)
-extern int 	aug_get_machine(char *, u_int32_t *, u_int32_t *);
-#else
-static int
-aug_get_machine(char *host, u_int32_t *addr, u_int32_t *type)
-{
-	struct addrinfo *ai; 
-	struct sockaddr_in *in4;
-	struct sockaddr_in6 *in6;
-	int ret = 0, r;
-
-	if ((r = getaddrinfo(host, NULL, NULL, &ai)) != 0) {
-		error("BSM audit: getaddrinfo failed for %.100s: %.100s", host,
-		    r == EAI_SYSTEM ? strerror(errno) : gai_strerror(r));
-		return -1;
-	}
-	
-	switch (ai->ai_family) {
-	case AF_INET:
-		in4 = (struct sockaddr_in *)ai->ai_addr;
-		*type = AU_IPv4;
-		memcpy(addr, &in4->sin_addr, sizeof(struct in_addr));
-		break;
-#ifdef AU_IPv6
-	case AF_INET6: 
-		in6 = (struct sockaddr_in6 *)ai->ai_addr;
-		*type = AU_IPv6;
-		memcpy(addr, &in6->sin6_addr, sizeof(struct in6_addr));
-		break;
-#endif
-	default:
-		error("BSM audit: unknown address family for %.100s: %d",
-		    host, ai->ai_family);
-		ret = -1;
-	}
-	freeaddrinfo(ai);
-	return ret;
-}
-#endif
-
-#ifdef BROKEN_BSM_API
-/*
-  In Solaris 11 the audit daemon has been moved to SMF. In the process
-  they simply dropped getacna() from the API, since it read from a now
-  non-existent config file. This function re-implements getacna() to
-  read from the SMF repository instead.
- */
-int
-getacna(char *auditstring, int len)
-{
-	scf_handle_t *handle = NULL;
-	scf_property_t *property = NULL;
-	scf_value_t *value = NULL;
-	int ret = 0;
-
-	handle = scf_handle_create(SCF_VERSION);
-	if (handle == NULL) 
-	        return -2; /* The man page for getacna on Solaris 10 states
-			      we should return -2 in case of error and set
-			      errno to indicate the error. We don't bother
-			      with errno here, though, since the only use
-			      of this function below doesn't check for errors
-			      anyway. 
-			   */
-
-	ret = scf_handle_bind(handle);
-	if (ret == -1) 
-	        return -2;
-
-	property = scf_property_create(handle);
-	if (property == NULL) 
-	        return -2;
-
-	ret = scf_handle_decode_fmri(handle, 
-	     "svc:/system/auditd:default/:properties/preselection/naflags",
-				     NULL, NULL, NULL, NULL, property, 0);
-	if (ret == -1) 
-	        return -2;
-
-	value = scf_value_create(handle);
-	if (value == NULL) 
-	        return -2;
-
-	ret = scf_property_get_value(property, value);
-	if (ret == -1) 
-	        return -2;
-
-	ret = scf_value_get_astring(value, auditstring, len);
-	if (ret == -1) 
-	        return -2;
-
-	scf_value_destroy(value);
-	scf_property_destroy(property);
-	scf_handle_destroy(handle);
-
-	return 0;
-}
-#endif
-
-/*
- * Check if the specified event is selected (enabled) for auditing.
- * Returns 1 if the event is selected, 0 if not and -1 on failure.
- */
-static int
-selected(char *username, uid_t uid, au_event_t event, int sf)
-{
-	int rc, sorf;
-	char naflags[512];
-	struct au_mask mask;
-
-	mask.am_success = mask.am_failure = 0;
-	if (uid < 0) {
-		/* get flags for non-attributable (to a real user) events */
-		rc = getacna(naflags, sizeof(naflags));
-		if (rc == 0)
-			(void) getauditflagsbin(naflags, &mask);
-	} else
-		rc = au_user_mask(username, &mask);
-
-	sorf = (sf == 0) ? AU_PRS_SUCCESS : AU_PRS_FAILURE;
-	return(au_preselect(event, &mask, sorf, AU_PRS_REREAD));
-}
-
-static void
-bsm_audit_record(int typ, char *string, au_event_t event_no)
-{
-	int		ad, rc, sel;
-	uid_t		uid = -1;
-	gid_t		gid = -1;
-	pid_t		pid = getpid();
-	AuditInfoTermID	tid = ssh_bsm_tid;
-
-	if (the_authctxt != NULL && the_authctxt->valid) {
-		uid = the_authctxt->pw->pw_uid;
-		gid = the_authctxt->pw->pw_gid;
-	}
-
-	rc = (typ == 0) ? 0 : -1;
-	sel = selected(the_authctxt->user, uid, event_no, rc);
-	debug3("BSM audit: typ %d rc %d \"%s\"", typ, rc, string);
-	if (!sel)
-		return;	/* audit event does not match mask, do not write */
-
-	debug3("BSM audit: writing audit new record");
-	ad = au_open();
-
-	(void) au_write(ad, AUToSubjectFunc(uid, uid, gid, uid, gid,
-	    pid, pid, &tid));
-	(void) au_write(ad, au_to_text(string));
-	(void) au_write(ad, AUToReturnFunc(typ, rc));
-
-#ifdef BROKEN_BSM_API
-	/* The last argument is the event modifier flags. For
-	   some seemingly undocumented reason it was added in
-	   Solaris 11. */
-	rc = au_close(ad, AU_TO_WRITE, event_no, 0);
-#else
-	rc = au_close(ad, AU_TO_WRITE, event_no);
-#endif
-
-	if (rc < 0)
-		error("BSM audit: %s failed to write \"%s\" record: %s",
-		    __func__, string, strerror(errno));
-}
-
-static void
-bsm_audit_session_setup(void)
-{
-	int rc;
-	struct AuditInfoStruct info;
-	au_mask_t mask;
-
-	if (the_authctxt == NULL) {
-		error("BSM audit: session setup internal error (NULL ctxt)");
-		return;
-	}
-
-	if (the_authctxt->valid)
-		info.ai_auid = the_authctxt->pw->pw_uid;
-	else
-		info.ai_auid = -1;
-	info.ai_asid = getpid();
-	mask.am_success = 0;
-	mask.am_failure = 0;
-
-	(void) au_user_mask(the_authctxt->user, &mask);
-
-	info.ai_mask.am_success  = mask.am_success;
-	info.ai_mask.am_failure  = mask.am_failure;
-
-	info.ai_termid = ssh_bsm_tid;
-
-	rc = SetAuditFunc(&info, sizeof(info));
-	if (rc < 0)
-		error("BSM audit: %s: %s failed: %s", __func__,
-		    SetAuditFuncText, strerror(errno));
-}
-
-static void
-bsm_audit_bad_login(const char *what)
-{
-	char textbuf[BSM_TEXTBUFSZ];
-
-	if (the_authctxt->valid) {
-		(void) snprintf(textbuf, sizeof (textbuf),
-			gettext("invalid %s for user %s"),
-			    what, the_authctxt->user);
-		bsm_audit_record(4, textbuf, AUE_openssh);
-	} else {
-		(void) snprintf(textbuf, sizeof (textbuf),
-			gettext("invalid user name \"%s\""),
-			    the_authctxt->user);
-		bsm_audit_record(3, textbuf, AUE_openssh);
-	}
-}
-
-/* Below is the sshd audit API code */
-
-void
-audit_connection_from(const char *host, int port)
-{
-	AuditInfoTermID *tid = &ssh_bsm_tid;
-	char buf[1024];
-
-	if (cannot_audit(0))
-		return;
-	debug3("BSM audit: connection from %.100s port %d", host, port);
-
-	/* populate our terminal id structure */
-#if defined(HAVE_GETAUDIT_ADDR)
-	tid->at_port = (dev_t)port;
-	aug_get_machine((char *)host, &(tid->at_addr[0]), &(tid->at_type));
-	snprintf(buf, sizeof(buf), "%08x %08x %08x %08x", tid->at_addr[0],
-	    tid->at_addr[1], tid->at_addr[2], tid->at_addr[3]);
-	debug3("BSM audit: iptype %d machine ID %s", (int)tid->at_type, buf);
-#else
-	/* this is used on IPv4-only machines */
-	tid->port = (dev_t)port;
-	tid->machine = inet_addr(host);
-	snprintf(buf, sizeof(buf), "%08x", tid->machine);
-	debug3("BSM audit: machine ID %s", buf);
-#endif
-}
-
-void
-audit_run_command(const char *command)
-{
-	/* not implemented */
-}
-
-void
-audit_session_open(struct logininfo *li)
-{
-	/* not implemented */
-}
-
-void
-audit_session_close(struct logininfo *li)
-{
-	/* not implemented */
-}
-
-void
-audit_event(ssh_audit_event_t event)
-{
-	char    textbuf[BSM_TEXTBUFSZ];
-	static int logged_in = 0;
-	const char *user = the_authctxt ? the_authctxt->user : "(unknown user)";
-
-	if (cannot_audit(0))
-		return;
-
-	switch(event) {
-	case SSH_AUTH_SUCCESS:
-		logged_in = 1;
-		bsm_audit_session_setup();
-		snprintf(textbuf, sizeof(textbuf),
-		    gettext("successful login %s"), user);
-		bsm_audit_record(0, textbuf, AUE_openssh);
-		break;
-
-	case SSH_CONNECTION_CLOSE:
-		/*
-		 * We can also get a close event if the user attempted auth
-		 * but never succeeded.
-		 */
-		if (logged_in) {
-			snprintf(textbuf, sizeof(textbuf),
-			    gettext("sshd logout %s"), the_authctxt->user);
-			bsm_audit_record(0, textbuf, AUE_logout);
-		} else {
-			debug("%s: connection closed without authentication",
-			    __func__);
-		}
-		break;
-
-	case SSH_NOLOGIN:
-		bsm_audit_record(1,
-		    gettext("logins disabled by /etc/nologin"), AUE_openssh);
-		break;
-
-	case SSH_LOGIN_EXCEED_MAXTRIES:
-		snprintf(textbuf, sizeof(textbuf),
-		    gettext("too many tries for user %s"), the_authctxt->user);
-		bsm_audit_record(1, textbuf, AUE_openssh);
-		break;
-
-	case SSH_LOGIN_ROOT_DENIED:
-		bsm_audit_record(2, gettext("not_console"), AUE_openssh);
-		break;
-
-	case SSH_AUTH_FAIL_PASSWD:
-		bsm_audit_bad_login("password");
-		break;
-
-	case SSH_AUTH_FAIL_KBDINT:
-		bsm_audit_bad_login("interactive password entry");
-		break;
-
-	default:
-		debug("%s: unhandled event %d", __func__, event);
-	}
-}
-#endif /* BSM */
--- a/audit-linux.c
+++ b/audit-linux.c
@ -1,126 +0,0 @@
-/* $Id: audit-linux.c,v 1.1 2011/01/17 10:15:30 dtucker Exp $ */
-
-/*
- * Copyright 2010 Red Hat, Inc.  All rights reserved.
- * Use is subject to license terms.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
- */
-
-#include "includes.h"
-#if defined(USE_LINUX_AUDIT)
-#include <libaudit.h>
-#include <unistd.h>
-#include <string.h>
-
-#include "log.h"
-#include "audit.h"
-#include "canohost.h"
-
-const char* audit_username(void);
-
-int
-linux_audit_record_event(int uid, const char *username,
-    const char *hostname, const char *ip, const char *ttyn, int success)
-{
-	int audit_fd, rc, saved_errno;
-
-	audit_fd = audit_open();
-	if (audit_fd < 0) {
-		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-		    errno == EAFNOSUPPORT)
-			return 1; /* No audit support in kernel */
-		else
-			return 0; /* Must prevent login */
-	}
-	rc = audit_log_acct_message(audit_fd, AUDIT_USER_LOGIN,
-	    NULL, "login", username ? username : "(unknown)",
-	    username == NULL ? uid : -1, hostname, ip, ttyn, success);
-	saved_errno = errno;
-	close(audit_fd);
-	/*
-	 * Do not report error if the error is EPERM and sshd is run as non
-	 * root user.
-	 */
-	if ((rc == -EPERM) && (geteuid() != 0))
-		rc = 0;
-	errno = saved_errno;
-	return (rc >= 0);
-}
-
-/* Below is the sshd audit API code */
-
-void
-audit_connection_from(const char *host, int port)
-{
-}
-	/* not implemented */
-
-void
-audit_run_command(const char *command)
-{
-	/* not implemented */
-}
-
-void
-audit_session_open(struct logininfo *li)
-{
-	if (linux_audit_record_event(li->uid, NULL, li->hostname,
-	    NULL, li->line, 1) == 0)
-		fatal("linux_audit_write_entry failed: %s", strerror(errno));
-}
-
-void
-audit_session_close(struct logininfo *li)
-{
-	/* not implemented */
-}
-
-void
-audit_event(ssh_audit_event_t event)
-{
-	switch(event) {
-	case SSH_AUTH_SUCCESS:
-	case SSH_CONNECTION_CLOSE:
-	case SSH_NOLOGIN:
-	case SSH_LOGIN_EXCEED_MAXTRIES:
-	case SSH_LOGIN_ROOT_DENIED:
-		break;
-
-	case SSH_AUTH_FAIL_NONE:
-	case SSH_AUTH_FAIL_PASSWD:
-	case SSH_AUTH_FAIL_KBDINT:
-	case SSH_AUTH_FAIL_PUBKEY:
-	case SSH_AUTH_FAIL_HOSTBASED:
-	case SSH_AUTH_FAIL_GSSAPI:
-	case SSH_INVALID_USER:
-		linux_audit_record_event(-1, audit_username(), NULL,
-			get_remote_ipaddr(), "sshd", 0);
-		break;
-
-	default:
-		debug("%s: unhandled event %d", __func__, event);
-	}
-}
-
-#endif /* USE_LINUX_AUDIT */
--- a/audit.c
+++ b/audit.c
@ -1,195 +0,0 @@
-/* $Id: audit.c,v 1.6 2011/01/17 10:15:30 dtucker Exp $ */
-
-/*
- * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <stdarg.h>
-#include <string.h>
-
-#ifdef SSH_AUDIT_EVENTS
-
-#include "audit.h"
-#include "log.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/*
- * Care must be taken when using this since it WILL NOT be initialized when
- * audit_connection_from() is called and MAY NOT be initialized when
- * audit_event(CONNECTION_ABANDON) is called.  Test for NULL before using.
- */
-extern Authctxt *the_authctxt;
-
-/* Maybe add the audit class to struct Authmethod? */
-ssh_audit_event_t
-audit_classify_auth(const char *method)
-{
-	if (strcmp(method, "none") == 0)
-		return SSH_AUTH_FAIL_NONE;
-	else if (strcmp(method, "password") == 0)
-		return SSH_AUTH_FAIL_PASSWD;
-	else if (strcmp(method, "publickey") == 0 ||
-	    strcmp(method, "rsa") == 0)
-		return SSH_AUTH_FAIL_PUBKEY;
-	else if (strncmp(method, "keyboard-interactive", 20) == 0 ||
-	    strcmp(method, "challenge-response") == 0)
-		return SSH_AUTH_FAIL_KBDINT;
-	else if (strcmp(method, "hostbased") == 0 ||
-	    strcmp(method, "rhosts-rsa") == 0)
-		return SSH_AUTH_FAIL_HOSTBASED;
-	else if (strcmp(method, "gssapi-with-mic") == 0)
-		return SSH_AUTH_FAIL_GSSAPI;
-	else
-		return SSH_AUDIT_UNKNOWN;
-}
-
-/* helper to return supplied username */
-const char *
-audit_username(void)
-{
-	static const char unknownuser[] = "(unknown user)";
-	static const char invaliduser[] = "(invalid user)";
-
-	if (the_authctxt == NULL || the_authctxt->user == NULL)
-		return (unknownuser);
-	if (!the_authctxt->valid)
-		return (invaliduser);
-	return (the_authctxt->user);
-}
-
-const char *
-audit_event_lookup(ssh_audit_event_t ev)
-{
-	int i;
-	static struct event_lookup_struct {
-		ssh_audit_event_t event;
-		const char *name;
-	} event_lookup[] = {
-		{SSH_LOGIN_EXCEED_MAXTRIES,	"LOGIN_EXCEED_MAXTRIES"},
-		{SSH_LOGIN_ROOT_DENIED,		"LOGIN_ROOT_DENIED"},
-		{SSH_AUTH_SUCCESS,		"AUTH_SUCCESS"},
-		{SSH_AUTH_FAIL_NONE,		"AUTH_FAIL_NONE"},
-		{SSH_AUTH_FAIL_PASSWD,		"AUTH_FAIL_PASSWD"},
-		{SSH_AUTH_FAIL_KBDINT,		"AUTH_FAIL_KBDINT"},
-		{SSH_AUTH_FAIL_PUBKEY,		"AUTH_FAIL_PUBKEY"},
-		{SSH_AUTH_FAIL_HOSTBASED,	"AUTH_FAIL_HOSTBASED"},
-		{SSH_AUTH_FAIL_GSSAPI,		"AUTH_FAIL_GSSAPI"},
-		{SSH_INVALID_USER,		"INVALID_USER"},
-		{SSH_NOLOGIN,			"NOLOGIN"},
-		{SSH_CONNECTION_CLOSE,		"CONNECTION_CLOSE"},
-		{SSH_CONNECTION_ABANDON,	"CONNECTION_ABANDON"},
-		{SSH_AUDIT_UNKNOWN,		"AUDIT_UNKNOWN"}
-	};
-
-	for (i = 0; event_lookup[i].event != SSH_AUDIT_UNKNOWN; i++)
-		if (event_lookup[i].event == ev)
-			break;
-	return(event_lookup[i].name);
-}
-
-# ifndef CUSTOM_SSH_AUDIT_EVENTS
-/*
- * Null implementations of audit functions.
- * These get used if SSH_AUDIT_EVENTS is defined but no audit module is enabled.
- */
-
-/*
- * Called after a connection has been accepted but before any authentication
- * has been attempted.
- */
-void
-audit_connection_from(const char *host, int port)
-{
-	debug("audit connection from %s port %d euid %d", host, port,
-	    (int)geteuid());
-}
-
-/*
- * Called when various events occur (see audit.h for a list of possible
- * events and what they mean).
- */
-void
-audit_event(ssh_audit_event_t event)
-{
-	debug("audit event euid %d user %s event %d (%s)", geteuid(),
-	    audit_username(), event, audit_event_lookup(event));
-}
-
-/*
- * Called when a user session is started.  Argument is the tty allocated to
- * the session, or NULL if no tty was allocated.
- *
- * Note that this may be called multiple times if multiple sessions are used
- * within a single connection.
- */
-void
-audit_session_open(struct logininfo *li)
-{
-	const char *t = li->line ? li->line : "(no tty)";
-
-	debug("audit session open euid %d user %s tty name %s", geteuid(),
-	    audit_username(), t);
-}
-
-/*
- * Called when a user session is closed.  Argument is the tty allocated to
- * the session, or NULL if no tty was allocated.
- *
- * Note that this may be called multiple times if multiple sessions are used
- * within a single connection.
- */
-void
-audit_session_close(struct logininfo *li)
-{
-	const char *t = li->line ? li->line : "(no tty)";
-
-	debug("audit session close euid %d user %s tty name %s", geteuid(),
-	    audit_username(), t);
-}
-
-/*
- * This will be called when a user runs a non-interactive command.  Note that
- * it may be called multiple times for a single connection since SSH2 allows
- * multiple sessions within a single connection.
- */
-void
-audit_run_command(const char *command)
-{
-	debug("audit run command euid %d user %s command '%.200s'", geteuid(),
-	    audit_username(), command);
-}
-# endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
-#endif /* SSH_AUDIT_EVENTS */
--- a/audit.h
+++ b/audit.h
@ -1,57 +0,0 @@
-/* $Id: audit.h,v 1.4 2011/01/17 10:15:30 dtucker Exp $ */
-
-/*
- * Copyright (c) 2004, 2005 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef _SSH_AUDIT_H
-# define _SSH_AUDIT_H
-
-#include "loginrec.h"
-
-enum ssh_audit_event_type {
-	SSH_LOGIN_EXCEED_MAXTRIES,
-	SSH_LOGIN_ROOT_DENIED,
-	SSH_AUTH_SUCCESS,
-	SSH_AUTH_FAIL_NONE,
-	SSH_AUTH_FAIL_PASSWD,
-	SSH_AUTH_FAIL_KBDINT,	/* keyboard-interactive or challenge-response */
-	SSH_AUTH_FAIL_PUBKEY,	/* ssh2 pubkey or ssh1 rsa */
-	SSH_AUTH_FAIL_HOSTBASED,	/* ssh2 hostbased or ssh1 rhostsrsa */
-	SSH_AUTH_FAIL_GSSAPI,
-	SSH_INVALID_USER,
-	SSH_NOLOGIN,		/* denied by /etc/nologin, not implemented */
-	SSH_CONNECTION_CLOSE,	/* closed after attempting auth or session */
-	SSH_CONNECTION_ABANDON,	/* closed without completing auth */
-	SSH_AUDIT_UNKNOWN
-};
-typedef enum ssh_audit_event_type ssh_audit_event_t;
-
-void	audit_connection_from(const char *, int);
-void	audit_event(ssh_audit_event_t);
-void	audit_session_open(struct logininfo *);
-void	audit_session_close(struct logininfo *);
-void	audit_run_command(const char *);
-ssh_audit_event_t audit_classify_auth(const char *);
-
-#endif /* _SSH_AUDIT_H */
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@ -1,153 +0,0 @@
-/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-#include <stdarg.h>
-#include <stdio.h>
-
-#include <stdarg.h>
-
-#ifdef BSD_AUTH
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "buffer.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-static void *
-bsdauth_init_ctx(Authctxt *authctxt)
-{
-	return authctxt;
-}
-
-int
-bsdauth_query(void *ctx, char **name, char **infotxt,
-   u_int *numprompts, char ***prompts, u_int **echo_on)
-{
-	Authctxt *authctxt = ctx;
-	char *challenge = NULL;
-
-	*infotxt = NULL;
-	*numprompts = 0;
-	*prompts = NULL;
-	*echo_on = NULL;
-
-	if (authctxt->as != NULL) {
-		debug2("bsdauth_query: try reuse session");
-		challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
-		if (challenge == NULL) {
-			auth_close(authctxt->as);
-			authctxt->as = NULL;
-		}
-	}
-
-	if (challenge == NULL) {
-		debug2("bsdauth_query: new bsd auth session");
-		debug3("bsdauth_query: style %s",
-		    authctxt->style ? authctxt->style : "<default>");
-		authctxt->as = auth_userchallenge(authctxt->user,
-		    authctxt->style, "auth-ssh", &challenge);
-		if (authctxt->as == NULL)
-			challenge = NULL;
-		debug2("bsdauth_query: <%s>", challenge ? challenge : "empty");
-	}
-
-	if (challenge == NULL)
-		return -1;
-
-	*name = xstrdup("");
-	*infotxt = xstrdup("");
-	*numprompts = 1;
-	*prompts = xcalloc(*numprompts, sizeof(char *));
-	*echo_on = xcalloc(*numprompts, sizeof(u_int));
-	(*prompts)[0] = xstrdup(challenge);
-
-	return 0;
-}
-
-int
-bsdauth_respond(void *ctx, u_int numresponses, char **responses)
-{
-	Authctxt *authctxt = ctx;
-	int authok;
-
-	if (!authctxt->valid)
-		return -1;
-
-	if (authctxt->as == 0)
-		error("bsdauth_respond: no bsd auth session");
-
-	if (numresponses != 1)
-		return -1;
-
-	authok = auth_userresponse(authctxt->as, responses[0], 0);
-	authctxt->as = NULL;
-	debug3("bsdauth_respond: <%s> = <%d>", responses[0], authok);
-
-	return (authok == 0) ? -1 : 0;
-}
-
-static void
-bsdauth_free_ctx(void *ctx)
-{
-	Authctxt *authctxt = ctx;
-
-	if (authctxt && authctxt->as) {
-		auth_close(authctxt->as);
-		authctxt->as = NULL;
-	}
-}
-
-KbdintDevice bsdauth_device = {
-	"bsdauth",
-	bsdauth_init_ctx,
-	bsdauth_query,
-	bsdauth_respond,
-	bsdauth_free_ctx
-};
-
-KbdintDevice mm_bsdauth_device = {
-	"bsdauth",
-	bsdauth_init_ctx,
-	mm_bsdauth_query,
-	mm_bsdauth_respond,
-	bsdauth_free_ctx
-};
-#endif
--- a/auth-chall.c
+++ b/auth-chall.c
@ -1,125 +0,0 @@
-/* $OpenBSD: auth-chall.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <stdio.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-
-/* limited protocol v1 interface to kbd-interactive authentication */
-
-extern KbdintDevice *devices[];
-static KbdintDevice *device;
-extern ServerOptions options;
-
-char *
-get_challenge(Authctxt *authctxt)
-{
-	char *challenge, *name, *info, **prompts;
-	u_int i, numprompts;
-	u_int *echo_on;
-
-#ifdef USE_PAM
-	if (!options.use_pam)
-		remove_kbdint_device("pam");
-#endif
-
-	device = devices[0]; /* we always use the 1st device for protocol 1 */
-	if (device == NULL)
-		return NULL;
-	if ((authctxt->kbdintctxt = device->init_ctx(authctxt)) == NULL)
-		return NULL;
-	if (device->query(authctxt->kbdintctxt, &name, &info,
-	    &numprompts, &prompts, &echo_on)) {
-		device->free_ctx(authctxt->kbdintctxt);
-		authctxt->kbdintctxt = NULL;
-		return NULL;
-	}
-	if (numprompts < 1)
-		fatal("get_challenge: numprompts < 1");
-	challenge = xstrdup(prompts[0]);
-	for (i = 0; i < numprompts; i++)
-		free(prompts[i]);
-	free(prompts);
-	free(name);
-	free(echo_on);
-	free(info);
-
-	return (challenge);
-}
-int
-verify_response(Authctxt *authctxt, const char *response)
-{
-	char *resp[1], *name, *info, **prompts;
-	u_int i, numprompts, *echo_on;
-	int authenticated = 0;
-
-	if (device == NULL)
-		return 0;
-	if (authctxt->kbdintctxt == NULL)
-		return 0;
-	resp[0] = (char *)response;
-	switch (device->respond(authctxt->kbdintctxt, 1, resp)) {
-	case 0: /* Success */
-		authenticated = 1;
-		break;
-	case 1: /* Postponed - retry with empty query for PAM */
-		if ((device->query(authctxt->kbdintctxt, &name, &info,
-		    &numprompts, &prompts, &echo_on)) != 0)
-			break;
-		if (numprompts == 0 &&
-		    device->respond(authctxt->kbdintctxt, 0, resp) == 0)
-			authenticated = 1;
-
-		for (i = 0; i < numprompts; i++)
-			free(prompts[i]);
-		free(prompts);
-		free(name);
-		free(echo_on);
-		free(info);
-		break;
-	}
-	device->free_ctx(authctxt->kbdintctxt);
-	authctxt->kbdintctxt = NULL;
-	return authenticated;
-}
-void
-abandon_challenge_response(Authctxt *authctxt)
-{
-	if (authctxt->kbdintctxt != NULL) {
-		device->free_ctx(authctxt->kbdintctxt);
-		authctxt->kbdintctxt = NULL;
-	}
-}
--- a/auth-krb5.c
+++ b/auth-krb5.c
@ -1,282 +0,0 @@
-/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
-/*
- *    Kerberos v5 authentication and ticket-passing routines.
- *
- * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
- */
-/*
- * Copyright (c) 2002 Daniel Kouril.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-#include <pwd.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-#include "uidswap.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-
-#ifdef KRB5
-#include <errno.h>
-#include <unistd.h>
-#include <string.h>
-#include <krb5.h>
-
-extern ServerOptions	 options;
-
-static int
-krb5_init(void *context)
-{
-	Authctxt *authctxt = (Authctxt *)context;
-	krb5_error_code problem;
-
-	if (authctxt->krb5_ctx == NULL) {
-		problem = krb5_init_context(&authctxt->krb5_ctx);
-		if (problem)
-			return (problem);
-	}
-	return (0);
-}
-
-int
-auth_krb5_password(Authctxt *authctxt, const char *password)
-{
-#ifndef HEIMDAL
-	krb5_creds creds;
-	krb5_principal server;
-#endif
-	krb5_error_code problem;
-	krb5_ccache ccache = NULL;
-	int len;
-	char *client, *platform_client;
-	const char *errmsg;
-
-	/* get platform-specific kerberos client principal name (if it exists) */
-	platform_client = platform_krb5_get_principal_name(authctxt->pw->pw_name);
-	client = platform_client ? platform_client : authctxt->pw->pw_name;
-
-	temporarily_use_uid(authctxt->pw);
-
-	problem = krb5_init(authctxt);
-	if (problem)
-		goto out;
-
-	problem = krb5_parse_name(authctxt->krb5_ctx, client,
-		    &authctxt->krb5_user);
-	if (problem)
-		goto out;
-
-#ifdef HEIMDAL
-# ifdef HAVE_KRB5_CC_NEW_UNIQUE
-	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
-	     krb5_mcc_ops.prefix, NULL, &ccache);
-# else
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_mcc_ops, &ccache);
-# endif
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_initialize(authctxt->krb5_ctx, ccache,
-		authctxt->krb5_user);
-	if (problem)
-		goto out;
-
-	restore_uid();
-
-	problem = krb5_verify_user(authctxt->krb5_ctx, authctxt->krb5_user,
-	    ccache, password, 1, NULL);
-
-	temporarily_use_uid(authctxt->pw);
-
-	if (problem)
-		goto out;
-
-# ifdef HAVE_KRB5_CC_NEW_UNIQUE
-	problem = krb5_cc_new_unique(authctxt->krb5_ctx,
-	     krb5_fcc_ops.prefix, NULL, &authctxt->krb5_fwd_ccache);
-# else
-	problem = krb5_cc_gen_new(authctxt->krb5_ctx, &krb5_fcc_ops,
-	    &authctxt->krb5_fwd_ccache);
-# endif
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_copy_cache(authctxt->krb5_ctx, ccache,
-	    authctxt->krb5_fwd_ccache);
-	krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-	ccache = NULL;
-	if (problem)
-		goto out;
-
-#else
-	problem = krb5_get_init_creds_password(authctxt->krb5_ctx, &creds,
-	    authctxt->krb5_user, (char *)password, NULL, NULL, 0, NULL, NULL);
-	if (problem)
-		goto out;
-
-	problem = krb5_sname_to_principal(authctxt->krb5_ctx, NULL, NULL,
-	    KRB5_NT_SRV_HST, &server);
-	if (problem)
-		goto out;
-
-	restore_uid();
-	problem = krb5_verify_init_creds(authctxt->krb5_ctx, &creds, server,
-	    NULL, NULL, NULL);
-	krb5_free_principal(authctxt->krb5_ctx, server);
-	temporarily_use_uid(authctxt->pw);
-	if (problem)
-		goto out;
-
-	if (!krb5_kuserok(authctxt->krb5_ctx, authctxt->krb5_user,
-	    authctxt->pw->pw_name)) {
-		problem = -1;
-		goto out;
-	}
-
-	problem = ssh_krb5_cc_gen(authctxt->krb5_ctx, &authctxt->krb5_fwd_ccache);
-	if (problem)
-		goto out;
-
-	problem = krb5_cc_initialize(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
-				     authctxt->krb5_user);
-	if (problem)
-		goto out;
-
-	problem= krb5_cc_store_cred(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache,
-				 &creds);
-	if (problem)
-		goto out;
-#endif
-
-	authctxt->krb5_ticket_file = (char *)krb5_cc_get_name(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-
-	len = strlen(authctxt->krb5_ticket_file) + 6;
-	authctxt->krb5_ccname = xmalloc(len);
-	snprintf(authctxt->krb5_ccname, len, "FILE:%s",
-	    authctxt->krb5_ticket_file);
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		do_pam_putenv("KRB5CCNAME", authctxt->krb5_ccname);
-#endif
-
- out:
-	restore_uid();
-	
-	free(platform_client);
-
-	if (problem) {
-		if (ccache)
-			krb5_cc_destroy(authctxt->krb5_ctx, ccache);
-
-		if (authctxt->krb5_ctx != NULL && problem!=-1) {
-			errmsg = krb5_get_error_message(authctxt->krb5_ctx,
-			    problem);
- 			debug("Kerberos password authentication failed: %s",
-			    errmsg);
-			krb5_free_error_message(authctxt->krb5_ctx, errmsg);
-		} else
-			debug("Kerberos password authentication failed: %d",
-			    problem);
-
-		krb5_cleanup_proc(authctxt);
-
-		if (options.kerberos_or_local_passwd)
-			return (-1);
-		else
-			return (0);
-	}
-	return (authctxt->valid ? 1 : 0);
-}
-
-void
-krb5_cleanup_proc(Authctxt *authctxt)
-{
-	debug("krb5_cleanup_proc called");
-	if (authctxt->krb5_fwd_ccache) {
-		krb5_cc_destroy(authctxt->krb5_ctx, authctxt->krb5_fwd_ccache);
-		authctxt->krb5_fwd_ccache = NULL;
-	}
-	if (authctxt->krb5_user) {
-		krb5_free_principal(authctxt->krb5_ctx, authctxt->krb5_user);
-		authctxt->krb5_user = NULL;
-	}
-	if (authctxt->krb5_ctx) {
-		krb5_free_context(authctxt->krb5_ctx);
-		authctxt->krb5_ctx = NULL;
-	}
-}
-
-#ifndef HEIMDAL
-krb5_error_code
-ssh_krb5_cc_gen(krb5_context ctx, krb5_ccache *ccache) {
-	int tmpfd, ret, oerrno;
-	char ccname[40];
-	mode_t old_umask;
-
-	ret = snprintf(ccname, sizeof(ccname),
-	    "FILE:/tmp/krb5cc_%d_XXXXXXXXXX", geteuid());
-	if (ret < 0 || (size_t)ret >= sizeof(ccname))
-		return ENOMEM;
-
-	old_umask = umask(0177);
-	tmpfd = mkstemp(ccname + strlen("FILE:"));
-	oerrno = errno;
-	umask(old_umask);
-	if (tmpfd == -1) {
-		logit("mkstemp(): %.100s", strerror(oerrno));
-		return oerrno;
-	}
-
-	if (fchmod(tmpfd,S_IRUSR | S_IWUSR) == -1) {
-		oerrno = errno;
-		logit("fchmod(): %.100s", strerror(oerrno));
-		close(tmpfd);
-		return oerrno;
-	}
-	close(tmpfd);
-
-	return (krb5_cc_resolve(ctx, ccname, ccache));
-}
-#endif /* !HEIMDAL */
-#endif /* KRB5 */
--- a/auth-options.c
+++ b/auth-options.c
@ -1,629 +0,0 @@
-/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-
-#include <netdb.h>
-#include <pwd.h>
-#include <string.h>
-#include <stdio.h>
-#include <stdarg.h>
-
-#include "openbsd-compat/sys-queue.h"
-
-#include "key.h"	/* XXX for typedef */
-#include "buffer.h"	/* XXX for typedef */
-#include "xmalloc.h"
-#include "match.h"
-#include "ssherr.h"
-#include "log.h"
-#include "canohost.h"
-#include "sshbuf.h"
-#include "misc.h"
-#include "channels.h"
-#include "servconf.h"
-#include "sshkey.h"
-#include "auth-options.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/* Flags set authorized_keys flags */
-int no_port_forwarding_flag = 0;
-int no_agent_forwarding_flag = 0;
-int no_x11_forwarding_flag = 0;
-int no_pty_flag = 0;
-int no_user_rc = 0;
-int key_is_cert_authority = 0;
-
-/* "command=" option. */
-char *forced_command = NULL;
-
-/* "environment=" options. */
-struct envstring *custom_environment = NULL;
-
-/* "tunnel=" option. */
-int forced_tun_device = -1;
-
-/* "principals=" option. */
-char *authorized_principals = NULL;
-
-extern ServerOptions options;
-
-void
-auth_clear_options(void)
-{
-	no_agent_forwarding_flag = 0;
-	no_port_forwarding_flag = 0;
-	no_pty_flag = 0;
-	no_x11_forwarding_flag = 0;
-	no_user_rc = 0;
-	key_is_cert_authority = 0;
-	while (custom_environment) {
-		struct envstring *ce = custom_environment;
-		custom_environment = ce->next;
-		free(ce->s);
-		free(ce);
-	}
-	if (forced_command) {
-		free(forced_command);
-		forced_command = NULL;
-	}
-	if (authorized_principals) {
-		free(authorized_principals);
-		authorized_principals = NULL;
-	}
-	forced_tun_device = -1;
-	channel_clear_permitted_opens();
-}
-
-/*
- * return 1 if access is granted, 0 if not.
- * side effect: sets key option flags
- */
-int
-auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
-{
-	const char *cp;
-	int i;
-
-	/* reset options */
-	auth_clear_options();
-
-	if (!opts)
-		return 1;
-
-	while (*opts && *opts != ' ' && *opts != '\t') {
-		cp = "cert-authority";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			key_is_cert_authority = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-port-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Port forwarding disabled.");
-			no_port_forwarding_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-agent-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Agent forwarding disabled.");
-			no_agent_forwarding_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-X11-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("X11 forwarding disabled.");
-			no_x11_forwarding_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-pty";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Pty allocation disabled.");
-			no_pty_flag = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "no-user-rc";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("User rc file execution disabled.");
-			no_user_rc = 1;
-			opts += strlen(cp);
-			goto next_option;
-		}
-		cp = "command=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			opts += strlen(cp);
-			if (forced_command != NULL)
-				free(forced_command);
-			forced_command = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					forced_command[i++] = '"';
-					continue;
-				}
-				forced_command[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				free(forced_command);
-				forced_command = NULL;
-				goto bad_option;
-			}
-			forced_command[i] = '\0';
-			auth_debug_add("Forced command.");
-			opts++;
-			goto next_option;
-		}
-		cp = "principals=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			opts += strlen(cp);
-			if (authorized_principals != NULL)
-				free(authorized_principals);
-			authorized_principals = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					authorized_principals[i++] = '"';
-					continue;
-				}
-				authorized_principals[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				free(authorized_principals);
-				authorized_principals = NULL;
-				goto bad_option;
-			}
-			authorized_principals[i] = '\0';
-			auth_debug_add("principals: %.900s",
-			    authorized_principals);
-			opts++;
-			goto next_option;
-		}
-		cp = "environment=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char *s;
-			struct envstring *new_envstring;
-
-			opts += strlen(cp);
-			s = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					s[i++] = '"';
-					continue;
-				}
-				s[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				free(s);
-				goto bad_option;
-			}
-			s[i] = '\0';
-			opts++;
-			if (options.permit_user_env) {
-				auth_debug_add("Adding to environment: "
-				    "%.900s", s);
-				debug("Adding to environment: %.900s", s);
-				new_envstring = xcalloc(1,
-				    sizeof(*new_envstring));
-				new_envstring->s = s;
-				new_envstring->next = custom_environment;
-				custom_environment = new_envstring;
-				s = NULL;
-			}
-			free(s);
-			goto next_option;
-		}
-		cp = "from=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			const char *remote_ip = get_remote_ipaddr();
-			const char *remote_host = get_canonical_hostname(
-			    options.use_dns);
-			char *patterns = xmalloc(strlen(opts) + 1);
-
-			opts += strlen(cp);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					patterns[i++] = '"';
-					continue;
-				}
-				patterns[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				free(patterns);
-				goto bad_option;
-			}
-			patterns[i] = '\0';
-			opts++;
-			switch (match_host_and_ip(remote_host, remote_ip,
-			    patterns)) {
-			case 1:
-				free(patterns);
-				/* Host name matches. */
-				goto next_option;
-			case -1:
-				debug("%.100s, line %lu: invalid criteria",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: "
-				    "invalid criteria", file, linenum);
-				/* FALLTHROUGH */
-			case 0:
-				free(patterns);
-				logit("Authentication tried for %.100s with "
-				    "correct key but not from a permitted "
-				    "host (host=%.200s, ip=%.200s).",
-				    pw->pw_name, remote_host, remote_ip);
-				auth_debug_add("Your host '%.200s' is not "
-				    "permitted to use this key for login.",
-				    remote_host);
-				break;
-			}
-			/* deny access */
-			return 0;
-		}
-		cp = "permitopen=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char *host, *p;
-			int port;
-			char *patterns = xmalloc(strlen(opts) + 1);
-
-			opts += strlen(cp);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				if (*opts == '\\' && opts[1] == '"') {
-					opts += 2;
-					patterns[i++] = '"';
-					continue;
-				}
-				patterns[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing "
-				    "end quote", file, linenum);
-				free(patterns);
-				goto bad_option;
-			}
-			patterns[i] = '\0';
-			opts++;
-			p = patterns;
-			/* XXX - add streamlocal support */
-			host = hpdelim(&p);
-			if (host == NULL || strlen(host) >= NI_MAXHOST) {
-				debug("%.100s, line %lu: Bad permitopen "
-				    "specification <%.100s>", file, linenum,
-				    patterns);
-				auth_debug_add("%.100s, line %lu: "
-				    "Bad permitopen specification", file,
-				    linenum);
-				free(patterns);
-				goto bad_option;
-			}
-			host = cleanhostname(host);
-			if (p == NULL || (port = permitopen_port(p)) < 0) {
-				debug("%.100s, line %lu: Bad permitopen port "
-				    "<%.100s>", file, linenum, p ? p : "");
-				auth_debug_add("%.100s, line %lu: "
-				    "Bad permitopen port", file, linenum);
-				free(patterns);
-				goto bad_option;
-			}
-			if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0)
-				channel_add_permitted_opens(host, port);
-			free(patterns);
-			goto next_option;
-		}
-		cp = "tunnel=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			char *tun = NULL;
-			opts += strlen(cp);
-			tun = xmalloc(strlen(opts) + 1);
-			i = 0;
-			while (*opts) {
-				if (*opts == '"')
-					break;
-				tun[i++] = *opts++;
-			}
-			if (!*opts) {
-				debug("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: missing end quote",
-				    file, linenum);
-				free(tun);
-				forced_tun_device = -1;
-				goto bad_option;
-			}
-			tun[i] = '\0';
-			forced_tun_device = a2tun(tun, NULL);
-			free(tun);
-			if (forced_tun_device == SSH_TUNID_ERR) {
-				debug("%.100s, line %lu: invalid tun device",
-				    file, linenum);
-				auth_debug_add("%.100s, line %lu: invalid tun device",
-				    file, linenum);
-				forced_tun_device = -1;
-				goto bad_option;
-			}
-			auth_debug_add("Forced tun device: %d", forced_tun_device);
-			opts++;
-			goto next_option;
-		}
-next_option:
-		/*
-		 * Skip the comma, and move to the next option
-		 * (or break out if there are no more).
-		 */
-		if (!*opts)
-			fatal("Bugs in auth-options.c option processing.");
-		if (*opts == ' ' || *opts == '\t')
-			break;		/* End of options. */
-		if (*opts != ',')
-			goto bad_option;
-		opts++;
-		/* Process the next option. */
-	}
-
-	/* grant access */
-	return 1;
-
-bad_option:
-	logit("Bad options in %.100s file, line %lu: %.50s",
-	    file, linenum, opts);
-	auth_debug_add("Bad options in %.100s file, line %lu: %.50s",
-	    file, linenum, opts);
-
-	/* deny access */
-	return 0;
-}
-
-#define OPTIONS_CRITICAL	1
-#define OPTIONS_EXTENSIONS	2
-static int
-parse_option_list(struct sshbuf *oblob, struct passwd *pw,
-    u_int which, int crit,
-    int *cert_no_port_forwarding_flag,
-    int *cert_no_agent_forwarding_flag,
-    int *cert_no_x11_forwarding_flag,
-    int *cert_no_pty_flag,
-    int *cert_no_user_rc,
-    char **cert_forced_command,
-    int *cert_source_address_done)
-{
-	char *command, *allowed;
-	const char *remote_ip;
-	char *name = NULL;
-	struct sshbuf *c = NULL, *data = NULL;
-	int r, ret = -1, result, found;
-
-	if ((c = sshbuf_fromb(oblob)) == NULL) {
-		error("%s: sshbuf_fromb failed", __func__);
-		goto out;
-	}
-
-	while (sshbuf_len(c) > 0) {
-		sshbuf_free(data);
-		data = NULL;
-		if ((r = sshbuf_get_cstring(c, &name, NULL)) != 0 ||
-		    (r = sshbuf_froms(c, &data)) != 0) {
-			error("Unable to parse certificate options: %s",
-			    ssh_err(r));
-			goto out;
-		}
-		debug3("found certificate option \"%.100s\" len %zu",
-		    name, sshbuf_len(data));
-		found = 0;
-		if ((which & OPTIONS_EXTENSIONS) != 0) {
-			if (strcmp(name, "permit-X11-forwarding") == 0) {
-				*cert_no_x11_forwarding_flag = 0;
-				found = 1;
-			} else if (strcmp(name,
-			    "permit-agent-forwarding") == 0) {
-				*cert_no_agent_forwarding_flag = 0;
-				found = 1;
-			} else if (strcmp(name,
-			    "permit-port-forwarding") == 0) {
-				*cert_no_port_forwarding_flag = 0;
-				found = 1;
-			} else if (strcmp(name, "permit-pty") == 0) {
-				*cert_no_pty_flag = 0;
-				found = 1;
-			} else if (strcmp(name, "permit-user-rc") == 0) {
-				*cert_no_user_rc = 0;
-				found = 1;
-			}
-		}
-		if (!found && (which & OPTIONS_CRITICAL) != 0) {
-			if (strcmp(name, "force-command") == 0) {
-				if ((r = sshbuf_get_cstring(data, &command,
-				    NULL)) != 0) {
-					error("Unable to parse \"%s\" "
-					    "section: %s", name, ssh_err(r));
-					goto out;
-				}
-				if (*cert_forced_command != NULL) {
-					error("Certificate has multiple "
-					    "force-command options");
-					free(command);
-					goto out;
-				}
-				*cert_forced_command = command;
-				found = 1;
-			}
-			if (strcmp(name, "source-address") == 0) {
-				if ((r = sshbuf_get_cstring(data, &allowed,
-				    NULL)) != 0) {
-					error("Unable to parse \"%s\" "
-					    "section: %s", name, ssh_err(r));
-					goto out;
-				}
-				if ((*cert_source_address_done)++) {
-					error("Certificate has multiple "
-					    "source-address options");
-					free(allowed);
-					goto out;
-				}
-				remote_ip = get_remote_ipaddr();
-				result = addr_match_cidr_list(remote_ip,
-				    allowed);
-				free(allowed);
-				switch (result) {
-				case 1:
-					/* accepted */
-					break;
-				case 0:
-					/* no match */
-					logit("Authentication tried for %.100s "
-					    "with valid certificate but not "
-					    "from a permitted host "
-					    "(ip=%.200s).", pw->pw_name,
-					    remote_ip);
-					auth_debug_add("Your address '%.200s' "
-					    "is not permitted to use this "
-					    "certificate for login.",
-					    remote_ip);
-					goto out;
-				case -1:
-				default:
-					error("Certificate source-address "
-					    "contents invalid");
-					goto out;
-				}
-				found = 1;
-			}
-		}
-
-		if (!found) {
-			if (crit) {
-				error("Certificate critical option \"%s\" "
-				    "is not supported", name);
-				goto out;
-			} else {
-				logit("Certificate extension \"%s\" "
-				    "is not supported", name);
-			}
-		} else if (sshbuf_len(data) != 0) {
-			error("Certificate option \"%s\" corrupt "
-			    "(extra data)", name);
-			goto out;
-		}
-		free(name);
-		name = NULL;
-	}
-	/* successfully parsed all options */
-	ret = 0;
-
- out:
-	if (ret != 0 &&
-	    cert_forced_command != NULL &&
-	    *cert_forced_command != NULL) {
-		free(*cert_forced_command);
-		*cert_forced_command = NULL;
-	}
-	if (name != NULL)
-		free(name);
-	sshbuf_free(data);
-	sshbuf_free(c);
-	return ret;
-}
-
-/*
- * Set options from critical certificate options. These supersede user key
- * options so this must be called after auth_parse_options().
- */
-int
-auth_cert_options(struct sshkey *k, struct passwd *pw)
-{
-	int cert_no_port_forwarding_flag = 1;
-	int cert_no_agent_forwarding_flag = 1;
-	int cert_no_x11_forwarding_flag = 1;
-	int cert_no_pty_flag = 1;
-	int cert_no_user_rc = 1;
-	char *cert_forced_command = NULL;
-	int cert_source_address_done = 0;
-
-	/* Separate options and extensions for v01 certs */
-	if (parse_option_list(k->cert->critical, pw,
-	    OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
-	    &cert_forced_command,
-	    &cert_source_address_done) == -1)
-		return -1;
-	if (parse_option_list(k->cert->extensions, pw,
-	    OPTIONS_EXTENSIONS, 0,
-	    &cert_no_port_forwarding_flag,
-	    &cert_no_agent_forwarding_flag,
-	    &cert_no_x11_forwarding_flag,
-	    &cert_no_pty_flag,
-	    &cert_no_user_rc,
-	    NULL, NULL) == -1)
-		return -1;
-
-	no_port_forwarding_flag |= cert_no_port_forwarding_flag;
-	no_agent_forwarding_flag |= cert_no_agent_forwarding_flag;
-	no_x11_forwarding_flag |= cert_no_x11_forwarding_flag;
-	no_pty_flag |= cert_no_pty_flag;
-	no_user_rc |= cert_no_user_rc;
-	/* CA-specified forced command supersedes key option */
-	if (cert_forced_command != NULL) {
-		if (forced_command != NULL)
-			free(forced_command);
-		forced_command = cert_forced_command;
-	}
-	return 0;
-}
-
--- a/auth-options.h
+++ b/auth-options.h
@ -1,40 +0,0 @@
-/* $OpenBSD: auth-options.h,v 1.21 2015/01/14 10:30:34 markus Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef AUTH_OPTIONS_H
-#define AUTH_OPTIONS_H
-
-/* Linked list of custom environment strings */
-struct envstring {
-	struct envstring *next;
-	char   *s;
-};
-
-/* Flags that may be set in authorized_keys options. */
-extern int no_port_forwarding_flag;
-extern int no_agent_forwarding_flag;
-extern int no_x11_forwarding_flag;
-extern int no_pty_flag;
-extern int no_user_rc;
-extern char *forced_command;
-extern struct envstring *custom_environment;
-extern int forced_tun_device;
-extern int key_is_cert_authority;
-extern char *authorized_principals;
-
-int	auth_parse_options(struct passwd *, char *, char *, u_long);
-void	auth_clear_options(void);
-int	auth_cert_options(struct sshkey *, struct passwd *);
-
-#endif
--- a/auth-pam.c
+++ b/auth-pam.c
--- a/auth-pam.h
+++ b/auth-pam.h
@ -1,50 +0,0 @@
-/* $Id: auth-pam.h,v 1.27 2004/09/11 12:17:26 dtucker Exp $ */
-
-/*
- * Copyright (c) 2000 Damien Miller.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-#ifdef USE_PAM
-
-#if !defined(SSHD_PAM_SERVICE)
-# define SSHD_PAM_SERVICE		__progname
-#endif
-
-void start_pam(Authctxt *);
-void finish_pam(void);
-u_int do_pam_account(void);
-void do_pam_session(void);
-void do_pam_set_tty(const char *);
-void do_pam_setcred(int );
-void do_pam_chauthtok(void);
-int do_pam_putenv(char *, char *);
-char ** fetch_pam_environment(void);
-char ** fetch_pam_child_environment(void);
-void free_pam_environment(char **);
-void sshpam_thread_cleanup(void);
-void sshpam_cleanup(void);
-int sshpam_auth_passwd(Authctxt *, const char *);
-int is_pam_session_open(void);
-
-#endif /* USE_PAM */
--- a/auth-passwd.c
+++ b/auth-passwd.c
@ -1,378 +0,0 @@
-/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Password authentication.  This file contains the functions to check whether
- * the password is valid for the user.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 1999 Dug Song.  All rights reserved.
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include "xmalloc.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-options.h"
-
-extern Buffer loginmsg;
-extern ServerOptions options;
-
-#ifdef HAVE_LOGIN_CAP
-extern login_cap_t *lc;
-#endif
-
-
-#define DAY		(24L * 60 * 60) /* 1 day in seconds */
-#define TWO_WEEKS	(2L * 7 * DAY)	/* 2 weeks in seconds */
-
-void
-disable_forwarding(void)
-{
-	no_port_forwarding_flag = 1;
-	no_agent_forwarding_flag = 1;
-	no_x11_forwarding_flag = 1;
-}
-
-/*
- * Tries to authenticate the user using password.  Returns true if
- * authentication succeeds.
- */
-int
-auth_password(Authctxt *authctxt, const char *password)
-{
-	struct passwd * pw = authctxt->pw;
-	int result, ok = authctxt->valid;
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-	static int expire_checked = 0;
-#endif
-
-#ifndef HAVE_CYGWIN
-	if (pw->pw_uid == 0 && options.permit_root_login != PERMIT_YES)
-		ok = 0;
-#endif
-	if (*password == '\0' && options.permit_empty_passwd == 0)
-		return 0;
-
-#ifdef KRB5
-	if (options.kerberos_authentication == 1) {
-		int ret = auth_krb5_password(authctxt, password);
-		if (ret == 1 || ret == 0)
-			return ret && ok;
-		/* Fall back to ordinary passwd authentication. */
-	}
-#endif
-#ifdef HAVE_CYGWIN
-	{
-		HANDLE hToken = cygwin_logon_user(pw, password);
-
-		if (hToken == INVALID_HANDLE_VALUE)
-			return 0;
-		cygwin_set_impersonation_token(hToken);
-		return ok;
-	}
-#endif
-#ifdef USE_PAM
-	if (options.use_pam)
-		return (sshpam_auth_passwd(authctxt, password) && ok);
-#endif
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-	if (!expire_checked) {
-		expire_checked = 1;
-		if (auth_shadow_pwexpired(authctxt))
-			authctxt->force_pwchange = 1;
-	}
-#endif
-	result = sys_auth_passwd(authctxt, password);
-	if (authctxt->force_pwchange)
-		disable_forwarding();
-	return (result && ok);
-}
-
-#ifdef BSD_AUTH
-static void
-warn_expiry(Authctxt *authctxt, auth_session_t *as)
-{
-	char buf[256];
-	quad_t pwtimeleft, actimeleft, daysleft, pwwarntime, acwarntime;
-
-	pwwarntime = acwarntime = TWO_WEEKS;
-
-	pwtimeleft = auth_check_change(as);
-	actimeleft = auth_check_expire(as);
-#ifdef HAVE_LOGIN_CAP
-	if (authctxt->valid) {
-		pwwarntime = login_getcaptime(lc, "password-warn", TWO_WEEKS,
-		    TWO_WEEKS);
-		acwarntime = login_getcaptime(lc, "expire-warn", TWO_WEEKS,
-		    TWO_WEEKS);
-	}
-#endif
-	if (pwtimeleft != 0 && pwtimeleft < pwwarntime) {
-		daysleft = pwtimeleft / DAY + 1;
-		snprintf(buf, sizeof(buf),
-		    "Your password will expire in %lld day%s.\n",
-		    daysleft, daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-	if (actimeleft != 0 && actimeleft < acwarntime) {
-		daysleft = actimeleft / DAY + 1;
-		snprintf(buf, sizeof(buf),
-		    "Your account will expire in %lld day%s.\n",
-		    daysleft, daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-}
-
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-	struct passwd *pw = authctxt->pw;
-	auth_session_t *as;
-	static int expire_checked = 0;
-
-	as = auth_usercheck(pw->pw_name, authctxt->style, "auth-ssh",
-	    (char *)password);
-	if (as == NULL)
-		return (0);
-	if (auth_getstate(as) & AUTH_PWEXPIRED) {
-		auth_close(as);
-		disable_forwarding();
-		authctxt->force_pwchange = 1;
-		return (1);
-	} else {
-		if (!expire_checked) {
-			expire_checked = 1;
-			warn_expiry(authctxt, as);
-		}
-		return (auth_close(as));
-	}
-}
-
-#elif defined(WIN32_FIXME)
-int sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-  /* 
-   * Authenticate on Windows 
-   */
-   
-  struct passwd *pw = authctxt -> pw;
-
-  HANDLE hToken = INVALID_HANDLE_VALUE;
-  
-  BOOL worked = FALSE;
-  
-  LPWSTR user_UTF16     = NULL;
-  LPWSTR password_UTF16 = NULL;
-  LPWSTR domain_UTF16   = NULL;
-
-  int buffer_size = 0;
-  
-  /*
-   * Identify domain or local login.
-   */
-   
-  domain_UTF16 = strchr(authctxt -> user, '@') ? NULL : L".";
-  
-  authctxt -> methoddata = hToken;
- 
-  if (domain_UTF16 == NULL)
-  {
-    debug3("Using domain logon...");
-  }
-  
-  /*
-   * Convert username from UTF-8 to UTF-16
-   */
- 
-  buffer_size = MultiByteToWideChar(CP_UTF8, 0, authctxt -> user, -1, NULL, 0);
-
-  if (buffer_size > 0)
-  {
-    user_UTF16 = xmalloc(4 * buffer_size);
-  }
-  else
-  {
-    return 0;
-  }
-  
-  if (0 == MultiByteToWideChar(CP_UTF8, 0, authctxt -> user,
-                                   -1, user_UTF16, buffer_size))
-  {
-    free(user_UTF16);
-
-    return 0;
-  }
-
-  /*
-   * Convert password from UTF-8 to UTF-16
-   */
-  
-  buffer_size = MultiByteToWideChar(CP_UTF8, 0, password, -1, NULL, 0);
-
-  if (buffer_size > 0)
-  {
-    password_UTF16 = xmalloc(4 * buffer_size);
-  }
-  else
-  {
-    return 0;
-  }
-  
-  if (0 == MultiByteToWideChar(CP_UTF8, 0, password, -1, 
-                                   password_UTF16 , buffer_size))
-  {
-    free(password_UTF16 );
-
-    return 0;
-  }
-
-  /*
-   * First, try logon in INTERACTIVE mode.
-   */
-  
-  worked = LogonUserW(user_UTF16, domain_UTF16, password_UTF16,
-                         LOGON32_LOGON_INTERACTIVE, 
-                             LOGON32_PROVIDER_DEFAULT, &hToken);
-                             
-  /*
-   * If no success, try NETWORK mode.
-   */
-   
-  if (!worked)
-  {
-    HANDLE weakToken = INVALID_HANDLE_VALUE;
-    
-    debug3("Netork login attemp [%s][%ls]...", 
-               authctxt -> user, domain_UTF16);
-    
-    worked = LogonUserW(user_UTF16, domain_UTF16, password_UTF16,
-                           LOGON32_LOGON_NETWORK,
-                               LOGON32_PROVIDER_DEFAULT, &weakToken);
-
-    if (worked)
-    {
-      debug("Duplicating token...");
-  
-      debug3(DuplicateTokenEx(weakToken, MAXIMUM_ALLOWED,
-                                  NULL, SecurityImpersonation,
-                                      TokenPrimary, &hToken) == 0);
-    }                                  
-  }
-  
-  free(user_UTF16);
-  free(password_UTF16);
-  
-  /*
-   * If login still fails, go out.
-   */
-   
-  if (!worked || hToken == INVALID_HANDLE_VALUE)
-  {
-    return 0;
-  }
-
-  /*
-   * Make sure this can be inherited for when 
-   * we start shells or commands.
-   */
-  
-  worked = SetHandleInformation(hToken, HANDLE_FLAG_INHERIT, HANDLE_FLAG_INHERIT);
-  
-  if (!worked)
-  {
-    CloseHandle(hToken);
-    
-    hToken = INVALID_HANDLE_VALUE;
-    
-    authctxt -> methoddata = hToken;
-
-    return 0;
-  }
-
-  /*
-   * Save the handle (or invalid handle) as method-specific data.
-   */
-   
-  authctxt -> methoddata = hToken;
-
-  return 1;
-}
-
-#elif !defined(CUSTOM_SYS_AUTH_PASSWD)
-int
-sys_auth_passwd(Authctxt *authctxt, const char *password)
-{
-	struct passwd *pw = authctxt->pw;
-	char *encrypted_password;
-
-	/* Just use the supplied fake password if authctxt is invalid */
-	char *pw_password = authctxt->valid ? shadow_pw(pw) : pw->pw_passwd;
-
-	/* Check for users with no password. */
-	if (strcmp(pw_password, "") == 0 && strcmp(password, "") == 0)
-		return (1);
-
-	/* Encrypt the candidate password using the proper salt. */
-	encrypted_password = xcrypt(password,
-	    (pw_password[0] && pw_password[1]) ? pw_password : "xx");
-
-	/*
-	 * Authentication is accepted if the encrypted passwords
-	 * are identical.
-	 */
-	return encrypted_password != NULL &&
-	    strcmp(encrypted_password, pw_password) == 0;
-}
-#endif
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@ -1,113 +0,0 @@
-/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Rhosts or /etc/hosts.equiv authentication combined with RSA host
- * authentication.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#ifdef WITH_SSH1
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdarg.h>
-
-#include "packet.h"
-#include "uidswap.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "pathnames.h"
-#include "auth.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-int
-auth_rhosts_rsa_key_allowed(struct passwd *pw, char *cuser, char *chost,
-    Key *client_host_key)
-{
-	HostStatus host_status;
-
-	if (auth_key_is_revoked(client_host_key))
-		return 0;
-
-	/* Check if we would accept it using rhosts authentication. */
-	if (!auth_rhosts(pw, cuser))
-		return 0;
-
-	host_status = check_key_in_hostfiles(pw, client_host_key,
-	    chost, _PATH_SSH_SYSTEM_HOSTFILE,
-	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-	return (host_status == HOST_OK);
-}
-
-/*
- * Tries to authenticate the user using the .rhosts file and the host using
- * its host key.  Returns true if authentication succeeds.
- */
-int
-auth_rhosts_rsa(Authctxt *authctxt, char *cuser, Key *client_host_key)
-{
-	char *chost;
-	struct passwd *pw = authctxt->pw;
-
-	debug("Trying rhosts with RSA host authentication for client user %.100s",
-	    cuser);
-
-	if (!authctxt->valid || client_host_key == NULL ||
-	    client_host_key->rsa == NULL)
-		return 0;
-
-	chost = (char *)get_canonical_hostname(options.use_dns);
-	debug("Rhosts RSA authentication: canonical host %.900s", chost);
-
-	if (!PRIVSEP(auth_rhosts_rsa_key_allowed(pw, cuser, chost, client_host_key))) {
-		debug("Rhosts with RSA host authentication denied: unknown or invalid host key");
-		packet_send_debug("Your host key cannot be verified: unknown or invalid host key.");
-		return 0;
-	}
-	/* A matching host key was found and is known. */
-
-	/* Perform the challenge-response dialog with the client for the host key. */
-	if (!auth_rsa_challenge_dialog(client_host_key)) {
-		logit("Client on %.800s failed to respond correctly to host authentication.",
-		    chost);
-		return 0;
-	}
-	/*
-	 * We have authenticated the user using .rhosts or /etc/hosts.equiv,
-	 * and the host using RSA. We accept the authentication.
-	 */
-
-	verbose("Rhosts with RSA host authentication accepted for %.100s, %.100s on %.700s.",
-	    pw->pw_name, cuser, chost);
-	packet_send_debug("Rhosts with RSA host authentication accepted.");
-	return 1;
-}
-
-#endif /* WITH_SSH1 */
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@ -1,355 +0,0 @@
-/* $OpenBSD: auth-rhosts.c,v 1.46 2014/12/23 22:42:48 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Rhosts authentication.  This file contains code to check whether to admit
- * the login based on rhosts authentication.  This file also processes
- * /etc/hosts.equiv.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#ifdef HAVE_NETGROUP_H
-# include <netgroup.h>
-#endif
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-#include <fcntl.h>
-#include <unistd.h>
-
-#include "packet.h"
-#include "buffer.h"
-#include "uidswap.h"
-#include "pathnames.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-
-/* import */
-extern ServerOptions options;
-extern int use_privsep;
-
-/*
- * This function processes an rhosts-style file (.rhosts, .shosts, or
- * /etc/hosts.equiv).  This returns true if authentication can be granted
- * based on the file, and returns zero otherwise.
- */
-
-static int
-check_rhosts_file(const char *filename, const char *hostname,
-		  const char *ipaddr, const char *client_user,
-		  const char *server_user)
-{
-#ifndef WIN32_FIXME
-	FILE *f;
-#define RBUFLN 1024
-	char buf[RBUFLN];/* Must not be larger than host, user, dummy below. */
-	int fd;
-	struct stat st;
-
-	/* Open the .rhosts file, deny if unreadable */
-	if ((fd = open(filename, O_RDONLY|O_NONBLOCK)) == -1)
-		return 0;
-	if (fstat(fd, &st) == -1) {
-		close(fd);
-		return 0;
-	}
-	if (!S_ISREG(st.st_mode)) {
-		logit("User %s hosts file %s is not a regular file",
-		    server_user, filename);
-		close(fd);
-		return 0;
-	}
-	unset_nonblock(fd);
-	if ((f = fdopen(fd, "r")) == NULL) {
-		close(fd);
-		return 0;
-	}
-	while (fgets(buf, sizeof(buf), f)) {
-		/* All three must have length >= buf to avoid overflows. */
-		char hostbuf[RBUFLN], userbuf[RBUFLN], dummy[RBUFLN];
-		char *host, *user, *cp;
-		int negated;
-
-		for (cp = buf; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (*cp == '#' || *cp == '\n' || !*cp)
-			continue;
-
-		/*
-		 * NO_PLUS is supported at least on OSF/1.  We skip it (we
-		 * don't ever support the plus syntax).
-		 */
-		if (strncmp(cp, "NO_PLUS", 7) == 0)
-			continue;
-
-		/*
-		 * This should be safe because each buffer is as big as the
-		 * whole string, and thus cannot be overwritten.
-		 */
-		switch (sscanf(buf, "%1023s %1023s %1023s", hostbuf, userbuf,
-		    dummy)) {
-		case 0:
-			auth_debug_add("Found empty line in %.100s.", filename);
-			continue;
-		case 1:
-			/* Host name only. */
-			strlcpy(userbuf, server_user, sizeof(userbuf));
-			break;
-		case 2:
-			/* Got both host and user name. */
-			break;
-		case 3:
-			auth_debug_add("Found garbage in %.100s.", filename);
-			continue;
-		default:
-			/* Weird... */
-			continue;
-		}
-
-		host = hostbuf;
-		user = userbuf;
-		negated = 0;
-
-		/* Process negated host names, or positive netgroups. */
-		if (host[0] == '-') {
-			negated = 1;
-			host++;
-		} else if (host[0] == '+')
-			host++;
-
-		if (user[0] == '-') {
-			negated = 1;
-			user++;
-		} else if (user[0] == '+')
-			user++;
-
-		/* Check for empty host/user names (particularly '+'). */
-		if (!host[0] || !user[0]) {
-			/* We come here if either was '+' or '-'. */
-			auth_debug_add("Ignoring wild host/user names "
-			    "in %.100s.", filename);
-			continue;
-		}
-		/* Verify that host name matches. */
-		if (host[0] == '@') {
-			if (!innetgr(host + 1, hostname, NULL, NULL) &&
-			    !innetgr(host + 1, ipaddr, NULL, NULL))
-				continue;
-		} else if (strcasecmp(host, hostname) &&
-		    strcmp(host, ipaddr) != 0)
-			continue;	/* Different hostname. */
-
-		/* Verify that user name matches. */
-		if (user[0] == '@') {
-			if (!innetgr(user + 1, NULL, client_user, NULL))
-				continue;
-		} else if (strcmp(user, client_user) != 0)
-			continue;	/* Different username. */
-
-		/* Found the user and host. */
-		fclose(f);
-
-		/* If the entry was negated, deny access. */
-		if (negated) {
-			auth_debug_add("Matched negative entry in %.100s.",
-			    filename);
-			return 0;
-		}
-		/* Accept authentication. */
-		return 1;
-	}
-
-	/* Authentication using this file denied. */
-	fclose(f);
-	return 0;
-
-#else
-  return 1;
-#endif
-}
-
-/*
- * Tries to authenticate the user using the .shosts or .rhosts file. Returns
- * true if authentication succeeds.  If ignore_rhosts is true, only
- * /etc/hosts.equiv will be considered (.rhosts and .shosts are ignored).
- */
-
-int
-auth_rhosts(struct passwd *pw, const char *client_user)
-{
-	const char *hostname, *ipaddr;
-
-	hostname = get_canonical_hostname(options.use_dns);
-	ipaddr = get_remote_ipaddr();
-	return auth_rhosts2(pw, client_user, hostname, ipaddr);
-}
-
-static int
-auth_rhosts2_raw(struct passwd *pw, const char *client_user, const char *hostname,
-    const char *ipaddr)
-{
-	char buf[1024];
-	struct stat st;
-	static const char *rhosts_files[] = {".shosts", ".rhosts", NULL};
-	u_int rhosts_file_index;
-
-	debug2("auth_rhosts2: clientuser %s hostname %s ipaddr %s",
-	    client_user, hostname, ipaddr);
-
-	/* Switch to the user's uid. */
-	temporarily_use_uid(pw);
-	/*
-	 * Quick check: if the user has no .shosts or .rhosts files and
-	 * no system hosts.equiv/shosts.equiv files exist then return
-	 * failure immediately without doing costly lookups from name
-	 * servers.
-	 */
-	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
-	    rhosts_file_index++) {
-		/* Check users .rhosts or .shosts. */
-		snprintf(buf, sizeof buf, "%.500s/%.100s",
-			 pw->pw_dir, rhosts_files[rhosts_file_index]);
-		if (stat(buf, &st) >= 0)
-			break;
-	}
-	/* Switch back to privileged uid. */
-	restore_uid();
-
-	/*
-	 * Deny if The user has no .shosts or .rhosts file and there
-	 * are no system-wide files.
-	 */
-	if (!rhosts_files[rhosts_file_index] &&
-	    stat(_PATH_RHOSTS_EQUIV, &st) < 0 &&
-	    stat(_PATH_SSH_HOSTS_EQUIV, &st) < 0) {
-		debug3("%s: no hosts access files exist", __func__);
-		return 0;
-	}
-
-	/*
-	 * If not logging in as superuser, try /etc/hosts.equiv and
-	 * shosts.equiv.
-	 */
-	if (pw->pw_uid == 0)
-		debug3("%s: root user, ignoring system hosts files", __func__);
-	else {
-		if (check_rhosts_file(_PATH_RHOSTS_EQUIV, hostname, ipaddr,
-		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted for %.100s [%.100s] by "
-			    "/etc/hosts.equiv.", hostname, ipaddr);
-			return 1;
-		}
-		if (check_rhosts_file(_PATH_SSH_HOSTS_EQUIV, hostname, ipaddr,
-		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted for %.100s [%.100s] by "
-			    "%.100s.", hostname, ipaddr, _PATH_SSH_HOSTS_EQUIV);
-			return 1;
-		}
-	}
-
-	/*
-	 * Check that the home directory is owned by root or the user, and is
-	 * not group or world writable.
-	 */
-	if (stat(pw->pw_dir, &st) < 0) {
-		logit("Rhosts authentication refused for %.100s: "
-		    "no home directory %.200s", pw->pw_name, pw->pw_dir);
-		auth_debug_add("Rhosts authentication refused for %.100s: "
-		    "no home directory %.200s", pw->pw_name, pw->pw_dir);
-		return 0;
-	}
-	if (options.strict_modes &&
-	    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-	    (st.st_mode & 022) != 0)) {
-		logit("Rhosts authentication refused for %.100s: "
-		    "bad ownership or modes for home directory.", pw->pw_name);
-		auth_debug_add("Rhosts authentication refused for %.100s: "
-		    "bad ownership or modes for home directory.", pw->pw_name);
-		return 0;
-	}
-	/* Temporarily use the user's uid. */
-	temporarily_use_uid(pw);
-
-	/* Check all .rhosts files (currently .shosts and .rhosts). */
-	for (rhosts_file_index = 0; rhosts_files[rhosts_file_index];
-	    rhosts_file_index++) {
-		/* Check users .rhosts or .shosts. */
-		snprintf(buf, sizeof buf, "%.500s/%.100s",
-			 pw->pw_dir, rhosts_files[rhosts_file_index]);
-		if (stat(buf, &st) < 0)
-			continue;
-
-		/*
-		 * Make sure that the file is either owned by the user or by
-		 * root, and make sure it is not writable by anyone but the
-		 * owner.  This is to help avoid novices accidentally
-		 * allowing access to their account by anyone.
-		 */
-		if (options.strict_modes &&
-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-		    (st.st_mode & 022) != 0)) {
-			logit("Rhosts authentication refused for %.100s: bad modes for %.200s",
-			    pw->pw_name, buf);
-			auth_debug_add("Bad file modes for %.200s", buf);
-			continue;
-		}
-		/*
-		 * Check if we have been configured to ignore .rhosts
-		 * and .shosts files.
-		 */
-		if (options.ignore_rhosts) {
-			auth_debug_add("Server has been configured to "
-			    "ignore %.100s.", rhosts_files[rhosts_file_index]);
-			continue;
-		}
-		/* Check if authentication is permitted by the file. */
-		if (check_rhosts_file(buf, hostname, ipaddr,
-		    client_user, pw->pw_name)) {
-			auth_debug_add("Accepted by %.100s.",
-			    rhosts_files[rhosts_file_index]);
-			/* Restore the privileged uid. */
-			restore_uid();
-			auth_debug_add("Accepted host %s ip %s client_user "
-			    "%s server_user %s", hostname, ipaddr,
-			    client_user, pw->pw_name);
-			return 1;
-		}
-	}
-
-	/* Restore the privileged uid. */
-	restore_uid();
-	return 0;
-}
-
-int
-auth_rhosts2(struct passwd *pw, const char *client_user, const char *hostname,
-    const char *ipaddr)
-{
-       return auth_rhosts2_raw(pw, client_user, hostname, ipaddr);
-}
--- a/auth-rsa.c
+++ b/auth-rsa.c
@ -1,358 +0,0 @@
-/* $OpenBSD: auth-rsa.c,v 1.90 2015/01/28 22:36:00 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * RSA-based authentication.  This code determines whether to admit a login
- * based on RSA authentication.  This file also contains functions to check
- * validity of the host key.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#ifdef WITH_SSH1
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <openssl/rsa.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "rsa.h"
-#include "packet.h"
-#include "ssh1.h"
-#include "uidswap.h"
-#include "match.h"
-#include "buffer.h"
-#include "pathnames.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-#include "key.h"
-#include "auth-options.h"
-#include "hostfile.h"
-#include "auth.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "ssh.h"
-
-#include "digest.h"
-
-/* import */
-extern ServerOptions options;
-
-/*
- * Session identifier that is used to bind key exchange and authentication
- * responses to a particular session.
- */
-extern u_char session_id[16];
-
-/*
- * The .ssh/authorized_keys file contains public keys, one per line, in the
- * following format:
- *   options bits e n comment
- * where bits, e and n are decimal numbers,
- * and comment is any string of characters up to newline.  The maximum
- * length of a line is SSH_MAX_PUBKEY_BYTES characters.  See sshd(8) for a
- * description of the options.
- */
-
-BIGNUM *
-auth_rsa_generate_challenge(Key *key)
-{
-	BIGNUM *challenge;
-	BN_CTX *ctx;
-
-	if ((challenge = BN_new()) == NULL)
-		fatal("auth_rsa_generate_challenge: BN_new() failed");
-	/* Generate a random challenge. */
-	if (BN_rand(challenge, 256, 0, 0) == 0)
-		fatal("auth_rsa_generate_challenge: BN_rand failed");
-	if ((ctx = BN_CTX_new()) == NULL)
-		fatal("auth_rsa_generate_challenge: BN_CTX_new failed");
-	if (BN_mod(challenge, challenge, key->rsa->n, ctx) == 0)
-		fatal("auth_rsa_generate_challenge: BN_mod failed");
-	BN_CTX_free(ctx);
-
-	return challenge;
-}
-
-int
-auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
-{
-	u_char buf[32], mdbuf[16];
-	struct ssh_digest_ctx *md;
-	int len;
-
-	/* don't allow short keys */
-	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-		error("%s: RSA modulus too small: %d < minimum %d bits",
-		    __func__,
-		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
-		return (0);
-	}
-
-	/* The response is MD5 of decrypted challenge plus session id. */
-	len = BN_num_bytes(challenge);
-	if (len <= 0 || len > 32)
-		fatal("%s: bad challenge length %d", __func__, len);
-	memset(buf, 0, 32);
-	BN_bn2bin(challenge, buf + 32 - len);
-	if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
-	    ssh_digest_update(md, buf, 32) < 0 ||
-	    ssh_digest_update(md, session_id, 16) < 0 ||
-	    ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
-		fatal("%s: md5 failed", __func__);
-	ssh_digest_free(md);
-
-	/* Verify that the response is the original challenge. */
-	if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
-		/* Wrong answer. */
-		return (0);
-	}
-	/* Correct answer. */
-	return (1);
-}
-
-/*
- * Performs the RSA authentication challenge-response dialog with the client,
- * and returns true (non-zero) if the client gave the correct answer to
- * our challenge; returns zero if the client gives a wrong answer.
- */
-
-int
-auth_rsa_challenge_dialog(Key *key)
-{
-	BIGNUM *challenge, *encrypted_challenge;
-	u_char response[16];
-	int i, success;
-
-	if ((encrypted_challenge = BN_new()) == NULL)
-		fatal("auth_rsa_challenge_dialog: BN_new() failed");
-
-	challenge = PRIVSEP(auth_rsa_generate_challenge(key));
-
-	/* Encrypt the challenge with the public key. */
-	if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
-		fatal("%s: rsa_public_encrypt failed", __func__);
-
-	/* Send the encrypted challenge to the client. */
-	packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
-	packet_put_bignum(encrypted_challenge);
-	packet_send();
-	BN_clear_free(encrypted_challenge);
-	packet_write_wait();
-
-	/* Wait for a response. */
-	packet_read_expect(SSH_CMSG_AUTH_RSA_RESPONSE);
-	for (i = 0; i < 16; i++)
-		response[i] = (u_char)packet_get_char();
-	packet_check_eom();
-
-	success = PRIVSEP(auth_rsa_verify_response(key, challenge, response));
-	BN_clear_free(challenge);
-	return (success);
-}
-
-static int
-rsa_key_allowed_in_file(struct passwd *pw, char *file,
-    const BIGNUM *client_n, Key **rkey)
-{
-	char *fp, line[SSH_MAX_PUBKEY_BYTES];
-	int allowed = 0, bits;
-	FILE *f;
-	u_long linenum = 0;
-	Key *key;
-
-	debug("trying public RSA key file %s", file);
-	if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
-		return 0;
-
-	/*
-	 * Go though the accepted keys, looking for the current key.  If
-	 * found, perform a challenge-response dialog to verify that the
-	 * user really has the corresponding private key.
-	 */
-	key = key_new(KEY_RSA1);
-	while (read_keyfile_line(f, file, line, sizeof(line), &linenum) != -1) {
-		char *cp;
-		char *key_options;
-		int keybits;
-
-		/* Skip leading whitespace, empty and comment lines. */
-		for (cp = line; *cp == ' ' || *cp == '\t'; cp++)
-			;
-		if (!*cp || *cp == '\n' || *cp == '#')
-			continue;
-
-		/*
-		 * Check if there are options for this key, and if so,
-		 * save their starting address and skip the option part
-		 * for now.  If there are no options, set the starting
-		 * address to NULL.
-		 */
-		if (*cp < '0' || *cp > '9') {
-			int quoted = 0;
-			key_options = cp;
-			for (; *cp && (quoted || (*cp != ' ' && *cp != '\t')); cp++) {
-				if (*cp == '\\' && cp[1] == '"')
-					cp++;	/* Skip both */
-				else if (*cp == '"')
-					quoted = !quoted;
-			}
-		} else
-			key_options = NULL;
-
-		/* Parse the key from the line. */
-		if (hostfile_read_key(&cp, &bits, key) == 0) {
-			debug("%.100s, line %lu: non ssh1 key syntax",
-			    file, linenum);
-			continue;
-		}
-		/* cp now points to the comment part. */
-
-		/*
-		 * Check if the we have found the desired key (identified
-		 * by its modulus).
-		 */
-		if (BN_cmp(key->rsa->n, client_n) != 0)
-			continue;
-
-		/* check the real bits  */
-		keybits = BN_num_bits(key->rsa->n);
-		if (keybits < 0 || bits != keybits)
-			logit("Warning: %s, line %lu: keysize mismatch: "
-			    "actual %d vs. announced %d.",
-			    file, linenum, BN_num_bits(key->rsa->n), bits);
-
-		if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
-		    SSH_FP_DEFAULT)) == NULL)
-			continue;
-		debug("matching key found: file %s, line %lu %s %s",
-		    file, linenum, key_type(key), fp);
-		free(fp);
-
-		/* Never accept a revoked key */
-		if (auth_key_is_revoked(key))
-			break;
-
-		/* We have found the desired key. */
-		/*
-		 * If our options do not allow this key to be used,
-		 * do not send challenge.
-		 */
-		if (!auth_parse_options(pw, key_options, file, linenum))
-			continue;
-		if (key_is_cert_authority)
-			continue;
-		/* break out, this key is allowed */
-		allowed = 1;
-		break;
-	}
-
-	/* Close the file. */
-	fclose(f);
-
-	/* return key if allowed */
-	if (allowed && rkey != NULL)
-		*rkey = key;
-	else
-		key_free(key);
-
-	return allowed;
-}
-
-/*
- * check if there's user key matching client_n,
- * return key if login is allowed, NULL otherwise
- */
-
-int
-auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
-{
-	char *file;
-	u_int i, allowed = 0;
-
-	temporarily_use_uid(pw);
-
-	for (i = 0; !allowed && i < options.num_authkeys_files; i++) {
-		if (strcasecmp(options.authorized_keys_files[i], "none") == 0)
-			continue;
-		file = expand_authorized_keys(
-		    options.authorized_keys_files[i], pw);
-		allowed = rsa_key_allowed_in_file(pw, file, client_n, rkey);
-		free(file);
-	}
-
-	restore_uid();
-
-	return allowed;
-}
-
-/*
- * Performs the RSA authentication dialog with the client.  This returns
- * 0 if the client could not be authenticated, and 1 if authentication was
- * successful.  This may exit if there is a serious protocol violation.
- */
-int
-auth_rsa(Authctxt *authctxt, BIGNUM *client_n)
-{
-	Key *key;
-	struct passwd *pw = authctxt->pw;
-
-	/* no user given */
-	if (!authctxt->valid)
-		return 0;
-
-	if (!PRIVSEP(auth_rsa_key_allowed(pw, client_n, &key))) {
-		auth_clear_options();
-		return (0);
-	}
-
-	/* Perform the challenge-response dialog for this key. */
-	if (!auth_rsa_challenge_dialog(key)) {
-		/* Wrong response. */
-		verbose("Wrong response to RSA authentication challenge.");
-		packet_send_debug("Wrong response to RSA authentication challenge.");
-		/*
-		 * Break out of the loop. Otherwise we might send
-		 * another challenge and break the protocol.
-		 */
-		key_free(key);
-		return (0);
-	}
-	/*
-	 * Correct response.  The client has been successfully
-	 * authenticated. Note that we have not yet processed the
-	 * options; this will be reset if the options cause the
-	 * authentication to be rejected.
-	 */
-	pubkey_auth_info(authctxt, key, NULL);
-
-	packet_send_debug("RSA authentication accepted.");
-	return (1);
-}
-
-#endif /* WITH_SSH1 */
--- a/auth-shadow.c
+++ b/auth-shadow.c
@ -1,142 +0,0 @@
-/*
- * Copyright (c) 2004 Darren Tucker.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#include <shadow.h>
-#include <stdarg.h>
-#include <string.h>
-#include <time.h>
-
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "log.h"
-
-#ifdef DAY
-# undef DAY
-#endif
-#define DAY	(24L * 60 * 60) /* 1 day in seconds */
-
-extern Buffer loginmsg;
-
-/*
- * For the account and password expiration functions, we assume the expiry
- * occurs the day after the day specified.
- */
-
-/*
- * Check if specified account is expired.  Returns 1 if account is expired,
- * 0 otherwise.
- */
-int
-auth_shadow_acctexpired(struct spwd *spw)
-{
-	time_t today;
-	int daysleft;
-	char buf[256];
-
-	today = time(NULL) / DAY;
-	daysleft = spw->sp_expire - today;
-	debug3("%s: today %d sp_expire %d days left %d", __func__, (int)today,
-	    (int)spw->sp_expire, daysleft);
-
-	if (spw->sp_expire == -1) {
-		debug3("account expiration disabled");
-	} else if (daysleft < 0) {
-		logit("Account %.100s has expired", spw->sp_namp);
-		return 1;
-	} else if (daysleft <= spw->sp_warn) {
-		debug3("account will expire in %d days", daysleft);
-		snprintf(buf, sizeof(buf),
-		    "Your account will expire in %d day%s.\n", daysleft,
-		    daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-
-	return 0;
-}
-
-/*
- * Checks password expiry for platforms that use shadow passwd files.
- * Returns: 1 = password expired, 0 = password not expired
- */
-int
-auth_shadow_pwexpired(Authctxt *ctxt)
-{
-	struct spwd *spw = NULL;
-	const char *user = ctxt->pw->pw_name;
-	char buf[256];
-	time_t today;
-	int daysleft, disabled = 0;
-
-	if ((spw = getspnam((char *)user)) == NULL) {
-		error("Could not get shadow information for %.100s", user);
-		return 0;
-	}
-
-	today = time(NULL) / DAY;
-	debug3("%s: today %d sp_lstchg %d sp_max %d", __func__, (int)today,
-	    (int)spw->sp_lstchg, (int)spw->sp_max);
-
-#if defined(__hpux) && !defined(HAVE_SECUREWARE)
-	if (iscomsec()) {
-		struct pr_passwd *pr;
-
-		pr = getprpwnam((char *)user);
-
-		/* Test for Trusted Mode expiry disabled */
-		if (pr != NULL && pr->ufld.fd_min == 0 &&
-		    pr->ufld.fd_lifetime == 0 && pr->ufld.fd_expire == 0 &&
-		    pr->ufld.fd_pw_expire_warning == 0 &&
-		    pr->ufld.fd_schange != 0)
-			disabled = 1;
-	}
-#endif
-
-	/* TODO: check sp_inact */
-	daysleft = spw->sp_lstchg + spw->sp_max - today;
-	if (disabled) {
-		debug3("password expiration disabled");
-	} else if (spw->sp_lstchg == 0) {
-		logit("User %.100s password has expired (root forced)", user);
-		return 1;
-	} else if (spw->sp_max == -1) {
-		debug3("password expiration disabled");
-	} else if (daysleft < 0) {
-		logit("User %.100s password has expired (password aged)", user);
-		return 1;
-	} else if (daysleft <= spw->sp_warn) {
-		debug3("password will expire in %d days", daysleft);
-		snprintf(buf, sizeof(buf),
-		    "Your password will expire in %d day%s.\n", daysleft,
-		    daysleft == 1 ? "" : "s");
-		buffer_append(&loginmsg, buf, strlen(buf));
-	}
-
-	return 0;
-}
-#endif	/* USE_SHADOW && HAS_SHADOW_EXPIRE */
--- a/auth-sia.c
+++ b/auth-sia.c
@ -1,114 +0,0 @@
-/*
- * Copyright (c) 2002 Chris Adams.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_OSF_SIA
-#include <sia.h>
-#include <siad.h>
-#include <pwd.h>
-#include <signal.h>
-#include <setjmp.h>
-#include <sys/resource.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <string.h>
-
-#include "ssh.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-sia.h"
-#include "log.h"
-#include "servconf.h"
-#include "canohost.h"
-#include "uidswap.h"
-
-extern ServerOptions options;
-extern int saved_argc;
-extern char **saved_argv;
-
-int
-sys_auth_passwd(Authctxt *authctxt, const char *pass)
-{
-	int ret;
-	SIAENTITY *ent = NULL;
-	const char *host;
-
-	host = get_canonical_hostname(options.use_dns);
-
-	if (!authctxt->user || pass == NULL || pass[0] == '\0')
-		return (0);
-
-	if (sia_ses_init(&ent, saved_argc, saved_argv, host, authctxt->user,
-	    NULL, 0, NULL) != SIASUCCESS)
-		return (0);
-
-	if ((ret = sia_ses_authent(NULL, pass, ent)) != SIASUCCESS) {
-		error("Couldn't authenticate %s from %s",
-		    authctxt->user, host);
-		if (ret & SIASTOP)
-			sia_ses_release(&ent);
-
-		return (0);
-	}
-
-	sia_ses_release(&ent);
-
-	return (1);
-}
-
-void
-session_setup_sia(struct passwd *pw, char *tty)
-{
-	SIAENTITY *ent = NULL;
-	const char *host;
-
-	host = get_canonical_hostname(options.use_dns);
-
-	if (sia_ses_init(&ent, saved_argc, saved_argv, host, pw->pw_name,
-	    tty, 0, NULL) != SIASUCCESS)
-		fatal("sia_ses_init failed");
-
-	if (sia_make_entity_pwd(pw, ent) != SIASUCCESS) {
-		sia_ses_release(&ent);
-		fatal("sia_make_entity_pwd failed");
-	}
-
-	ent->authtype = SIA_A_NONE;
-	if (sia_ses_estab(sia_collect_trm, ent) != SIASUCCESS)
-		fatal("Couldn't establish session for %s from %s",
-		    pw->pw_name, host);
-
-	if (sia_ses_launch(sia_collect_trm, ent) != SIASUCCESS)
-		fatal("Couldn't launch session for %s from %s",
-		    pw->pw_name, host);
-
-	sia_ses_release(&ent);
-
-	setuid(0);
-	permanently_set_uid(pw);
-}
-
-#endif /* HAVE_OSF_SIA */
--- a/auth-sia.h
+++ b/auth-sia.h
@ -1,31 +0,0 @@
-/*
- * Copyright (c) 2002 Chris Adams.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef HAVE_OSF_SIA
-
-void	session_setup_sia(struct passwd *, char *);
-
-#endif /* HAVE_OSF_SIA */
--- a/auth-skey.c
+++ b/auth-skey.c
@ -1,117 +0,0 @@
-/* $OpenBSD: auth-skey.c,v 1.27 2007/01/21 01:41:54 stevesk Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#ifdef SKEY
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <stdio.h>
-
-#include <skey.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "ssh-gss.h"
-#include "log.h"
-#include "monitor_wrap.h"
-
-static void *
-skey_init_ctx(Authctxt *authctxt)
-{
-	return authctxt;
-}
-
-int
-skey_query(void *ctx, char **name, char **infotxt,
-    u_int* numprompts, char ***prompts, u_int **echo_on)
-{
-	Authctxt *authctxt = ctx;
-	char challenge[1024];
-	struct skey skey;
-
-	if (_compat_skeychallenge(&skey, authctxt->user, challenge,
-	    sizeof(challenge)) == -1)
-		return -1;
-
-	*name = xstrdup("");
-	*infotxt = xstrdup("");
-	*numprompts = 1;
-	*prompts = xcalloc(*numprompts, sizeof(char *));
-	*echo_on = xcalloc(*numprompts, sizeof(u_int));
-
-	xasprintf(*prompts, "%s%s", challenge, SKEY_PROMPT);
-
-	return 0;
-}
-
-int
-skey_respond(void *ctx, u_int numresponses, char **responses)
-{
-	Authctxt *authctxt = ctx;
-
-	if (authctxt->valid &&
-	    numresponses == 1 &&
-	    skey_haskey(authctxt->pw->pw_name) == 0 &&
-	    skey_passcheck(authctxt->pw->pw_name, responses[0]) != -1)
-	    return 0;
-	return -1;
-}
-
-static void
-skey_free_ctx(void *ctx)
-{
-	/* we don't have a special context */
-}
-
-KbdintDevice skey_device = {
-	"skey",
-	skey_init_ctx,
-	skey_query,
-	skey_respond,
-	skey_free_ctx
-};
-
-KbdintDevice mm_skey_device = {
-	"skey",
-	skey_init_ctx,
-	mm_skey_query,
-	mm_skey_respond,
-	skey_free_ctx
-};
-#endif /* SKEY */
--- a/auth.c
+++ b/auth.c
@ -1,874 +0,0 @@
-/* $OpenBSD: auth.c,v 1.113 2015/08/21 03:42:19 djm Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-
-#include <netinet/in.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#ifdef HAVE_PATHS_H
-# include <paths.h>
-#endif
-#include <pwd.h>
-#ifdef HAVE_LOGIN_H
-#include <login.h>
-#endif
-#ifdef USE_SHADOW
-#include <shadow.h>
-#endif
-#ifdef HAVE_LIBGEN_H
-#include <libgen.h>
-#endif
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <limits.h>
-
-#include "xmalloc.h"
-#include "match.h"
-#include "groupaccess.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "auth-options.h"
-#include "canohost.h"
-#include "uidswap.h"
-#include "packet.h"
-#include "loginrec.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "authfile.h"
-#include "monitor_wrap.h"
-#include "authfile.h"
-#include "ssherr.h"
-#include "compat.h"
-
-/* import */
-extern ServerOptions options;
-extern int use_privsep;
-extern Buffer loginmsg;
-extern struct passwd *privsep_pw;
-
-/* Debugging messages */
-Buffer auth_debug;
-int auth_debug_init;
-
-/*
- * Check if the user is allowed to log in via ssh. If user is listed
- * in DenyUsers or one of user's groups is listed in DenyGroups, false
- * will be returned. If AllowUsers isn't empty and user isn't listed
- * there, or if AllowGroups isn't empty and one of user's groups isn't
- * listed there, false will be returned.
- * If the user's shell is not executable, false will be returned.
- * Otherwise true is returned.
- */
-int
-allowed_user(struct passwd * pw)
-{
-	struct stat st;
-	const char *hostname = NULL, *ipaddr = NULL, *passwd = NULL;
-	u_int i;
-#ifdef USE_SHADOW
-	struct spwd *spw = NULL;
-#endif
-
-	/* Shouldn't be called if pw is NULL, but better safe than sorry... */
-	if (!pw || !pw->pw_name)
-		return 0;
-
-#ifdef USE_SHADOW
-	if (!options.use_pam)
-		spw = getspnam(pw->pw_name);
-#ifdef HAS_SHADOW_EXPIRE
-	if (!options.use_pam && spw != NULL && auth_shadow_acctexpired(spw))
-		return 0;
-#endif /* HAS_SHADOW_EXPIRE */
-#endif /* USE_SHADOW */
-
-	/* grab passwd field for locked account check */
-	passwd = pw->pw_passwd;
-#ifdef USE_SHADOW
-	if (spw != NULL)
-#ifdef USE_LIBIAF
-		passwd = get_iaf_password(pw);
-#else
-		passwd = spw->sp_pwdp;
-#endif /* USE_LIBIAF */
-#endif
-
-	/* check for locked account */
-	if (!options.use_pam && passwd && *passwd) {
-		int locked = 0;
-
-#ifdef LOCKED_PASSWD_STRING
-		if (strcmp(passwd, LOCKED_PASSWD_STRING) == 0)
-			 locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_PREFIX
-		if (strncmp(passwd, LOCKED_PASSWD_PREFIX,
-		    strlen(LOCKED_PASSWD_PREFIX)) == 0)
-			 locked = 1;
-#endif
-#ifdef LOCKED_PASSWD_SUBSTR
-		if (strstr(passwd, LOCKED_PASSWD_SUBSTR))
-			locked = 1;
-#endif
-#ifdef USE_LIBIAF
-		free((void *) passwd);
-#endif /* USE_LIBIAF */
-		if (locked) {
-			logit("User %.100s not allowed because account is locked",
-			    pw->pw_name);
-			return 0;
-		}
-	}
-
-	/*
-	 * Deny if shell does not exist or is not executable unless we
-	 * are chrooting.
-	 */
-	if (options.chroot_directory == NULL ||
-	    strcasecmp(options.chroot_directory, "none") == 0) {
-		char *shell = xstrdup((pw->pw_shell[0] == '\0') ?
-		    _PATH_BSHELL : pw->pw_shell); /* empty = /bin/sh */
-
-		if (stat(shell, &st) != 0) {
-			logit("User %.100s not allowed because shell %.100s "
-			    "does not exist", pw->pw_name, shell);
-			free(shell);
-			return 0;
-		}
-#ifndef WIN32_FIXME
-		if (S_ISREG(st.st_mode) == 0 ||
-		    (st.st_mode & (S_IXOTH|S_IXUSR|S_IXGRP)) == 0) {
-			logit("User %.100s not allowed because shell %.100s "
-			    "is not executable", pw->pw_name, shell);
-			free(shell);
-			return 0;
-		}
-#endif
-		free(shell);
-	}
-
-	if (options.num_deny_users > 0 || options.num_allow_users > 0 ||
-	    options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-		hostname = get_canonical_hostname(options.use_dns);
-		ipaddr = get_remote_ipaddr();
-	}
-
-	/* Return false if user is listed in DenyUsers */
-	if (options.num_deny_users > 0) {
-		for (i = 0; i < options.num_deny_users; i++)
-			if (match_user(pw->pw_name, hostname, ipaddr,
-			    options.deny_users[i])) {
-				logit("User %.100s from %.100s not allowed "
-				    "because listed in DenyUsers",
-				    pw->pw_name, hostname);
-				return 0;
-			}
-	}
-	/* Return false if AllowUsers isn't empty and user isn't listed there */
-	if (options.num_allow_users > 0) {
-		for (i = 0; i < options.num_allow_users; i++)
-			if (match_user(pw->pw_name, hostname, ipaddr,
-			    options.allow_users[i]))
-				break;
-		/* i < options.num_allow_users iff we break for loop */
-		if (i >= options.num_allow_users) {
-			logit("User %.100s from %.100s not allowed because "
-			    "not listed in AllowUsers", pw->pw_name, hostname);
-			return 0;
-		}
-	}
-	if (options.num_deny_groups > 0 || options.num_allow_groups > 0) {
-		/* Get the user's group access list (primary and supplementary) */
-		if (ga_init(pw->pw_name, pw->pw_gid) == 0) {
-			logit("User %.100s from %.100s not allowed because "
-			    "not in any group", pw->pw_name, hostname);
-			return 0;
-		}
-
-		/* Return false if one of user's groups is listed in DenyGroups */
-		if (options.num_deny_groups > 0)
-			if (ga_match(options.deny_groups,
-			    options.num_deny_groups)) {
-				ga_free();
-				logit("User %.100s from %.100s not allowed "
-				    "because a group is listed in DenyGroups",
-				    pw->pw_name, hostname);
-				return 0;
-			}
-		/*
-		 * Return false if AllowGroups isn't empty and one of user's groups
-		 * isn't listed there
-		 */
-		if (options.num_allow_groups > 0)
-			if (!ga_match(options.allow_groups,
-			    options.num_allow_groups)) {
-				ga_free();
-				logit("User %.100s from %.100s not allowed "
-				    "because none of user's groups are listed "
-				    "in AllowGroups", pw->pw_name, hostname);
-				return 0;
-			}
-		ga_free();
-	}
-
-#ifdef CUSTOM_SYS_AUTH_ALLOWED_USER
-	if (!sys_auth_allowed_user(pw, &loginmsg))
-		return 0;
-#endif
-
-	/* We found no reason not to let this user try to log on... */
-	return 1;
-}
-
-void
-auth_info(Authctxt *authctxt, const char *fmt, ...)
-{
-	va_list ap;
-        int i;
-
-	free(authctxt->info);
-	authctxt->info = NULL;
-
-	va_start(ap, fmt);
-	i = vasprintf(&authctxt->info, fmt, ap);
-	va_end(ap);
-
-	if (i < 0 || authctxt->info == NULL)
-		fatal("vasprintf failed");
-}
-
-void
-auth_log(Authctxt *authctxt, int authenticated, int partial,
-    const char *method, const char *submethod)
-{
-	void (*authlog) (const char *fmt,...) = verbose;
-	char *authmsg;
-
-	if (use_privsep && !mm_is_monitor() && !authctxt->postponed)
-		return;
-
-	/* Raise logging level */
-	if (authenticated == 1 ||
-	    !authctxt->valid ||
-	    authctxt->failures >= options.max_authtries / 2 ||
-	    strcmp(method, "password") == 0)
-		authlog = logit;
-
-	if (authctxt->postponed)
-		authmsg = "Postponed";
-	else if (partial)
-		authmsg = "Partial";
-	else
-		authmsg = authenticated ? "Accepted" : "Failed";
-
-	authlog("%s %s%s%s for %s%.100s from %.200s port %d %s%s%s",
-	    authmsg,
-	    method,
-	    submethod != NULL ? "/" : "", submethod == NULL ? "" : submethod,
-	    authctxt->valid ? "" : "invalid user ",
-	    authctxt->user,
-	    get_remote_ipaddr(),
-	    get_remote_port(),
-	    compat20 ? "ssh2" : "ssh1",
-	    authctxt->info != NULL ? ": " : "",
-	    authctxt->info != NULL ? authctxt->info : "");
-	free(authctxt->info);
-	authctxt->info = NULL;
-
-#ifdef CUSTOM_FAILED_LOGIN
-	if (authenticated == 0 && !authctxt->postponed &&
-	    (strcmp(method, "password") == 0 ||
-	    strncmp(method, "keyboard-interactive", 20) == 0 ||
-	    strcmp(method, "challenge-response") == 0))
-		record_failed_login(authctxt->user,
-		    get_canonical_hostname(options.use_dns), "ssh");
-# ifdef WITH_AIXAUTHENTICATE
-	if (authenticated)
-		sys_auth_record_login(authctxt->user,
-		    get_canonical_hostname(options.use_dns), "ssh", &loginmsg);
-# endif
-#endif
-#ifdef SSH_AUDIT_EVENTS
-	if (authenticated == 0 && !authctxt->postponed)
-		audit_event(audit_classify_auth(method));
-#endif
-}
-
-
-void
-auth_maxtries_exceeded(Authctxt *authctxt)
-{
-	error("maximum authentication attempts exceeded for "
-	    "%s%.100s from %.200s port %d %s",
-	    authctxt->valid ? "" : "invalid user ",
-	    authctxt->user,
-	    get_remote_ipaddr(),
-	    get_remote_port(),
-	    compat20 ? "ssh2" : "ssh1");
-	packet_disconnect("Too many authentication failures");
-	/* NOTREACHED */
-}
-
-/*
- * Check whether root logins are disallowed.
- */
-int
-auth_root_allowed(const char *method)
-{
-	switch (options.permit_root_login) {
-	case PERMIT_YES:
-		return 1;
-	case PERMIT_NO_PASSWD:
-		if (strcmp(method, "publickey") == 0 ||
-		    strcmp(method, "hostbased") == 0 ||
-		    strcmp(method, "gssapi-with-mic") == 0)
-			return 1;
-		break;
-	case PERMIT_FORCED_ONLY:
-		if (forced_command) {
-			logit("Root login accepted for forced command.");
-			return 1;
-		}
-		break;
-	}
-	logit("ROOT LOGIN REFUSED FROM %.200s", get_remote_ipaddr());
-	return 0;
-}
-
-
-/*
- * Given a template and a passwd structure, build a filename
- * by substituting % tokenised options. Currently, %% becomes '%',
- * %h becomes the home directory and %u the username.
- *
- * This returns a buffer allocated by xmalloc.
- */
- 
-/*
- * Win32 implementation uses UTF16 names.
- */
- 
-#ifdef WIN32_FIXME
-
-wchar_t *expand_authorized_keys(const wchar_t *filename, struct passwd *pw)
-{
-  wchar_t *file_w, ret[MAXPATHLEN], pw_name_w[MAXPATHLEN], filename_w[MAXPATHLEN];
-
-  int i;
-  
-  wchar_t *slash;
-  
-  i = MultiByteToWideChar(CP_UTF8, 0, filename, -1, filename_w, MAXPATHLEN);
-  
-  if (i == 0)
-  {
-    fatal("expand_authorized_keys: unable to convert path to UTF-16");
-  }  
-  
-  MultiByteToWideChar(CP_UTF8, 0, pw -> pw_name, -1, pw_name_w, MAXPATHLEN);
-  
-  if (i == 0)
-  {
-    fatal("expand_authorized_keys: unable to convert path to UTF-16");
-  }
-  
-  file_w = percent_expand_w(filename_w, L"h", pw -> pw_dir,
-                                L"u", pw_name_w, (char *) NULL);
-  
-  /*
-   * Replace '/'  with '\'
-   */
-
-  slash = file_w; 
-  
-  while ((slash = wcschr(slash, L'/')))
-  {
-    *slash = L'\\';
-  }
-  
-  /*
-   * Absolute path given.
-   */
-   
-  if (wcschr(file_w, ':'))
-  {
-    i = _snwprintf(ret, sizeof(ret), L"%ls", file_w);
-  }
-   
-  /*
-   * Relative path given. Expand to user homedir.
-   */
-   
-  else
-  {
-    i = _snwprintf(ret, sizeof(ret), L"%ls\\%ls", pw->pw_dir, file_w);
-  }  
-  
-  if (i < 0 || (size_t) i >= sizeof(ret))
-  {  
-    fatal("expand_authorized_keys: path too long");
-  }  
-
-  free(file_w);
-  
-  return (_wcsdup(ret));
-}
-
-#else /* WIN32_FIXME */
-
-char *
-expand_authorized_keys(const char *filename, struct passwd *pw)
-{
-	char *file, ret[PATH_MAX];
-	int i;
-
-	file = percent_expand(filename, "h", pw->pw_dir,
-	    "u", pw->pw_name, (char *)NULL);
-
-	/*
-	 * Ensure that filename starts anchored. If not, be backward
-	 * compatible and prepend the '%h/'
-	 */
-	if (*file == '/')
-		return (file);
-
-	i = snprintf(ret, sizeof(ret), "%s/%s", pw->pw_dir, file);
-	if (i < 0 || (size_t)i >= sizeof(ret))
-		fatal("expand_authorized_keys: path too long");
-	free(file);
-	return (xstrdup(ret));
-}
-#endif /* WIN32_FIXME */
-
-char *
-authorized_principals_file(struct passwd *pw)
-{
-	if (options.authorized_principals_file == NULL)
-		return NULL;
-	return expand_authorized_keys(options.authorized_principals_file, pw);
-}
-
-/* return ok if key exists in sysfile or userfile */
-HostStatus
-check_key_in_hostfiles(struct passwd *pw, Key *key, const char *host,
-    const char *sysfile, const char *userfile)
-{
-	char *user_hostfile;
-	struct stat st;
-	HostStatus host_status;
-	struct hostkeys *hostkeys;
-	const struct hostkey_entry *found;
-
-	hostkeys = init_hostkeys();
-	load_hostkeys(hostkeys, host, sysfile);
-	if (userfile != NULL) {
-		user_hostfile = tilde_expand_filename(userfile, pw->pw_uid);
-		if (options.strict_modes &&
-		    (stat(user_hostfile, &st) == 0) &&
-		    ((st.st_uid != 0 && st.st_uid != pw->pw_uid) ||
-		    (st.st_mode & 022) != 0)) {
-			logit("Authentication refused for %.100s: "
-			    "bad owner or modes for %.200s",
-			    pw->pw_name, user_hostfile);
-			auth_debug_add("Ignored %.200s: bad ownership or modes",
-			    user_hostfile);
-		} else {
-			temporarily_use_uid(pw);
-			load_hostkeys(hostkeys, host, user_hostfile);
-			restore_uid();
-		}
-		free(user_hostfile);
-	}
-	host_status = check_key_in_hostkeys(hostkeys, key, &found);
-	if (host_status == HOST_REVOKED)
-		error("WARNING: revoked key for %s attempted authentication",
-		    found->host);
-	else if (host_status == HOST_OK)
-		debug("%s: key for %s found at %s:%ld", __func__,
-		    found->host, found->file, found->line);
-	else
-		debug("%s: key for host %s not found", __func__, host);
-
-	free_hostkeys(hostkeys);
-
-	return host_status;
-}
-
-/*
- * Check a given path for security. This is defined as all components
- * of the path to the file must be owned by either the owner of
- * of the file or root and no directories must be group or world writable.
- *
- * XXX Should any specific check be done for sym links ?
- *
- * Takes a file name, its stat information (preferably from fstat() to
- * avoid races), the uid of the expected owner, their home directory and an
- * error buffer plus max size as arguments.
- *
- * Returns 0 on success and -1 on failure
- */
-int
-auth_secure_path(const char *name, struct stat *stp, const char *pw_dir,
-    uid_t uid, char *err, size_t errlen)
-{
-#ifndef WIN32_FIXME
-	char buf[PATH_MAX], homedir[PATH_MAX];
-	char *cp;
-	int comparehome = 0;
-	struct stat st;
-
-	if (realpath(name, buf) == NULL) {
-		snprintf(err, errlen, "realpath %s failed: %s", name,
-		    strerror(errno));
-		return -1;
-	}
-	if (pw_dir != NULL && realpath(pw_dir, homedir) != NULL)
-		comparehome = 1;
-
-	if (!S_ISREG(stp->st_mode)) {
-		snprintf(err, errlen, "%s is not a regular file", buf);
-		return -1;
-	}
-	if ((!platform_sys_dir_uid(stp->st_uid) && stp->st_uid != uid) ||
-	    (stp->st_mode & 022) != 0) {
-		snprintf(err, errlen, "bad ownership or modes for file %s",
-		    buf);
-		return -1;
-	}
-
-	/* for each component of the canonical path, walking upwards */
-	for (;;) {
-		if ((cp = dirname(buf)) == NULL) {
-			snprintf(err, errlen, "dirname() failed");
-			return -1;
-		}
-		strlcpy(buf, cp, sizeof(buf));
-
-		if (stat(buf, &st) < 0 ||
-		    (!platform_sys_dir_uid(st.st_uid) && st.st_uid != uid) ||
-		    (st.st_mode & 022) != 0) {
-			snprintf(err, errlen,
-			    "bad ownership or modes for directory %s", buf);
-			return -1;
-		}
-
-		/* If are past the homedir then we can stop */
-		if (comparehome && strcmp(homedir, buf) == 0)
-			break;
-
-		/*
-		 * dirname should always complete with a "/" path,
-		 * but we can be paranoid and check for "." too
-		 */
-		if ((strcmp("/", buf) == 0) || (strcmp(".", buf) == 0))
-			break;
-	}
-	return 0;
-#else
-  return 0;
-#endif 
-}
-
-/*
- * Version of secure_path() that accepts an open file descriptor to
- * avoid races.
- *
- * Returns 0 on success and -1 on failure
- */
-static int
-secure_filename(FILE *f, const char *file, struct passwd *pw,
-    char *err, size_t errlen)
-{
-#ifndef WIN32_FIXME
-	struct stat st;
-
-	/* check the open file to avoid races */
-	if (fstat(fileno(f), &st) < 0) {
-		snprintf(err, errlen, "cannot stat file %s: %s",
-		    file, strerror(errno));
-		return -1;
-	}
-	return auth_secure_path(file, &st, pw->pw_dir, pw->pw_uid, err, errlen);
-#else
-  return 0;
-#endif 
-}
-
-static FILE *
-auth_openfile(const char *file, struct passwd *pw, int strict_modes,
-    int log_missing, char *file_type)
-{
-	char line[1024];
-	struct stat st;
-	int fd;
-	FILE *f;
-	
-#ifdef WIN32_FIXME
-    if ((fd = WSHELPwopen(file, O_RDONLY|O_NONBLOCK)) == -1) {
-#else
-	if ((fd = open(file, O_RDONLY|O_NONBLOCK)) == -1) {
-#endif
-		if (log_missing || errno != ENOENT)
-			debug("Could not open %s '%s': %s", file_type, file,
-			   strerror(errno));
-		return NULL;
-	}
-
-	if (fstat(fd, &st) < 0) {
-		close(fd);
-		return NULL;
-	}
-	if (!S_ISREG(st.st_mode)) {
-		logit("User %s %s %s is not a regular file",
-		    pw->pw_name, file_type, file);
-		close(fd);
-		return NULL;
-	}
-#ifndef WIN32_FIXME
-	unset_nonblock(fd);
-#endif
-	if ((f = fdopen(fd, "r")) == NULL) {
-		close(fd);
-		return NULL;
-	}
-	if (strict_modes &&
-	    secure_filename(f, file, pw, line, sizeof(line)) != 0) {
-		fclose(f);
-		logit("Authentication refused: %s", line);
-		auth_debug_add("Ignored %s: %s", file_type, line);
-		return NULL;
-	}
-
-	return f;
-}
-
-
-FILE *
-auth_openkeyfile(const char *file, struct passwd *pw, int strict_modes)
-{
-	return auth_openfile(file, pw, strict_modes, 1, "authorized keys");
-}
-
-FILE *
-auth_openprincipals(const char *file, struct passwd *pw, int strict_modes)
-{
-	return auth_openfile(file, pw, strict_modes, 0,
-	    "authorized principals");
-}
-
-struct passwd *
-getpwnamallow(const char *user)
-{
-#ifdef HAVE_LOGIN_CAP
-	extern login_cap_t *lc;
-#ifdef BSD_AUTH
-	auth_session_t *as;
-#endif
-#endif
-	struct passwd *pw;
-	struct connection_info *ci = get_connection_info(1, options.use_dns);
-
-	ci->user = user;
-	parse_server_match_config(&options, ci);
-
-#if defined(_AIX) && defined(HAVE_SETAUTHDB)
-	aix_setauthdb(user);
-#endif
-
-	pw = getpwnam(user);
-
-#if defined(_AIX) && defined(HAVE_SETAUTHDB)
-	aix_restoreauthdb();
-#endif
-#ifdef HAVE_CYGWIN
-	/*
-	 * Windows usernames are case-insensitive.  To avoid later problems
-	 * when trying to match the username, the user is only allowed to
-	 * login if the username is given in the same case as stored in the
-	 * user database.
-	 */
-	if (pw != NULL && strcmp(user, pw->pw_name) != 0) {
-		logit("Login name %.100s does not match stored username %.100s",
-		    user, pw->pw_name);
-		pw = NULL;
-	}
-#endif
-	if (pw == NULL) {
-		logit("Invalid user %.100s from %.100s",
-		    user, get_remote_ipaddr());
-#ifdef CUSTOM_FAILED_LOGIN
-		record_failed_login(user,
-		    get_canonical_hostname(options.use_dns), "ssh");
-#endif
-#ifdef SSH_AUDIT_EVENTS
-		audit_event(SSH_INVALID_USER);
-#endif /* SSH_AUDIT_EVENTS */
-		return (NULL);
-	}
-	if (!allowed_user(pw))
-		return (NULL);
-#ifdef HAVE_LOGIN_CAP
-	if ((lc = login_getclass(pw->pw_class)) == NULL) {
-		debug("unable to get login class: %s", user);
-		return (NULL);
-	}
-#ifdef BSD_AUTH
-	if ((as = auth_open()) == NULL || auth_setpwd(as, pw) != 0 ||
-	    auth_approval(as, lc, pw->pw_name, "ssh") <= 0) {
-		debug("Approval failure for %s", user);
-		pw = NULL;
-	}
-	if (as != NULL)
-		auth_close(as);
-#endif
-#endif
-	if (pw != NULL)
-		return (pwcopy(pw));
-	return (NULL);
-}
-
-/* Returns 1 if key is revoked by revoked_keys_file, 0 otherwise */
-int
-auth_key_is_revoked(Key *key)
-{
-	char *fp = NULL;
-	int r;
-
-	if (options.revoked_keys_file == NULL)
-		return 0;
-	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
-	    SSH_FP_DEFAULT)) == NULL) {
-		r = SSH_ERR_ALLOC_FAIL;
-		error("%s: fingerprint key: %s", __func__, ssh_err(r));
-		goto out;
-	}
-
-	r = sshkey_check_revoked(key, options.revoked_keys_file);
-	switch (r) {
-	case 0:
-		break; /* not revoked */
-	case SSH_ERR_KEY_REVOKED:
-		error("Authentication key %s %s revoked by file %s",
-		    sshkey_type(key), fp, options.revoked_keys_file);
-		goto out;
-	default:
-		error("Error checking authentication key %s %s in "
-		    "revoked keys file %s: %s", sshkey_type(key), fp,
-		    options.revoked_keys_file, ssh_err(r));
-		goto out;
-	}
-
-	/* Success */
-	r = 0;
-
- out:
-	free(fp);
-	return r == 0 ? 0 : 1;
-}
-
-void
-auth_debug_add(const char *fmt,...)
-{
-	char buf[1024];
-	va_list args;
-
-	if (!auth_debug_init)
-		return;
-
-	va_start(args, fmt);
-	vsnprintf(buf, sizeof(buf), fmt, args);
-	va_end(args);
-	buffer_put_cstring(&auth_debug, buf);
-}
-
-void
-auth_debug_send(void)
-{
-	char *msg;
-
-	if (!auth_debug_init)
-		return;
-	while (buffer_len(&auth_debug)) {
-		msg = buffer_get_string(&auth_debug, NULL);
-		packet_send_debug("%s", msg);
-		free(msg);
-	}
-}
-
-void
-auth_debug_reset(void)
-{
-	if (auth_debug_init)
-		buffer_clear(&auth_debug);
-	else {
-		buffer_init(&auth_debug);
-		auth_debug_init = 1;
-	}
-}
-
-struct passwd *
-fakepw(void)
-{
-	static struct passwd fake;
-
-	memset(&fake, 0, sizeof(fake));
-	fake.pw_name = "NOUSER";
-	fake.pw_passwd =
-	    "$2a$06$r3.juUaHZDlIbQaO2dS9FuYxL1W9M81R1Tc92PoSNmzvpEqLkLGrK";
-#ifdef HAVE_STRUCT_PASSWD_PW_GECOS
-	fake.pw_gecos = "NOUSER";
-#endif
-	fake.pw_uid = privsep_pw == NULL ? (uid_t)-1 : privsep_pw->pw_uid;
-	fake.pw_gid = privsep_pw == NULL ? (gid_t)-1 : privsep_pw->pw_gid;
-#ifdef HAVE_STRUCT_PASSWD_PW_CLASS
-	fake.pw_class = "";
-#endif
-	fake.pw_dir = "/nonexist";
-	fake.pw_shell = "/nonexist";
-
-	return (&fake);
-}
--- a/auth.h
+++ b/auth.h
@ -1,246 +0,0 @@
-/* $OpenBSD: auth.h,v 1.84 2015/05/08 06:41:56 djm Exp $ */
-
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- *
- */
-
-#ifndef AUTH_H
-#define AUTH_H
-
-#include <signal.h>
-
-#include <openssl/rsa.h>
-
-#ifdef HAVE_LOGIN_CAP
-#include <login_cap.h>
-#endif
-#ifdef BSD_AUTH
-#include <bsd_auth.h>
-#endif
-#ifdef KRB5
-#include <krb5.h>
-#endif
-
-#ifdef WIN32_FIXME
-
-  #include <windows.h>
-
-#endif
-
-struct ssh;
-struct sshkey;
-
-typedef struct Authctxt Authctxt;
-typedef struct Authmethod Authmethod;
-typedef struct KbdintDevice KbdintDevice;
-
-struct Authctxt {
-	sig_atomic_t	 success;
-	int		 authenticated;	/* authenticated and alarms cancelled */
-	int		 postponed;	/* authentication needs another step */
-	int		 valid;		/* user exists and is allowed to login */
-	int		 attempt;
-	int		 failures;
-	int		 server_caused_failure;
-	int		 force_pwchange;
-	char		*user;		/* username sent by the client */
-	char		*service;
-	struct passwd	*pw;		/* set if 'valid' */
-	char		*style;
-	void		*kbdintctxt;
-	char		*info;		/* Extra info for next auth_log */
-#ifdef BSD_AUTH
-	auth_session_t	*as;
-#endif
-	char		**auth_methods;	/* modified from server config */
-	u_int		 num_auth_methods;
-#ifdef KRB5
-	krb5_context	 krb5_ctx;
-	krb5_ccache	 krb5_fwd_ccache;
-	krb5_principal	 krb5_user;
-	char		*krb5_ticket_file;
-	char		*krb5_ccname;
-#endif
-	Buffer		*loginmsg;
-	void		*methoddata;
-
-	struct sshkey	**prev_userkeys;
-	u_int		 nprev_userkeys;
-  #ifdef WIN32_FIXME
-
-    HANDLE hTokenLsa_;
-    HANDLE currentToken_;
-
-  #endif
-};
-/*
- * Every authentication method has to handle authentication requests for
- * non-existing users, or for users that are not allowed to login. In this
- * case 'valid' is set to 0, but 'user' points to the username requested by
- * the client.
- */
-
-struct Authmethod {
-	char	*name;
-	int	(*userauth)(Authctxt *authctxt);
-	int	*enabled;
-};
-
-/*
- * Keyboard interactive device:
- * init_ctx	returns: non NULL upon success
- * query	returns: 0 - success, otherwise failure
- * respond	returns: 0 - success, 1 - need further interaction,
- *		otherwise - failure
- */
-struct KbdintDevice
-{
-	const char *name;
-	void*	(*init_ctx)(Authctxt*);
-	int	(*query)(void *ctx, char **name, char **infotxt,
-		    u_int *numprompts, char ***prompts, u_int **echo_on);
-	int	(*respond)(void *ctx, u_int numresp, char **responses);
-	void	(*free_ctx)(void *ctx);
-};
-
-int      auth_rhosts(struct passwd *, const char *);
-int
-auth_rhosts2(struct passwd *, const char *, const char *, const char *);
-
-int	 auth_rhosts_rsa(Authctxt *, char *, Key *);
-int      auth_password(Authctxt *, const char *);
-int      auth_rsa(Authctxt *, BIGNUM *);
-int      auth_rsa_challenge_dialog(Key *);
-BIGNUM	*auth_rsa_generate_challenge(Key *);
-int	 auth_rsa_verify_response(Key *, BIGNUM *, u_char[]);
-int	 auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
-
-int	 auth_rhosts_rsa_key_allowed(struct passwd *, char *, char *, Key *);
-int	 hostbased_key_allowed(struct passwd *, const char *, char *, Key *);
-int	 user_key_allowed(struct passwd *, Key *, int);
-void	 pubkey_auth_info(Authctxt *, const Key *, const char *, ...)
-	    __attribute__((__format__ (printf, 3, 4)));
-void	 auth2_record_userkey(Authctxt *, struct sshkey *);
-int	 auth2_userkey_already_used(Authctxt *, struct sshkey *);
-
-struct stat;
-int	 auth_secure_path(const char *, struct stat *, const char *, uid_t,
-    char *, size_t);
-
-#ifdef KRB5
-int	auth_krb5(Authctxt *authctxt, krb5_data *auth, char **client, krb5_data *);
-int	auth_krb5_tgt(Authctxt *authctxt, krb5_data *tgt);
-int	auth_krb5_password(Authctxt *authctxt, const char *password);
-void	krb5_cleanup_proc(Authctxt *authctxt);
-#endif /* KRB5 */
-
-#if defined(USE_SHADOW) && defined(HAS_SHADOW_EXPIRE)
-#include <shadow.h>
-int auth_shadow_acctexpired(struct spwd *);
-int auth_shadow_pwexpired(Authctxt *);
-#endif
-
-#include "auth-pam.h"
-#include "audit.h"
-void remove_kbdint_device(const char *);
-
-void disable_forwarding(void);
-
-void	do_authentication(Authctxt *);
-void	do_authentication2(Authctxt *);
-
-void	auth_info(Authctxt *authctxt, const char *, ...)
-	    __attribute__((__format__ (printf, 2, 3)))
-	    __attribute__((__nonnull__ (2)));
-void	auth_log(Authctxt *, int, int, const char *, const char *);
-void	auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
-void	userauth_finish(Authctxt *, int, const char *, const char *);
-int	auth_root_allowed(const char *);
-
-void	userauth_send_banner(const char *);
-
-char	*auth2_read_banner(void);
-int	 auth2_methods_valid(const char *, int);
-int	 auth2_update_methods_lists(Authctxt *, const char *, const char *);
-int	 auth2_setup_methods_lists(Authctxt *);
-int	 auth2_method_allowed(Authctxt *, const char *, const char *);
-
-void	privsep_challenge_enable(void);
-
-int	auth2_challenge(Authctxt *, char *);
-void	auth2_challenge_stop(Authctxt *);
-int	bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
-int	bsdauth_respond(void *, u_int, char **);
-int	skey_query(void *, char **, char **, u_int *, char ***, u_int **);
-int	skey_respond(void *, u_int, char **);
-
-int	allowed_user(struct passwd *);
-struct passwd * getpwnamallow(const char *user);
-
-char	*get_challenge(Authctxt *);
-int	verify_response(Authctxt *, const char *);
-void	abandon_challenge_response(Authctxt *);
-
-#ifndef WIN32_FIXME
-char	*expand_authorized_keys(const char *, struct passwd *pw);
-#else
-wchar_t *expand_authorized_keys(const wchar_t *filename, struct passwd *pw);
-#endif
-
-char	*authorized_principals_file(struct passwd *);
-
-FILE	*auth_openkeyfile(const char *, struct passwd *, int);
-FILE	*auth_openprincipals(const char *, struct passwd *, int);
-int	 auth_key_is_revoked(Key *);
-
-HostStatus
-check_key_in_hostfiles(struct passwd *, Key *, const char *,
-    const char *, const char *);
-
-/* hostkey handling */
-Key	*get_hostkey_by_index(int);
-Key	*get_hostkey_public_by_index(int, struct ssh *);
-Key	*get_hostkey_public_by_type(int, int, struct ssh *);
-Key	*get_hostkey_private_by_type(int, int, struct ssh *);
-int	 get_hostkey_index(Key *, int, struct ssh *);
-int	 ssh1_session_key(BIGNUM *);
-int	 sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
-	     const u_char *, size_t, u_int);
-
-/* debug messages during authentication */
-void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));
-void	 auth_debug_send(void);
-void	 auth_debug_reset(void);
-
-struct passwd *fakepw(void);
-
-int	 sys_auth_passwd(Authctxt *, const char *);
-
-#define SKEY_PROMPT "\nS/Key Password: "
-
-#if defined(KRB5) && !defined(HEIMDAL)
-#include <krb5.h>
-krb5_error_code ssh_krb5_cc_gen(krb5_context, krb5_ccache *);
-#endif
-#endif
--- a/auth1.c
+++ b/auth1.c
@ -1,454 +0,0 @@
-/* $OpenBSD: auth1.c,v 1.82 2014/07/15 15:54:14 millert Exp $ */
-/*
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-
-#ifdef WITH_SSH1
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-#include <unistd.h>
-#include <pwd.h>
-
-#include "openbsd-compat/sys-queue.h"
-#include "xmalloc.h"
-#include "rsa.h"
-#include "ssh1.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "channels.h"
-#include "session.h"
-#include "uidswap.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "buffer.h"
-
-/* import */
-extern ServerOptions options;
-extern Buffer loginmsg;
-
-static int auth1_process_password(Authctxt *);
-static int auth1_process_rsa(Authctxt *);
-static int auth1_process_rhosts_rsa(Authctxt *);
-static int auth1_process_tis_challenge(Authctxt *);
-static int auth1_process_tis_response(Authctxt *);
-
-static char *client_user = NULL;    /* Used to fill in remote user for PAM */
-
-struct AuthMethod1 {
-	int type;
-	char *name;
-	int *enabled;
-	int (*method)(Authctxt *);
-};
-
-const struct AuthMethod1 auth1_methods[] = {
-	{
-		SSH_CMSG_AUTH_PASSWORD, "password",
-		&options.password_authentication, auth1_process_password
-	},
-	{
-		SSH_CMSG_AUTH_RSA, "rsa",
-		&options.rsa_authentication, auth1_process_rsa
-	},
-	{
-		SSH_CMSG_AUTH_RHOSTS_RSA, "rhosts-rsa",
-		&options.rhosts_rsa_authentication, auth1_process_rhosts_rsa
-	},
-	{
-		SSH_CMSG_AUTH_TIS, "challenge-response",
-		&options.challenge_response_authentication,
-		auth1_process_tis_challenge
-	},
-	{
-		SSH_CMSG_AUTH_TIS_RESPONSE, "challenge-response",
-		&options.challenge_response_authentication,
-		auth1_process_tis_response
-	},
-	{ -1, NULL, NULL, NULL}
-};
-
-static const struct AuthMethod1
-*lookup_authmethod1(int type)
-{
-	int i;
-
-	for (i = 0; auth1_methods[i].name != NULL; i++)
-		if (auth1_methods[i].type == type)
-			return (&(auth1_methods[i]));
-
-	return (NULL);
-}
-
-static char *
-get_authname(int type)
-{
-	const struct AuthMethod1 *a;
-	static char buf[64];
-
-	if ((a = lookup_authmethod1(type)) != NULL)
-		return (a->name);
-	snprintf(buf, sizeof(buf), "bad-auth-msg-%d", type);
-	return (buf);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_password(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	char *password;
-	u_int dlen;
-
-	/*
-	 * Read user password.  It is in plain text, but was
-	 * transmitted over the encrypted channel so it is
-	 * not visible to an outside observer.
-	 */
-	password = packet_get_string(&dlen);
-	packet_check_eom();
-
-	/* Try authentication with the password. */
-	authenticated = PRIVSEP(auth_password(authctxt, password));
-
-	explicit_bzero(password, dlen);
-	free(password);
-
-	return (authenticated);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_rsa(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	BIGNUM *n;
-
-	/* RSA authentication requested. */
-	if ((n = BN_new()) == NULL)
-		fatal("do_authloop: BN_new failed");
-	packet_get_bignum(n);
-	packet_check_eom();
-	authenticated = auth_rsa(authctxt, n);
-	BN_clear_free(n);
-
-	return (authenticated);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_rhosts_rsa(Authctxt *authctxt)
-{
-	int keybits, authenticated = 0;
-	u_int bits;
-	Key *client_host_key;
-	u_int ulen;
-
-	/*
-	 * Get client user name.  Note that we just have to
-	 * trust the client; root on the client machine can
-	 * claim to be any user.
-	 */
-	client_user = packet_get_cstring(&ulen);
-
-	/* Get the client host key. */
-	client_host_key = key_new(KEY_RSA1);
-	bits = packet_get_int();
-	packet_get_bignum(client_host_key->rsa->e);
-	packet_get_bignum(client_host_key->rsa->n);
-
-	keybits = BN_num_bits(client_host_key->rsa->n);
-	if (keybits < 0 || bits != (u_int)keybits) {
-		verbose("Warning: keysize mismatch for client_host_key: "
-		    "actual %d, announced %d",
-		    BN_num_bits(client_host_key->rsa->n), bits);
-	}
-	packet_check_eom();
-
-	authenticated = auth_rhosts_rsa(authctxt, client_user,
-	    client_host_key);
-	key_free(client_host_key);
-
-	auth_info(authctxt, "ruser %.100s", client_user);
-
-	return (authenticated);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_tis_challenge(Authctxt *authctxt)
-{
-	char *challenge;
-
-	if ((challenge = get_challenge(authctxt)) == NULL)
-		return (0);
-
-	debug("sending challenge '%s'", challenge);
-	packet_start(SSH_SMSG_AUTH_TIS_CHALLENGE);
-	packet_put_cstring(challenge);
-	free(challenge);
-	packet_send();
-	packet_write_wait();
-
-	return (-1);
-}
-
-/*ARGSUSED*/
-static int
-auth1_process_tis_response(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	char *response;
-	u_int dlen;
-
-	response = packet_get_string(&dlen);
-	packet_check_eom();
-	authenticated = verify_response(authctxt, response);
-	explicit_bzero(response, dlen);
-	free(response);
-
-	return (authenticated);
-}
-
-/*
- * read packets, try to authenticate the user and
- * return only if authentication is successful
- */
-static void
-do_authloop(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	int prev = 0, type = 0;
-	const struct AuthMethod1 *meth;
-
-	debug("Attempting authentication for %s%.100s.",
-	    authctxt->valid ? "" : "invalid user ", authctxt->user);
-
-	/* If the user has no password, accept authentication immediately. */
-	if (options.permit_empty_passwd && options.password_authentication &&
-#ifdef KRB5
-	    (!options.kerberos_authentication || options.kerberos_or_local_passwd) &&
-#endif
-	    PRIVSEP(auth_password(authctxt, ""))) {
-#ifdef USE_PAM
-		if (options.use_pam && (PRIVSEP(do_pam_account())))
-#endif
-		{
-			auth_log(authctxt, 1, 0, "without authentication",
-			    NULL);
-			return;
-		}
-	}
-
-	/* Indicate that authentication is needed. */
-	packet_start(SSH_SMSG_FAILURE);
-	packet_send();
-	packet_write_wait();
-
-	for (;;) {
-		/* default to fail */
-		authenticated = 0;
-
-
-		/* Get a packet from the client. */
-		prev = type;
-		type = packet_read();
-
-		/*
-		 * If we started challenge-response authentication but the
-		 * next packet is not a response to our challenge, release
-		 * the resources allocated by get_challenge() (which would
-		 * normally have been released by verify_response() had we
-		 * received such a response)
-		 */
-		if (prev == SSH_CMSG_AUTH_TIS &&
-		    type != SSH_CMSG_AUTH_TIS_RESPONSE)
-			abandon_challenge_response(authctxt);
-
-		if (authctxt->failures >= options.max_authtries)
-			goto skip;
-		if ((meth = lookup_authmethod1(type)) == NULL) {
-			logit("Unknown message during authentication: "
-			    "type %d", type);
-			goto skip;
-		}
-
-		if (!*(meth->enabled)) {
-			verbose("%s authentication disabled.", meth->name);
-			goto skip;
-		}
-
-		authenticated = meth->method(authctxt);
-		if (authenticated == -1)
-			continue; /* "postponed" */
-
-#ifdef BSD_AUTH
-		if (authctxt->as) {
-			auth_close(authctxt->as);
-			authctxt->as = NULL;
-		}
-#endif
-		if (!authctxt->valid && authenticated)
-			fatal("INTERNAL ERROR: authenticated invalid user %s",
-			    authctxt->user);
-
-#ifdef _UNICOS
-		if (authenticated && cray_access_denied(authctxt->user)) {
-			authenticated = 0;
-			fatal("Access denied for user %s.",authctxt->user);
-		}
-#endif /* _UNICOS */
-
-#ifndef HAVE_CYGWIN
-		/* Special handling for root */
-		if (authenticated && authctxt->pw->pw_uid == 0 &&
-		    !auth_root_allowed(meth->name)) {
- 			authenticated = 0;
-# ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
-# endif
-		}
-#endif
-
-#ifdef USE_PAM
-		if (options.use_pam && authenticated &&
-		    !PRIVSEP(do_pam_account())) {
-			char *msg;
-			size_t len;
-
-			error("Access denied for user %s by PAM account "
-			    "configuration", authctxt->user);
-			len = buffer_len(&loginmsg);
-			buffer_append(&loginmsg, "\0", 1);
-			msg = buffer_ptr(&loginmsg);
-			/* strip trailing newlines */
-			if (len > 0)
-				while (len > 0 && msg[--len] == '\n')
-					msg[len] = '\0';
-			else
-				msg = "Access denied.";
-			packet_disconnect("%s", msg);
-		}
-#endif
-
- skip:
-		/* Log before sending the reply */
-		auth_log(authctxt, authenticated, 0, get_authname(type), NULL);
-
-		free(client_user);
-		client_user = NULL;
-
-		if (authenticated)
-			return;
-
-		if (++authctxt->failures >= options.max_authtries) {
-#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
-#endif
-			auth_maxtries_exceeded(authctxt);
-		}
-
-		packet_start(SSH_SMSG_FAILURE);
-		packet_send();
-		packet_write_wait();
-	}
-}
-
-/*
- * Performs authentication of an incoming connection.  Session key has already
- * been exchanged and encryption is enabled.
- */
-void
-do_authentication(Authctxt *authctxt)
-{
-	u_int ulen;
-	char *user, *style = NULL;
-
-	/* Get the name of the user that we wish to log in as. */
-	packet_read_expect(SSH_CMSG_USER);
-
-	/* Get the user name. */
-	user = packet_get_cstring(&ulen);
-	packet_check_eom();
-
-	if ((style = strchr(user, ':')) != NULL)
-		*style++ = '\0';
-
-	authctxt->user = user;
-	authctxt->style = style;
-
-	/* Verify that the user is a valid user. */
-	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-		authctxt->valid = 1;
-	else {
-		debug("do_authentication: invalid user %s", user);
-		authctxt->pw = fakepw();
-	}
-
-	/* Configuration may have changed as a result of Match */
-	if (options.num_auth_methods != 0)
-		fatal("AuthenticationMethods is not supported with SSH "
-		    "protocol 1");
-
-	setproctitle("%s%s", authctxt->valid ? user : "unknown",
-	    use_privsep ? " [net]" : "");
-
-#ifdef USE_PAM
-	if (options.use_pam)
-		PRIVSEP(start_pam(authctxt));
-#endif
-
-	/*
-	 * If we are not running as root, the user must have the same uid as
-	 * the server.
-	 */
-#ifndef HAVE_CYGWIN
-	if (!use_privsep && getuid() != 0 && authctxt->pw &&
-	    authctxt->pw->pw_uid != getuid())
-		packet_disconnect("Cannot change user when server not running as root.");
-#endif
-
-	/*
-	 * Loop until the user has been authenticated or the connection is
-	 * closed, do_authloop() returns only if authentication is successful
-	 */
-	do_authloop(authctxt);
-
-	/* The user has been authenticated and accepted. */
-	packet_start(SSH_SMSG_SUCCESS);
-	packet_send();
-	packet_write_wait();
-}
-
-#endif /* WITH_SSH1 */
--- a/auth2-chall.c
+++ b/auth2-chall.c
@ -1,381 +0,0 @@
-/* $OpenBSD: auth2-chall.c,v 1.43 2015/07/18 07:57:14 djm Exp $ */
-/*
- * Copyright (c) 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2001 Per Allansson.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <stdio.h>
-#include <string.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int auth2_challenge_start(Authctxt *);
-static int send_userauth_info_request(Authctxt *);
-static int input_userauth_info_response(int, u_int32_t, void *);
-
-#ifdef BSD_AUTH
-extern KbdintDevice bsdauth_device;
-#else
-#ifdef USE_PAM
-extern KbdintDevice sshpam_device;
-#endif
-#ifdef SKEY
-extern KbdintDevice skey_device;
-#endif
-#endif
-
-KbdintDevice *devices[] = {
-#ifdef BSD_AUTH
-	&bsdauth_device,
-#else
-#ifdef USE_PAM
-	&sshpam_device,
-#endif
-#ifdef SKEY
-	&skey_device,
-#endif
-#endif
-	NULL
-};
-
-typedef struct KbdintAuthctxt KbdintAuthctxt;
-struct KbdintAuthctxt
-{
-	char *devices;
-	void *ctxt;
-	KbdintDevice *device;
-	u_int nreq;
-	u_int devices_done;
-};
-
-#ifdef USE_PAM
-void
-remove_kbdint_device(const char *devname)
-{
-	int i, j;
-
-	for (i = 0; devices[i] != NULL; i++)
-		if (strcmp(devices[i]->name, devname) == 0) {
-			for (j = i; devices[j] != NULL; j++)
-				devices[j] = devices[j+1];
-			i--;
-		}
-}
-#endif
-
-static KbdintAuthctxt *
-kbdint_alloc(const char *devs)
-{
-	KbdintAuthctxt *kbdintctxt;
-	Buffer b;
-	int i;
-
-#ifdef USE_PAM
-	if (!options.use_pam)
-		remove_kbdint_device("pam");
-#endif
-
-	kbdintctxt = xcalloc(1, sizeof(KbdintAuthctxt));
-	if (strcmp(devs, "") == 0) {
-		buffer_init(&b);
-		for (i = 0; devices[i]; i++) {
-			if (buffer_len(&b) > 0)
-				buffer_append(&b, ",", 1);
-			buffer_append(&b, devices[i]->name,
-			    strlen(devices[i]->name));
-		}
-		buffer_append(&b, "\0", 1);
-		kbdintctxt->devices = xstrdup(buffer_ptr(&b));
-		buffer_free(&b);
-	} else {
-		kbdintctxt->devices = xstrdup(devs);
-	}
-	debug("kbdint_alloc: devices '%s'", kbdintctxt->devices);
-	kbdintctxt->ctxt = NULL;
-	kbdintctxt->device = NULL;
-	kbdintctxt->nreq = 0;
-
-	return kbdintctxt;
-}
-static void
-kbdint_reset_device(KbdintAuthctxt *kbdintctxt)
-{
-	if (kbdintctxt->ctxt) {
-		kbdintctxt->device->free_ctx(kbdintctxt->ctxt);
-		kbdintctxt->ctxt = NULL;
-	}
-	kbdintctxt->device = NULL;
-}
-static void
-kbdint_free(KbdintAuthctxt *kbdintctxt)
-{
-	if (kbdintctxt->device)
-		kbdint_reset_device(kbdintctxt);
-	free(kbdintctxt->devices);
-	explicit_bzero(kbdintctxt, sizeof(*kbdintctxt));
-	free(kbdintctxt);
-}
-/* get next device */
-static int
-kbdint_next_device(Authctxt *authctxt, KbdintAuthctxt *kbdintctxt)
-{
-	size_t len;
-	char *t;
-	int i;
-
-	if (kbdintctxt->device)
-		kbdint_reset_device(kbdintctxt);
-	do {
-		len = kbdintctxt->devices ?
-		    strcspn(kbdintctxt->devices, ",") : 0;
-
-		if (len == 0)
-			break;
-		for (i = 0; devices[i]; i++) {
-			if ((kbdintctxt->devices_done & (1 << i)) != 0 ||
-			    !auth2_method_allowed(authctxt,
-			    "keyboard-interactive", devices[i]->name))
-				continue;
-			if (strncmp(kbdintctxt->devices, devices[i]->name,
-			    len) == 0) {
-				kbdintctxt->device = devices[i];
-				kbdintctxt->devices_done |= 1 << i;
-			}
-		}
-		t = kbdintctxt->devices;
-		kbdintctxt->devices = t[len] ? xstrdup(t+len+1) : NULL;
-		free(t);
-		debug2("kbdint_next_device: devices %s", kbdintctxt->devices ?
-		    kbdintctxt->devices : "<empty>");
-	} while (kbdintctxt->devices && !kbdintctxt->device);
-
-	return kbdintctxt->device ? 1 : 0;
-}
-
-/*
- * try challenge-response, set authctxt->postponed if we have to
- * wait for the response.
- */
-int
-auth2_challenge(Authctxt *authctxt, char *devs)
-{
-	debug("auth2_challenge: user=%s devs=%s",
-	    authctxt->user ? authctxt->user : "<nouser>",
-	    devs ? devs : "<no devs>");
-
-	if (authctxt->user == NULL || !devs)
-		return 0;
-	if (authctxt->kbdintctxt == NULL)
-		authctxt->kbdintctxt = kbdint_alloc(devs);
-	return auth2_challenge_start(authctxt);
-}
-
-/* unregister kbd-int callbacks and context */
-void
-auth2_challenge_stop(Authctxt *authctxt)
-{
-	/* unregister callback */
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE, NULL);
-	if (authctxt->kbdintctxt != NULL) {
-		kbdint_free(authctxt->kbdintctxt);
-		authctxt->kbdintctxt = NULL;
-	}
-}
-
-/* side effect: sets authctxt->postponed if a reply was sent*/
-static int
-auth2_challenge_start(Authctxt *authctxt)
-{
-	KbdintAuthctxt *kbdintctxt = authctxt->kbdintctxt;
-
-	debug2("auth2_challenge_start: devices %s",
-	    kbdintctxt->devices ?  kbdintctxt->devices : "<empty>");
-
-	if (kbdint_next_device(authctxt, kbdintctxt) == 0) {
-		auth2_challenge_stop(authctxt);
-		return 0;
-	}
-	debug("auth2_challenge_start: trying authentication method '%s'",
-	    kbdintctxt->device->name);
-
-	if ((kbdintctxt->ctxt = kbdintctxt->device->init_ctx(authctxt)) == NULL) {
-		auth2_challenge_stop(authctxt);
-		return 0;
-	}
-	if (send_userauth_info_request(authctxt) == 0) {
-		auth2_challenge_stop(authctxt);
-		return 0;
-	}
-	dispatch_set(SSH2_MSG_USERAUTH_INFO_RESPONSE,
-	    &input_userauth_info_response);
-
-	authctxt->postponed = 1;
-	return 0;
-}
-
-static int
-send_userauth_info_request(Authctxt *authctxt)
-{
-	KbdintAuthctxt *kbdintctxt;
-	char *name, *instr, **prompts;
-	u_int i, *echo_on;
-
-	kbdintctxt = authctxt->kbdintctxt;
-	if (kbdintctxt->device->query(kbdintctxt->ctxt,
-	    &name, &instr, &kbdintctxt->nreq, &prompts, &echo_on))
-		return 0;
-
-	packet_start(SSH2_MSG_USERAUTH_INFO_REQUEST);
-	packet_put_cstring(name);
-	packet_put_cstring(instr);
-	packet_put_cstring("");		/* language not used */
-	packet_put_int(kbdintctxt->nreq);
-	for (i = 0; i < kbdintctxt->nreq; i++) {
-		packet_put_cstring(prompts[i]);
-		packet_put_char(echo_on[i]);
-	}
-	packet_send();
-	packet_write_wait();
-
-	for (i = 0; i < kbdintctxt->nreq; i++)
-		free(prompts[i]);
-	free(prompts);
-	free(echo_on);
-	free(name);
-	free(instr);
-	return 1;
-}
-
-static int
-input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	KbdintAuthctxt *kbdintctxt;
-	int authenticated = 0, res;
-	u_int i, nresp;
-	const char *devicename = NULL;
-	char **response = NULL;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_info_response: no authctxt");
-	kbdintctxt = authctxt->kbdintctxt;
-	if (kbdintctxt == NULL || kbdintctxt->ctxt == NULL)
-		fatal("input_userauth_info_response: no kbdintctxt");
-	if (kbdintctxt->device == NULL)
-		fatal("input_userauth_info_response: no device");
-
-	authctxt->postponed = 0;	/* reset */
-	nresp = packet_get_int();
-	if (nresp != kbdintctxt->nreq)
-		fatal("input_userauth_info_response: wrong number of replies");
-	if (nresp > 100)
-		fatal("input_userauth_info_response: too many replies");
-	if (nresp > 0) {
-		response = xcalloc(nresp, sizeof(char *));
-		for (i = 0; i < nresp; i++)
-			response[i] = packet_get_string(NULL);
-	}
-	packet_check_eom();
-
-	res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
-
-	for (i = 0; i < nresp; i++) {
-		explicit_bzero(response[i], strlen(response[i]));
-		free(response[i]);
-	}
-	free(response);
-
-	switch (res) {
-	case 0:
-		/* Success! */
-		authenticated = authctxt->valid ? 1 : 0;
-		break;
-	case 1:
-		/* Authentication needs further interaction */
-		if (send_userauth_info_request(authctxt) == 1)
-			authctxt->postponed = 1;
-		break;
-	default:
-		/* Failure! */
-		break;
-	}
-	devicename = kbdintctxt->device->name;
-	if (!authctxt->postponed) {
-		if (authenticated) {
-			auth2_challenge_stop(authctxt);
-		} else {
-			/* start next device */
-			/* may set authctxt->postponed */
-			auth2_challenge_start(authctxt);
-		}
-	}
-	userauth_finish(authctxt, authenticated, "keyboard-interactive",
-	    devicename);
-	return 0;
-}
-
-void
-privsep_challenge_enable(void)
-{
-#if defined(BSD_AUTH) || defined(USE_PAM) || defined(SKEY)
-	int n = 0;
-#endif
-#ifdef BSD_AUTH
-	extern KbdintDevice mm_bsdauth_device;
-#endif
-#ifdef USE_PAM
-	extern KbdintDevice mm_sshpam_device;
-#endif
-#ifdef SKEY
-	extern KbdintDevice mm_skey_device;
-#endif
-
-#ifdef BSD_AUTH
-	devices[n++] = &mm_bsdauth_device;
-#else
-#ifdef USE_PAM
-	devices[n++] = &mm_sshpam_device;
-#endif
-#ifdef SKEY
-	devices[n++] = &mm_skey_device;
-#endif
-#endif
-}
--- a/auth2-gss.c
+++ b/auth2-gss.c
@ -1,308 +0,0 @@
-/* $OpenBSD: auth2-gss.c,v 1.22 2015/01/19 20:07:45 markus Exp $ */
-
-/*
- * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#ifdef GSSAPI
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "ssh2.h"
-#include "log.h"
-#include "dispatch.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-#include "packet.h"
-#include "ssh-gss.h"
-#include "monitor_wrap.h"
-
-extern ServerOptions options;
-
-static int input_gssapi_token(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_mic(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt);
-static int input_gssapi_errtok(int, u_int32_t, void *);
-
-/*
- * We only support those mechanisms that we know about (ie ones that we know
- * how to check local user kuserok and the like)
- */
-static int
-userauth_gssapi(Authctxt *authctxt)
-{
-	gss_OID_desc goid = {0, NULL};
-	Gssctxt *ctxt = NULL;
-	int mechs;
-	int present;
-	OM_uint32 ms;
-	u_int len;
-	u_char *doid = NULL;
-
-	if (!authctxt->valid || authctxt->user == NULL)
-		return (0);
-
-	mechs = packet_get_int();
-	if (mechs == 0) {
-		debug("Mechanism negotiation is not supported");
-		return (0);
-	}
-
-	do {
-		mechs--;
-
-		free(doid);
-
-		present = 0;
-		doid = packet_get_string(&len);
-
-		if (len > 2 && doid[0] == SSH_GSS_OIDTYPE &&
-		    doid[1] == len - 2) {
-			goid.elements = doid + 2;
-			goid.length   = len - 2;
-			ssh_gssapi_test_oid_supported(&ms, &goid, &present);
-		} else {
-			logit("Badly formed OID received");
-		}
-	} while (mechs > 0 && !present);
-
-	if (!present) {
-		free(doid);
-		authctxt->server_caused_failure = 1;
-		return (0);
-	}
-
-	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, &goid)))) {
-		if (ctxt != NULL)
-			ssh_gssapi_delete_ctx(&ctxt);
-		free(doid);
-		authctxt->server_caused_failure = 1;
-		return (0);
-	}
-
-	authctxt->methoddata = (void *)ctxt;
-
-	packet_start(SSH2_MSG_USERAUTH_GSSAPI_RESPONSE);
-
-	/* Return the OID that we received */
-	packet_put_string(doid, len);
-
-	packet_send();
-	free(doid);
-
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, &input_gssapi_token);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, &input_gssapi_errtok);
-	authctxt->postponed = 1;
-
-	return (0);
-}
-
-static int
-input_gssapi_token(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc recv_tok;
-	OM_uint32 maj_status, min_status, flags;
-	u_int len;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-	recv_tok.value = packet_get_string(&len);
-	recv_tok.length = len; /* u_int vs. size_t */
-
-	packet_check_eom();
-
-	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-	    &send_tok, &flags));
-
-	free(recv_tok.value);
-
-	if (GSS_ERROR(maj_status)) {
-		if (send_tok.length != 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-		}
-		authctxt->postponed = 0;
-		dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-		userauth_finish(authctxt, 0, "gssapi-with-mic", NULL);
-	} else {
-		if (send_tok.length != 0) {
-			packet_start(SSH2_MSG_USERAUTH_GSSAPI_TOKEN);
-			packet_put_string(send_tok.value, send_tok.length);
-			packet_send();
-		}
-		if (maj_status == GSS_S_COMPLETE) {
-			dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-			if (flags & GSS_C_INTEG_FLAG)
-				dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC,
-				    &input_gssapi_mic);
-			else
-				dispatch_set(
-				    SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE,
-				    &input_gssapi_exchange_complete);
-		}
-	}
-
-	gss_release_buffer(&min_status, &send_tok);
-	return 0;
-}
-
-static int
-input_gssapi_errtok(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	gss_buffer_desc send_tok = GSS_C_EMPTY_BUFFER;
-	gss_buffer_desc recv_tok;
-	OM_uint32 maj_status;
-	u_int len;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-	recv_tok.value = packet_get_string(&len);
-	recv_tok.length = len;
-
-	packet_check_eom();
-
-	/* Push the error token into GSSAPI to see what it says */
-	maj_status = PRIVSEP(ssh_gssapi_accept_ctx(gssctxt, &recv_tok,
-	    &send_tok, NULL));
-
-	free(recv_tok.value);
-
-	/* We can't return anything to the client, even if we wanted to */
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-
-	/* The client will have already moved on to the next auth */
-
-	gss_release_buffer(&maj_status, &send_tok);
-	return 0;
-}
-
-/*
- * This is called when the client thinks we've completed authentication.
- * It should only be enabled in the dispatch handler by the function above,
- * which only enables it once the GSSAPI exchange is complete.
- */
-
-static int
-input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	int authenticated;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	/*
-	 * We don't need to check the status, because we're only enabled in
-	 * the dispatcher once the exchange is complete
-	 */
-
-	packet_check_eom();
-
-	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-
-	authctxt->postponed = 0;
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
-	return 0;
-}
-
-static int
-input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Gssctxt *gssctxt;
-	int authenticated = 0;
-	Buffer b;
-	gss_buffer_desc mic, gssbuf;
-	u_int len;
-
-	if (authctxt == NULL || (authctxt->methoddata == NULL && !use_privsep))
-		fatal("No authentication or GSSAPI context");
-
-	gssctxt = authctxt->methoddata;
-
-	mic.value = packet_get_string(&len);
-	mic.length = len;
-
-	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
-	    "gssapi-with-mic");
-
-	gssbuf.value = buffer_ptr(&b);
-	gssbuf.length = buffer_len(&b);
-
-	if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
-		authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
-	else
-		logit("GSSAPI MIC check failed");
-
-	buffer_free(&b);
-	free(mic.value);
-
-	authctxt->postponed = 0;
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_ERRTOK, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_MIC, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-	userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
-	return 0;
-}
-
-Authmethod method_gssapi = {
-	"gssapi-with-mic",
-	userauth_gssapi,
-	&options.gss_authentication
-};
-
-#endif /* GSSAPI */
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@ -1,259 +0,0 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.25 2015/05/04 06:10:48 djm Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-
-#include <pwd.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "pathnames.h"
-#include "match.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-static int
-userauth_hostbased(Authctxt *authctxt)
-{
-	Buffer b;
-	Key *key = NULL;
-	char *pkalg, *cuser, *chost, *service;
-	u_char *pkblob, *sig;
-	u_int alen, blen, slen;
-	int pktype;
-	int authenticated = 0;
-
-	if (!authctxt->valid) {
-		debug2("userauth_hostbased: disabled because of invalid user");
-		return 0;
-	}
-	pkalg = packet_get_string(&alen);
-	pkblob = packet_get_string(&blen);
-	chost = packet_get_string(NULL);
-	cuser = packet_get_string(NULL);
-	sig = packet_get_string(&slen);
-
-	debug("userauth_hostbased: cuser %s chost %s pkalg %s slen %d",
-	    cuser, chost, pkalg, slen);
-#ifdef DEBUG_PK
-	debug("signature:");
-	buffer_init(&b);
-	buffer_append(&b, sig, slen);
-	buffer_dump(&b);
-	buffer_free(&b);
-#endif
-	pktype = key_type_from_name(pkalg);
-	if (pktype == KEY_UNSPEC) {
-		/* this is perfectly legal */
-		logit("userauth_hostbased: unsupported "
-		    "public key algorithm: %s", pkalg);
-		goto done;
-	}
-	key = key_from_blob(pkblob, blen);
-	if (key == NULL) {
-		error("userauth_hostbased: cannot decode key: %s", pkalg);
-		goto done;
-	}
-	if (key->type != pktype) {
-		error("userauth_hostbased: type mismatch for decoded key "
-		    "(received %d, expected %d)", key->type, pktype);
-		goto done;
-	}
-	if (key_type_plain(key->type) == KEY_RSA &&
-	    (datafellows & SSH_BUG_RSASIGMD5) != 0) {
-		error("Refusing RSA key because peer uses unsafe "
-		    "signature format");
-		goto done;
-	}
-	if (match_pattern_list(sshkey_ssh_name(key),
-	    options.hostbased_key_types, 0) != 1) {
-		logit("%s: key type %s not in HostbasedAcceptedKeyTypes",
-		    __func__, sshkey_type(key));
-		goto done;
-	}
-
-	service = datafellows & SSH_BUG_HBSERVICE ? "ssh-userauth" :
-	    authctxt->service;
-	buffer_init(&b);
-	buffer_put_string(&b, session_id2, session_id2_len);
-	/* reconstruct packet */
-	buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-	buffer_put_cstring(&b, authctxt->user);
-	buffer_put_cstring(&b, service);
-	buffer_put_cstring(&b, "hostbased");
-	buffer_put_string(&b, pkalg, alen);
-	buffer_put_string(&b, pkblob, blen);
-	buffer_put_cstring(&b, chost);
-	buffer_put_cstring(&b, cuser);
-#ifdef DEBUG_PK
-	buffer_dump(&b);
-#endif
-
-	pubkey_auth_info(authctxt, key,
-	    "client user \"%.100s\", client host \"%.100s\"", cuser, chost);
-
-	/* test for allowed key and correct signature */
-	authenticated = 0;
-	if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
-	    PRIVSEP(key_verify(key, sig, slen, buffer_ptr(&b),
-			buffer_len(&b))) == 1)
-		authenticated = 1;
-
-	buffer_free(&b);
-done:
-	debug2("userauth_hostbased: authenticated %d", authenticated);
-	if (key != NULL)
-		key_free(key);
-	free(pkalg);
-	free(pkblob);
-	free(cuser);
-	free(chost);
-	free(sig);
-	return authenticated;
-}
-
-/* return 1 if given hostkey is allowed */
-int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
-    Key *key)
-{
-	const char *resolvedname, *ipaddr, *lookup, *reason;
-	HostStatus host_status;
-	int len;
-	char *fp;
-
-	if (auth_key_is_revoked(key))
-		return 0;
-
-	resolvedname = get_canonical_hostname(options.use_dns);
-	ipaddr = get_remote_ipaddr();
-
-	debug2("%s: chost %s resolvedname %s ipaddr %s", __func__,
-	    chost, resolvedname, ipaddr);
-
-	if (((len = strlen(chost)) > 0) && chost[len - 1] == '.') {
-		debug2("stripping trailing dot from chost %s", chost);
-		chost[len - 1] = '\0';
-	}
-
-	if (options.hostbased_uses_name_from_packet_only) {
-		if (auth_rhosts2(pw, cuser, chost, chost) == 0) {
-			debug2("%s: auth_rhosts2 refused "
-			    "user \"%.100s\" host \"%.100s\" (from packet)",
-			    __func__, cuser, chost);
-			return 0;
-		}
-		lookup = chost;
-	} else {
-		if (strcasecmp(resolvedname, chost) != 0)
-			logit("userauth_hostbased mismatch: "
-			    "client sends %s, but we resolve %s to %s",
-			    chost, ipaddr, resolvedname);
-		if (auth_rhosts2(pw, cuser, resolvedname, ipaddr) == 0) {
-			debug2("%s: auth_rhosts2 refused "
-			    "user \"%.100s\" host \"%.100s\" addr \"%.100s\"",
-			    __func__, cuser, resolvedname, ipaddr);
-			return 0;
-		}
-		lookup = resolvedname;
-	}
-	debug2("%s: access allowed by auth_rhosts2", __func__);
-
-	if (key_is_cert(key) && 
-	    key_cert_check_authority(key, 1, 0, lookup, &reason)) {
-		error("%s", reason);
-		auth_debug_add("%s", reason);
-		return 0;
-	}
-
-	host_status = check_key_in_hostfiles(pw, key, lookup,
-	    _PATH_SSH_SYSTEM_HOSTFILE,
-	    options.ignore_user_known_hosts ? NULL : _PATH_SSH_USER_HOSTFILE);
-
-	/* backward compat if no key has been found. */
-	if (host_status == HOST_NEW) {
-		host_status = check_key_in_hostfiles(pw, key, lookup,
-		    _PATH_SSH_SYSTEM_HOSTFILE2,
-		    options.ignore_user_known_hosts ? NULL :
-		    _PATH_SSH_USER_HOSTFILE2);
-	}
-
-	if (host_status == HOST_OK) {
-		if (key_is_cert(key)) {
-			if ((fp = sshkey_fingerprint(key->cert->signature_key,
-			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
-				fatal("%s: sshkey_fingerprint fail", __func__);
-			verbose("Accepted certificate ID \"%s\" signed by "
-			    "%s CA %s from %s@%s", key->cert->key_id,
-			    key_type(key->cert->signature_key), fp,
-			    cuser, lookup);
-		} else {
-			if ((fp = sshkey_fingerprint(key,
-			    options.fingerprint_hash, SSH_FP_DEFAULT)) == NULL)
-				fatal("%s: sshkey_fingerprint fail", __func__);
-			verbose("Accepted %s public key %s from %s@%s",
-			    key_type(key), fp, cuser, lookup);
-		}
-		free(fp);
-	}
-
-	return (host_status == HOST_OK);
-}
-
-Authmethod method_hostbased = {
-	"hostbased",
-	userauth_hostbased,
-	&options.hostbased_authentication
-};
--- a/auth2-jpake.c
+++ b/auth2-jpake.c
@ -1,563 +0,0 @@
-/* $OpenBSD: auth2-jpake.c,v 1.4 2010/08/31 11:54:45 djm Exp $ */
-/*
- * Copyright (c) 2008 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Server side of zero-knowledge password auth using J-PAKE protocol
- * as described in:
- *
- * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
- * 16th Workshop on Security Protocols, Cambridge, April 2008
- *
- * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
- */
-
-#ifdef JPAKE
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <login_cap.h>
-
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "servconf.h"
-#include "auth-options.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-#include "schnorr.h"
-#include "jpake.h"
-
-/*
- * XXX options->permit_empty_passwd (at the moment, they will be refused
- * anyway because they will mismatch on fake salt.
- */
-
-/* Dispatch handlers */
-static void input_userauth_jpake_client_step1(int, u_int32_t, void *);
-static void input_userauth_jpake_client_step2(int, u_int32_t, void *);
-static void input_userauth_jpake_client_confirm(int, u_int32_t, void *);
-
-static int auth2_jpake_start(Authctxt *);
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-/*
- * Attempt J-PAKE authentication.
- */
-static int
-userauth_jpake(Authctxt *authctxt)
-{
-	int authenticated = 0;
-
-	packet_check_eom();
-
-	debug("jpake-01@openssh.com requested");
-
-	if (authctxt->user != NULL) {
-		if (authctxt->jpake_ctx == NULL)
-			authctxt->jpake_ctx = jpake_new();
-		if (options.zero_knowledge_password_authentication)
-			authenticated = auth2_jpake_start(authctxt);
-	}
-
-	return authenticated;
-}
-
-Authmethod method_jpake = {
-	"jpake-01@openssh.com",
-	userauth_jpake,
-	&options.zero_knowledge_password_authentication
-};
-
-/* Clear context and callbacks */
-void
-auth2_jpake_stop(Authctxt *authctxt)
-{
-	/* unregister callbacks */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
-	if (authctxt->jpake_ctx != NULL) {
-		jpake_free(authctxt->jpake_ctx);
-		authctxt->jpake_ctx = NULL;
-	}
-}
-
-/* Returns 1 if 'c' is a valid crypt(3) salt character, 0 otherwise */
-static int
-valid_crypt_salt(int c)
-{
-	if (c >= 'A' && c <= 'Z')
-		return 1;
-	if (c >= 'a' && c <= 'z')
-		return 1;
-	if (c >= '.' && c <= '9')
-		return 1;
-	return 0;
-}
-
-/*
- * Derive fake salt as H(username || first_private_host_key)
- * This provides relatively stable fake salts for non-existent
- * users and avoids the jpake method becoming an account validity
- * oracle.
- */
-static void
-derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
-{
-	u_char *digest;
-	u_int digest_len;
-	Buffer b;
-	Key *k;
-
-	buffer_init(&b);
-	buffer_put_cstring(&b, username);
-	if ((k = get_hostkey_by_index(0)) == NULL ||
-	    (k->flags & KEY_FLAG_EXT))
-		fatal("%s: no hostkeys", __func__);
-	switch (k->type) {
-	case KEY_RSA1:
-	case KEY_RSA:
-		if (k->rsa->p == NULL || k->rsa->q == NULL)
-			fatal("%s: RSA key missing p and/or q", __func__);
-		buffer_put_bignum2(&b, k->rsa->p);
-		buffer_put_bignum2(&b, k->rsa->q);
-		break;
-	case KEY_DSA:
-		if (k->dsa->priv_key == NULL)
-			fatal("%s: DSA key missing priv_key", __func__);
-		buffer_put_bignum2(&b, k->dsa->priv_key);
-		break;
-	case KEY_ECDSA:
-		if (EC_KEY_get0_private_key(k->ecdsa) == NULL)
-			fatal("%s: ECDSA key missing priv_key", __func__);
-		buffer_put_bignum2(&b, EC_KEY_get0_private_key(k->ecdsa));
-		break;
-	default:
-		fatal("%s: unknown key type %d", __func__, k->type);
-	}
-	if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
-	    &digest, &digest_len) != 0)
-		fatal("%s: hash_buffer", __func__);
-	buffer_free(&b);
-	if (len > digest_len)
-		fatal("%s: not enough bytes for rawsalt (want %u have %u)",
-		    __func__, len, digest_len);
-	memcpy(rawsalt, digest, len);
-	bzero(digest, digest_len);
-	xfree(digest);
-}
-
-/* ASCII an integer [0, 64) for inclusion in a password/salt */
-static char
-pw_encode64(u_int i64)
-{
-	const u_char e64[] =
-	    "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-	return e64[i64 % 64];
-}
-
-/* Generate ASCII salt bytes for user */
-static char *
-makesalt(u_int want, const char *user)
-{
-	u_char rawsalt[32];
-	static char ret[33];
-	u_int i;
-
-	if (want > sizeof(ret) - 1)
-		fatal("%s: want %u", __func__, want);
-
-	derive_rawsalt(user, rawsalt, sizeof(rawsalt));
-	bzero(ret, sizeof(ret));
-	for (i = 0; i < want; i++)
-		ret[i] = pw_encode64(rawsalt[i]);
-	bzero(rawsalt, sizeof(rawsalt));
-
-	return ret;
-}
-
-/*
- * Select the system's default password hashing scheme and generate
- * a stable fake salt under it for use by a non-existent account.
- * Prevents jpake method being used to infer the validity of accounts.
- */
-static void
-fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
-{
-	char *rounds_s, *style;
-	long long rounds;
-	login_cap_t *lc;
-
-
-	if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL &&
-	    (lc = login_getclass(NULL)) == NULL)
-		fatal("%s: login_getclass failed", __func__);
-	style = login_getcapstr(lc, "localcipher", NULL, NULL);
-	if (style == NULL)
-		style = xstrdup("blowfish,6");
-	login_close(lc);
-	
-	if ((rounds_s = strchr(style, ',')) != NULL)
-		*rounds_s++ = '\0';
-	rounds = strtonum(rounds_s, 1, 1<<31, NULL);
-	
-	if (strcmp(style, "md5") == 0) {
-		xasprintf(salt, "$1$%s$", makesalt(8, authctxt->user));
-		*scheme = xstrdup("md5");
-	} else if (strcmp(style, "old") == 0) {
-		*salt = xstrdup(makesalt(2, authctxt->user));
-		*scheme = xstrdup("crypt");
-	} else if (strcmp(style, "newsalt") == 0) {
-		rounds = MAX(rounds, 7250);
-		rounds = MIN(rounds, (1<<24) - 1);
-		xasprintf(salt, "_%c%c%c%c%s",
-		    pw_encode64(rounds), pw_encode64(rounds >> 6),
-		    pw_encode64(rounds >> 12), pw_encode64(rounds >> 18),
-		    makesalt(4, authctxt->user));
-		*scheme = xstrdup("crypt-extended");
-	} else {
-		/* Default to blowfish */
-		rounds = MAX(rounds, 3);
-		rounds = MIN(rounds, 31);
-		xasprintf(salt, "$2a$%02lld$%s", rounds,
-		    makesalt(22, authctxt->user));
-		*scheme = xstrdup("bcrypt");
-	}
-	xfree(style);
-	debug3("%s: fake %s salt for user %s: %s",
-	    __func__, *scheme, authctxt->user, *salt);
-}
-
-/*
- * Fetch password hashing scheme, password salt and derive shared secret
- * for user. If user does not exist, a fake but stable and user-unique
- * salt will be returned.
- */
-void
-auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
-    char **hash_scheme, char **salt)
-{
-	char *cp;
-	u_char *secret;
-	u_int secret_len, salt_len;
-
-#ifdef JPAKE_DEBUG
-	debug3("%s: valid %d pw %.5s...", __func__,
-	    authctxt->valid, authctxt->pw->pw_passwd);
-#endif
-
-	*salt = NULL;
-	*hash_scheme = NULL;
-	if (authctxt->valid) {
-		if (strncmp(authctxt->pw->pw_passwd, "$2$", 3) == 0 &&
-		    strlen(authctxt->pw->pw_passwd) > 28) {
-			/*
-			 * old-variant bcrypt:
-			 *     "$2$", 2 digit rounds, "$", 22 bytes salt
-			 */
-			salt_len = 3 + 2 + 1 + 22 + 1;
-			*salt = xmalloc(salt_len);
-			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-			*hash_scheme = xstrdup("bcrypt");
-		} else if (strncmp(authctxt->pw->pw_passwd, "$2a$", 4) == 0 &&
-		    strlen(authctxt->pw->pw_passwd) > 29) {
-			/*
-			 * current-variant bcrypt:
-			 *     "$2a$", 2 digit rounds, "$", 22 bytes salt
-			 */
-			salt_len = 4 + 2 + 1 + 22 + 1;
-			*salt = xmalloc(salt_len);
-			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-			*hash_scheme = xstrdup("bcrypt");
-		} else if (strncmp(authctxt->pw->pw_passwd, "$1$", 3) == 0 &&
-		    strlen(authctxt->pw->pw_passwd) > 5) {
-			/*
-			 * md5crypt:
-			 *     "$1$", salt until "$"
-			 */
-			cp = strchr(authctxt->pw->pw_passwd + 3, '$');
-			if (cp != NULL) {
-				salt_len = (cp - authctxt->pw->pw_passwd) + 1;
-				*salt = xmalloc(salt_len);
-				strlcpy(*salt, authctxt->pw->pw_passwd,
-				    salt_len);
-				*hash_scheme = xstrdup("md5crypt");
-			}
-		} else if (strncmp(authctxt->pw->pw_passwd, "_", 1) == 0 &&
-		    strlen(authctxt->pw->pw_passwd) > 9) {
-			/*
-			 * BSDI extended crypt:
-			 *     "_", 4 digits count, 4 chars salt
-			 */
-			salt_len = 1 + 4 + 4 + 1;
-			*salt = xmalloc(salt_len);
-			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-			*hash_scheme = xstrdup("crypt-extended");
-		} else if (strlen(authctxt->pw->pw_passwd) == 13  &&
-		    valid_crypt_salt(authctxt->pw->pw_passwd[0]) &&
-		    valid_crypt_salt(authctxt->pw->pw_passwd[1])) {
-			/*
-			 * traditional crypt:
-			 *     2 chars salt
-			 */
-			salt_len = 2 + 1;
-			*salt = xmalloc(salt_len);
-			strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-			*hash_scheme = xstrdup("crypt");
-		}
-		if (*salt == NULL) {
-			debug("%s: unrecognised crypt scheme for user %s",
-			    __func__, authctxt->pw->pw_name);
-		}
-	}
-	if (*salt == NULL)
-		fake_salt_and_scheme(authctxt, salt, hash_scheme);
-
-	if (hash_buffer(authctxt->pw->pw_passwd,
-	    strlen(authctxt->pw->pw_passwd), EVP_sha256(),
-	    &secret, &secret_len) != 0)
-		fatal("%s: hash_buffer", __func__);
-	if ((*s = BN_bin2bn(secret, secret_len, NULL)) == NULL)
-		fatal("%s: BN_bin2bn (secret)", __func__);
-#ifdef JPAKE_DEBUG
-	debug3("%s: salt = %s (len %u)", __func__,
-	    *salt, (u_int)strlen(*salt));
-	debug3("%s: scheme = %s", __func__, *hash_scheme);
-	JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
-#endif
-	bzero(secret, secret_len);
-	xfree(secret);
-}
-
-/*
- * Begin authentication attempt.
- * Note, sets authctxt->postponed while in subprotocol
- */
-static int
-auth2_jpake_start(Authctxt *authctxt)
-{
-	struct jpake_ctx *pctx = authctxt->jpake_ctx;
-	u_char *x3_proof, *x4_proof;
-	u_int x3_proof_len, x4_proof_len;
-	char *salt, *hash_scheme;
-
-	debug("%s: start", __func__);
-
-	PRIVSEP(jpake_step1(pctx->grp,
-	    &pctx->server_id, &pctx->server_id_len,
-	    &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
-	    &x3_proof, &x3_proof_len,
-	    &x4_proof, &x4_proof_len));
-
-	PRIVSEP(auth2_jpake_get_pwdata(authctxt, &pctx->s,
-	    &hash_scheme, &salt));
-
-	if (!use_privsep)
-		JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
-
-	packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1);
-	packet_put_cstring(hash_scheme);
-	packet_put_cstring(salt);
-	packet_put_string(pctx->server_id, pctx->server_id_len);
-	packet_put_bignum2(pctx->g_x3);
-	packet_put_bignum2(pctx->g_x4);
-	packet_put_string(x3_proof, x3_proof_len);
-	packet_put_string(x4_proof, x4_proof_len);
-	packet_send();
-	packet_write_wait();
-
-	bzero(hash_scheme, strlen(hash_scheme));
-	bzero(salt, strlen(salt));
-	xfree(hash_scheme);
-	xfree(salt);
-	bzero(x3_proof, x3_proof_len);
-	bzero(x4_proof, x4_proof_len);
-	xfree(x3_proof);
-	xfree(x4_proof);
-
-	/* Expect step 1 packet from peer */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
-	    input_userauth_jpake_client_step1);
-
-	authctxt->postponed = 1;
-	return 0;
-}
-
-/* ARGSUSED */
-static void
-input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	struct jpake_ctx *pctx = authctxt->jpake_ctx;
-	u_char *x1_proof, *x2_proof, *x4_s_proof;
-	u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
-
-	/* Disable this message */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
-
-	/* Fetch step 1 values */
-	if ((pctx->g_x1 = BN_new()) == NULL ||
-	    (pctx->g_x2 = BN_new()) == NULL)
-		fatal("%s: BN_new", __func__);
-	pctx->client_id = packet_get_string(&pctx->client_id_len);
-	packet_get_bignum2(pctx->g_x1);
-	packet_get_bignum2(pctx->g_x2);
-	x1_proof = packet_get_string(&x1_proof_len);
-	x2_proof = packet_get_string(&x2_proof_len);
-	packet_check_eom();
-
-	if (!use_privsep)
-		JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
-
-	PRIVSEP(jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
-	    pctx->g_x1, pctx->g_x2, pctx->x4,
-	    pctx->client_id, pctx->client_id_len,
-	    pctx->server_id, pctx->server_id_len,
-	    x1_proof, x1_proof_len,
-	    x2_proof, x2_proof_len,
-	    &pctx->b,
-	    &x4_s_proof, &x4_s_proof_len));
-
-	bzero(x1_proof, x1_proof_len);
-	bzero(x2_proof, x2_proof_len);
-	xfree(x1_proof);
-	xfree(x2_proof);
-
-	if (!use_privsep)
-		JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
-
-	/* Send values for step 2 */
-	packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2);
-	packet_put_bignum2(pctx->b);
-	packet_put_string(x4_s_proof, x4_s_proof_len);
-	packet_send();
-	packet_write_wait();
-
-	bzero(x4_s_proof, x4_s_proof_len);
-	xfree(x4_s_proof);
-
-	/* Expect step 2 packet from peer */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
-	    input_userauth_jpake_client_step2);
-}
-
-/* ARGSUSED */
-static void
-input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	struct jpake_ctx *pctx = authctxt->jpake_ctx;
-	u_char *x2_s_proof;
-	u_int x2_s_proof_len;
-
-	/* Disable this message */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
-
-	if ((pctx->a = BN_new()) == NULL)
-		fatal("%s: BN_new", __func__);
-
-	/* Fetch step 2 values */
-	packet_get_bignum2(pctx->a);
-	x2_s_proof = packet_get_string(&x2_s_proof_len);
-	packet_check_eom();
-
-	if (!use_privsep)
-		JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
-
-	/* Derive shared key and calculate confirmation hash */
-	PRIVSEP(jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
-	    pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
-	    pctx->server_id, pctx->server_id_len,
-	    pctx->client_id, pctx->client_id_len,
-	    session_id2, session_id2_len,
-	    x2_s_proof, x2_s_proof_len,
-	    &pctx->k,
-	    &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
-
-	bzero(x2_s_proof, x2_s_proof_len);
-	xfree(x2_s_proof);
-
-	if (!use_privsep)
-		JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
-
-	/* Send key confirmation proof */
-	packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM);
-	packet_put_string(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-	packet_send();
-	packet_write_wait();
-
-	/* Expect confirmation from peer */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM,
-	    input_userauth_jpake_client_confirm);
-}
-
-/* ARGSUSED */
-static void
-input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	struct jpake_ctx *pctx = authctxt->jpake_ctx;
-	int authenticated = 0;
-
-	/* Disable this message */
-	dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
-
-	pctx->h_k_cid_sessid = packet_get_string(&pctx->h_k_cid_sessid_len);
-	packet_check_eom();
-
-	if (!use_privsep)
-		JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
-
-	/* Verify expected confirmation hash */
-	if (PRIVSEP(jpake_check_confirm(pctx->k,
-	    pctx->client_id, pctx->client_id_len,
-	    session_id2, session_id2_len,
-	    pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len)) == 1)
-		authenticated = authctxt->valid ? 1 : 0;
-	else
-		debug("%s: confirmation mismatch", __func__);
-		
-	/* done */
-	authctxt->postponed = 0;
-	jpake_free(authctxt->jpake_ctx);
-	authctxt->jpake_ctx = NULL;
-	userauth_finish(authctxt, authenticated, method_jpake.name);
-}
-
-#endif /* JPAKE */
-
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@ -1,69 +0,0 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.7 2014/07/15 15:54:14 millert Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int
-userauth_kbdint(Authctxt *authctxt)
-{
-	int authenticated = 0;
-	char *lang, *devs;
-
-	lang = packet_get_string(NULL);
-	devs = packet_get_string(NULL);
-	packet_check_eom();
-
-	debug("keyboard-interactive devs %s", devs);
-
-	if (options.challenge_response_authentication)
-		authenticated = auth2_challenge(authctxt, devs);
-
-	free(devs);
-	free(lang);
-	return authenticated;
-}
-
-Authmethod method_kbdint = {
-	"keyboard-interactive",
-	userauth_kbdint,
-	&options.kbd_interactive_authentication
-};
--- a/auth2-none.c
+++ b/auth2-none.c
@ -1,84 +0,0 @@
-/* $OpenBSD: auth2-none.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/uio.h>
-
-#include <fcntl.h>
-#include <string.h>
-#include <unistd.h>
-#include <stdarg.h>
-#include <stdio.h>
-
-#include "atomicio.h"
-#include "xmalloc.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-#include "compat.h"
-#include "ssh2.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-
-/* "none" is allowed only one time */
-static int none_enabled = 1;
-
-static int
-userauth_none(Authctxt *authctxt)
-{
-	none_enabled = 0;
-	packet_check_eom();
-	if (options.permit_empty_passwd && options.password_authentication)
-		return (PRIVSEP(auth_password(authctxt, "")));
-	return (0);
-}
-
-Authmethod method_none = {
-	"none",
-	userauth_none,
-	&none_enabled
-};
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@ -1,81 +0,0 @@
-/* $OpenBSD: auth2-passwd.c,v 1.12 2014/07/15 15:54:14 millert Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "log.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-#include "misc.h"
-#include "servconf.h"
-
-/* import */
-extern ServerOptions options;
-
-static int
-userauth_passwd(Authctxt *authctxt)
-{
-	char *password, *newpass;
-	int authenticated = 0;
-	int change;
-	u_int len, newlen;
-
-	change = packet_get_char();
-	password = packet_get_string(&len);
-	if (change) {
-		/* discard new password from packet */
-		newpass = packet_get_string(&newlen);
-		explicit_bzero(newpass, newlen);
-		free(newpass);
-	}
-	packet_check_eom();
-
-	if (change)
-		logit("password change not supported");
-	else if (PRIVSEP(auth_password(authctxt, password)) == 1)
-		authenticated = 1;
-	explicit_bzero(password, len);
-	free(password);
-	return authenticated;
-}
-
-Authmethod method_passwd = {
-	"password",
-	userauth_passwd,
-	&options.password_authentication
-};
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
--- a/auth2.c
+++ b/auth2.c
@ -1,628 +0,0 @@
-/* $OpenBSD: auth2.c,v 1.135 2015/01/19 20:07:45 markus Exp $ */
-/*
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/*
- * We support only client side kerberos on Windows.
- */
-
-#ifdef WIN32_FIXME
-  #undef GSSAPI
-  #undef KRB5
-#endif
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/uio.h>
-
-#include <fcntl.h>
-#include <pwd.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-
-#include "atomicio.h"
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "packet.h"
-#include "log.h"
-#include "buffer.h"
-#include "misc.h"
-#include "servconf.h"
-#include "compat.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "dispatch.h"
-#include "pathnames.h"
-#include "buffer.h"
-
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-extern Buffer loginmsg;
-
-/* methods */
-
-extern Authmethod method_none;
-extern Authmethod method_pubkey;
-extern Authmethod method_passwd;
-extern Authmethod method_kbdint;
-extern Authmethod method_hostbased;
-#ifdef GSSAPI
-extern Authmethod method_gssapi;
-#endif
-
-Authmethod *authmethods[] = {
-	&method_none,
-	&method_pubkey,
-#ifdef GSSAPI
-	&method_gssapi,
-#endif
-	&method_passwd,
-	&method_kbdint,
-	&method_hostbased,
-	NULL
-};
-
-/* protocol */
-
-static int input_service_request(int, u_int32_t, void *);
-static int input_userauth_request(int, u_int32_t, void *);
-
-/* helper */
-static Authmethod *authmethod_lookup(Authctxt *, const char *);
-static char *authmethods_get(Authctxt *authctxt);
-
-#define MATCH_NONE	0	/* method or submethod mismatch */
-#define MATCH_METHOD	1	/* method matches (no submethod specified) */
-#define MATCH_BOTH	2	/* method and submethod match */
-#define MATCH_PARTIAL	3	/* method matches, submethod can't be checked */
-static int list_starts_with(const char *, const char *, const char *);
-
-char *
-auth2_read_banner(void)
-{
-	struct stat st;
-	char *banner = NULL;
-	size_t len, n;
-	int fd;
-
-	if ((fd = open(options.banner, O_RDONLY)) == -1)
-		return (NULL);
-	if (fstat(fd, &st) == -1) {
-		close(fd);
-		return (NULL);
-	}
-	if (st.st_size <= 0 || st.st_size > 1*1024*1024) {
-		close(fd);
-		return (NULL);
-	}
-
-	len = (size_t)st.st_size;		/* truncate */
-	banner = xmalloc(len + 1);
-	n = atomicio(read, fd, banner, len);
-	close(fd);
-
-	if (n != len) {
-		free(banner);
-		return (NULL);
-	}
-	banner[n] = '\0';
-
-	return (banner);
-}
-
-void
-userauth_send_banner(const char *msg)
-{
-	if (datafellows & SSH_BUG_BANNER)
-		return;
-
-	packet_start(SSH2_MSG_USERAUTH_BANNER);
-	packet_put_cstring(msg);
-	packet_put_cstring("");		/* language, unused */
-	packet_send();
-	debug("%s: sent", __func__);
-}
-
-static void
-userauth_banner(void)
-{
-	char *banner = NULL;
-
-	if (options.banner == NULL || (datafellows & SSH_BUG_BANNER) != 0)
-		return;
-
-	if ((banner = PRIVSEP(auth2_read_banner())) == NULL)
-		goto done;
-	userauth_send_banner(banner);
-
-done:
-	free(banner);
-}
-
-/*
- * loop until authctxt->success == TRUE
- */
-void
-do_authentication2(Authctxt *authctxt)
-{
-	dispatch_init(&dispatch_protocol_error);
-	dispatch_set(SSH2_MSG_SERVICE_REQUEST, &input_service_request);
-	dispatch_run(DISPATCH_BLOCK, &authctxt->success, authctxt);
-}
-
-/*ARGSUSED*/
-static int
-input_service_request(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	u_int len;
-	int acceptit = 0;
-	char *service = packet_get_cstring(&len);
-	packet_check_eom();
-
-	if (authctxt == NULL)
-		fatal("input_service_request: no authctxt");
-
-	if (strcmp(service, "ssh-userauth") == 0) {
-		if (!authctxt->success) {
-			acceptit = 1;
-			/* now we can handle user-auth requests */
-			dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &input_userauth_request);
-		}
-	}
-	/* XXX all other service requests are denied */
-
-	if (acceptit) {
-		packet_start(SSH2_MSG_SERVICE_ACCEPT);
-		packet_put_cstring(service);
-		packet_send();
-		packet_write_wait();
-	} else {
-		debug("bad service request %s", service);
-		packet_disconnect("bad service request %s", service);
-	}
-	free(service);
-	return 0;
-}
-
-/*ARGSUSED*/
-static int
-input_userauth_request(int type, u_int32_t seq, void *ctxt)
-{
-	Authctxt *authctxt = ctxt;
-	Authmethod *m = NULL;
-	char *user, *service, *method, *style = NULL;
-	int authenticated = 0;
-
-	if (authctxt == NULL)
-		fatal("input_userauth_request: no authctxt");
-
-	user = packet_get_cstring(NULL);
-	service = packet_get_cstring(NULL);
-	method = packet_get_cstring(NULL);
-	debug("userauth-request for user %s service %s method %s", user, service, method);
-	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
-
-	if ((style = strchr(user, ':')) != NULL)
-		*style++ = 0;
-
-	if (authctxt->attempt++ == 0) {
-		/* setup auth context */
-		authctxt->pw = PRIVSEP(getpwnamallow(user));
-		authctxt->user = xstrdup(user);
-		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
-			authctxt->valid = 1;
-			debug2("input_userauth_request: setting up authctxt for %s", user);
-		} else {
-			logit("input_userauth_request: invalid user %s", user);
-			authctxt->pw = fakepw();
-#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_INVALID_USER));
-#endif
-		}
-#ifdef USE_PAM
-		if (options.use_pam)
-			PRIVSEP(start_pam(authctxt));
-#endif
-		setproctitle("%s%s", authctxt->valid ? user : "unknown",
-		    use_privsep ? " [net]" : "");
-		authctxt->service = xstrdup(service);
-		authctxt->style = style ? xstrdup(style) : NULL;
-		if (use_privsep)
-			mm_inform_authserv(service, style);
-		userauth_banner();
-		if (auth2_setup_methods_lists(authctxt) != 0)
-			packet_disconnect("no authentication methods enabled");
-	} else if (strcmp(user, authctxt->user) != 0 ||
-	    strcmp(service, authctxt->service) != 0) {
-		packet_disconnect("Change of username or service not allowed: "
-		    "(%s,%s) -> (%s,%s)",
-		    authctxt->user, authctxt->service, user, service);
-	}
-	/* reset state */
-	auth2_challenge_stop(authctxt);
-
-#ifdef GSSAPI
-	/* XXX move to auth2_gssapi_stop() */
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-	dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_EXCHANGE_COMPLETE, NULL);
-#endif
-
-	authctxt->postponed = 0;
-	authctxt->server_caused_failure = 0;
-
-	/* try to authenticate user */
-	m = authmethod_lookup(authctxt, method);
-	if (m != NULL && authctxt->failures < options.max_authtries) {
-		debug2("input_userauth_request: try method %s", method);
-		authenticated =	m->userauth(authctxt);
-	}
-	userauth_finish(authctxt, authenticated, method, NULL);
-
-	free(service);
-	free(user);
-	free(method);
-	return 0;
-}
-
-void
-userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
-    const char *submethod)
-{
-	char *methods;
-	int partial = 0;
-
-	if (!authctxt->valid && authenticated)
-		fatal("INTERNAL ERROR: authenticated invalid user %s",
-		    authctxt->user);
-	if (authenticated && authctxt->postponed)
-		fatal("INTERNAL ERROR: authenticated and postponed");
-
-	/* Special handling for root */
-	if (authenticated && authctxt->pw->pw_uid == 0 &&
-	    !auth_root_allowed(method)) {
-		authenticated = 0;
-#ifdef SSH_AUDIT_EVENTS
-		PRIVSEP(audit_event(SSH_LOGIN_ROOT_DENIED));
-#endif
-	}
-
-	if (authenticated && options.num_auth_methods != 0) {
-		if (!auth2_update_methods_lists(authctxt, method, submethod)) {
-			authenticated = 0;
-			partial = 1;
-		}
-	}
-
-	/* Log before sending the reply */
-	auth_log(authctxt, authenticated, partial, method, submethod);
-
-	if (authctxt->postponed)
-		return;
-
-#ifdef USE_PAM
-	if (options.use_pam && authenticated) {
-		if (!PRIVSEP(do_pam_account())) {
-			/* if PAM returned a message, send it to the user */
-			if (buffer_len(&loginmsg) > 0) {
-				buffer_append(&loginmsg, "\0", 1);
-				userauth_send_banner(buffer_ptr(&loginmsg));
-				packet_write_wait();
-			}
-			fatal("Access denied for user %s by PAM account "
-			    "configuration", authctxt->user);
-		}
-	}
-#endif
-
-#ifdef _UNICOS
-	if (authenticated && cray_access_denied(authctxt->user)) {
-		authenticated = 0;
-		fatal("Access denied for user %s.", authctxt->user);
-	}
-#endif /* _UNICOS */
-
-	if (authenticated == 1) {
-		/* turn off userauth */
-		dispatch_set(SSH2_MSG_USERAUTH_REQUEST, &dispatch_protocol_ignore);
-		packet_start(SSH2_MSG_USERAUTH_SUCCESS);
-		packet_send();
-		packet_write_wait();
-		/* now we can break out */
-		authctxt->success = 1;
-	} else {
-
-		/* Allow initial try of "none" auth without failure penalty */
-		if (!partial && !authctxt->server_caused_failure &&
-		    (authctxt->attempt > 1 || strcmp(method, "none") != 0))
-			authctxt->failures++;
-		if (authctxt->failures >= options.max_authtries) {
-#ifdef SSH_AUDIT_EVENTS
-			PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
-#endif
-			auth_maxtries_exceeded(authctxt);
-		}
-		methods = authmethods_get(authctxt);
-		debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
-		    partial, methods);
-		packet_start(SSH2_MSG_USERAUTH_FAILURE);
-		packet_put_cstring(methods);
-		packet_put_char(partial);
-		packet_send();
-		packet_write_wait();
-		free(methods);
-	}
-}
-
-/*
- * Checks whether method is allowed by at least one AuthenticationMethods
- * methods list. Returns 1 if allowed, or no methods lists configured.
- * 0 otherwise.
- */
-int
-auth2_method_allowed(Authctxt *authctxt, const char *method,
-    const char *submethod)
-{
-	u_int i;
-
-	/*
-	 * NB. authctxt->num_auth_methods might be zero as a result of
-	 * auth2_setup_methods_lists(), so check the configuration.
-	 */
-	if (options.num_auth_methods == 0)
-		return 1;
-	for (i = 0; i < authctxt->num_auth_methods; i++) {
-		if (list_starts_with(authctxt->auth_methods[i], method,
-		    submethod) != MATCH_NONE)
-			return 1;
-	}
-	return 0;
-}
-
-static char *
-authmethods_get(Authctxt *authctxt)
-{
-	Buffer b;
-	char *list;
-	u_int i;
-
-	buffer_init(&b);
-	for (i = 0; authmethods[i] != NULL; i++) {
-		if (strcmp(authmethods[i]->name, "none") == 0)
-			continue;
-		if (authmethods[i]->enabled == NULL ||
-		    *(authmethods[i]->enabled) == 0)
-			continue;
-		if (!auth2_method_allowed(authctxt, authmethods[i]->name,
-		    NULL))
-			continue;
-		if (buffer_len(&b) > 0)
-			buffer_append(&b, ",", 1);
-		buffer_append(&b, authmethods[i]->name,
-		    strlen(authmethods[i]->name));
-	}
-	buffer_append(&b, "\0", 1);
-	list = xstrdup(buffer_ptr(&b));
-	buffer_free(&b);
-	return list;
-}
-
-static Authmethod *
-authmethod_lookup(Authctxt *authctxt, const char *name)
-{
-	int i;
-
-	if (name != NULL)
-		for (i = 0; authmethods[i] != NULL; i++)
-			if (authmethods[i]->enabled != NULL &&
-			    *(authmethods[i]->enabled) != 0 &&
-			    strcmp(name, authmethods[i]->name) == 0 &&
-			    auth2_method_allowed(authctxt,
-			    authmethods[i]->name, NULL))
-				return authmethods[i];
-	debug2("Unrecognized authentication method name: %s",
-	    name ? name : "NULL");
-	return NULL;
-}
-
-/*
- * Check a comma-separated list of methods for validity. Is need_enable is
- * non-zero, then also require that the methods are enabled.
- * Returns 0 on success or -1 if the methods list is invalid.
- */
-int
-auth2_methods_valid(const char *_methods, int need_enable)
-{
-	char *methods, *omethods, *method, *p;
-	u_int i, found;
-	int ret = -1;
-
-	if (*_methods == '\0') {
-		error("empty authentication method list");
-		return -1;
-	}
-	omethods = methods = xstrdup(_methods);
-	while ((method = strsep(&methods, ",")) != NULL) {
-		for (found = i = 0; !found && authmethods[i] != NULL; i++) {
-			if ((p = strchr(method, ':')) != NULL)
-				*p = '\0';
-			if (strcmp(method, authmethods[i]->name) != 0)
-				continue;
-			if (need_enable) {
-				if (authmethods[i]->enabled == NULL ||
-				    *(authmethods[i]->enabled) == 0) {
-					error("Disabled method \"%s\" in "
-					    "AuthenticationMethods list \"%s\"",
-					    method, _methods);
-					goto out;
-				}
-			}
-			found = 1;
-			break;
-		}
-		if (!found) {
-			error("Unknown authentication method \"%s\" in list",
-			    method);
-			goto out;
-		}
-	}
-	ret = 0;
- out:
-	free(omethods);
-	return ret;
-}
-
-/*
- * Prune the AuthenticationMethods supplied in the configuration, removing
- * any methods lists that include disabled methods. Note that this might
- * leave authctxt->num_auth_methods == 0, even when multiple required auth
- * has been requested. For this reason, all tests for whether multiple is
- * enabled should consult options.num_auth_methods directly.
- */
-int
-auth2_setup_methods_lists(Authctxt *authctxt)
-{
-	u_int i;
-
-	if (options.num_auth_methods == 0)
-		return 0;
-	debug3("%s: checking methods", __func__);
-	authctxt->auth_methods = xcalloc(options.num_auth_methods,
-	    sizeof(*authctxt->auth_methods));
-	authctxt->num_auth_methods = 0;
-	for (i = 0; i < options.num_auth_methods; i++) {
-		if (auth2_methods_valid(options.auth_methods[i], 1) != 0) {
-			logit("Authentication methods list \"%s\" contains "
-			    "disabled method, skipping",
-			    options.auth_methods[i]);
-			continue;
-		}
-		debug("authentication methods list %d: %s",
-		    authctxt->num_auth_methods, options.auth_methods[i]);
-		authctxt->auth_methods[authctxt->num_auth_methods++] =
-		    xstrdup(options.auth_methods[i]);
-	}
-	if (authctxt->num_auth_methods == 0) {
-		error("No AuthenticationMethods left after eliminating "
-		    "disabled methods");
-		return -1;
-	}
-	return 0;
-}
-
-static int
-list_starts_with(const char *methods, const char *method,
-    const char *submethod)
-{
-	size_t l = strlen(method);
-	int match;
-	const char *p;
-
-	if (strncmp(methods, method, l) != 0)
-		return MATCH_NONE;
-	p = methods + l;
-	match = MATCH_METHOD;
-	if (*p == ':') {
-		if (!submethod)
-			return MATCH_PARTIAL;
-		l = strlen(submethod);
-		p += 1;
-		if (strncmp(submethod, p, l))
-			return MATCH_NONE;
-		p += l;
-		match = MATCH_BOTH;
-	}
-	if (*p != ',' && *p != '\0')
-		return MATCH_NONE;
-	return match;
-}
-
-/*
- * Remove method from the start of a comma-separated list of methods.
- * Returns 0 if the list of methods did not start with that method or 1
- * if it did.
- */
-static int
-remove_method(char **methods, const char *method, const char *submethod)
-{
-	char *omethods = *methods, *p;
-	size_t l = strlen(method);
-	int match;
-
-	match = list_starts_with(omethods, method, submethod);
-	if (match != MATCH_METHOD && match != MATCH_BOTH)
-		return 0;
-	p = omethods + l;
-	if (submethod && match == MATCH_BOTH)
-		p += 1 + strlen(submethod); /* include colon */
-	if (*p == ',')
-		p++;
-	*methods = xstrdup(p);
-	free(omethods);
-	return 1;
-}
-
-/*
- * Called after successful authentication. Will remove the successful method
- * from the start of each list in which it occurs. If it was the last method
- * in any list, then authentication is deemed successful.
- * Returns 1 if the method completed any authentication list or 0 otherwise.
- */
-int
-auth2_update_methods_lists(Authctxt *authctxt, const char *method,
-    const char *submethod)
-{
-	u_int i, found = 0;
-
-	debug3("%s: updating methods list after \"%s\"", __func__, method);
-	for (i = 0; i < authctxt->num_auth_methods; i++) {
-		if (!remove_method(&(authctxt->auth_methods[i]), method,
-		    submethod))
-			continue;
-		found = 1;
-		if (*authctxt->auth_methods[i] == '\0') {
-			debug2("authentication methods list %d complete", i);
-			return 1;
-		}
-		debug3("authentication methods list %d remaining: \"%s\"",
-		    i, authctxt->auth_methods[i]);
-	}
-	/* This should not happen, but would be bad if it did */
-	if (!found)
-		fatal("%s: method not in AuthenticationMethods", __func__);
-	return 0;
-}
-
-
--- a/authfd.c
+++ b/authfd.c
@ -1,710 +0,0 @@
-/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for connecting the local authentication agent.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * SSH2 implementation,
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/un.h>
-#include <sys/socket.h>
-
-#include <fcntl.h>
-#include <stdlib.h>
-#include <signal.h>
-#include <stdarg.h>
-#include <string.h>
-#include <unistd.h>
-#include <errno.h>
-
-#include "xmalloc.h"
-#include "ssh.h"
-#include "rsa.h"
-#include "sshbuf.h"
-#include "sshkey.h"
-#include "authfd.h"
-#include "cipher.h"
-#include "compat.h"
-#include "log.h"
-#include "atomicio.h"
-#include "misc.h"
-#include "ssherr.h"
-
-#define MAX_AGENT_IDENTITIES	2048		/* Max keys in agent reply */
-#define MAX_AGENT_REPLY_LEN	(256 * 1024) 	/* Max bytes in agent reply */
-
-/* macro to check for "agent failure" message */
-#define agent_failed(x) \
-    ((x == SSH_AGENT_FAILURE) || \
-    (x == SSH_COM_AGENT2_FAILURE) || \
-    (x == SSH2_AGENT_FAILURE))
-
-/* Convert success/failure response from agent to a err.h status */
-static int
-decode_reply(u_char type)
-{
-	if (agent_failed(type))
-		return SSH_ERR_AGENT_FAILURE;
-	else if (type == SSH_AGENT_SUCCESS)
-		return 0;
-	else
-		return SSH_ERR_INVALID_FORMAT;
-}
-
-/* Returns the number of the authentication fd, or -1 if there is none. */
-int
-ssh_get_authentication_socket(int *fdp)
-{
-	const char *authsocket;
-	int sock, oerrno;
-	struct sockaddr_un sunaddr;
-
-	if (fdp != NULL)
-		*fdp = -1;
-
-	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
-	if (!authsocket)
-		return SSH_ERR_AGENT_NOT_PRESENT;
-
-	memset(&sunaddr, 0, sizeof(sunaddr));
-	sunaddr.sun_family = AF_UNIX;
-	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
-
-	if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
-		return SSH_ERR_SYSTEM_ERROR;
-
-#ifndef WIN32_FIXME
-	/* close on exec */
-	if (fcntl(sock, F_SETFD, FD_CLOEXEC) == -1 ||
-	    connect(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
-		oerrno = errno;
-		close(sock);
-		errno = oerrno;
-		return SSH_ERR_SYSTEM_ERROR;
-	}
-#endif /* #ifndef WIN32_FIXME */
-
-	if (fdp != NULL)
-		*fdp = sock;
-	else
-		close(sock);
-	return 0;
-}
-
-/* Communicate with agent: send request and read reply */
-static int
-ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
-{
-	int r;
-	size_t l, len;
-	char buf[1024];
-
-	/* Get the length of the message, and format it in the buffer. */
-	len = sshbuf_len(request);
-	put_u32(buf, len);
-
-	/* Send the length and then the packet to the agent. */
-	if (atomicio(vwrite, sock, buf, 4) != 4 ||
-	    atomicio(vwrite, sock, (u_char *)sshbuf_ptr(request),
-	    sshbuf_len(request)) != sshbuf_len(request))
-		return SSH_ERR_AGENT_COMMUNICATION;
-	/*
-	 * Wait for response from the agent.  First read the length of the
-	 * response packet.
-	 */
-	if (atomicio(read, sock, buf, 4) != 4)
-	    return SSH_ERR_AGENT_COMMUNICATION;
-
-	/* Extract the length, and check it for sanity. */
-	len = get_u32(buf);
-	if (len > MAX_AGENT_REPLY_LEN)
-		return SSH_ERR_INVALID_FORMAT;
-
-	/* Read the rest of the response in to the buffer. */
-	sshbuf_reset(reply);
-	while (len > 0) {
-		l = len;
-		if (l > sizeof(buf))
-			l = sizeof(buf);
-		if (atomicio(read, sock, buf, l) != l)
-			return SSH_ERR_AGENT_COMMUNICATION;
-		if ((r = sshbuf_put(reply, buf, l)) != 0)
-			return r;
-		len -= l;
-	}
-	return 0;
-}
-
-/*
- * Closes the agent socket if it should be closed (depends on how it was
- * obtained).  The argument must have been returned by
- * ssh_get_authentication_socket().
- */
-void
-ssh_close_authentication_socket(int sock)
-{
-	if (getenv(SSH_AUTHSOCKET_ENV_NAME))
-		close(sock);
-}
-
-/* Lock/unlock agent */
-int
-ssh_lock_agent(int sock, int lock, const char *password)
-{
-	int r;
-	u_char type = lock ? SSH_AGENTC_LOCK : SSH_AGENTC_UNLOCK;
-	struct sshbuf *msg;
-
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, type)) != 0 ||
-	    (r = sshbuf_put_cstring(msg, password)) != 0)
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	r = decode_reply(type);
- out:
-	sshbuf_free(msg);
-	return r;
-}
-
-#ifdef WITH_SSH1
-static int
-deserialise_identity1(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
-{
-	struct sshkey *key;
-	int r, keybits;
-	u_int32_t bits;
-	char *comment = NULL;
-
-	if ((key = sshkey_new(KEY_RSA1)) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_get_u32(ids, &bits)) != 0 ||
-	    (r = sshbuf_get_bignum1(ids, key->rsa->e)) != 0 ||
-	    (r = sshbuf_get_bignum1(ids, key->rsa->n)) != 0 ||
-	    (r = sshbuf_get_cstring(ids, &comment, NULL)) != 0)
-		goto out;
-	keybits = BN_num_bits(key->rsa->n);
-	/* XXX previously we just warned here. I think we should be strict */
-	if (keybits < 0 || bits != (u_int)keybits) {
-		r = SSH_ERR_KEY_BITS_MISMATCH;
-		goto out;
-	}
-	if (keyp != NULL) {
-		*keyp = key;
-		key = NULL;
-	}
-	if (commentp != NULL) {
-		*commentp = comment;
-		comment = NULL;
-	}
-	r = 0;
- out:
-	sshkey_free(key);
-	free(comment);
-	return r;
-}
-#endif
-
-static int
-deserialise_identity2(struct sshbuf *ids, struct sshkey **keyp, char **commentp)
-{
-	int r;
-	char *comment = NULL;
-	const u_char *blob;
-	size_t blen;
-
-	if ((r = sshbuf_get_string_direct(ids, &blob, &blen)) != 0 ||
-	    (r = sshbuf_get_cstring(ids, &comment, NULL)) != 0)
-		goto out;
-	if ((r = sshkey_from_blob(blob, blen, keyp)) != 0)
-		goto out;
-	if (commentp != NULL) {
-		*commentp = comment;
-		comment = NULL;
-	}
-	r = 0;
- out:
-	free(comment);
-	return r;
-}
-
-/*
- * Fetch list of identities held by the agent.
- */
-int
-ssh_fetch_identitylist(int sock, int version, struct ssh_identitylist **idlp)
-{
-	u_char type, code1 = 0, code2 = 0;
-	u_int32_t num, i;
-	struct sshbuf *msg;
-	struct ssh_identitylist *idl = NULL;
-	int r;
-
-	/* Determine request and expected response types */
-	switch (version) {
-	case 1:
-		code1 = SSH_AGENTC_REQUEST_RSA_IDENTITIES;
-		code2 = SSH_AGENT_RSA_IDENTITIES_ANSWER;
-		break;
-	case 2:
-		code1 = SSH2_AGENTC_REQUEST_IDENTITIES;
-		code2 = SSH2_AGENT_IDENTITIES_ANSWER;
-		break;
-	default:
-		return SSH_ERR_INVALID_ARGUMENT;
-	}
-
-	/*
-	 * Send a message to the agent requesting for a list of the
-	 * identities it can represent.
-	 */
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, code1)) != 0)
-		goto out;
-
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-
-	/* Get message type, and verify that we got a proper answer. */
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	if (agent_failed(type)) {
-		r = SSH_ERR_AGENT_FAILURE;
-		goto out;
-	} else if (type != code2) {
-		r = SSH_ERR_INVALID_FORMAT;
-		goto out;
-	}
-
-	/* Get the number of entries in the response and check it for sanity. */
-	if ((r = sshbuf_get_u32(msg, &num)) != 0)
-		goto out;
-	if (num > MAX_AGENT_IDENTITIES) {
-		r = SSH_ERR_INVALID_FORMAT;
-		goto out;
-	}
-	if (num == 0) {
-		r = SSH_ERR_AGENT_NO_IDENTITIES;
-		goto out;
-	}
-
-	/* Deserialise the response into a list of keys/comments */
-	if ((idl = calloc(1, sizeof(*idl))) == NULL ||
-	    (idl->keys = calloc(num, sizeof(*idl->keys))) == NULL ||
-	    (idl->comments = calloc(num, sizeof(*idl->comments))) == NULL) {
-		r = SSH_ERR_ALLOC_FAIL;
-		goto out;
-	}
-	for (i = 0; i < num;) {
-		switch (version) {
-		case 1:
-#ifdef WITH_SSH1
-			if ((r = deserialise_identity1(msg,
-			    &(idl->keys[i]), &(idl->comments[i]))) != 0)
-				goto out;
-#endif
-			break;
-		case 2:
-			if ((r = deserialise_identity2(msg,
-			    &(idl->keys[i]), &(idl->comments[i]))) != 0) {
-				if (r == SSH_ERR_KEY_TYPE_UNKNOWN) {
-					/* Gracefully skip unknown key types */
-					num--;
-					continue;
-				} else
-					goto out;
-			}
-			break;
-		}
-		i++;
-	}
-	idl->nkeys = num;
-	*idlp = idl;
-	idl = NULL;
-	r = 0;
- out:
-	sshbuf_free(msg);
-	if (idl != NULL)
-		ssh_free_identitylist(idl);
-	return r;
-}
-
-void
-ssh_free_identitylist(struct ssh_identitylist *idl)
-{
-	size_t i;
-
-	if (idl == NULL)
-		return;
-	for (i = 0; i < idl->nkeys; i++) {
-		if (idl->keys != NULL)
-			sshkey_free(idl->keys[i]);
-		if (idl->comments != NULL)
-			free(idl->comments[i]);
-	}
-	free(idl);
-}
-
-/*
- * Sends a challenge (typically from a server via ssh(1)) to the agent,
- * and waits for a response from the agent.
- * Returns true (non-zero) if the agent gave the correct answer, zero
- * otherwise.
- */
-
-#ifdef WITH_SSH1
-int
-ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
-    u_char session_id[16], u_char response[16])
-{
-	struct sshbuf *msg;
-	int r;
-	u_char type;
-
-	if (key->type != KEY_RSA1)
-		return SSH_ERR_INVALID_ARGUMENT;
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, SSH_AGENTC_RSA_CHALLENGE)) != 0 ||
-	    (r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 ||
-	    (r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 ||
-	    (r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0 ||
-	    (r = sshbuf_put_bignum1(msg, challenge)) != 0 ||
-	    (r = sshbuf_put(msg, session_id, 16)) != 0 ||
-	    (r = sshbuf_put_u32(msg, 1)) != 0) /* Response type for proto 1.1 */
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	if (agent_failed(type)) {
-		r = SSH_ERR_AGENT_FAILURE;
-		goto out;
-	} else if (type != SSH_AGENT_RSA_RESPONSE) {
-		r = SSH_ERR_INVALID_FORMAT;
-		goto out;
-	}
-	if ((r = sshbuf_get(msg, response, 16)) != 0)
-		goto out;
-	r = 0;
- out:
-	sshbuf_free(msg);
-	return r;
-}
-#endif
-
-/* ask agent to sign data, returns err.h code on error, 0 on success */
-int
-ssh_agent_sign(int sock, struct sshkey *key,
-    u_char **sigp, size_t *lenp,
-    const u_char *data, size_t datalen, u_int compat)
-{
-	struct sshbuf *msg;
-	u_char *blob = NULL, type;
-	size_t blen = 0, len = 0;
-	u_int flags = 0;
-	int r = SSH_ERR_INTERNAL_ERROR;
-
-	*sigp = NULL;
-	*lenp = 0;
-
-	if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
-		return SSH_ERR_INVALID_ARGUMENT;
-	if (compat & SSH_BUG_SIGBLOB)
-		flags |= SSH_AGENT_OLD_SIGNATURE;
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
-		goto out;
-	if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
-	    (r = sshbuf_put_string(msg, blob, blen)) != 0 ||
-	    (r = sshbuf_put_string(msg, data, datalen)) != 0 ||
-	    (r = sshbuf_put_u32(msg, flags)) != 0)
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg) != 0))
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	if (agent_failed(type)) {
-		r = SSH_ERR_AGENT_FAILURE;
-		goto out;
-	} else if (type != SSH2_AGENT_SIGN_RESPONSE) {
-		r = SSH_ERR_INVALID_FORMAT;
-		goto out;
-	}
-	if ((r = sshbuf_get_string(msg, sigp, &len)) != 0)
-		goto out;
-	*lenp = len;
-	r = 0;
- out:
-	if (blob != NULL) {
-		explicit_bzero(blob, blen);
-		free(blob);
-	}
-	sshbuf_free(msg);
-	return r;
-}
-
-/* Encode key for a message to the agent. */
-
-#ifdef WITH_SSH1
-static int
-ssh_encode_identity_rsa1(struct sshbuf *b, RSA *key, const char *comment)
-{
-	int r;
-
-	/* To keep within the protocol: p < q for ssh. in SSL p > q */
-	if ((r = sshbuf_put_u32(b, BN_num_bits(key->n))) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->n)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->e)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->d)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->iqmp)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->q)) != 0 ||
-	    (r = sshbuf_put_bignum1(b, key->p)) != 0 ||
-	    (r = sshbuf_put_cstring(b, comment)) != 0)
-		return r;
-	return 0;
-}
-#endif
-
-static int
-ssh_encode_identity_ssh2(struct sshbuf *b, struct sshkey *key,
-    const char *comment)
-{
-	int r;
-
-	if ((r = sshkey_private_serialize(key, b)) != 0 ||
-	    (r = sshbuf_put_cstring(b, comment)) != 0)
-		return r;
-	return 0;
-}
-
-static int
-encode_constraints(struct sshbuf *m, u_int life, u_int confirm)
-{
-	int r;
-
-	if (life != 0) {
-		if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_LIFETIME)) != 0 ||
-		    (r = sshbuf_put_u32(m, life)) != 0)
-			goto out;
-	}
-	if (confirm != 0) {
-		if ((r = sshbuf_put_u8(m, SSH_AGENT_CONSTRAIN_CONFIRM)) != 0)
-			goto out;
-	}
-	r = 0;
- out:
-	return r;
-}
-
-/*
- * Adds an identity to the authentication server.
- * This call is intended only for use by ssh-add(1) and like applications.
- */
-int
-ssh_add_identity_constrained(int sock, struct sshkey *key, const char *comment,
-    u_int life, u_int confirm)
-{
-	struct sshbuf *msg;
-	int r, constrained = (life || confirm);
-	u_char type;
-
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-
-	switch (key->type) {
-#ifdef WITH_SSH1
-	case KEY_RSA1:
-		type = constrained ?
-		    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
-		    SSH_AGENTC_ADD_RSA_IDENTITY;
-		if ((r = sshbuf_put_u8(msg, type)) != 0 ||
-		    (r = ssh_encode_identity_rsa1(msg, key->rsa, comment)) != 0)
-			goto out;
-		break;
-#endif
-#ifdef WITH_OPENSSL
-	case KEY_RSA:
-	case KEY_RSA_CERT:
-	case KEY_DSA:
-	case KEY_DSA_CERT:
-	case KEY_ECDSA:
-	case KEY_ECDSA_CERT:
-#endif
-	case KEY_ED25519:
-	case KEY_ED25519_CERT:
-		type = constrained ?
-		    SSH2_AGENTC_ADD_ID_CONSTRAINED :
-		    SSH2_AGENTC_ADD_IDENTITY;
-		if ((r = sshbuf_put_u8(msg, type)) != 0 ||
-		    (r = ssh_encode_identity_ssh2(msg, key, comment)) != 0)
-			goto out;
-		break;
-	default:
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto out;
-	}
-	if (constrained &&
-	    (r = encode_constraints(msg, life, confirm)) != 0)
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	r = decode_reply(type);
- out:
-	sshbuf_free(msg);
-	return r;
-}
-
-/*
- * Removes an identity from the authentication server.
- * This call is intended only for use by ssh-add(1) and like applications.
- */
-int
-ssh_remove_identity(int sock, struct sshkey *key)
-{
-	struct sshbuf *msg;
-	int r;
-	u_char type, *blob = NULL;
-	size_t blen;
-
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-
-#ifdef WITH_SSH1
-	if (key->type == KEY_RSA1) {
-		if ((r = sshbuf_put_u8(msg,
-		    SSH_AGENTC_REMOVE_RSA_IDENTITY)) != 0 ||
-		    (r = sshbuf_put_u32(msg, BN_num_bits(key->rsa->n))) != 0 ||
-		    (r = sshbuf_put_bignum1(msg, key->rsa->e)) != 0 ||
-		    (r = sshbuf_put_bignum1(msg, key->rsa->n)) != 0)
-			goto out;
-	} else
-#endif
-	if (key->type != KEY_UNSPEC) {
-		if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
-			goto out;
-		if ((r = sshbuf_put_u8(msg,
-		    SSH2_AGENTC_REMOVE_IDENTITY)) != 0 ||
-		    (r = sshbuf_put_string(msg, blob, blen)) != 0)
-			goto out;
-	} else {
-		r = SSH_ERR_INVALID_ARGUMENT;
-		goto out;
-	}
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	r = decode_reply(type);
- out:
-	if (blob != NULL) {
-		explicit_bzero(blob, blen);
-		free(blob);
-	}
-	sshbuf_free(msg);
-	return r;
-}
-
-/*
- * Add/remove an token-based identity from the authentication server.
- * This call is intended only for use by ssh-add(1) and like applications.
- */
-int
-ssh_update_card(int sock, int add, const char *reader_id, const char *pin,
-    u_int life, u_int confirm)
-{
-	struct sshbuf *msg;
-	int r, constrained = (life || confirm);
-	u_char type;
-
-	if (add) {
-		type = constrained ?
-		    SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED :
-		    SSH_AGENTC_ADD_SMARTCARD_KEY;
-	} else
-		type = SSH_AGENTC_REMOVE_SMARTCARD_KEY;
-
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, type)) != 0 ||
-	    (r = sshbuf_put_cstring(msg, reader_id)) != 0 ||
-	    (r = sshbuf_put_cstring(msg, pin)) != 0)
-		goto out;
-	if (constrained &&
-	    (r = encode_constraints(msg, life, confirm)) != 0)
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	r = decode_reply(type);
- out:
-	sshbuf_free(msg);
-	return r;
-}
-
-/*
- * Removes all identities from the agent.
- * This call is intended only for use by ssh-add(1) and like applications.
- */
-int
-ssh_remove_all_identities(int sock, int version)
-{
-	struct sshbuf *msg;
-	u_char type = (version == 1) ?
-	    SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES :
-	    SSH2_AGENTC_REMOVE_ALL_IDENTITIES;
-	int r;
-
-	if ((msg = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u8(msg, type)) != 0)
-		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
-		goto out;
-	if ((r = sshbuf_get_u8(msg, &type)) != 0)
-		goto out;
-	r = decode_reply(type);
- out:
-	sshbuf_free(msg);
-	return r;
-}
--- a/authfd.h
+++ b/authfd.h
@ -1,90 +0,0 @@
-/* $OpenBSD: authfd.h,v 1.38 2015/01/14 20:05:27 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions to interface with the SSH_AUTHENTICATION_FD socket.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#ifndef AUTHFD_H
-#define AUTHFD_H
-
-/* List of identities returned by ssh_fetch_identitylist() */
-struct ssh_identitylist {
-	size_t nkeys;
-	struct sshkey **keys;
-	char **comments;
-};
-
-int	ssh_get_authentication_socket(int *fdp);
-void	ssh_close_authentication_socket(int sock);
-
-int	ssh_lock_agent(int sock, int lock, const char *password);
-int	ssh_fetch_identitylist(int sock, int version,
-	    struct ssh_identitylist **idlp);
-void	ssh_free_identitylist(struct ssh_identitylist *idl);
-int	ssh_add_identity_constrained(int sock, struct sshkey *key,
-	    const char *comment, u_int life, u_int confirm);
-int	ssh_remove_identity(int sock, struct sshkey *key);
-int	ssh_update_card(int sock, int add, const char *reader_id,
-	    const char *pin, u_int life, u_int confirm);
-int	ssh_remove_all_identities(int sock, int version);
-
-int	ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
-	    u_char session_id[16], u_char response[16]);
-int	ssh_agent_sign(int sock, struct sshkey *key,
-	    u_char **sigp, size_t *lenp,
-	    const u_char *data, size_t datalen, u_int compat);
-
-/* Messages for the authentication agent connection. */
-#define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
-#define SSH_AGENT_RSA_IDENTITIES_ANSWER		2
-#define SSH_AGENTC_RSA_CHALLENGE		3
-#define SSH_AGENT_RSA_RESPONSE			4
-#define SSH_AGENT_FAILURE			5
-#define SSH_AGENT_SUCCESS			6
-#define SSH_AGENTC_ADD_RSA_IDENTITY		7
-#define SSH_AGENTC_REMOVE_RSA_IDENTITY		8
-#define SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES	9
-
-/* private OpenSSH extensions for SSH2 */
-#define SSH2_AGENTC_REQUEST_IDENTITIES		11
-#define SSH2_AGENT_IDENTITIES_ANSWER		12
-#define SSH2_AGENTC_SIGN_REQUEST		13
-#define SSH2_AGENT_SIGN_RESPONSE		14
-#define SSH2_AGENTC_ADD_IDENTITY		17
-#define SSH2_AGENTC_REMOVE_IDENTITY		18
-#define SSH2_AGENTC_REMOVE_ALL_IDENTITIES	19
-
-/* smartcard */
-#define SSH_AGENTC_ADD_SMARTCARD_KEY		20
-#define SSH_AGENTC_REMOVE_SMARTCARD_KEY		21
-
-/* lock/unlock the agent */
-#define SSH_AGENTC_LOCK				22
-#define SSH_AGENTC_UNLOCK			23
-
-/* add key with constraints */
-#define SSH_AGENTC_ADD_RSA_ID_CONSTRAINED	24
-#define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
-#define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
-
-#define	SSH_AGENT_CONSTRAIN_LIFETIME		1
-#define	SSH_AGENT_CONSTRAIN_CONFIRM		2
-
-/* extended failure messages */
-#define SSH2_AGENT_FAILURE			30
-
-/* additional error code for ssh.com's ssh-agent2 */
-#define SSH_COM_AGENT2_FAILURE			102
-
-#define	SSH_AGENT_OLD_SIGNATURE			0x01
-
-#endif				/* AUTHFD_H */
--- a/authfile.c
+++ b/authfile.c
@ -1,590 +0,0 @@
-/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */
-/*
- * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/stat.h>
-#include <sys/uio.h>
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdarg.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-#include <limits.h>
-
-#include "cipher.h"
-#include "ssh.h"
-#include "log.h"
-#include "authfile.h"
-#include "rsa.h"
-#include "misc.h"
-#include "atomicio.h"
-#include "sshkey.h"
-#include "sshbuf.h"
-#include "ssherr.h"
-#include "krl.h"
-
-#define MAX_KEY_FILE_SIZE	(1024 * 1024)
-
-/* Save a key blob to a file */
-static int
-sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
-{
-	int fd, oerrno;
-
-	if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
-		return SSH_ERR_SYSTEM_ERROR;
-	if (atomicio(vwrite, fd, (u_char *)sshbuf_ptr(keybuf),
-	    sshbuf_len(keybuf)) != sshbuf_len(keybuf)) {
-		oerrno = errno;
-		close(fd);
-		unlink(filename);
-		errno = oerrno;
-		return SSH_ERR_SYSTEM_ERROR;
-	}
-	close(fd);
-	return 0;
-}
-
-int
-sshkey_save_private(struct sshkey *key, const char *filename,
-    const char *passphrase, const char *comment,
-    int force_new_format, const char *new_format_cipher, int new_format_rounds)
-{
-	struct sshbuf *keyblob = NULL;
-	int r;
-
-	if ((keyblob = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
-	    force_new_format, new_format_cipher, new_format_rounds)) != 0)
-		goto out;
-	if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
-		goto out;
-	r = 0;
- out:
-	sshbuf_free(keyblob);
-	return r;
-}
-
-/* Load a key from a fd into a buffer */
-int
-sshkey_load_file(int fd, struct sshbuf *blob)
-{
-	u_char buf[1024];
-	size_t len;
-	struct stat st;
-	int r;
-
-	if (fstat(fd, &st) < 0)
-		return SSH_ERR_SYSTEM_ERROR;
-	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
-	    st.st_size > MAX_KEY_FILE_SIZE)
-		return SSH_ERR_INVALID_FORMAT;
-	for (;;) {
-		if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
-			if (errno == EPIPE)
-				break;
-			r = SSH_ERR_SYSTEM_ERROR;
-			goto out;
-		}
-		if ((r = sshbuf_put(blob, buf, len)) != 0)
-			goto out;
-		if (sshbuf_len(blob) > MAX_KEY_FILE_SIZE) {
-			r = SSH_ERR_INVALID_FORMAT;
-			goto out;
-		}
-	}
-#ifndef WIN32_FIXME
-	if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
-	    st.st_size != (off_t)sshbuf_len(blob)) {
-		r = SSH_ERR_FILE_CHANGED;
-		goto out;
-	}
-#endif
-	r = 0;
-
- out:
-	explicit_bzero(buf, sizeof(buf));
-	if (r != 0)
-		sshbuf_reset(blob);
-	return r;
-}
-
-#ifdef WITH_SSH1
-/*
- * Loads the public part of the ssh v1 key file.  Returns NULL if an error was
- * encountered (the file does not exist or is not readable), and the key
- * otherwise.
- */
-static int
-sshkey_load_public_rsa1(int fd, struct sshkey **keyp, char **commentp)
-{
-	struct sshbuf *b = NULL;
-	int r;
-
-	*keyp = NULL;
-	if (commentp != NULL)
-		*commentp = NULL;
-
-	if ((b = sshbuf_new()) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshkey_load_file(fd, b)) != 0)
-		goto out;
-	if ((r = sshkey_parse_public_rsa1_fileblob(b, keyp, commentp)) != 0)
-		goto out;
-	r = 0;
- out:
-	sshbuf_free(b);
-	return r;
-}
-#endif /* WITH_SSH1 */
-
-/* XXX remove error() calls from here? */
-int
-sshkey_perm_ok(int fd, const char *filename)
-{
-	struct stat st;
-
-	if (fstat(fd, &st) < 0)
-		return SSH_ERR_SYSTEM_ERROR;
-	/*
-	 * if a key owned by the user is accessed, then we check the
-	 * permissions of the file. if the key owned by a different user,
-	 * then we don't care.
-	 */
-#ifdef HAVE_CYGWIN
-	if (check_ntsec(filename))
-#endif
-
-#ifndef WIN32_FIXME
-	if ((st.st_uid == getuid()) && (st.st_mode & 077) != 0) {
-		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-		error("@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @");
-		error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
-		error("Permissions 0%3.3o for '%s' are too open.",
-		    (u_int)st.st_mode & 0777, filename);
-		error("It is required that your private key files are NOT accessible by others.");
-		error("This private key will be ignored.");
-		return SSH_ERR_KEY_BAD_PERMISSIONS;
-	}
-#endif /* ifndef WIN32_FIXME */
-	return 0;
-}
-
-/* XXX kill perm_ok now that we have SSH_ERR_KEY_BAD_PERMISSIONS? */
-int
-sshkey_load_private_type(int type, const char *filename, const char *passphrase,
-    struct sshkey **keyp, char **commentp, int *perm_ok)
-{
-	int fd, r;
-
-	*keyp = NULL;
-	if (commentp != NULL)
-		*commentp = NULL;
-
-#ifdef WIN32_FIXME
-	if ((fd = open(filename, O_RDONLY | O_BINARY)) < 0) {
-#else
-	if ((fd = open(filename, O_RDONLY)) < 0) {
-#endif
-	
-		if (perm_ok != NULL)
-			*perm_ok = 0;
-		return SSH_ERR_SYSTEM_ERROR;
-	}
-	if (sshkey_perm_ok(fd, filename) != 0) {
-		if (perm_ok != NULL)
-			*perm_ok = 0;
-		r = SSH_ERR_KEY_BAD_PERMISSIONS;
-		goto out;
-	}
-	if (perm_ok != NULL)
-		*perm_ok = 1;
-
-	r = sshkey_load_private_type_fd(fd, type, passphrase, keyp, commentp);
- out:
-	close(fd);
-	return r;
-}
-
-int
-sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
-    struct sshkey **keyp, char **commentp)
-{
-	struct sshbuf *buffer = NULL;
-	int r;
-
-	if ((buffer = sshbuf_new()) == NULL) {
-		r = SSH_ERR_ALLOC_FAIL;
-		goto out;
-	}
-	if ((r = sshkey_load_file(fd, buffer)) != 0 ||
-	    (r = sshkey_parse_private_fileblob_type(buffer, type,
-	    passphrase, keyp, commentp)) != 0)
-		goto out;
-
-	/* success */
-	r = 0;
- out:
-	if (buffer != NULL)
-		sshbuf_free(buffer);
-	return r;
-}
-
-/* XXX this is almost identical to sshkey_load_private_type() */
-int
-sshkey_load_private(const char *filename, const char *passphrase,
-    struct sshkey **keyp, char **commentp)
-{
-	struct sshbuf *buffer = NULL;
-	int r, fd;
-
-	*keyp = NULL;
-	if (commentp != NULL)
-		*commentp = NULL;
-
-	if ((fd = open(filename, O_RDONLY)) < 0)
-		return SSH_ERR_SYSTEM_ERROR;
-	if (sshkey_perm_ok(fd, filename) != 0) {
-		r = SSH_ERR_KEY_BAD_PERMISSIONS;
-		goto out;
-	}
-
-	if ((buffer = sshbuf_new()) == NULL) {
-		r = SSH_ERR_ALLOC_FAIL;
-		goto out;
-	}
-	if ((r = sshkey_load_file(fd, buffer)) != 0 ||
-	    (r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
-	    keyp, commentp)) != 0)
-		goto out;
-	r = 0;
- out:
-	close(fd);
-	if (buffer != NULL)
-		sshbuf_free(buffer);
-	return r;
-}
-
-static int
-sshkey_try_load_public(struct sshkey *k, const char *filename, char **commentp)
-{
-	FILE *f;
-	char line[SSH_MAX_PUBKEY_BYTES];
-	char *cp;
-	u_long linenum = 0;
-	int r;
-
-	if (commentp != NULL)
-		*commentp = NULL;
-	if ((f = fopen(filename, "r")) == NULL)
-		return SSH_ERR_SYSTEM_ERROR;
-	while (read_keyfile_line(f, filename, line, sizeof(line),
-		    &linenum) != -1) {
-		cp = line;
-		switch (*cp) {
-		case '#':
-		case '\n':
-		case '\0':
-			continue;
-		}
-		/* Abort loading if this looks like a private key */
-		if (strncmp(cp, "-----BEGIN", 10) == 0 ||
-		    strcmp(cp, "SSH PRIVATE KEY FILE") == 0)
-			break;
-		/* Skip leading whitespace. */
-		for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
-			;
-		if (*cp) {
-			if ((r = sshkey_read(k, &cp)) == 0) {
-				cp[strcspn(cp, "\r\n")] = '\0';
-				if (commentp) {
-					*commentp = strdup(*cp ?
-					    cp : filename);
-					if (*commentp == NULL)
-						r = SSH_ERR_ALLOC_FAIL;
-				}
-				fclose(f);
-				return r;
-			}
-		}
-	}
-	fclose(f);
-	return SSH_ERR_INVALID_FORMAT;
-}
-
-/* load public key from ssh v1 private or any pubkey file */
-int
-sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
-{
-	struct sshkey *pub = NULL;
-	char file[PATH_MAX];
-	int r, fd;
-
-	if (keyp != NULL)
-		*keyp = NULL;
-	if (commentp != NULL)
-		*commentp = NULL;
-
-	/* XXX should load file once and attempt to parse each format */
-
-	if ((fd = open(filename, O_RDONLY)) < 0)
-		goto skip;
-#ifdef WITH_SSH1
-	/* try rsa1 private key */
-	r = sshkey_load_public_rsa1(fd, keyp, commentp);
-	close(fd);
-	switch (r) {
-	case SSH_ERR_INTERNAL_ERROR:
-	case SSH_ERR_ALLOC_FAIL:
-	case SSH_ERR_INVALID_ARGUMENT:
-	case SSH_ERR_SYSTEM_ERROR:
-	case 0:
-		return r;
-	}
-#else /* WITH_SSH1 */
-	close(fd);
-#endif /* WITH_SSH1 */
-
-	/* try ssh2 public key */
-	if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
-		if (keyp != NULL)
-			*keyp = pub;
-		return 0;
-	}
-	sshkey_free(pub);
-
-#ifdef WITH_SSH1
-	/* try rsa1 public key */
-	if ((pub = sshkey_new(KEY_RSA1)) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
-		if (keyp != NULL)
-			*keyp = pub;
-		return 0;
-	}
-	sshkey_free(pub);
-#endif /* WITH_SSH1 */
-
- skip:
-	/* try .pub suffix */
-	if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
-		return SSH_ERR_ALLOC_FAIL;
-	r = SSH_ERR_ALLOC_FAIL;	/* in case strlcpy or strlcat fail */
-	if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
-	    (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
-	    (r = sshkey_try_load_public(pub, file, commentp)) == 0) {
-		if (keyp != NULL)
-			*keyp = pub;
-		return 0;
-	}
-	sshkey_free(pub);
-
-	return r;
-}
-
-/* Load the certificate associated with the named private key */
-int
-sshkey_load_cert(const char *filename, struct sshkey **keyp)
-{
-	struct sshkey *pub = NULL;
-	char *file = NULL;
-	int r = SSH_ERR_INTERNAL_ERROR;
-
-	*keyp = NULL;
-
-	if (asprintf(&file, "%s-cert.pub", filename) == -1)
-		return SSH_ERR_ALLOC_FAIL;
-
-	if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
-		goto out;
-	}
-	if ((r = sshkey_try_load_public(pub, file, NULL)) != 0)
-		goto out;
-
-	*keyp = pub;
-	pub = NULL;
-	r = 0;
-
- out:
-	if (file != NULL)
-		free(file);
-	if (pub != NULL)
-		sshkey_free(pub);
-	return r;
-}
-
-/* Load private key and certificate */
-int
-sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
-    struct sshkey **keyp, int *perm_ok)
-{
-	struct sshkey *key = NULL, *cert = NULL;
-	int r;
-
-	*keyp = NULL;
-
-	switch (type) {
-#ifdef WITH_OPENSSL
-	case KEY_RSA:
-	case KEY_DSA:
-	case KEY_ECDSA:
-#endif /* WITH_OPENSSL */
-	case KEY_ED25519:
-	case KEY_UNSPEC:
-		break;
-	default:
-		return SSH_ERR_KEY_TYPE_UNKNOWN;
-	}
-
-	if ((r = sshkey_load_private_type(type, filename,
-	    passphrase, &key, NULL, perm_ok)) != 0 ||
-	    (r = sshkey_load_cert(filename, &cert)) != 0)
-		goto out;
-
-	/* Make sure the private key matches the certificate */
-	if (sshkey_equal_public(key, cert) == 0) {
-		r = SSH_ERR_KEY_CERT_MISMATCH;
-		goto out;
-	}
-
-	if ((r = sshkey_to_certified(key)) != 0 ||
-	    (r = sshkey_cert_copy(cert, key)) != 0)
-		goto out;
-	r = 0;
-	*keyp = key;
-	key = NULL;
- out:
-	if (key != NULL)
-		sshkey_free(key);
-	if (cert != NULL)
-		sshkey_free(cert);
-	return r;
-}
-
-/*
- * Returns success if the specified "key" is listed in the file "filename",
- * SSH_ERR_KEY_NOT_FOUND: if the key is not listed or another error.
- * If "strict_type" is set then the key type must match exactly,
- * otherwise a comparison that ignores certficiate data is performed.
- * If "check_ca" is set and "key" is a certificate, then its CA key is
- * also checked and sshkey_in_file() will return success if either is found.
- */
-int
-sshkey_in_file(struct sshkey *key, const char *filename, int strict_type,
-    int check_ca)
-{
-	FILE *f;
-	char line[SSH_MAX_PUBKEY_BYTES];
-	char *cp;
-	u_long linenum = 0;
-	int r = 0;
-	struct sshkey *pub = NULL;
-	int (*sshkey_compare)(const struct sshkey *, const struct sshkey *) =
-	    strict_type ?  sshkey_equal : sshkey_equal_public;
-
-	if ((f = fopen(filename, "r")) == NULL)
-		return SSH_ERR_SYSTEM_ERROR;
-
-	while (read_keyfile_line(f, filename, line, sizeof(line),
-	    &linenum) != -1) {
-		cp = line;
-
-		/* Skip leading whitespace. */
-		for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
-			;
-
-		/* Skip comments and empty lines */
-		switch (*cp) {
-		case '#':
-		case '\n':
-		case '\0':
-			continue;
-		}
-
-		if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
-			r = SSH_ERR_ALLOC_FAIL;
-			goto out;
-		}
-		if ((r = sshkey_read(pub, &cp)) != 0)
-			goto out;
-		if (sshkey_compare(key, pub) ||
-		    (check_ca && sshkey_is_cert(key) &&
-		    sshkey_compare(key->cert->signature_key, pub))) {
-			r = 0;
-			goto out;
-		}
-		sshkey_free(pub);
-		pub = NULL;
-	}
-	r = SSH_ERR_KEY_NOT_FOUND;
- out:
-	if (pub != NULL)
-		sshkey_free(pub);
-	fclose(f);
-	return r;
-}
-
-/*
- * Checks whether the specified key is revoked, returning 0 if not,
- * SSH_ERR_KEY_REVOKED if it is or another error code if something
- * unexpected happened.
- * This will check both the key and, if it is a certificate, its CA key too.
- * "revoked_keys_file" may be a KRL or a one-per-line list of public keys.
- */
-int
-sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file)
-{
-	int r;
-
-	r = ssh_krl_file_contains_key(revoked_keys_file, key);
-	/* If this was not a KRL to begin with then continue below */
-	if (r != SSH_ERR_KRL_BAD_MAGIC)
-		return r;
-
-	/*
-	 * If the file is not a KRL or we can't handle KRLs then attempt to
-	 * parse the file as a flat list of keys.
-	 */
-	switch ((r = sshkey_in_file(key, revoked_keys_file, 0, 1))) {
-	case 0:
-		/* Key found => revoked */
-		return SSH_ERR_KEY_REVOKED;
-	case SSH_ERR_KEY_NOT_FOUND:
-		/* Key not found => not revoked */
-		return 0;
-	default:
-		/* Some other error occurred */
-		return r;
-	}
-}
-
--- a/authfile.h
+++ b/authfile.h
@ -1,52 +0,0 @@
-/* $OpenBSD: authfile.h,v 1.21 2015/01/08 10:14:08 djm Exp $ */
-
-/*
- * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef AUTHFILE_H
-#define AUTHFILE_H
-
-struct sshbuf;
-struct sshkey;
-
-/* XXX document these */
-/* XXX some of these could probably be merged/retired */
-
-int sshkey_save_private(struct sshkey *, const char *,
-    const char *, const char *, int, const char *, int);
-int sshkey_load_file(int, struct sshbuf *);
-int sshkey_load_cert(const char *, struct sshkey **);
-int sshkey_load_public(const char *, struct sshkey **, char **);
-int sshkey_load_private(const char *, const char *, struct sshkey **, char **);
-int sshkey_load_private_cert(int, const char *, const char *,
-    struct sshkey **, int *);
-int sshkey_load_private_type(int, const char *, const char *,
-    struct sshkey **, char **, int *);
-int sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
-    struct sshkey **keyp, char **commentp);
-int sshkey_perm_ok(int, const char *);
-int sshkey_in_file(struct sshkey *, const char *, int, int);
-int sshkey_check_revoked(struct sshkey *key, const char *revoked_keys_file);
-
-#endif
--- a/bitmap.c
+++ b/bitmap.c
@ -1,212 +0,0 @@
-/*
- * Copyright (c) 2015 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <string.h>
-#include <stdlib.h>
-
-#include "bitmap.h"
-
-#define BITMAP_WTYPE	u_int
-#define BITMAP_MAX	(1<<24)
-#define BITMAP_BYTES	(sizeof(BITMAP_WTYPE))
-#define BITMAP_BITS	(sizeof(BITMAP_WTYPE) * 8)
-#define BITMAP_WMASK	((BITMAP_WTYPE)BITMAP_BITS - 1)
-struct bitmap {
-	BITMAP_WTYPE *d;
-	size_t len; /* number of words allocated */
-	size_t top; /* index of top word allocated */
-};
-
-struct bitmap *
-bitmap_new(void)
-{
-	struct bitmap *ret;
-
-	if ((ret = calloc(1, sizeof(*ret))) == NULL)
-		return NULL;
-	if ((ret->d = calloc(1, BITMAP_BYTES)) == NULL) {
-		free(ret);
-		return NULL;
-	}
-	ret->len = 1;
-	ret->top = 0;
-	return ret;
-}
-
-void
-bitmap_free(struct bitmap *b)
-{
-	if (b != NULL && b->d != NULL) {
-		memset(b->d, 0, b->len);
-		free(b->d);
-	}
-	free(b);
-}
-
-void
-bitmap_zero(struct bitmap *b)
-{
-	memset(b->d, 0, b->len * BITMAP_BYTES);
-	b->top = 0;
-}
-
-int
-bitmap_test_bit(struct bitmap *b, u_int n)
-{
-	if (b->top >= b->len)
-		return 0; /* invalid */
-	if (b->len == 0 || (n / BITMAP_BITS) > b->top)
-		return 0;
-	return (b->d[n / BITMAP_BITS] >> (n & BITMAP_WMASK)) & 1;
-}
-
-static int
-reserve(struct bitmap *b, u_int n)
-{
-	BITMAP_WTYPE *tmp;
-	size_t nlen;
-
-	if (b->top >= b->len || n > BITMAP_MAX)
-		return -1; /* invalid */
-	nlen = (n / BITMAP_BITS) + 1;
-	if (b->len < nlen) {
-		if ((tmp = reallocarray(b->d, nlen, BITMAP_BYTES)) == NULL)
-			return -1;
-		b->d = tmp;
-		memset(b->d + b->len, 0, (nlen - b->len) * BITMAP_BYTES);
-		b->len = nlen;
-	}
-	return 0;
-}
-
-int
-bitmap_set_bit(struct bitmap *b, u_int n)
-{
-	int r;
-	size_t offset;
-
-	if ((r = reserve(b, n)) != 0)
-		return r;
-	offset = n / BITMAP_BITS;
-	if (offset > b->top)
-		b->top = offset;
-	b->d[offset] |= (BITMAP_WTYPE)1 << (n & BITMAP_WMASK);
-	return 0;
-}
-
-/* Resets b->top to point to the most significant bit set in b->d */
-static void
-retop(struct bitmap *b)
-{
-	if (b->top >= b->len)
-		return;
-	while (b->top > 0 && b->d[b->top] == 0)
-		b->top--;
-}
-
-void
-bitmap_clear_bit(struct bitmap *b, u_int n)
-{
-	size_t offset;
-
-	if (b->top >= b->len || n > BITMAP_MAX)
-		return; /* invalid */
-	offset = n / BITMAP_BITS;
-	if (offset > b->top)
-		return;
-	b->d[offset] &= ~((BITMAP_WTYPE)1 << (n & BITMAP_WMASK));
-	/* The top may have changed as a result of the clear */
-	retop(b);
-}
-
-size_t
-bitmap_nbits(struct bitmap *b)
-{
-	size_t bits;
-	BITMAP_WTYPE w;
-
-	retop(b);
-	if (b->top >= b->len)
-		return 0; /* invalid */
-	if (b->len == 0 || (b->top == 0 && b->d[0] == 0))
-		return 0;
-	/* Find MSB set */
-	w = b->d[b->top];
-	bits = (b->top + 1) * BITMAP_BITS;
-	while (!(w & ((BITMAP_WTYPE)1 << (BITMAP_BITS - 1)))) {
-		w <<= 1;
-		bits--;
-	}
-	return bits;
-}
-
-size_t
-bitmap_nbytes(struct bitmap *b)
-{
-	return (bitmap_nbits(b) + 7) / 8;
-}
-
-int
-bitmap_to_string(struct bitmap *b, void *p, size_t l)
-{
-	u_char *s = (u_char *)p;
-	size_t i, j, k, need = bitmap_nbytes(b);
-
-	if (l < need || b->top >= b->len)
-		return -1;
-	if (l > need)
-		l = need;
-	/* Put the bytes from LSB backwards */
-	for (i = k = 0; i < b->top + 1; i++) {
-		for (j = 0; j < BITMAP_BYTES; j++) {
-			if (k >= l)
-				break;
-			s[need - 1 - k++] = (b->d[i] >> (j * 8)) & 0xff;
-		}
-	}
-	return 0;
-}
-
-int
-bitmap_from_string(struct bitmap *b, const void *p, size_t l)
-{
-	int r;
-	size_t i, offset, shift;
-	u_char *s = (u_char *)p;
-
-	if (l > BITMAP_MAX / 8)
-		return -1;
-	if ((r = reserve(b, l * 8)) != 0)
-		return r;
-	bitmap_zero(b);
-	if (l == 0)
-		return 0;
-	b->top = offset = ((l + (BITMAP_BYTES - 1)) / BITMAP_BYTES) - 1;
-	shift = ((l + (BITMAP_BYTES - 1)) % BITMAP_BYTES) * 8;
-	for (i = 0; i < l; i++) {
-		b->d[offset] |= (BITMAP_WTYPE)s[i] << shift;
-		if (shift == 0) {
-			offset--;
-			shift = BITMAP_BITS - 8;
-		} else
-			shift -= 8;
-	}
-	retop(b);
-	return 0;
-}
--- a/bitmap.h
+++ b/bitmap.h
@ -1,56 +0,0 @@
-/*
- * Copyright (c) 2015 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef _BITMAP_H
-#define _BITMAP_H
-
-#include <sys/types.h>
-
-/* Simple bit vector routines */
-
-struct bitmap;
-
-/* Allocate a new bitmap. Returns NULL on allocation failure. */
-struct bitmap *bitmap_new(void);
-
-/* Free a bitmap */
-void bitmap_free(struct bitmap *b);
-
-/* Zero an existing bitmap */
-void bitmap_zero(struct bitmap *b);
-
-/* Test whether a bit is set in a bitmap. */
-int bitmap_test_bit(struct bitmap *b, u_int n);
-
-/* Set a bit in a bitmap. Returns 0 on success or -1 on error */
-int bitmap_set_bit(struct bitmap *b, u_int n);
-
-/* Clear a bit in a bitmap */
-void bitmap_clear_bit(struct bitmap *b, u_int n);
-
-/* Return the number of bits in a bitmap (i.e. the position of the MSB) */
-size_t bitmap_nbits(struct bitmap *b);
-
-/* Return the number of bytes needed to represent a bitmap */
-size_t bitmap_nbytes(struct bitmap *b);
-
-/* Convert a bitmap to a big endian byte string */
-int bitmap_to_string(struct bitmap *b, void *p, size_t l);
-
-/* Convert a big endian byte string to a bitmap */
-int bitmap_from_string(struct bitmap *b, const void *p, size_t l);
-
-#endif /* _BITMAP_H */
--- a/blocks.c
+++ b/blocks.c
@ -1,248 +0,0 @@
-/* $OpenBSD: blocks.c,v 1.3 2013/12/09 11:03:45 markus Exp $ */
-
-/*
- * Public Domain, Author: Daniel J. Bernstein
- * Copied from nacl-20110221/crypto_hashblocks/sha512/ref/blocks.c
- */
-
-#include "includes.h"
-
-#include "crypto_api.h"
-
-typedef unsigned long long uint64;
-
-static uint64 load_bigendian(const unsigned char *x)
-{
-  return
-      (uint64) (x[7]) \
-  | (((uint64) (x[6])) << 8) \
-  | (((uint64) (x[5])) << 16) \
-  | (((uint64) (x[4])) << 24) \
-  | (((uint64) (x[3])) << 32) \
-  | (((uint64) (x[2])) << 40) \
-  | (((uint64) (x[1])) << 48) \
-  | (((uint64) (x[0])) << 56)
-  ;
-}
-
-static void store_bigendian(unsigned char *x,uint64 u)
-{
-  x[7] = u; u >>= 8;
-  x[6] = u; u >>= 8;
-  x[5] = u; u >>= 8;
-  x[4] = u; u >>= 8;
-  x[3] = u; u >>= 8;
-  x[2] = u; u >>= 8;
-  x[1] = u; u >>= 8;
-  x[0] = u;
-}
-
-#define SHR(x,c) ((x) >> (c))
-#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c))))
-
-#define Ch(x,y,z) ((x & y) ^ (~x & z))
-#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z))
-#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39))
-#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41))
-#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7))
-#define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6))
-
-#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0;
-
-#define EXPAND \
-  M(w0 ,w14,w9 ,w1 ) \
-  M(w1 ,w15,w10,w2 ) \
-  M(w2 ,w0 ,w11,w3 ) \
-  M(w3 ,w1 ,w12,w4 ) \
-  M(w4 ,w2 ,w13,w5 ) \
-  M(w5 ,w3 ,w14,w6 ) \
-  M(w6 ,w4 ,w15,w7 ) \
-  M(w7 ,w5 ,w0 ,w8 ) \
-  M(w8 ,w6 ,w1 ,w9 ) \
-  M(w9 ,w7 ,w2 ,w10) \
-  M(w10,w8 ,w3 ,w11) \
-  M(w11,w9 ,w4 ,w12) \
-  M(w12,w10,w5 ,w13) \
-  M(w13,w11,w6 ,w14) \
-  M(w14,w12,w7 ,w15) \
-  M(w15,w13,w8 ,w0 )
-
-#define F(w,k) \
-  T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \
-  T2 = Sigma0(a) + Maj(a,b,c); \
-  h = g; \
-  g = f; \
-  f = e; \
-  e = d + T1; \
-  d = c; \
-  c = b; \
-  b = a; \
-  a = T1 + T2;
-
-int crypto_hashblocks_sha512(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen)
-{
-  uint64 state[8];
-  uint64 a;
-  uint64 b;
-  uint64 c;
-  uint64 d;
-  uint64 e;
-  uint64 f;
-  uint64 g;
-  uint64 h;
-  uint64 T1;
-  uint64 T2;
-
-  a = load_bigendian(statebytes +  0); state[0] = a;
-  b = load_bigendian(statebytes +  8); state[1] = b;
-  c = load_bigendian(statebytes + 16); state[2] = c;
-  d = load_bigendian(statebytes + 24); state[3] = d;
-  e = load_bigendian(statebytes + 32); state[4] = e;
-  f = load_bigendian(statebytes + 40); state[5] = f;
-  g = load_bigendian(statebytes + 48); state[6] = g;
-  h = load_bigendian(statebytes + 56); state[7] = h;
-
-  while (inlen >= 128) {
-    uint64 w0  = load_bigendian(in +   0);
-    uint64 w1  = load_bigendian(in +   8);
-    uint64 w2  = load_bigendian(in +  16);
-    uint64 w3  = load_bigendian(in +  24);
-    uint64 w4  = load_bigendian(in +  32);
-    uint64 w5  = load_bigendian(in +  40);
-    uint64 w6  = load_bigendian(in +  48);
-    uint64 w7  = load_bigendian(in +  56);
-    uint64 w8  = load_bigendian(in +  64);
-    uint64 w9  = load_bigendian(in +  72);
-    uint64 w10 = load_bigendian(in +  80);
-    uint64 w11 = load_bigendian(in +  88);
-    uint64 w12 = load_bigendian(in +  96);
-    uint64 w13 = load_bigendian(in + 104);
-    uint64 w14 = load_bigendian(in + 112);
-    uint64 w15 = load_bigendian(in + 120);
-
-    F(w0 ,0x428a2f98d728ae22ULL)
-    F(w1 ,0x7137449123ef65cdULL)
-    F(w2 ,0xb5c0fbcfec4d3b2fULL)
-    F(w3 ,0xe9b5dba58189dbbcULL)
-    F(w4 ,0x3956c25bf348b538ULL)
-    F(w5 ,0x59f111f1b605d019ULL)
-    F(w6 ,0x923f82a4af194f9bULL)
-    F(w7 ,0xab1c5ed5da6d8118ULL)
-    F(w8 ,0xd807aa98a3030242ULL)
-    F(w9 ,0x12835b0145706fbeULL)
-    F(w10,0x243185be4ee4b28cULL)
-    F(w11,0x550c7dc3d5ffb4e2ULL)
-    F(w12,0x72be5d74f27b896fULL)
-    F(w13,0x80deb1fe3b1696b1ULL)
-    F(w14,0x9bdc06a725c71235ULL)
-    F(w15,0xc19bf174cf692694ULL)
-
-    EXPAND
-
-    F(w0 ,0xe49b69c19ef14ad2ULL)
-    F(w1 ,0xefbe4786384f25e3ULL)
-    F(w2 ,0x0fc19dc68b8cd5b5ULL)
-    F(w3 ,0x240ca1cc77ac9c65ULL)
-    F(w4 ,0x2de92c6f592b0275ULL)
-    F(w5 ,0x4a7484aa6ea6e483ULL)
-    F(w6 ,0x5cb0a9dcbd41fbd4ULL)
-    F(w7 ,0x76f988da831153b5ULL)
-    F(w8 ,0x983e5152ee66dfabULL)
-    F(w9 ,0xa831c66d2db43210ULL)
-    F(w10,0xb00327c898fb213fULL)
-    F(w11,0xbf597fc7beef0ee4ULL)
-    F(w12,0xc6e00bf33da88fc2ULL)
-    F(w13,0xd5a79147930aa725ULL)
-    F(w14,0x06ca6351e003826fULL)
-    F(w15,0x142929670a0e6e70ULL)
-
-    EXPAND
-
-    F(w0 ,0x27b70a8546d22ffcULL)
-    F(w1 ,0x2e1b21385c26c926ULL)
-    F(w2 ,0x4d2c6dfc5ac42aedULL)
-    F(w3 ,0x53380d139d95b3dfULL)
-    F(w4 ,0x650a73548baf63deULL)
-    F(w5 ,0x766a0abb3c77b2a8ULL)
-    F(w6 ,0x81c2c92e47edaee6ULL)
-    F(w7 ,0x92722c851482353bULL)
-    F(w8 ,0xa2bfe8a14cf10364ULL)
-    F(w9 ,0xa81a664bbc423001ULL)
-    F(w10,0xc24b8b70d0f89791ULL)
-    F(w11,0xc76c51a30654be30ULL)
-    F(w12,0xd192e819d6ef5218ULL)
-    F(w13,0xd69906245565a910ULL)
-    F(w14,0xf40e35855771202aULL)
-    F(w15,0x106aa07032bbd1b8ULL)
-
-    EXPAND
-
-    F(w0 ,0x19a4c116b8d2d0c8ULL)
-    F(w1 ,0x1e376c085141ab53ULL)
-    F(w2 ,0x2748774cdf8eeb99ULL)
-    F(w3 ,0x34b0bcb5e19b48a8ULL)
-    F(w4 ,0x391c0cb3c5c95a63ULL)
-    F(w5 ,0x4ed8aa4ae3418acbULL)
-    F(w6 ,0x5b9cca4f7763e373ULL)
-    F(w7 ,0x682e6ff3d6b2b8a3ULL)
-    F(w8 ,0x748f82ee5defb2fcULL)
-    F(w9 ,0x78a5636f43172f60ULL)
-    F(w10,0x84c87814a1f0ab72ULL)
-    F(w11,0x8cc702081a6439ecULL)
-    F(w12,0x90befffa23631e28ULL)
-    F(w13,0xa4506cebde82bde9ULL)
-    F(w14,0xbef9a3f7b2c67915ULL)
-    F(w15,0xc67178f2e372532bULL)
-
-    EXPAND
-
-    F(w0 ,0xca273eceea26619cULL)
-    F(w1 ,0xd186b8c721c0c207ULL)
-    F(w2 ,0xeada7dd6cde0eb1eULL)
-    F(w3 ,0xf57d4f7fee6ed178ULL)
-    F(w4 ,0x06f067aa72176fbaULL)
-    F(w5 ,0x0a637dc5a2c898a6ULL)
-    F(w6 ,0x113f9804bef90daeULL)
-    F(w7 ,0x1b710b35131c471bULL)
-    F(w8 ,0x28db77f523047d84ULL)
-    F(w9 ,0x32caab7b40c72493ULL)
-    F(w10,0x3c9ebe0a15c9bebcULL)
-    F(w11,0x431d67c49c100d4cULL)
-    F(w12,0x4cc5d4becb3e42b6ULL)
-    F(w13,0x597f299cfc657e2aULL)
-    F(w14,0x5fcb6fab3ad6faecULL)
-    F(w15,0x6c44198c4a475817ULL)
-
-    a += state[0];
-    b += state[1];
-    c += state[2];
-    d += state[3];
-    e += state[4];
-    f += state[5];
-    g += state[6];
-    h += state[7];
-  
-    state[0] = a;
-    state[1] = b;
-    state[2] = c;
-    state[3] = d;
-    state[4] = e;
-    state[5] = f;
-    state[6] = g;
-    state[7] = h;
-
-    in += 128;
-    inlen -= 128;
-  }
-
-  store_bigendian(statebytes +  0,state[0]);
-  store_bigendian(statebytes +  8,state[1]);
-  store_bigendian(statebytes + 16,state[2]);
-  store_bigendian(statebytes + 24,state[3]);
-  store_bigendian(statebytes + 32,state[4]);
-  store_bigendian(statebytes + 40,state[5]);
-  store_bigendian(statebytes + 48,state[6]);
-  store_bigendian(statebytes + 56,state[7]);
-
-  return inlen;
-}
--- a/bufaux.c
+++ b/bufaux.c
@ -1,318 +0,0 @@
-/* $OpenBSD: bufaux.c,v 1.60 2014/04/30 05:29:56 djm Exp $ */
-/*
- * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include "buffer.h"
-#include "log.h"
-#include "ssherr.h"
-
-int
-buffer_get_short_ret(u_short *v, Buffer *buffer)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_u16(buffer, v)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-u_short
-buffer_get_short(Buffer *buffer)
-{
-	u_short ret;
-
-	if (buffer_get_short_ret(&ret, buffer) == -1)
-		fatal("%s: buffer error", __func__);
-
-	return (ret);
-}
-
-int
-buffer_get_int_ret(u_int *v, Buffer *buffer)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_u32(buffer, v)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-u_int
-buffer_get_int(Buffer *buffer)
-{
-	u_int ret;
-
-	if (buffer_get_int_ret(&ret, buffer) == -1)
-		fatal("%s: buffer error", __func__);
-
-	return (ret);
-}
-
-int
-buffer_get_int64_ret(u_int64_t *v, Buffer *buffer)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_u64(buffer, v)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-u_int64_t
-buffer_get_int64(Buffer *buffer)
-{
-	u_int64_t ret;
-
-	if (buffer_get_int64_ret(&ret, buffer) == -1)
-		fatal("%s: buffer error", __func__);
-
-	return (ret);
-}
-
-void
-buffer_put_short(Buffer *buffer, u_short value)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_u16(buffer, value)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void
-buffer_put_int(Buffer *buffer, u_int value)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_u32(buffer, value)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void
-buffer_put_int64(Buffer *buffer, u_int64_t value)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_u64(buffer, value)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void *
-buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
-{
-	size_t len;
-	int ret;
-	u_char *value;
-
-	if ((ret = sshbuf_get_string(buffer, &value, &len)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return NULL;
-	}
-	if (length_ptr != NULL)
-		*length_ptr = len;  /* Safe: sshbuf never stores len > 2^31 */
-	return value;
-}
-
-void *
-buffer_get_string(Buffer *buffer, u_int *length_ptr)
-{
-	void *ret;
-
-	if ((ret = buffer_get_string_ret(buffer, length_ptr)) == NULL)
-		fatal("%s: buffer error", __func__);
-	return (ret);
-}
-
-char *
-buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
-{
-	size_t len;
-	int ret;
-	char *value;
-
-	if ((ret = sshbuf_get_cstring(buffer, &value, &len)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return NULL;
-	}
-	if (length_ptr != NULL)
-		*length_ptr = len;  /* Safe: sshbuf never stores len > 2^31 */
-	return value;
-}
-
-char *
-buffer_get_cstring(Buffer *buffer, u_int *length_ptr)
-{
-	char *ret;
-
-	if ((ret = buffer_get_cstring_ret(buffer, length_ptr)) == NULL)
-		fatal("%s: buffer error", __func__);
-	return ret;
-}
-
-const void *
-buffer_get_string_ptr_ret(Buffer *buffer, u_int *length_ptr)
-{
-	size_t len;
-	int ret;
-	const u_char *value;
-
-	if ((ret = sshbuf_get_string_direct(buffer, &value, &len)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return NULL;
-	}
-	if (length_ptr != NULL)
-		*length_ptr = len;  /* Safe: sshbuf never stores len > 2^31 */
-	return value;
-}
-
-const void *
-buffer_get_string_ptr(Buffer *buffer, u_int *length_ptr)
-{
-	const void *ret;
-
-	if ((ret = buffer_get_string_ptr_ret(buffer, length_ptr)) == NULL)
-		fatal("%s: buffer error", __func__);
-	return (ret);
-}
-
-void
-buffer_put_string(Buffer *buffer, const void *buf, u_int len)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_string(buffer, buf, len)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void
-buffer_put_cstring(Buffer *buffer, const char *s)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_cstring(buffer, s)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-int
-buffer_get_char_ret(char *v, Buffer *buffer)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_u8(buffer, (u_char *)v)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-int
-buffer_get_char(Buffer *buffer)
-{
-	char ch;
-
-	if (buffer_get_char_ret(&ch, buffer) == -1)
-		fatal("%s: buffer error", __func__);
-	return (u_char) ch;
-}
-
-void
-buffer_put_char(Buffer *buffer, int value)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_u8(buffer, value)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void
-buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_bignum2_bytes(buffer, s, l)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-#ifdef WIN32_FIXME
-
-/*
- * Pop string UTF8 string from buffer and convert it to Local8.
- * This function guaranty, that data (received in UTF8 from network)
- * are correctly translated to local8 CP used by current thread.
- *
- * WARNING: Returned string MUST be free by caller.
- *
- * b   - Buffer struct to read data (IN).
- * len - length of returned Locla8 string (OUT).
- *
- * RETURNS: Pointer to new allocated Local8 string or NULL if error.
- */
-
-void *buffer_get_string_local8_from_utf8(Buffer *b, u_int *len)
-{
-  char *local8 = NULL;
-  
-  char *utf8 = buffer_get_string(b, len);
-
-  if (utf8)
-  {
-    local8 = CovertUtf8ToLocal8(utf8, -1, len);
-    
-    free(utf8);
-  }
-
-  return local8;
-}  
-
-/*
- * Convert string from Local8 to UTF8 and push it into buffer.
- * This function guaranty, that data stored in local8 CP used by current
- * thread are convert to UTF8 before sent to network.
- *
- * b   - Buffer struct to read data (IN).
- * str - Local8 string to push (IN). 
- * len - size of str size in bytes (IN).      
- *
- */
-  
-void buffer_put_string_local8_to_utf8(Buffer *b, const void *str, u_int len)
-{
-  u_int utf8Len = 0;
-  
-  char *utf8 = ConvertLocal8ToUtf8(str, len, &utf8Len);
-  
-  if (utf8)
-  {
-    buffer_put_string(b, utf8, utf8Len);
-
-    free(utf8);
-  }
-}
-
-
-#endif /* WIN32_FIXME */
-
--- a/bufbn.c
+++ b/bufbn.c
@ -1,109 +0,0 @@
-/* $OpenBSD: bufbn.c,v 1.12 2014/04/30 05:29:56 djm Exp $ */
-
-/*
- * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
-
-#include "includes.h"
-
-#ifdef WITH_OPENSSL
-
-#include <sys/types.h>
-
-#include "buffer.h"
-#include "log.h"
-#include "ssherr.h"
-
-#ifdef WITH_SSH1
-int
-buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_bignum1(buffer, value)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
-{
-	if (buffer_put_bignum_ret(buffer, value) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-int
-buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_bignum1(buffer, value)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_get_bignum(Buffer *buffer, BIGNUM *value)
-{
-	if (buffer_get_bignum_ret(buffer, value) == -1)
-		fatal("%s: buffer error", __func__);
-}
-#endif /* WITH_SSH1 */
-
-int
-buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_bignum2(buffer, value)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
-{
-	if (buffer_put_bignum2_ret(buffer, value) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-int
-buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_bignum2(buffer, value)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
-{
-	if (buffer_get_bignum2_ret(buffer, value) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-#endif /* WITH_OPENSSL */
--- a/bufec.c
+++ b/bufec.c
@ -1,74 +0,0 @@
-/* $OpenBSD: bufec.c,v 1.4 2014/04/30 05:29:56 djm Exp $ */
-
-/*
- * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include "buffer.h"
-#include "log.h"
-#include "ssherr.h"
-
-#ifdef OPENSSL_HAS_ECC
-
-int
-buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
-    const EC_POINT *point)
-{
-	int ret;
-
-	if ((ret = sshbuf_put_ec(buffer, point, curve)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_put_ecpoint(Buffer *buffer, const EC_GROUP *curve,
-    const EC_POINT *point)
-{
-	if (buffer_put_ecpoint_ret(buffer, curve, point) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-int
-buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
-    EC_POINT *point)
-{
-	int ret;
-
-	if ((ret = sshbuf_get_ec(buffer, point, curve)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_get_ecpoint(Buffer *buffer, const EC_GROUP *curve,
-    EC_POINT *point)
-{
-	if (buffer_get_ecpoint_ret(buffer, curve, point) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-#endif /* OPENSSL_HAS_ECC */
-
--- a/buffer.c
+++ b/buffer.c
@ -1,118 +0,0 @@
-/* $OpenBSD: buffer.c,v 1.36 2014/04/30 05:29:56 djm Exp $ */
-
-/*
- * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include "buffer.h"
-#include "log.h"
-#include "ssherr.h"
-
-void
-buffer_append(Buffer *buffer, const void *data, u_int len)
-{
-	int ret;
-
-	if ((ret = sshbuf_put(buffer, data, len)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void *
-buffer_append_space(Buffer *buffer, u_int len)
-{
-	int ret;
-	u_char *p;
-
-	if ((ret = sshbuf_reserve(buffer, len, &p)) != 0)
-		fatal("%s: %s", __func__, ssh_err(ret));
-	return p;
-}
-
-int
-buffer_check_alloc(Buffer *buffer, u_int len)
-{
-	int ret = sshbuf_check_reserve(buffer, len);
-
-	if (ret == 0)
-		return 1;
-	if (ret == SSH_ERR_NO_BUFFER_SPACE)
-		return 0;
-	fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-int
-buffer_get_ret(Buffer *buffer, void *buf, u_int len)
-{
-	int ret;
-
-	if ((ret = sshbuf_get(buffer, buf, len)) != 0) {
-		error("%s: %s", __func__, ssh_err(ret));
-		return -1;
-	}
-	return 0;
-}
-
-void
-buffer_get(Buffer *buffer, void *buf, u_int len)
-{
-	if (buffer_get_ret(buffer, buf, len) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-int
-buffer_consume_ret(Buffer *buffer, u_int bytes)
-{
-	int ret = sshbuf_consume(buffer, bytes);
-
-	if (ret == 0)
-		return 0;
-	if (ret == SSH_ERR_MESSAGE_INCOMPLETE)
-		return -1;
-	fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void
-buffer_consume(Buffer *buffer, u_int bytes)
-{
-	if (buffer_consume_ret(buffer, bytes) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-int
-buffer_consume_end_ret(Buffer *buffer, u_int bytes)
-{
-	int ret = sshbuf_consume_end(buffer, bytes);
-
-	if (ret == 0)
-		return 0;
-	if (ret == SSH_ERR_MESSAGE_INCOMPLETE)
-		return -1;
-	fatal("%s: %s", __func__, ssh_err(ret));
-}
-
-void
-buffer_consume_end(Buffer *buffer, u_int bytes)
-{
-	if (buffer_consume_end_ret(buffer, bytes) == -1)
-		fatal("%s: buffer error", __func__);
-}
-
-
--- a/buffer.h
+++ b/buffer.h
@ -1,107 +0,0 @@
-/* $OpenBSD: buffer.h,v 1.25 2014/04/30 05:29:56 djm Exp $ */
-
-/*
- * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
-
-#ifndef BUFFER_H
-#define BUFFER_H
-
-#include "sshbuf.h"
-
-typedef struct sshbuf Buffer;
-
-#define buffer_init(b)		sshbuf_init(b)
-#define buffer_clear(b)		sshbuf_reset(b)
-#define buffer_free(b)		sshbuf_free(b)
-#define buffer_dump(b)		sshbuf_dump(b, stderr)
-
-/* XXX cast is safe: sshbuf never stores more than len 2^31 */
-#define buffer_len(b)		((u_int) sshbuf_len(b))
-#define	buffer_ptr(b)		sshbuf_mutable_ptr(b)
-
-void	 buffer_append(Buffer *, const void *, u_int);
-void	*buffer_append_space(Buffer *, u_int);
-int	 buffer_check_alloc(Buffer *, u_int);
-void	 buffer_get(Buffer *, void *, u_int);
-
-void	 buffer_consume(Buffer *, u_int);
-void	 buffer_consume_end(Buffer *, u_int);
-
-
-int	 buffer_get_ret(Buffer *, void *, u_int);
-int	 buffer_consume_ret(Buffer *, u_int);
-int	 buffer_consume_end_ret(Buffer *, u_int);
-
-#include <openssl/objects.h>
-#include <openssl/bn.h>
-void    buffer_put_bignum(Buffer *, const BIGNUM *);
-void    buffer_put_bignum2(Buffer *, const BIGNUM *);
-void	buffer_get_bignum(Buffer *, BIGNUM *);
-void	buffer_get_bignum2(Buffer *, BIGNUM *);
-void	buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
-
-u_short	buffer_get_short(Buffer *);
-void	buffer_put_short(Buffer *, u_short);
-
-u_int	buffer_get_int(Buffer *);
-void    buffer_put_int(Buffer *, u_int);
-
-u_int64_t buffer_get_int64(Buffer *);
-void	buffer_put_int64(Buffer *, u_int64_t);
-
-int     buffer_get_char(Buffer *);
-void    buffer_put_char(Buffer *, int);
-
-void   *buffer_get_string(Buffer *, u_int *);
-const void *buffer_get_string_ptr(Buffer *, u_int *);
-void    buffer_put_string(Buffer *, const void *, u_int);
-char   *buffer_get_cstring(Buffer *, u_int *);
-void	buffer_put_cstring(Buffer *, const char *);
-
-#ifdef WIN32_FIXME
-  
-  void *buffer_get_string_local8_from_utf8(Buffer *, u_int *);
-  
-  void buffer_put_string_local8_to_utf8(Buffer *, const void *, u_int);
-  
-#endif /* WIN32_FIXME */
-
-#define buffer_skip_string(b) (void)buffer_get_string_ptr(b, NULL);
-
-int	buffer_put_bignum_ret(Buffer *, const BIGNUM *);
-int	buffer_get_bignum_ret(Buffer *, BIGNUM *);
-int	buffer_put_bignum2_ret(Buffer *, const BIGNUM *);
-int	buffer_get_bignum2_ret(Buffer *, BIGNUM *);
-int	buffer_get_short_ret(u_short *, Buffer *);
-int	buffer_get_int_ret(u_int *, Buffer *);
-int	buffer_get_int64_ret(u_int64_t *, Buffer *);
-void	*buffer_get_string_ret(Buffer *, u_int *);
-char	*buffer_get_cstring_ret(Buffer *, u_int *);
-const void *buffer_get_string_ptr_ret(Buffer *, u_int *);
-int	buffer_get_char_ret(char *, Buffer *);
-
-#ifdef OPENSSL_HAS_ECC
-#include <openssl/ec.h>
-int	buffer_put_ecpoint_ret(Buffer *, const EC_GROUP *, const EC_POINT *);
-void	buffer_put_ecpoint(Buffer *, const EC_GROUP *, const EC_POINT *);
-int	buffer_get_ecpoint_ret(Buffer *, const EC_GROUP *, EC_POINT *);
-void	buffer_get_ecpoint(Buffer *, const EC_GROUP *, EC_POINT *);
-#endif
-
-#endif	/* BUFFER_H */
-
--- a/build.sh
+++ b/build.sh
@ -1,9 +0,0 @@
-autoreconf
-./configure --build=i686-pc-mingw32 --host=i686-pc-mingw32 --with-ssl-dir=../openssl-1.0.1e  --with-kerberos5 --with-zlib=../zlib-1.2.8
-cat config.h.tail >> config.h
-
-make ssh.exe
-make sshd.exe
-make sftp.exe
-make sftp-server.exe
-make ssh-agent.exe
--- a/buildpkg.sh.in
+++ b/buildpkg.sh.in
@ -1,677 +0,0 @@
-#!/bin/sh
-#
-# Fake Root Solaris/SVR4/SVR5 Build System - Prototype
-#
-# The following code has been provide under Public Domain License.  I really
-# don't care what you use it for.  Just as long as you don't complain to me
-# nor my employer if you break it. - Ben Lindstrom (mouring@eviladmin.org)
-#
-umask 022
-#
-# Options for building the package
-# You can create a openssh-config.local with your customized options
-#
-REMOVE_FAKE_ROOT_WHEN_DONE=yes
-#
-# uncommenting TEST_DIR and using
-# configure --prefix=/var/tmp --with-privsep-path=/var/tmp/empty
-# and
-# PKGNAME=tOpenSSH should allow testing a package without interfering
-# with a real OpenSSH package on a system. This is not needed on systems
-# that support the -R option to pkgadd.
-#TEST_DIR=/var/tmp	# leave commented out for production build
-PKGNAME=OpenSSH
-# revisions within the same version (REV=a)
-#REV=
-SYSVINIT_NAME=opensshd
-AWK=${AWK:="nawk"}
-MAKE=${MAKE:="make"}
-SSHDUID=67	# Default privsep uid
-SSHDGID=67	# Default privsep gid
-# uncomment these next three as needed
-#PERMIT_ROOT_LOGIN=no
-#X11_FORWARDING=yes
-#USR_LOCAL_IS_SYMLINK=yes
-# System V init run levels
-SYSVINITSTART=S98
-SYSVINITSTOPT=K30
-# We will source these if they exist
-POST_MAKE_INSTALL_FIXES=./pkg-post-make-install-fixes.sh
-POST_PROTOTYPE_EDITS=./pkg-post-prototype-edit.sh
-# We'll be one level deeper looking for these
-PKG_PREINSTALL_LOCAL=../pkg-preinstall.local
-PKG_POSTINSTALL_LOCAL=../pkg-postinstall.local
-PKG_PREREMOVE_LOCAL=../pkg-preremove.local
-PKG_POSTREMOVE_LOCAL=../pkg-postremove.local
-PKG_REQUEST_LOCAL=../pkg-request.local
-# end of sourced files
-#
-OPENSSHD=opensshd.init
-OPENSSH_MANIFEST=openssh.xml
-OPENSSH_FMRI=svc:/site/${SYSVINIT_NAME}:default
-SMF_METHOD_DIR=/lib/svc/method/site
-SMF_MANIFEST_DIR=/var/svc/manifest/site
-
-PATH_GROUPADD_PROG=@PATH_GROUPADD_PROG@
-PATH_USERADD_PROG=@PATH_USERADD_PROG@
-PATH_PASSWD_PROG=@PATH_PASSWD_PROG@
-#
-# list of system directories we do NOT want to change owner/group/perms
-# when installing our package
-SYSTEM_DIR="/etc	\
-/etc/init.d		\
-/etc/rcS.d		\
-/etc/rc0.d		\
-/etc/rc1.d		\
-/etc/rc2.d		\
-/etc/opt		\
-/lib			\
-/lib/svc		\
-/lib/svc/method		\
-/lib/svc/method/site	\
-/opt			\
-/opt/bin		\
-/usr			\
-/usr/bin		\
-/usr/lib		\
-/usr/sbin		\
-/usr/share		\
-/usr/share/man		\
-/usr/share/man/man1	\
-/usr/share/man/man8	\
-/usr/local		\
-/usr/local/bin		\
-/usr/local/etc		\
-/usr/local/libexec	\
-/usr/local/man		\
-/usr/local/man/man1	\
-/usr/local/man/man8	\
-/usr/local/sbin		\
-/usr/local/share	\
-/var			\
-/var/opt		\
-/var/run		\
-/var/svc		\
-/var/svc/manifest	\
-/var/svc/manifest/site  \
-/var/tmp		\
-/tmp"
-
-# We may need to build as root so we make sure PATH is set up
-# only set the path if it's not set already
-[ -d /opt/bin ]  &&  {
-	echo $PATH | grep ":/opt/bin"  > /dev/null 2>&1
-	[ $? -ne 0 ] && PATH=$PATH:/opt/bin
-}
-[ -d /usr/local/bin ]  &&  {
-	echo $PATH | grep ":/usr/local/bin"  > /dev/null 2>&1
-	[ $? -ne 0 ] && PATH=$PATH:/usr/local/bin
-}
-[ -d /usr/ccs/bin ]  &&  {
-	echo $PATH | grep ":/usr/ccs/bin"  > /dev/null 2>&1
-	[ $? -ne 0 ] && PATH=$PATH:/usr/ccs/bin
-}
-export PATH
-#
-
-[ -f Makefile ]  ||  {
-	echo "Please run this script from your build directory"
-	exit 1
-}
-
-# we will look for openssh-config.local to override the above options
-[ -s ./openssh-config.local ]  &&  . ./openssh-config.local
-
-START=`pwd`
-FAKE_ROOT=$START/pkg
-
-## Fill in some details, like prefix and sysconfdir
-for confvar in prefix exec_prefix bindir sbindir libexecdir datadir mandir sysconfdir piddir srcdir
-do
-	eval $confvar=`grep "^$confvar=" Makefile | cut -d = -f 2`
-done
-
-## Are we using Solaris' SMF?
-DO_SMF=0
-if egrep "^#define USE_SOLARIS_PROCESS_CONTRACTS" config.h > /dev/null 2>&1
-then
-	DO_SMF=1
-fi
-
-## Collect value of privsep user
-for confvar in SSH_PRIVSEP_USER
-do
-	eval $confvar=`awk '/#define[ \t]'$confvar'/{print $3}' config.h`
-done
-
-## Set privsep defaults if not defined
-if [ -z "$SSH_PRIVSEP_USER" ]
-then
-	SSH_PRIVSEP_USER=sshd
-fi
-
-## Extract common info requires for the 'info' part of the package.
-VERSION=`./ssh -V 2>&1 | sed -e 's/,.*//'`
-
-ARCH=`uname -m`
-DEF_MSG="\n"
-OS_VER=`uname -v`
-SCRIPT_SHELL=/sbin/sh
-UNAME_R=`uname -r`
-UNAME_S=`uname -s`
-case ${UNAME_S} in
-	SunOS)	UNAME_S=Solaris
-		OS_VER=${UNAME_R}
-		ARCH=`uname -p`
-		RCS_D=yes
-		DEF_MSG="(default: n)"
-		;;
-	SCO_SV)	case ${UNAME_R} in
-			3.2)	UNAME_S=OpenServer5
-		OS_VER=`uname -X | grep Release | sed -e 's/^Rel.*3.2v//'`
-				;;
-			5)	UNAME_S=OpenServer6
-				;;
-		esac
-		SCRIPT_SHELL=/bin/sh
-		RC1_D=no
-		DEF_MSG="(default: n)"
-		;;
-esac
-
-case `basename $0` in
-	buildpkg.sh)
-## Start by faking root install
-echo "Faking root install..."
-[ -d $FAKE_ROOT ]  &&  rm -fr $FAKE_ROOT
-mkdir $FAKE_ROOT
-${MAKE} install-nokeys DESTDIR=$FAKE_ROOT
-if [ $? -gt 0 ]
-then
-	echo "Fake root install failed, stopping."
-	exit 1
-fi
-
-## Setup our run level stuff while we are at it.
-if [ $DO_SMF -eq 1 ]
-then
-	# For Solaris' SMF, /lib/svc/method/site is the preferred place
-	# for start/stop scripts that aren't supplied with the OS, and
-	# similarly /var/svc/manifest/site for manifests.
-	mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}
-	mkdir -p $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}
-
-	cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
-	chmod 744 $FAKE_ROOT${TEST_DIR}${SMF_METHOD_DIR}/${SYSVINIT_NAME}
-
-	cat ${OPENSSH_MANIFEST} | \
-	    sed -e "s|__SYSVINIT_NAME__|${SYSVINIT_NAME}|" \
-	    -e "s|__SMF_METHOD_DIR__|${SMF_METHOD_DIR}|" \
-	    > $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
-	chmod 644 $FAKE_ROOT${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
-else
-	mkdir -p $FAKE_ROOT${TEST_DIR}/etc/init.d
-
-	cp ${OPENSSHD} $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
-	chmod 744 $FAKE_ROOT${TEST_DIR}/etc/init.d/${SYSVINIT_NAME}
-fi
-
-[ "${PERMIT_ROOT_LOGIN}" = no ]  &&  \
-	perl -p -i -e "s/#PermitRootLogin yes/PermitRootLogin no/" \
-		$FAKE_ROOT${sysconfdir}/sshd_config
-[ "${X11_FORWARDING}" = yes ]  &&  \
-	perl -p -i -e "s/#X11Forwarding no/X11Forwarding yes/" \
-		$FAKE_ROOT${sysconfdir}/sshd_config
-# fix PrintMotd
-perl -p -i -e "s/#PrintMotd yes/PrintMotd no/" \
-	$FAKE_ROOT${sysconfdir}/sshd_config
-
-# We don't want to overwrite config files on multiple installs
-mv $FAKE_ROOT${sysconfdir}/ssh_config $FAKE_ROOT${sysconfdir}/ssh_config.default
-mv $FAKE_ROOT${sysconfdir}/sshd_config $FAKE_ROOT${sysconfdir}/sshd_config.default
-
-# local tweeks here
-[ -s "${POST_MAKE_INSTALL_FIXES}" ]  &&  . ${POST_MAKE_INSTALL_FIXES}
-
-cd $FAKE_ROOT
-
-## Ok, this is outright wrong, but it will work.  I'm tired of pkgmk
-## whining.
-for i in *; do
-  PROTO_ARGS="$PROTO_ARGS $i=/$i";
-done
-
-## Build info file
-echo "Building pkginfo file..."
-cat > pkginfo << _EOF
-PKG=$PKGNAME
-NAME="OpenSSH Portable for ${UNAME_S}"
-DESC="Secure Shell remote access utility; replaces telnet and rlogin/rsh."
-VENDOR="OpenSSH Portable Team - http://www.openssh.com/portable.html"
-ARCH=$ARCH
-VERSION=$VERSION$REV
-CATEGORY="Security,application"
-BASEDIR=/
-CLASSES="none"
-PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
-_EOF
-
-## Build empty depend file that may get updated by $POST_PROTOTYPE_EDITS
-echo "Building depend file..."
-touch depend
-
-## Build space file
-echo "Building space file..."
-if [ $DO_SMF -eq 1 ]
-then
-	# XXX Is this necessary?  If not, remove space line from mk-proto.awk.
-	touch space
-else
-	cat > space << _EOF
-# extra space required by start/stop links added by installf 
-# in postinstall
-$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1
-$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME} 0 1
-_EOF
-	[ "$RC1_D" = no ]  ||  \
-	echo "$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
-	[ "$RCS_D" = yes ]  &&  \
-	echo "$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME} 0 1" >> space
-fi
-
-## Build preinstall file
-echo "Building preinstall file..."
-cat > preinstall << _EOF
-#! ${SCRIPT_SHELL}
-#
-_EOF
-
-# local preinstall changes here
-[ -s "${PKG_PREINSTALL_LOCAL}" ]  &&  . ${PKG_PREINSTALL_LOCAL}
-
-cat >> preinstall << _EOF
-#
-if [ "\${PRE_INS_STOP}" = "yes" ]
-then
-	if [ $DO_SMF -eq 1 ] 
-	then
-		svcadm disable $OPENSSH_FMRI
-	else
-		${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
-	fi
-fi
-
-exit 0
-_EOF
-
-## Build postinstall file
-echo "Building postinstall file..."
-cat > postinstall << _EOF
-#! ${SCRIPT_SHELL}
-#
-[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config ]  ||  \\
-	cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config.default \\
-		\${PKG_INSTALL_ROOT}${sysconfdir}/ssh_config
-[ -f \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config ]  ||  \\
-	cp -p \${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config.default \\
-		\${PKG_INSTALL_ROOT}${sysconfdir}/sshd_config
-
-# make rc?.d dirs only if we are doing a test install
-[ -n "${TEST_DIR}" ]  &&  [ $DO_SMF -ne 1 ] && {
-	[ "$RCS_D" = yes ]  &&  mkdir -p ${TEST_DIR}/etc/rcS.d
-	mkdir -p ${TEST_DIR}/etc/rc0.d
-	[ "$RC1_D" = no ]  ||  mkdir -p ${TEST_DIR}/etc/rc1.d
-	mkdir -p ${TEST_DIR}/etc/rc2.d
-}
-
-if [ $DO_SMF -eq 1 ]
-then
-	# Delete the existing service, if it exists, then import the 
-	# new one.
-	if svcs $OPENSSH_FMRI > /dev/null 2>&1
-	then
-		svccfg delete -f $OPENSSH_FMRI
-	fi
-	# NOTE, The manifest disables sshd by default.
-	svccfg import ${TEST_DIR}${SMF_MANIFEST_DIR}/${SYSVINIT_NAME}.xml
-else
-	if [ "\${USE_SYM_LINKS}" = yes ]
-	then
-		[ "$RCS_D" = yes ]  &&  \
-	installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		[ "$RC1_D" = no ]  ||  \
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=../init.d/${SYSVINIT_NAME} s
-	else
-		[ "$RCS_D" = yes ]  &&  \
-	installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rcS.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc0.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		[ "$RC1_D" = no ]  ||  \
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc1.d/${SYSVINITSTOPT}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-		installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR/etc/rc2.d/${SYSVINITSTART}${SYSVINIT_NAME}=\${PKG_INSTALL_ROOT}$TEST_DIR/etc/init.d/${SYSVINIT_NAME} l
-	fi
-fi
-
-# If piddir doesn't exist we add it. (Ie. --with-pid-dir=/var/opt/ssh)
-[ -d $piddir ]  ||  installf ${PKGNAME} \${PKG_INSTALL_ROOT}$TEST_DIR$piddir d 0755 root sys
-
-_EOF
-
-# local postinstall changes here
-[ -s "${PKG_POSTINSTALL_LOCAL}" ]  &&  . ${PKG_POSTINSTALL_LOCAL}
-
-cat >> postinstall << _EOF
-installf -f ${PKGNAME}
-
-# Use chroot to handle PKG_INSTALL_ROOT
-if [ ! -z "\${PKG_INSTALL_ROOT}" ]
-then
-	chroot="chroot \${PKG_INSTALL_ROOT}"
-fi
-# If this is a test build, we will skip the groupadd/useradd/passwd commands
-if [ ! -z "${TEST_DIR}" ]
-then
-	chroot=echo
-fi
-
-	echo "PrivilegeSeparation user always required."
-	if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSH_PRIVSEP_USER'\$' >/dev/null
-	then
-		echo "PrivSep user $SSH_PRIVSEP_USER already exists."
-		SSH_PRIVSEP_GROUP=\`grep "^$SSH_PRIVSEP_USER:" \${PKG_INSTALL_ROOT}/etc/passwd | awk -F: '{print \$4}'\`
-		SSH_PRIVSEP_GROUP=\`grep ":\$SSH_PRIVSEP_GROUP:" \${PKG_INSTALL_ROOT}/etc/group | awk -F: '{print \$1}'\`
-	else
-		DO_PASSWD=yes
-	fi
-	[ -z "\$SSH_PRIVSEP_GROUP" ]  &&  SSH_PRIVSEP_GROUP=$SSH_PRIVSEP_USER
-
-	# group required?
-	if cut -f1 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'\$SSH_PRIVSEP_GROUP'\$' >/dev/null
-	then
-		echo "PrivSep group \$SSH_PRIVSEP_GROUP already exists."
-	else
-		DO_GROUP=yes
-	fi
-
-	# create group if required
-	[ "\$DO_GROUP" = yes ]  &&  {
-		# Use gid of 67 if possible
-		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/group | egrep '^'$SSHDGID'\$' >/dev/null
-		then
-			:
-		else
-			sshdgid="-g $SSHDGID"
-		fi
-		echo "Creating PrivSep group \$SSH_PRIVSEP_GROUP."
-		\$chroot ${PATH_GROUPADD_PROG} \$sshdgid \$SSH_PRIVSEP_GROUP
-	}
-
-	# Create user if required
-	[ "\$DO_PASSWD" = yes ]  &&  {
-		# Use uid of 67 if possible
-		if cut -f3 -d: \${PKG_INSTALL_ROOT}/etc/passwd | egrep '^'$SSHDUID'\$' >/dev/null
-		then
-			:
-		else
-			sshduid="-u $SSHDUID"
-		fi
-		echo "Creating PrivSep user $SSH_PRIVSEP_USER."
-		\$chroot ${PATH_USERADD_PROG} -c 'SSHD PrivSep User' -s /bin/false -g $SSH_PRIVSEP_USER \$sshduid $SSH_PRIVSEP_USER
-		\$chroot ${PATH_PASSWD_PROG} -l $SSH_PRIVSEP_USER
-	}
-
-if [ "\${POST_INS_START}" = "yes" ]
-then
-	if [ $DO_SMF -eq 1 ]
-	then
-		svcadm enable $OPENSSH_FMRI
-	else
-		${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} start
-	fi
-fi
-exit 0
-_EOF
-
-## Build preremove file
-echo "Building preremove file..."
-cat > preremove << _EOF
-#! ${SCRIPT_SHELL}
-#
-if [ $DO_SMF -eq 1 ] 
-then
-	svcadm disable $OPENSSH_FMRI
-else
-	${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} stop
-fi
-_EOF
-
-# local preremove changes here
-[ -s "${PKG_PREREMOVE_LOCAL}" ]  &&  . ${PKG_PREREMOVE_LOCAL}
-
-cat >> preremove << _EOF
-exit 0
-_EOF
-
-## Build postremove file
-echo "Building postremove file..."
-cat > postremove << _EOF
-#! ${SCRIPT_SHELL}
-#
-if [ $DO_SMF -eq 1 ]
-then
-	if svcs $OPENSSH_FMRI > /dev/null 2>&1
-	then
-		svccfg delete -f $OPENSSH_FMRI
-	fi
-fi
-_EOF
-
-# local postremove changes here
-[ -s "${PKG_POSTREMOVE_LOCAL}" ]  &&  . ${PKG_POSTREMOVE_LOCAL}
-
-cat >> postremove << _EOF
-exit 0
-_EOF
-
-## Build request file
-echo "Building request file..."
-cat > request << _EOF
-trap 'exit 3' 15
-
-_EOF
-
-[ -x /usr/bin/ckyorn ]  ||  cat >> request << _EOF
-
-ckyorn() {
-# for some strange reason OpenServer5 has no ckyorn
-# We build a striped down version here
-
-DEFAULT=n
-PROMPT="Yes or No [yes,no,?,quit]"
-HELP_PROMPT="        Enter y or yes if your answer is yes; n or no if your answer is no."
-USAGE="usage: ckyorn [options]
-where options may include:
-        -d default
-        -h help
-        -p prompt
-"
-
-if [ \$# != 0 ]
-then
-	while getopts d:p:h: c
-	do
-		case \$c in
-			h)	HELP_PROMPT="\$OPTARG" ;;
-			d)	DEFAULT=\$OPTARG ;;
-			p)	PROMPT=\$OPTARG ;;
-			\\?)	echo "\$USAGE" 1>&2
-				exit 1 ;;
-		esac
-	done
-	shift \`expr \$OPTIND - 1\`
-fi
-
-while true
-do
-	echo "\${PROMPT}\\c " 1>&2
-	read key
-	[ -z "\$key" ]  &&  key=\$DEFAULT
-	case \$key in
-		[n,N]|[n,N][o,O]|[y,Y]|[y,Y][e,E][s,S])	echo "\${key}\\c"
-			exit 0 ;;
-		\\?)	echo \$HELP_PROMPT 1>&2 ;;
-		q|quit)	echo "q\\c" 1>&2
-			exit 3 ;;
-	esac
-done
-
-}
-
-_EOF
-
-if [ $DO_SMF -eq 1 ]
-then
-	# This could get hairy, as the running sshd may not be under SMF.
-	# We'll assume an earlier version of OpenSSH started via SMF.
-	cat >> request << _EOF
-PRE_INS_STOP=no
-POST_INS_START=no
-# determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid  ] && \
-    /usr/bin/svcs -H $OPENSSH_FMRI 2>&1 | egrep "^online" > /dev/null 2>&1
-then
-	ans=\`ckyorn -d n \
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	PRE_INS_STOP=yes
-			POST_INS_START=yes
-			;;
-	esac
-
-else
-
-# determine if we should start sshd
-	ans=\`ckyorn -d n \
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	POST_INS_START=yes ;;
-	esac
-fi
-
-# make parameters available to installation service,
-# and so to any other packaging scripts
-cat >\$1 <<!
-PRE_INS_STOP='\$PRE_INS_STOP'
-POST_INS_START='\$POST_INS_START'
-!
-
-_EOF
-else
-	cat >> request << _EOF
-USE_SYM_LINKS=no
-PRE_INS_STOP=no
-POST_INS_START=no
-# Use symbolic links?
-ans=\`ckyorn -d n \
-p "Do you want symbolic links for the start/stop scripts? ${DEF_MSG}"\` || exit \$?
-case \$ans in
-	[y,Y]*)	USE_SYM_LINKS=yes ;;
-esac
-
-# determine if should restart the daemon
-if [ -s ${piddir}/sshd.pid  -a  -f ${TEST_DIR}/etc/init.d/${SYSVINIT_NAME} ]
-then
-	ans=\`ckyorn -d n \
-p "Should the running sshd daemon be restarted? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	PRE_INS_STOP=yes
-			POST_INS_START=yes
-			;;
-	esac
-
-else
-
-# determine if we should start sshd
-	ans=\`ckyorn -d n \
-p "Start the sshd daemon after installing this package? ${DEF_MSG}"\` || exit \$?
-	case \$ans in
-		[y,Y]*)	POST_INS_START=yes ;;
-	esac
-fi
-
-# make parameters available to installation service,
-# and so to any other packaging scripts
-cat >\$1 <<!
-USE_SYM_LINKS='\$USE_SYM_LINKS'
-PRE_INS_STOP='\$PRE_INS_STOP'
-POST_INS_START='\$POST_INS_START'
-!
-
-_EOF
-fi
-
-# local request changes here
-[ -s "${PKG_REQUEST_LOCAL}" ]  &&  . ${PKG_REQUEST_LOCAL}
-
-cat >> request << _EOF
-exit 0
-
-_EOF
-
-## Next Build our prototype
-echo "Building prototype file..."
-cat >mk-proto.awk << _EOF
-	    BEGIN { print "i pkginfo"; print "i depend"; \\
-		    print "i preinstall"; print "i postinstall"; \\
- 		    print "i preremove"; print "i postremove"; \\
-		    print "i request"; print "i space"; \\
-		    split("$SYSTEM_DIR",sys_files); }
-	    {
-	     for (dir in sys_files) { if ( \$3 != sys_files[dir] )
-		     { if ( \$1 == "s" )
-			{ \$5=""; \$6=""; }
-		     else
-			{ \$5="root"; \$6="sys"; }
-		     }
-		else
-		     { \$4="?"; \$5="?"; \$6="?"; break;}
-	    } }
-	    { print; }
-_EOF
-
-find . | egrep -v "prototype|pkginfo|mk-proto.awk" | sort | \
-	pkgproto $PROTO_ARGS | ${AWK} -f mk-proto.awk > prototype
-
-# /usr/local is a symlink on some systems
-[ "${USR_LOCAL_IS_SYMLINK}" = yes ]  &&  {
-	grep -v "^d none /usr/local ? ? ?$" prototype > prototype.new
-	mv prototype.new prototype
-}
-
-## Step back a directory and now build the package.
-cd ..
-# local prototype tweeks here
-[ -s "${POST_PROTOTYPE_EDITS}" ]  &&  . ${POST_PROTOTYPE_EDITS}
-
-echo "Building package.."
-pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
-echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
-	;;
-
-	justpkg.sh)
-rm -fr ${FAKE_ROOT}/${PKGNAME}
-grep -v "^PSTAMP=" $FAKE_ROOT/pkginfo > $$tmp
-mv $$tmp $FAKE_ROOT/pkginfo
-cat >> $FAKE_ROOT/pkginfo << _EOF
-PSTAMP="${UNAME_S} ${OS_VER} ${ARCH} `date '+%d%b%Y %H:%M'`"
-_EOF
-pkgmk -d ${FAKE_ROOT} -f $FAKE_ROOT/prototype -o
-echo | pkgtrans -os ${FAKE_ROOT} ${START}/$PKGNAME-$VERSION$REV-$UNAME_S-$ARCH.pkg
-	;;
-
-esac
-
-[ "${REMOVE_FAKE_ROOT_WHEN_DONE}" = yes ]  &&  rm -rf $FAKE_ROOT
-exit 0
-
--- a/canohost.c
+++ b/canohost.c
@ -1,446 +0,0 @@
-/* $OpenBSD: canohost.c,v 1.72 2015/03/01 15:44:40 millert Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for returning the canonical host name of the remote site.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <sys/un.h>
-
-#include <netinet/in.h>
-#include <arpa/inet.h>
-
-#include <errno.h>
-#include <netdb.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <stdarg.h>
-#include <unistd.h>
-
-#include "xmalloc.h"
-#include "packet.h"
-#include "log.h"
-#include "canohost.h"
-#include "misc.h"
-
-static void check_ip_options(int, char *);
-static char *canonical_host_ip = NULL;
-static int cached_port = -1;
-
-/*
- * Return the canonical name of the host at the other end of the socket. The
- * caller should free the returned string.
- */
-
-static char *
-get_remote_hostname(int sock, int use_dns)
-{
-	struct sockaddr_storage from;
-	socklen_t fromlen;
-	struct addrinfo hints, *ai, *aitop;
-	char name[NI_MAXHOST], ntop[NI_MAXHOST], ntop2[NI_MAXHOST];
-
-	/* Get IP address of client. */
-	fromlen = sizeof(from);
-	memset(&from, 0, sizeof(from));
-	if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
-		debug("getpeername failed: %.100s", strerror(errno));
-		cleanup_exit(255);
-	}
-
-	if (from.ss_family == AF_INET)
-		check_ip_options(sock, ntop);
-
-	ipv64_normalise_mapped(&from, &fromlen);
-
-	if (from.ss_family == AF_INET6)
-		fromlen = sizeof(struct sockaddr_in6);
-
-	if (getnameinfo((struct sockaddr *)&from, fromlen, ntop, sizeof(ntop),
-	    NULL, 0, NI_NUMERICHOST) != 0)
-		fatal("get_remote_hostname: getnameinfo NI_NUMERICHOST failed");
-
-	if (!use_dns)
-		return xstrdup(ntop);
-
-	debug3("Trying to reverse map address %.100s.", ntop);
-	/* Map the IP address to a host name. */
-	if (getnameinfo((struct sockaddr *)&from, fromlen, name, sizeof(name),
-	    NULL, 0, NI_NAMEREQD) != 0) {
-		/* Host name not found.  Use ip address. */
-		return xstrdup(ntop);
-	}
-
-	/*
-	 * if reverse lookup result looks like a numeric hostname,
-	 * someone is trying to trick us by PTR record like following:
-	 *	1.1.1.10.in-addr.arpa.	IN PTR	2.3.4.5
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_socktype = SOCK_DGRAM;	/*dummy*/
-	hints.ai_flags = AI_NUMERICHOST;
-	if (getaddrinfo(name, NULL, &hints, &ai) == 0) {
-		logit("Nasty PTR record \"%s\" is set up for %s, ignoring",
-		    name, ntop);
-		freeaddrinfo(ai);
-		return xstrdup(ntop);
-	}
-
-	/* Names are stores in lowercase. */
-	lowercase(name);
-
-	/*
-	 * Map it back to an IP address and check that the given
-	 * address actually is an address of this host.  This is
-	 * necessary because anyone with access to a name server can
-	 * define arbitrary names for an IP address. Mapping from
-	 * name to IP address can be trusted better (but can still be
-	 * fooled if the intruder has access to the name server of
-	 * the domain).
-	 */
-	memset(&hints, 0, sizeof(hints));
-	hints.ai_family = from.ss_family;
-	hints.ai_socktype = SOCK_STREAM;
-	if (getaddrinfo(name, NULL, &hints, &aitop) != 0) {
-		logit("reverse mapping checking getaddrinfo for %.700s "
-		    "[%s] failed - POSSIBLE BREAK-IN ATTEMPT!", name, ntop);
-		return xstrdup(ntop);
-	}
-	/* Look for the address from the list of addresses. */
-	for (ai = aitop; ai; ai = ai->ai_next) {
-		if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop2,
-		    sizeof(ntop2), NULL, 0, NI_NUMERICHOST) == 0 &&
-		    (strcmp(ntop, ntop2) == 0))
-				break;
-	}
-	freeaddrinfo(aitop);
-	/* If we reached the end of the list, the address was not there. */
-	if (!ai) {
-		/* Address not found for the host name. */
-		logit("Address %.100s maps to %.600s, but this does not "
-		    "map back to the address - POSSIBLE BREAK-IN ATTEMPT!",
-		    ntop, name);
-		return xstrdup(ntop);
-	}
-	return xstrdup(name);
-}
-
-/*
- * If IP options are supported, make sure there are none (log and
- * disconnect them if any are found).  Basically we are worried about
- * source routing; it can be used to pretend you are somebody
- * (ip-address) you are not. That itself may be "almost acceptable"
- * under certain circumstances, but rhosts autentication is useless
- * if source routing is accepted. Notice also that if we just dropped
- * source routing here, the other side could use IP spoofing to do
- * rest of the interaction and could still bypass security.  So we
- * exit here if we detect any IP options.
- */
-/* IPv4 only */
-static void
-check_ip_options(int sock, char *ipaddr)
-{
-#ifdef IP_OPTIONS
-	u_char options[200];
-	char text[sizeof(options) * 3 + 1];
-	socklen_t option_size, i;
-	int ipproto;
-	struct protoent *ip;
-
-	if ((ip = getprotobyname("ip")) != NULL)
-		ipproto = ip->p_proto;
-	else
-		ipproto = IPPROTO_IP;
-	option_size = sizeof(options);
-	if (getsockopt(sock, ipproto, IP_OPTIONS, options,
-	    &option_size) >= 0 && option_size != 0) {
-		text[0] = '\0';
-		for (i = 0; i < option_size; i++)
-			snprintf(text + i*3, sizeof(text) - i*3,
-			    " %2.2x", options[i]);
-		fatal("Connection from %.100s with IP options:%.800s",
-		    ipaddr, text);
-	}
-#endif /* IP_OPTIONS */
-}
-
-void
-ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
-{
-	struct sockaddr_in6 *a6 = (struct sockaddr_in6 *)addr;
-	struct sockaddr_in *a4 = (struct sockaddr_in *)addr;
-	struct in_addr inaddr;
-	u_int16_t port;
-
-	if (addr->ss_family != AF_INET6 ||
-	    !IN6_IS_ADDR_V4MAPPED(&a6->sin6_addr))
-		return;
-
-	debug3("Normalising mapped IPv4 in IPv6 address");
-
-	memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr));
-	port = a6->sin6_port;
-
-	memset(a4, 0, sizeof(*a4));
-
-	a4->sin_family = AF_INET;
-	*len = sizeof(*a4);
-	memcpy(&a4->sin_addr, &inaddr, sizeof(inaddr));
-	a4->sin_port = port;
-}
-
-/*
- * Return the canonical name of the host in the other side of the current
- * connection.  The host name is cached, so it is efficient to call this
- * several times.
- */
-
-const char *
-get_canonical_hostname(int use_dns)
-{
-	char *host;
-	static char *canonical_host_name = NULL;
-	static char *remote_ip = NULL;
-
-	/* Check if we have previously retrieved name with same option. */
-	if (use_dns && canonical_host_name != NULL)
-		return canonical_host_name;
-	if (!use_dns && remote_ip != NULL)
-		return remote_ip;
-
-	/* Get the real hostname if socket; otherwise return UNKNOWN. */
-	if (packet_connection_is_on_socket())
-		host = get_remote_hostname(packet_get_connection_in(), use_dns);
-	else
-		host = "UNKNOWN";
-
-	if (use_dns)
-		canonical_host_name = host;
-	else
-		remote_ip = host;
-	return host;
-}
-
-/*
- * Returns the local/remote IP-address/hostname of socket as a string.
- * The returned string must be freed.
- */
-static char *
-get_socket_address(int sock, int remote, int flags)
-{
-	struct sockaddr_storage addr;
-	socklen_t addrlen;
-	char ntop[NI_MAXHOST];
-	int r;
-
-	/* Get IP address of client. */
-	addrlen = sizeof(addr);
-	memset(&addr, 0, sizeof(addr));
-
-	if (remote) {
-		if (getpeername(sock, (struct sockaddr *)&addr, &addrlen)
-		    < 0)
-			return NULL;
-	} else {
-		if (getsockname(sock, (struct sockaddr *)&addr, &addrlen)
-		    < 0)
-			return NULL;
-	}
-
-	/* Work around Linux IPv6 weirdness */
-	if (addr.ss_family == AF_INET6) {
-		addrlen = sizeof(struct sockaddr_in6);
-		ipv64_normalise_mapped(&addr, &addrlen);
-	}
-
-	switch (addr.ss_family) {
-	case AF_INET:
-	case AF_INET6:
-		/* Get the address in ascii. */
-		if ((r = getnameinfo((struct sockaddr *)&addr, addrlen, ntop,
-		    sizeof(ntop), NULL, 0, flags)) != 0) {
-			error("get_socket_address: getnameinfo %d failed: %s",
-			    flags, ssh_gai_strerror(r));
-			return NULL;
-		}
-		return xstrdup(ntop);
-	case AF_UNIX:
-		/* Get the Unix domain socket path. */
-		return xstrdup(((struct sockaddr_un *)&addr)->sun_path);
-	default:
-		/* We can't look up remote Unix domain sockets. */
-		return NULL;
-	}
-}
-
-char *
-get_peer_ipaddr(int sock)
-{
-	char *p;
-
-	if ((p = get_socket_address(sock, 1, NI_NUMERICHOST)) != NULL)
-		return p;
-	return xstrdup("UNKNOWN");
-}
-
-char *
-get_local_ipaddr(int sock)
-{
-	char *p;
-
-	if ((p = get_socket_address(sock, 0, NI_NUMERICHOST)) != NULL)
-		return p;
-	return xstrdup("UNKNOWN");
-}
-
-char *
-get_local_name(int fd)
-{
-	char *host, myname[NI_MAXHOST];
-
-	/* Assume we were passed a socket */
-	if ((host = get_socket_address(fd, 0, NI_NAMEREQD)) != NULL)
-		return host;
-
-	/* Handle the case where we were passed a pipe */
-	if (gethostname(myname, sizeof(myname)) == -1) {
-		verbose("get_local_name: gethostname: %s", strerror(errno));
-	} else {
-		host = xstrdup(myname);
-	}
-
-	return host;
-}
-
-void
-clear_cached_addr(void)
-{
-	free(canonical_host_ip);
-	canonical_host_ip = NULL;
-	cached_port = -1;
-}
-
-/*
- * Returns the IP-address of the remote host as a string.  The returned
- * string must not be freed.
- */
-
-const char *
-get_remote_ipaddr(void)
-{
-	/* Check whether we have cached the ipaddr. */
-	if (canonical_host_ip == NULL) {
-		if (packet_connection_is_on_socket()) {
-			canonical_host_ip =
-			    get_peer_ipaddr(packet_get_connection_in());
-			if (canonical_host_ip == NULL)
-				cleanup_exit(255);
-		} else {
-			/* If not on socket, return UNKNOWN. */
-			canonical_host_ip = xstrdup("UNKNOWN");
-		}
-	}
-	return canonical_host_ip;
-}
-
-const char *
-get_remote_name_or_ip(u_int utmp_len, int use_dns)
-{
-	static const char *remote = "";
-	if (utmp_len > 0)
-		remote = get_canonical_hostname(use_dns);
-	if (utmp_len == 0 || strlen(remote) > utmp_len)
-		remote = get_remote_ipaddr();
-	return remote;
-}
-
-/* Returns the local/remote port for the socket. */
-
-int
-get_sock_port(int sock, int local)
-{
-	struct sockaddr_storage from;
-	socklen_t fromlen;
-	char strport[NI_MAXSERV];
-	int r;
-
-	/* Get IP address of client. */
-	fromlen = sizeof(from);
-	memset(&from, 0, sizeof(from));
-	if (local) {
-		if (getsockname(sock, (struct sockaddr *)&from, &fromlen) < 0) {
-			error("getsockname failed: %.100s", strerror(errno));
-			return 0;
-		}
-	} else {
-		if (getpeername(sock, (struct sockaddr *)&from, &fromlen) < 0) {
-			debug("getpeername failed: %.100s", strerror(errno));
-			return -1;
-		}
-	}
-
-	/* Work around Linux IPv6 weirdness */
-	if (from.ss_family == AF_INET6)
-		fromlen = sizeof(struct sockaddr_in6);
-
-	/* Non-inet sockets don't have a port number. */
-	if (from.ss_family != AF_INET && from.ss_family != AF_INET6)
-		return 0;
-
-	/* Return port number. */
-	if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
-	    strport, sizeof(strport), NI_NUMERICSERV)) != 0)
-		fatal("get_sock_port: getnameinfo NI_NUMERICSERV failed: %s",
-		    ssh_gai_strerror(r));
-	return atoi(strport);
-}
-
-/* Returns remote/local port number for the current connection. */
-
-static int
-get_port(int local)
-{
-	/*
-	 * If the connection is not a socket, return 65535.  This is
-	 * intentionally chosen to be an unprivileged port number.
-	 */
-	if (!packet_connection_is_on_socket())
-		return 65535;
-
-	/* Get socket and return the port number. */
-	return get_sock_port(packet_get_connection_in(), local);
-}
-
-int
-get_peer_port(int sock)
-{
-	return get_sock_port(sock, 0);
-}
-
-int
-get_remote_port(void)
-{
-	/* Cache to avoid getpeername() on a dead connection */
-	if (cached_port == -1)
-		cached_port = get_port(0);
-
-	return cached_port;
-}
-
-int
-get_local_port(void)
-{
-	return get_port(1);
-}
--- a/canohost.h
+++ b/canohost.h
@ -1,29 +0,0 @@
-/* $OpenBSD: canohost.h,v 1.11 2009/05/27 06:31:25 andreas Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-
-const char	*get_canonical_hostname(int);
-const char	*get_remote_ipaddr(void);
-const char	*get_remote_name_or_ip(u_int, int);
-
-char		*get_peer_ipaddr(int);
-int		 get_peer_port(int);
-char		*get_local_ipaddr(int);
-char		*get_local_name(int);
-
-int		 get_remote_port(void);
-int		 get_local_port(void);
-int		 get_sock_port(int, int);
-void		 clear_cached_addr(void);
-
-void		 ipv64_normalise_mapped(struct sockaddr_storage *, socklen_t *);
--- a/chacha.c
+++ b/chacha.c
@ -1,219 +0,0 @@
-/*
-chacha-merged.c version 20080118
-D. J. Bernstein
-Public domain.
-*/
-
-#include "includes.h"
-
-#include "chacha.h"
-
-/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */
-
-typedef unsigned char u8;
-typedef unsigned int u32;
-
-typedef struct chacha_ctx chacha_ctx;
-
-#define U8C(v) (v##U)
-#define U32C(v) (v##U)
-
-#define U8V(v) ((u8)(v) & U8C(0xFF))
-#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
-
-#define ROTL32(v, n) \
-  (U32V((v) << (n)) | ((v) >> (32 - (n))))
-
-#define U8TO32_LITTLE(p) \
-  (((u32)((p)[0])      ) | \
-   ((u32)((p)[1]) <<  8) | \
-   ((u32)((p)[2]) << 16) | \
-   ((u32)((p)[3]) << 24))
-
-#define U32TO8_LITTLE(p, v) \
-  do { \
-    (p)[0] = U8V((v)      ); \
-    (p)[1] = U8V((v) >>  8); \
-    (p)[2] = U8V((v) >> 16); \
-    (p)[3] = U8V((v) >> 24); \
-  } while (0)
-
-#define ROTATE(v,c) (ROTL32(v,c))
-#define XOR(v,w) ((v) ^ (w))
-#define PLUS(v,w) (U32V((v) + (w)))
-#define PLUSONE(v) (PLUS((v),1))
-
-#define QUARTERROUND(a,b,c,d) \
-  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
-  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
-  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
-  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
-
-static const char sigma[16] = "expand 32-byte k";
-static const char tau[16] = "expand 16-byte k";
-
-void
-chacha_keysetup(chacha_ctx *x,const u8 *k,u32 kbits)
-{
-  const char *constants;
-
-  x->input[4] = U8TO32_LITTLE(k + 0);
-  x->input[5] = U8TO32_LITTLE(k + 4);
-  x->input[6] = U8TO32_LITTLE(k + 8);
-  x->input[7] = U8TO32_LITTLE(k + 12);
-  if (kbits == 256) { /* recommended */
-    k += 16;
-    constants = sigma;
-  } else { /* kbits == 128 */
-    constants = tau;
-  }
-  x->input[8] = U8TO32_LITTLE(k + 0);
-  x->input[9] = U8TO32_LITTLE(k + 4);
-  x->input[10] = U8TO32_LITTLE(k + 8);
-  x->input[11] = U8TO32_LITTLE(k + 12);
-  x->input[0] = U8TO32_LITTLE(constants + 0);
-  x->input[1] = U8TO32_LITTLE(constants + 4);
-  x->input[2] = U8TO32_LITTLE(constants + 8);
-  x->input[3] = U8TO32_LITTLE(constants + 12);
-}
-
-void
-chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
-{
-  x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
-  x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
-  x->input[14] = U8TO32_LITTLE(iv + 0);
-  x->input[15] = U8TO32_LITTLE(iv + 4);
-}
-
-void
-chacha_encrypt_bytes(chacha_ctx *x,const u8 *m,u8 *c,u32 bytes)
-{
-  u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
-  u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
-  u8 *ctarget = NULL;
-  u8 tmp[64];
-  u_int i;
-
-  if (!bytes) return;
-
-  j0 = x->input[0];
-  j1 = x->input[1];
-  j2 = x->input[2];
-  j3 = x->input[3];
-  j4 = x->input[4];
-  j5 = x->input[5];
-  j6 = x->input[6];
-  j7 = x->input[7];
-  j8 = x->input[8];
-  j9 = x->input[9];
-  j10 = x->input[10];
-  j11 = x->input[11];
-  j12 = x->input[12];
-  j13 = x->input[13];
-  j14 = x->input[14];
-  j15 = x->input[15];
-
-  for (;;) {
-    if (bytes < 64) {
-      for (i = 0;i < bytes;++i) tmp[i] = m[i];
-      m = tmp;
-      ctarget = c;
-      c = tmp;
-    }
-    x0 = j0;
-    x1 = j1;
-    x2 = j2;
-    x3 = j3;
-    x4 = j4;
-    x5 = j5;
-    x6 = j6;
-    x7 = j7;
-    x8 = j8;
-    x9 = j9;
-    x10 = j10;
-    x11 = j11;
-    x12 = j12;
-    x13 = j13;
-    x14 = j14;
-    x15 = j15;
-    for (i = 20;i > 0;i -= 2) {
-      QUARTERROUND( x0, x4, x8,x12)
-      QUARTERROUND( x1, x5, x9,x13)
-      QUARTERROUND( x2, x6,x10,x14)
-      QUARTERROUND( x3, x7,x11,x15)
-      QUARTERROUND( x0, x5,x10,x15)
-      QUARTERROUND( x1, x6,x11,x12)
-      QUARTERROUND( x2, x7, x8,x13)
-      QUARTERROUND( x3, x4, x9,x14)
-    }
-    x0 = PLUS(x0,j0);
-    x1 = PLUS(x1,j1);
-    x2 = PLUS(x2,j2);
-    x3 = PLUS(x3,j3);
-    x4 = PLUS(x4,j4);
-    x5 = PLUS(x5,j5);
-    x6 = PLUS(x6,j6);
-    x7 = PLUS(x7,j7);
-    x8 = PLUS(x8,j8);
-    x9 = PLUS(x9,j9);
-    x10 = PLUS(x10,j10);
-    x11 = PLUS(x11,j11);
-    x12 = PLUS(x12,j12);
-    x13 = PLUS(x13,j13);
-    x14 = PLUS(x14,j14);
-    x15 = PLUS(x15,j15);
-
-    x0 = XOR(x0,U8TO32_LITTLE(m + 0));
-    x1 = XOR(x1,U8TO32_LITTLE(m + 4));
-    x2 = XOR(x2,U8TO32_LITTLE(m + 8));
-    x3 = XOR(x3,U8TO32_LITTLE(m + 12));
-    x4 = XOR(x4,U8TO32_LITTLE(m + 16));
-    x5 = XOR(x5,U8TO32_LITTLE(m + 20));
-    x6 = XOR(x6,U8TO32_LITTLE(m + 24));
-    x7 = XOR(x7,U8TO32_LITTLE(m + 28));
-    x8 = XOR(x8,U8TO32_LITTLE(m + 32));
-    x9 = XOR(x9,U8TO32_LITTLE(m + 36));
-    x10 = XOR(x10,U8TO32_LITTLE(m + 40));
-    x11 = XOR(x11,U8TO32_LITTLE(m + 44));
-    x12 = XOR(x12,U8TO32_LITTLE(m + 48));
-    x13 = XOR(x13,U8TO32_LITTLE(m + 52));
-    x14 = XOR(x14,U8TO32_LITTLE(m + 56));
-    x15 = XOR(x15,U8TO32_LITTLE(m + 60));
-
-    j12 = PLUSONE(j12);
-    if (!j12) {
-      j13 = PLUSONE(j13);
-      /* stopping at 2^70 bytes per nonce is user's responsibility */
-    }
-
-    U32TO8_LITTLE(c + 0,x0);
-    U32TO8_LITTLE(c + 4,x1);
-    U32TO8_LITTLE(c + 8,x2);
-    U32TO8_LITTLE(c + 12,x3);
-    U32TO8_LITTLE(c + 16,x4);
-    U32TO8_LITTLE(c + 20,x5);
-    U32TO8_LITTLE(c + 24,x6);
-    U32TO8_LITTLE(c + 28,x7);
-    U32TO8_LITTLE(c + 32,x8);
-    U32TO8_LITTLE(c + 36,x9);
-    U32TO8_LITTLE(c + 40,x10);
-    U32TO8_LITTLE(c + 44,x11);
-    U32TO8_LITTLE(c + 48,x12);
-    U32TO8_LITTLE(c + 52,x13);
-    U32TO8_LITTLE(c + 56,x14);
-    U32TO8_LITTLE(c + 60,x15);
-
-    if (bytes <= 64) {
-      if (bytes < 64) {
-        for (i = 0;i < bytes;++i) ctarget[i] = c[i];
-      }
-      x->input[12] = j12;
-      x->input[13] = j13;
-      return;
-    }
-    bytes -= 64;
-    c += 64;
-    m += 64;
-  }
-}
--- a/chacha.h
+++ b/chacha.h
@ -1,35 +0,0 @@
-/* $OpenBSD: chacha.h,v 1.3 2014/05/02 03:27:54 djm Exp $ */
-
-/*
-chacha-merged.c version 20080118
-D. J. Bernstein
-Public domain.
-*/
-
-#ifndef CHACHA_H
-#define CHACHA_H
-
-#include <sys/types.h>
-
-struct chacha_ctx {
-	u_int input[16];
-};
-
-#define CHACHA_MINKEYLEN 	16
-#define CHACHA_NONCELEN		8
-#define CHACHA_CTRLEN		8
-#define CHACHA_STATELEN		(CHACHA_NONCELEN+CHACHA_CTRLEN)
-#define CHACHA_BLOCKLEN		64
-
-void chacha_keysetup(struct chacha_ctx *x, const u_char *k, u_int kbits)
-    __attribute__((__bounded__(__minbytes__, 2, CHACHA_MINKEYLEN)));
-void chacha_ivsetup(struct chacha_ctx *x, const u_char *iv, const u_char *ctr)
-    __attribute__((__bounded__(__minbytes__, 2, CHACHA_NONCELEN)))
-    __attribute__((__bounded__(__minbytes__, 3, CHACHA_CTRLEN)));
-void chacha_encrypt_bytes(struct chacha_ctx *x, const u_char *m,
-    u_char *c, u_int bytes)
-    __attribute__((__bounded__(__buffer__, 2, 4)))
-    __attribute__((__bounded__(__buffer__, 3, 4)));
-
-#endif	/* CHACHA_H */
-
--- a/channels.c
+++ b/channels.c
--- a/channels.h
+++ b/channels.h
@ -1,315 +0,0 @@
-/* $OpenBSD: channels.h,v 1.118 2015/07/01 02:26:31 djm Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- */
-/*
- * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef CHANNEL_H
-#define CHANNEL_H
-
-/* Definitions for channel types. */
-#define SSH_CHANNEL_X11_LISTENER	1	/* Listening for inet X11 conn. */
-#define SSH_CHANNEL_PORT_LISTENER	2	/* Listening on a port. */
-#define SSH_CHANNEL_OPENING		3	/* waiting for confirmation */
-#define SSH_CHANNEL_OPEN		4	/* normal open two-way channel */
-#define SSH_CHANNEL_CLOSED		5	/* waiting for close confirmation */
-#define SSH_CHANNEL_AUTH_SOCKET		6	/* authentication socket */
-#define SSH_CHANNEL_X11_OPEN		7	/* reading first X11 packet */
-#define SSH_CHANNEL_INPUT_DRAINING	8	/* sending remaining data to conn */
-#define SSH_CHANNEL_OUTPUT_DRAINING	9	/* sending remaining data to app */
-#define SSH_CHANNEL_LARVAL		10	/* larval session */
-#define SSH_CHANNEL_RPORT_LISTENER	11	/* Listening to a R-style port  */
-#define SSH_CHANNEL_CONNECTING		12
-#define SSH_CHANNEL_DYNAMIC		13
-#define SSH_CHANNEL_ZOMBIE		14	/* Almost dead. */
-#define SSH_CHANNEL_MUX_LISTENER	15	/* Listener for mux conn. */
-#define SSH_CHANNEL_MUX_CLIENT		16	/* Conn. to mux slave */
-#define SSH_CHANNEL_ABANDONED		17	/* Abandoned session, eg mux */
-#define SSH_CHANNEL_UNIX_LISTENER	18	/* Listening on a domain socket. */
-#define SSH_CHANNEL_RUNIX_LISTENER	19	/* Listening to a R-style domain socket. */
-#define SSH_CHANNEL_MAX_TYPE		20
-
-#define CHANNEL_CANCEL_PORT_STATIC	-1
-
-struct Channel;
-typedef struct Channel Channel;
-
-typedef void channel_open_fn(int, int, void *);
-typedef void channel_callback_fn(int, void *);
-typedef int channel_infilter_fn(struct Channel *, char *, int);
-typedef void channel_filter_cleanup_fn(int, void *);
-typedef u_char *channel_outfilter_fn(struct Channel *, u_char **, u_int *);
-
-/* Channel success/failure callbacks */
-typedef void channel_confirm_cb(int, struct Channel *, void *);
-typedef void channel_confirm_abandon_cb(struct Channel *, void *);
-struct channel_confirm {
-	TAILQ_ENTRY(channel_confirm) entry;
-	channel_confirm_cb *cb;
-	channel_confirm_abandon_cb *abandon_cb;
-	void *ctx;
-};
-TAILQ_HEAD(channel_confirms, channel_confirm);
-
-/* Context for non-blocking connects */
-struct channel_connect {
-	char *host;
-	int port;
-	struct addrinfo *ai, *aitop;
-};
-
-/* Callbacks for mux channels back into client-specific code */
-typedef int mux_callback_fn(struct Channel *);
-
-struct Channel {
-	int     type;		/* channel type/state */
-	int     self;		/* my own channel identifier */
-	int     remote_id;	/* channel identifier for remote peer */
-	u_int   istate;		/* input from channel (state of receive half) */
-	u_int   ostate;		/* output to channel  (state of transmit half) */
-	int     flags;		/* close sent/rcvd */
-	int     rfd;		/* read fd */
-	int     wfd;		/* write fd */
-	int     efd;		/* extended fd */
-	int     sock;		/* sock fd */
-	int     ctl_chan;	/* control channel (multiplexed connections) */
-	int     isatty;		/* rfd is a tty */
-#ifdef _AIX
-	int     wfd_isatty;	/* wfd is a tty */
-#endif
-	int	client_tty;	/* (client) TTY has been requested */
-	int     force_drain;	/* force close on iEOF */
-	time_t	notbefore;	/* Pause IO until deadline (time_t) */
-	int     delayed;	/* post-select handlers for newly created
-				 * channels are delayed until the first call
-				 * to a matching pre-select handler.
-				 * this way post-select handlers are not
-				 * accidentally called if a FD gets reused */
-	Buffer  input;		/* data read from socket, to be sent over
-				 * encrypted connection */
-	Buffer  output;		/* data received over encrypted connection for
-				 * send on socket */
-	Buffer  extended;
-	char    *path;
-		/* path for unix domain sockets, or host name for forwards */
-	int     listening_port;	/* port being listened for forwards */
-	char   *listening_addr;	/* addr being listened for forwards */
-	int     host_port;	/* remote port to connect for forwards */
-	char   *remote_name;	/* remote hostname */
-
-	u_int	remote_window;
-	u_int	remote_maxpacket;
-	u_int	local_window;
-	u_int	local_window_max;
-	u_int	local_consumed;
-	u_int	local_maxpacket;
-	int     extended_usage;
-	int	single_connection;
-
-	char   *ctype;		/* type */
-
-	/* callback */
-	channel_open_fn		*open_confirm;
-	void			*open_confirm_ctx;
-	channel_callback_fn	*detach_user;
-	int			detach_close;
-	struct channel_confirms	status_confirms;
-
-	/* filter */
-	channel_infilter_fn	*input_filter;
-	channel_outfilter_fn	*output_filter;
-	void			*filter_ctx;
-	channel_filter_cleanup_fn *filter_cleanup;
-
-	/* keep boundaries */
-	int     		datagram;
-
-	/* non-blocking connect */
-	struct channel_connect	connect_ctx;
-
-	/* multiplexing protocol hook, called for each packet received */
-	mux_callback_fn		*mux_rcb;
-	void			*mux_ctx;
-	int			mux_pause;
-};
-
-#define CHAN_EXTENDED_IGNORE		0
-#define CHAN_EXTENDED_READ		1
-#define CHAN_EXTENDED_WRITE		2
-
-/* default window/packet sizes for tcp/x11-fwd-channel */
-#define CHAN_SES_PACKET_DEFAULT	(32*1024)
-#define CHAN_SES_WINDOW_DEFAULT	(64*CHAN_SES_PACKET_DEFAULT)
-#define CHAN_TCP_PACKET_DEFAULT	(32*1024)
-#define CHAN_TCP_WINDOW_DEFAULT	(64*CHAN_TCP_PACKET_DEFAULT)
-#define CHAN_X11_PACKET_DEFAULT	(16*1024)
-#define CHAN_X11_WINDOW_DEFAULT	(4*CHAN_X11_PACKET_DEFAULT)
-
-/* possible input states */
-#define CHAN_INPUT_OPEN			0
-#define CHAN_INPUT_WAIT_DRAIN		1
-#define CHAN_INPUT_WAIT_OCLOSE		2
-#define CHAN_INPUT_CLOSED		3
-
-/* possible output states */
-#define CHAN_OUTPUT_OPEN		0
-#define CHAN_OUTPUT_WAIT_DRAIN		1
-#define CHAN_OUTPUT_WAIT_IEOF		2
-#define CHAN_OUTPUT_CLOSED		3
-
-#define CHAN_CLOSE_SENT			0x01
-#define CHAN_CLOSE_RCVD			0x02
-#define CHAN_EOF_SENT			0x04
-#define CHAN_EOF_RCVD			0x08
-#define CHAN_LOCAL			0x10
-
-#define CHAN_RBUF	16*1024
-
-/* check whether 'efd' is still in use */
-#define CHANNEL_EFD_INPUT_ACTIVE(c) \
-	(compat20 && c->extended_usage == CHAN_EXTENDED_READ && \
-	(c->efd != -1 || \
-	buffer_len(&c->extended) > 0))
-#define CHANNEL_EFD_OUTPUT_ACTIVE(c) \
-	(compat20 && c->extended_usage == CHAN_EXTENDED_WRITE && \
-	c->efd != -1 && (!(c->flags & (CHAN_EOF_RCVD|CHAN_CLOSE_RCVD)) || \
-	buffer_len(&c->extended) > 0))
-
-/* channel management */
-
-Channel	*channel_by_id(int);
-Channel	*channel_lookup(int);
-Channel *channel_new(char *, int, int, int, int, u_int, u_int, int, char *, int);
-void	 channel_set_fds(int, int, int, int, int, int, int, u_int);
-void	 channel_free(Channel *);
-void	 channel_free_all(void);
-void	 channel_stop_listening(void);
-
-void	 channel_send_open(int);
-void	 channel_request_start(int, char *, int);
-void	 channel_register_cleanup(int, channel_callback_fn *, int);
-void	 channel_register_open_confirm(int, channel_open_fn *, void *);
-void	 channel_register_filter(int, channel_infilter_fn *,
-    channel_outfilter_fn *, channel_filter_cleanup_fn *, void *);
-void	 channel_register_status_confirm(int, channel_confirm_cb *,
-    channel_confirm_abandon_cb *, void *);
-void	 channel_cancel_cleanup(int);
-int	 channel_close_fd(int *);
-void	 channel_send_window_changes(void);
-
-/* protocol handler */
-
-int	 channel_input_close(int, u_int32_t, void *);
-int	 channel_input_close_confirmation(int, u_int32_t, void *);
-int	 channel_input_data(int, u_int32_t, void *);
-int	 channel_input_extended_data(int, u_int32_t, void *);
-int	 channel_input_ieof(int, u_int32_t, void *);
-int	 channel_input_oclose(int, u_int32_t, void *);
-int	 channel_input_open_confirmation(int, u_int32_t, void *);
-int	 channel_input_open_failure(int, u_int32_t, void *);
-int	 channel_input_port_open(int, u_int32_t, void *);
-int	 channel_input_window_adjust(int, u_int32_t, void *);
-int	 channel_input_status_confirm(int, u_int32_t, void *);
-
-/* file descriptor handling (read/write) */
-
-void	 channel_prepare_select(fd_set **, fd_set **, int *, u_int*,
-	     time_t*, int);
-void     channel_after_select(fd_set *, fd_set *);
-void     channel_output_poll(void);
-
-int      channel_not_very_much_buffered_data(void);
-void     channel_close_all(void);
-int      channel_still_open(void);
-char	*channel_open_message(void);
-int	 channel_find_open(void);
-
-/* tcp forwarding */
-struct Forward;
-struct ForwardOptions;
-void	 channel_set_af(int af);
-void     channel_permit_all_opens(void);
-void	 channel_add_permitted_opens(char *, int);
-int	 channel_add_adm_permitted_opens(char *, int);
-void	 channel_disable_adm_local_opens(void);
-void	 channel_update_permitted_opens(int, int);
-void	 channel_clear_permitted_opens(void);
-void	 channel_clear_adm_permitted_opens(void);
-void 	 channel_print_adm_permitted_opens(void);
-int      channel_input_port_forward_request(int, struct ForwardOptions *);
-Channel	*channel_connect_to_port(const char *, u_short, char *, char *);
-Channel *channel_connect_to_path(const char *, char *, char *);
-Channel	*channel_connect_stdio_fwd(const char*, u_short, int, int);
-Channel	*channel_connect_by_listen_address(const char *, u_short,
-	     char *, char *);
-Channel	*channel_connect_by_listen_path(const char *, char *, char *);
-int	 channel_request_remote_forwarding(struct Forward *);
-int	 channel_setup_local_fwd_listener(struct Forward *, struct ForwardOptions *);
-int	 channel_request_rforward_cancel(struct Forward *);
-int	 channel_setup_remote_fwd_listener(struct Forward *, int *, struct ForwardOptions *);
-int	 channel_cancel_rport_listener(struct Forward *);
-int	 channel_cancel_lport_listener(struct Forward *, int, struct ForwardOptions *);
-int	 permitopen_port(const char *);
-
-/* x11 forwarding */
-
-void	 channel_set_x11_refuse_time(u_int);
-int	 x11_connect_display(void);
-int	 x11_create_display_inet(int, int, int, u_int *, int **);
-int      x11_input_open(int, u_int32_t, void *);
-void	 x11_request_forwarding_with_spoofing(int, const char *, const char *,
-	     const char *, int);
-int	 deny_input_open(int, u_int32_t, void *);
-
-/* agent forwarding */
-
-void	 auth_request_forwarding(void);
-
-/* channel close */
-
-int	 chan_is_dead(Channel *, int);
-void	 chan_mark_dead(Channel *);
-
-/* channel events */
-
-void	 chan_rcvd_oclose(Channel *);
-void	 chan_rcvd_eow(Channel *);	/* SSH2-only */
-void	 chan_read_failed(Channel *);
-void	 chan_ibuf_empty(Channel *);
-
-void	 chan_rcvd_ieof(Channel *);
-void	 chan_write_failed(Channel *);
-void	 chan_obuf_empty(Channel *);
-
-#endif
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@ -1,155 +0,0 @@
-/* $OpenBSD: cipher-3des1.c,v 1.12 2015/01/14 10:24:42 markus Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <string.h>
-#include <openssl/evp.h>
-
-#include "ssherr.h"
-
-/*
- * This is used by SSH1:
- *
- * What kind of triple DES are these 2 routines?
- *
- * Why is there a redundant initialization vector?
- *
- * If only iv3 was used, then, this would till effect have been
- * outer-cbc. However, there is also a private iv1 == iv2 which
- * perhaps makes differential analysis easier. On the other hand, the
- * private iv1 probably makes the CRC-32 attack ineffective. This is a
- * result of that there is no longer any known iv1 to use when
- * choosing the X block.
- */
-struct ssh1_3des_ctx
-{
-	EVP_CIPHER_CTX	k1, k2, k3;
-};
-
-const EVP_CIPHER * evp_ssh1_3des(void);
-int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-
-static int
-ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-	struct ssh1_3des_ctx *c;
-	u_char *k1, *k2, *k3;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		if ((c = calloc(1, sizeof(*c))) == NULL)
-			return 0;
-		EVP_CIPHER_CTX_set_app_data(ctx, c);
-	}
-	if (key == NULL)
-		return 1;
-	if (enc == -1)
-		enc = ctx->encrypt;
-	k1 = k2 = k3 = (u_char *) key;
-	k2 += 8;
-	if (EVP_CIPHER_CTX_key_length(ctx) >= 16+8) {
-		if (enc)
-			k3 += 16;
-		else
-			k1 += 16;
-	}
-	EVP_CIPHER_CTX_init(&c->k1);
-	EVP_CIPHER_CTX_init(&c->k2);
-	EVP_CIPHER_CTX_init(&c->k3);
-	if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
-	    EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
-	    EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
-		explicit_bzero(c, sizeof(*c));
-		free(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-		return 0;
-	}
-	return 1;
-}
-
-static int
-ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
-{
-	struct ssh1_3des_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
-		return 0;
-	if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
-	    EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
-	    EVP_Cipher(&c->k3, dest, dest, len) == 0)
-		return 0;
-	return 1;
-}
-
-static int
-ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	struct ssh1_3des_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-		EVP_CIPHER_CTX_cleanup(&c->k1);
-		EVP_CIPHER_CTX_cleanup(&c->k2);
-		EVP_CIPHER_CTX_cleanup(&c->k3);
-		explicit_bzero(c, sizeof(*c));
-		free(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-	}
-	return 1;
-}
-
-int
-ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
-{
-	struct ssh1_3des_ctx *c;
-
-	if (len != 24)
-		return SSH_ERR_INVALID_ARGUMENT;
-	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-		return SSH_ERR_INTERNAL_ERROR;
-	if (doset) {
-		memcpy(c->k1.iv, iv, 8);
-		memcpy(c->k2.iv, iv + 8, 8);
-		memcpy(c->k3.iv, iv + 16, 8);
-	} else {
-		memcpy(iv, c->k1.iv, 8);
-		memcpy(iv + 8, c->k2.iv, 8);
-		memcpy(iv + 16, c->k3.iv, 8);
-	}
-	return 0;
-}
-
-const EVP_CIPHER *
-evp_ssh1_3des(void)
-{
-	static EVP_CIPHER ssh1_3des;
-
-	memset(&ssh1_3des, 0, sizeof(ssh1_3des));
-	ssh1_3des.nid = NID_undef;
-	ssh1_3des.block_size = 8;
-	ssh1_3des.iv_len = 0;
-	ssh1_3des.key_len = 16;
-	ssh1_3des.init = ssh1_3des_init;
-	ssh1_3des.cleanup = ssh1_3des_cleanup;
-	ssh1_3des.do_cipher = ssh1_3des_cbc;
-	ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
-	return &ssh1_3des;
-}
--- a/cipher-acss.c
+++ b/cipher-acss.c
@ -1,86 +0,0 @@
-/*
- * Copyright (c) 2004 The OpenBSD project
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <openssl/evp.h>
-
-#include <string.h>
-
-#if !defined(EVP_CTRL_SET_ACSS_MODE) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-
-#include "acss.h"
-#include "openbsd-compat/openssl-compat.h"
-
-#define data(ctx) ((EVP_ACSS_KEY *)(ctx)->cipher_data)
-
-typedef struct {
-	ACSS_KEY ks;
-} EVP_ACSS_KEY;
-
-#define EVP_CTRL_SET_ACSS_MODE          0xff06
-#define EVP_CTRL_SET_ACSS_SUBKEY        0xff07
-
-static int
-acss_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key,
-    const unsigned char *iv, int enc)
-{
-	acss_setkey(&data(ctx)->ks,key,enc,ACSS_DATA);
-	return 1;
-}
-
-static int
-acss_ciph(EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
-    LIBCRYPTO_EVP_INL_TYPE inl)
-{
-	acss(&data(ctx)->ks,inl,in,out);
-	return 1;
-}
-
-static int
-acss_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr)
-{
-	switch(type) {
-	case EVP_CTRL_SET_ACSS_MODE:
-		data(ctx)->ks.mode = arg;
-		return 1;
-	case EVP_CTRL_SET_ACSS_SUBKEY:
-		acss_setsubkey(&data(ctx)->ks,(unsigned char *)ptr);
-		return 1;
-	default:
-		return -1;
-	}
-}
-
-const EVP_CIPHER *
-evp_acss(void)
-{
-	static EVP_CIPHER acss_cipher;
-
-	memset(&acss_cipher, 0, sizeof(EVP_CIPHER));
-
-	acss_cipher.nid = NID_undef;
-	acss_cipher.block_size = 1;
-	acss_cipher.key_len = 5;
-	acss_cipher.init = acss_init_key;
-	acss_cipher.do_cipher = acss_ciph;
-	acss_cipher.ctx_size = sizeof(EVP_ACSS_KEY);
-	acss_cipher.ctrl = acss_ctrl;
-
-	return (&acss_cipher);
-}
-#endif
-
--- a/cipher-aes.c
+++ b/cipher-aes.c
@ -1,161 +0,0 @@
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-#ifdef USE_BUILTIN_RIJNDAEL
-#include <sys/types.h>
-
-#include <openssl/evp.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include "rijndael.h"
-#include "xmalloc.h"
-#include "log.h"
-
-#define RIJNDAEL_BLOCKSIZE 16
-struct ssh_rijndael_ctx
-{
-	rijndael_ctx	r_ctx;
-	u_char		r_iv[RIJNDAEL_BLOCKSIZE];
-};
-
-static int
-ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-	struct ssh_rijndael_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		c = xmalloc(sizeof(*c));
-		EVP_CIPHER_CTX_set_app_data(ctx, c);
-	}
-	if (key != NULL) {
-		if (enc == -1)
-			enc = ctx->encrypt;
-		rijndael_set_key(&c->r_ctx, (u_char *)key,
-		    8*EVP_CIPHER_CTX_key_length(ctx), enc);
-	}
-	if (iv != NULL)
-		memcpy(c->r_iv, iv, RIJNDAEL_BLOCKSIZE);
-	return (1);
-}
-
-static int
-ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    LIBCRYPTO_EVP_INL_TYPE len)
-{
-	struct ssh_rijndael_ctx *c;
-	u_char buf[RIJNDAEL_BLOCKSIZE];
-	u_char *cprev, *cnow, *plain, *ivp;
-	int i, j, blocks = len / RIJNDAEL_BLOCKSIZE;
-
-	if (len == 0)
-		return (1);
-	if (len % RIJNDAEL_BLOCKSIZE)
-		fatal("ssh_rijndael_cbc: bad len %d", len);
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		error("ssh_rijndael_cbc: no context");
-		return (0);
-	}
-	if (ctx->encrypt) {
-		cnow  = dest;
-		plain = (u_char *)src;
-		cprev = c->r_iv;
-		for (i = 0; i < blocks; i++, plain+=RIJNDAEL_BLOCKSIZE,
-		    cnow+=RIJNDAEL_BLOCKSIZE) {
-			for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
-				buf[j] = plain[j] ^ cprev[j];
-			rijndael_encrypt(&c->r_ctx, buf, cnow);
-			cprev = cnow;
-		}
-		memcpy(c->r_iv, cprev, RIJNDAEL_BLOCKSIZE);
-	} else {
-		cnow  = (u_char *) (src+len-RIJNDAEL_BLOCKSIZE);
-		plain = dest+len-RIJNDAEL_BLOCKSIZE;
-
-		memcpy(buf, cnow, RIJNDAEL_BLOCKSIZE);
-		for (i = blocks; i > 0; i--, cnow-=RIJNDAEL_BLOCKSIZE,
-		    plain-=RIJNDAEL_BLOCKSIZE) {
-			rijndael_decrypt(&c->r_ctx, cnow, plain);
-			ivp = (i == 1) ? c->r_iv : cnow-RIJNDAEL_BLOCKSIZE;
-			for (j = 0; j < RIJNDAEL_BLOCKSIZE; j++)
-				plain[j] ^= ivp[j];
-		}
-		memcpy(c->r_iv, buf, RIJNDAEL_BLOCKSIZE);
-	}
-	return (1);
-}
-
-static int
-ssh_rijndael_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	struct ssh_rijndael_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-		memset(c, 0, sizeof(*c));
-		free(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-	}
-	return (1);
-}
-
-void
-ssh_rijndael_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, u_int len)
-{
-	struct ssh_rijndael_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-		fatal("ssh_rijndael_iv: no context");
-	if (doset)
-		memcpy(c->r_iv, iv, len);
-	else
-		memcpy(iv, c->r_iv, len);
-}
-
-const EVP_CIPHER *
-evp_rijndael(void)
-{
-	static EVP_CIPHER rijndal_cbc;
-
-	memset(&rijndal_cbc, 0, sizeof(EVP_CIPHER));
-	rijndal_cbc.nid = NID_undef;
-	rijndal_cbc.block_size = RIJNDAEL_BLOCKSIZE;
-	rijndal_cbc.iv_len = RIJNDAEL_BLOCKSIZE;
-	rijndal_cbc.key_len = 16;
-	rijndal_cbc.init = ssh_rijndael_init;
-	rijndal_cbc.cleanup = ssh_rijndael_cleanup;
-	rijndal_cbc.do_cipher = ssh_rijndael_cbc;
-#ifndef SSH_OLD_EVP
-	rijndal_cbc.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
-	return (&rijndal_cbc);
-}
-#endif /* USE_BUILTIN_RIJNDAEL */
--- a/cipher-aesctr.c
+++ b/cipher-aesctr.c
@ -1,83 +0,0 @@
-/* $OpenBSD: cipher-aesctr.c,v 1.2 2015/01/14 10:24:42 markus Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <string.h>
-
-#ifndef WITH_OPENSSL
-
-#include "cipher-aesctr.h"
-
-/*
- * increment counter 'ctr',
- * the counter is of size 'len' bytes and stored in network-byte-order.
- * (LSB at ctr[len-1], MSB at ctr[0])
- */
-static inline void
-aesctr_inc(u8 *ctr, u32 len)
-{
-	ssize_t i;
-
-#ifndef CONSTANT_TIME_INCREMENT
-	for (i = len - 1; i >= 0; i--)
-		if (++ctr[i])	/* continue on overflow */
-			return;
-#else
-	u8 x, add = 1;
-
-	for (i = len - 1; i >= 0; i--) {
-		ctr[i] += add;
-		/* constant time for: x = ctr[i] ? 1 : 0 */
-		x = ctr[i];
-		x = (x | (x >> 4)) & 0xf;
-		x = (x | (x >> 2)) & 0x3;
-		x = (x | (x >> 1)) & 0x1;
-		add *= (x^1);
-	}
-#endif
-}
-
-void
-aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
-{
-	x->rounds = rijndaelKeySetupEnc(x->ek, k, kbits);
-}
-
-void
-aesctr_ivsetup(aesctr_ctx *x,const u8 *iv)
-{
-	memcpy(x->ctr, iv, AES_BLOCK_SIZE);
-}
-
-void
-aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
-{
-	u32 n = 0;
-	u8 buf[AES_BLOCK_SIZE];
-
-	while ((bytes--) > 0) {
-		if (n == 0) {
-			rijndaelEncrypt(x->ek, x->rounds, x->ctr, buf);
-			aesctr_inc(x->ctr, AES_BLOCK_SIZE);
-		}
-		*(c++) = *(m++) ^ buf[n];
-		n = (n + 1) % AES_BLOCK_SIZE;
-	}
-}
-#endif /* !WITH_OPENSSL */
--- a/cipher-aesctr.h
+++ b/cipher-aesctr.h
@ -1,35 +0,0 @@
-/* $OpenBSD: cipher-aesctr.h,v 1.1 2014/04/29 15:39:33 markus Exp $ */
-/*
- * Copyright (c) 2014 Markus Friedl
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef OPENSSH_AESCTR_H
-#define OPENSSH_AESCTR_H
-
-#include "rijndael.h"
-
-#define AES_BLOCK_SIZE 16
-
-typedef struct aesctr_ctx {
-	int	rounds;				/* keylen-dependent #rounds */
-	u32	ek[4*(AES_MAXROUNDS + 1)];	/* encrypt key schedule */
-	u8	ctr[AES_BLOCK_SIZE];		/* counter */
-} aesctr_ctx;
-
-void aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits);
-void aesctr_ivsetup(aesctr_ctx *x,const u8 *iv);
-void aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes);
-
-#endif
--- a/cipher-bf1.c
+++ b/cipher-bf1.c
@ -1,103 +0,0 @@
-/* $OpenBSD: cipher-bf1.c,v 1.7 2015/01/14 10:24:42 markus Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#ifdef WITH_OPENSSL
-
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#include "openbsd-compat/openssl-compat.h"
-
-/*
- * SSH1 uses a variation on Blowfish, all bytes must be swapped before
- * and after encryption/decryption. Thus the swap_bytes stuff (yuk).
- */
-
-const EVP_CIPHER * evp_ssh1_bf(void);
-
-static void
-swap_bytes(const u_char *src, u_char *dst, int n)
-{
-	u_char c[4];
-
-	/* Process 4 bytes every lap. */
-	for (n = n / 4; n > 0; n--) {
-		c[3] = *src++;
-		c[2] = *src++;
-		c[1] = *src++;
-		c[0] = *src++;
-
-		*dst++ = c[0];
-		*dst++ = c[1];
-		*dst++ = c[2];
-		*dst++ = c[3];
-	}
-}
-
-#ifdef SSH_OLD_EVP
-static void bf_ssh1_init (EVP_CIPHER_CTX * ctx, const unsigned char *key,
-			  const unsigned char *iv, int enc)
-{
-	if (iv != NULL)
-		memcpy (&(ctx->oiv[0]), iv, 8);
-	memcpy (&(ctx->iv[0]), &(ctx->oiv[0]), 8);
-	if (key != NULL)
-		BF_set_key (&(ctx->c.bf_ks), EVP_CIPHER_CTX_key_length (ctx),
-			    key);
-}
-#endif
-
-static int (*orig_bf)(EVP_CIPHER_CTX *, u_char *,
-    const u_char *, LIBCRYPTO_EVP_INL_TYPE) = NULL;
-
-static int
-bf_ssh1_cipher(EVP_CIPHER_CTX *ctx, u_char *out, const u_char *in,
-    LIBCRYPTO_EVP_INL_TYPE len)
-{
-	int ret;
-
-	swap_bytes(in, out, len);
-	ret = (*orig_bf)(ctx, out, out, len);
-	swap_bytes(out, out, len);
-	return (ret);
-}
-
-const EVP_CIPHER *
-evp_ssh1_bf(void)
-{
-	static EVP_CIPHER ssh1_bf;
-
-	memcpy(&ssh1_bf, EVP_bf_cbc(), sizeof(EVP_CIPHER));
-	orig_bf = ssh1_bf.do_cipher;
-	ssh1_bf.nid = NID_undef;
-#ifdef SSH_OLD_EVP
-	ssh1_bf.init = bf_ssh1_init;
-#endif
-	ssh1_bf.do_cipher = bf_ssh1_cipher;
-	ssh1_bf.key_len = 32;
-	return (&ssh1_bf);
-}
-#endif /* WITH_OPENSSL */
--- a/cipher-chachapoly.c
+++ b/cipher-chachapoly.c
@ -1,118 +0,0 @@
-/*
- * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/* $OpenBSD: cipher-chachapoly.c,v 1.7 2015/01/14 10:24:42 markus Exp $ */
-
-#include "includes.h"
-
-#include <sys/types.h>
-#include <stdarg.h> /* needed for log.h */
-#include <string.h>
-#include <stdio.h>  /* needed for misc.h */
-
-#include "log.h"
-#include "sshbuf.h"
-#include "ssherr.h"
-#include "cipher-chachapoly.h"
-
-int chachapoly_init(struct chachapoly_ctx *ctx,
-    const u_char *key, u_int keylen)
-{
-	if (keylen != (32 + 32)) /* 2 x 256 bit keys */
-		return SSH_ERR_INVALID_ARGUMENT;
-	chacha_keysetup(&ctx->main_ctx, key, 256);
-	chacha_keysetup(&ctx->header_ctx, key + 32, 256);
-	return 0;
-}
-
-/*
- * chachapoly_crypt() operates as following:
- * En/decrypt with header key 'aadlen' bytes from 'src', storing result
- * to 'dest'. The ciphertext here is treated as additional authenticated
- * data for MAC calculation.
- * En/decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'. Use
- * POLY1305_TAGLEN bytes at offset 'len'+'aadlen' as the authentication
- * tag. This tag is written on encryption and verified on decryption.
- */
-int
-chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
-    const u_char *src, u_int len, u_int aadlen, u_int authlen, int do_encrypt)
-{
-	u_char seqbuf[8];
-	const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */
-	u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
-	int r = SSH_ERR_INTERNAL_ERROR;
-
-	/*
-	 * Run ChaCha20 once to generate the Poly1305 key. The IV is the
-	 * packet sequence number.
-	 */
-	memset(poly_key, 0, sizeof(poly_key));
-	POKE_U64(seqbuf, seqnr);
-	chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
-	chacha_encrypt_bytes(&ctx->main_ctx,
-	    poly_key, poly_key, sizeof(poly_key));
-
-	/* If decrypting, check tag before anything else */
-	if (!do_encrypt) {
-		const u_char *tag = src + aadlen + len;
-
-		poly1305_auth(expected_tag, src, aadlen + len, poly_key);
-		if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
-			r = SSH_ERR_MAC_INVALID;
-			goto out;
-		}
-	}
-
-	/* Crypt additional data */
-	if (aadlen) {
-		chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
-		chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
-	}
-
-	/* Set Chacha's block counter to 1 */
-	chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
-	chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
-	    dest + aadlen, len);
-
-	/* If encrypting, calculate and append tag */
-	if (do_encrypt) {
-		poly1305_auth(dest + aadlen + len, dest, aadlen + len,
-		    poly_key);
-	}
-	r = 0;
- out:
-	explicit_bzero(expected_tag, sizeof(expected_tag));
-	explicit_bzero(seqbuf, sizeof(seqbuf));
-	explicit_bzero(poly_key, sizeof(poly_key));
-	return r;
-}
-
-/* Decrypt and extract the encrypted packet length */
-int
-chachapoly_get_length(struct chachapoly_ctx *ctx,
-    u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
-{
-	u_char buf[4], seqbuf[8];
-
-	if (len < 4)
-		return SSH_ERR_MESSAGE_INCOMPLETE;
-	POKE_U64(seqbuf, seqnr);
-	chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
-	chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
-	*plenp = PEEK_U32(buf);
-	return 0;
-}
--- a/cipher-chachapoly.h
+++ b/cipher-chachapoly.h
@ -1,41 +0,0 @@
-/* $OpenBSD: cipher-chachapoly.h,v 1.4 2014/06/24 01:13:21 djm Exp $ */
-
-/*
- * Copyright (c) Damien Miller 2013 <djm@mindrot.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#ifndef CHACHA_POLY_AEAD_H
-#define CHACHA_POLY_AEAD_H
-
-#include <sys/types.h>
-#include "chacha.h"
-#include "poly1305.h"
-
-#define CHACHA_KEYLEN	32 /* Only 256 bit keys used here */
-
-struct chachapoly_ctx {
-	struct chacha_ctx main_ctx, header_ctx;
-};
-
-int	chachapoly_init(struct chachapoly_ctx *cpctx,
-    const u_char *key, u_int keylen)
-    __attribute__((__bounded__(__buffer__, 2, 3)));
-int	chachapoly_crypt(struct chachapoly_ctx *cpctx, u_int seqnr,
-    u_char *dest, const u_char *src, u_int len, u_int aadlen, u_int authlen,
-    int do_encrypt);
-int	chachapoly_get_length(struct chachapoly_ctx *cpctx,
-    u_int *plenp, u_int seqnr, const u_char *cp, u_int len)
-    __attribute__((__bounded__(__buffer__, 4, 5)));
-
-#endif /* CHACHA_POLY_AEAD_H */
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@ -1,146 +0,0 @@
-/* $OpenBSD: cipher-ctr.c,v 1.11 2010/10/01 23:05:32 djm Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include "includes.h"
-
-#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-#ifndef USE_BUILTIN_RIJNDAEL
-#include <openssl/aes.h>
-#endif
-
-struct ssh_aes_ctr_ctx
-{
-	AES_KEY		aes_ctx;
-	u_char		aes_counter[AES_BLOCK_SIZE];
-};
-
-/*
- * increment counter 'ctr',
- * the counter is of size 'len' bytes and stored in network-byte-order.
- * (LSB at ctr[len-1], MSB at ctr[0])
- */
-static void
-ssh_ctr_inc(u_char *ctr, size_t len)
-{
-	int i;
-
-	for (i = len - 1; i >= 0; i--)
-		if (++ctr[i])	/* continue on overflow */
-			return;
-}
-
-static int
-ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    LIBCRYPTO_EVP_INL_TYPE len)
-{
-	struct ssh_aes_ctr_ctx *c;
-	size_t n = 0;
-	u_char buf[AES_BLOCK_SIZE];
-
-	if (len == 0)
-		return (1);
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
-		return (0);
-
-	while ((len--) > 0) {
-		if (n == 0) {
-			AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
-			ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
-		}
-		*(dest++) = *(src++) ^ buf[n];
-		n = (n + 1) % AES_BLOCK_SIZE;
-	}
-	return (1);
-}
-
-static int
-ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-	struct ssh_aes_ctr_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-		c = xmalloc(sizeof(*c));
-		EVP_CIPHER_CTX_set_app_data(ctx, c);
-	}
-	if (key != NULL)
-		AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-		    &c->aes_ctx);
-	if (iv != NULL)
-		memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
-	return (1);
-}
-
-static int
-ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
-{
-	struct ssh_aes_ctr_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-		memset(c, 0, sizeof(*c));
-		free(c);
-		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-	}
-	return (1);
-}
-
-void
-ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, size_t len)
-{
-	struct ssh_aes_ctr_ctx *c;
-
-	if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-		fatal("ssh_aes_ctr_iv: no context");
-	if (doset)
-		memcpy(c->aes_counter, iv, len);
-	else
-		memcpy(iv, c->aes_counter, len);
-}
-
-const EVP_CIPHER *
-evp_aes_128_ctr(void)
-{
-	static EVP_CIPHER aes_ctr;
-
-	memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
-	aes_ctr.nid = NID_undef;
-	aes_ctr.block_size = AES_BLOCK_SIZE;
-	aes_ctr.iv_len = AES_BLOCK_SIZE;
-	aes_ctr.key_len = 16;
-	aes_ctr.init = ssh_aes_ctr_init;
-	aes_ctr.cleanup = ssh_aes_ctr_cleanup;
-	aes_ctr.do_cipher = ssh_aes_ctr;
-#ifndef SSH_OLD_EVP
-	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
-	return (&aes_ctr);
-}
-
-#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */
--- a/cipher.c
+++ b/cipher.c
@ -1,657 +0,0 @@
-/* $OpenBSD: cipher.c,v 1.100 2015/01/14 10:29:45 djm Exp $ */
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 1999 Niels Provos.  All rights reserved.
- * Copyright (c) 1999, 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdarg.h>
-#include <stdio.h>
-
-#include "cipher.h"
-#include "misc.h"
-#include "sshbuf.h"
-#include "ssherr.h"
-#include "digest.h"
-
-#include "openbsd-compat/openssl-compat.h"
-
-#ifdef WITH_SSH1
-extern const EVP_CIPHER *evp_ssh1_bf(void);
-extern const EVP_CIPHER *evp_ssh1_3des(void);
-extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
-#endif
-
-struct sshcipher {
-	char	*name;
-	int	number;		/* for ssh1 only */
-	u_int	block_size;
-	u_int	key_len;
-	u_int	iv_len;		/* defaults to block_size */
-	u_int	auth_len;
-	u_int	discard_len;
-	u_int	flags;
-#define CFLAG_CBC		(1<<0)
-#define CFLAG_CHACHAPOLY	(1<<1)
-#define CFLAG_AESCTR		(1<<2)
-#define CFLAG_NONE		(1<<3)
-#ifdef WITH_OPENSSL
-	const EVP_CIPHER	*(*evptype)(void);
-#else
-	void	*ignored;
-#endif
-};
-
-static const struct sshcipher ciphers[] = {
-#ifdef WITH_SSH1
-	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
-	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-	{ "blowfish",	SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
-#endif /* WITH_SSH1 */
-#ifdef WITH_OPENSSL
-	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
-	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
-	{ "blowfish-cbc",
-			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
-	{ "cast128-cbc",
-			SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
-	{ "arcfour",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 0, EVP_rc4 },
-	{ "arcfour128",	SSH_CIPHER_SSH2, 8, 16, 0, 0, 1536, 0, EVP_rc4 },
-	{ "arcfour256",	SSH_CIPHER_SSH2, 8, 32, 0, 0, 1536, 0, EVP_rc4 },
-	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
-	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
-	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
-	{ "rijndael-cbc@lysator.liu.se",
-			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
-	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
-	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
-	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
-# ifdef OPENSSL_HAVE_EVPGCM
-	{ "aes128-gcm@openssh.com",
-			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
-	{ "aes256-gcm@openssh.com",
-			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
-# endif /* OPENSSL_HAVE_EVPGCM */
-#else /* WITH_OPENSSL */
-	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
-	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
-	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
-	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
-#endif /* WITH_OPENSSL */
-	{ "chacha20-poly1305@openssh.com",
-			SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
-
-	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
-};
-
-/*--*/
-
-/* Returns a comma-separated list of supported ciphers. */
-char *
-cipher_alg_list(char sep, int auth_only)
-{
-	char *tmp, *ret = NULL;
-	size_t nlen, rlen = 0;
-	const struct sshcipher *c;
-
-	for (c = ciphers; c->name != NULL; c++) {
-		if (c->number != SSH_CIPHER_SSH2)
-			continue;
-		if (auth_only && c->auth_len == 0)
-			continue;
-		if (ret != NULL)
-			ret[rlen++] = sep;
-		nlen = strlen(c->name);
-		if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
-			free(ret);
-			return NULL;
-		}
-		ret = tmp;
-		memcpy(ret + rlen, c->name, nlen + 1);
-		rlen += nlen;
-	}
-	return ret;
-}
-
-u_int
-cipher_blocksize(const struct sshcipher *c)
-{
-	return (c->block_size);
-}
-
-u_int
-cipher_keylen(const struct sshcipher *c)
-{
-	return (c->key_len);
-}
-
-u_int
-cipher_seclen(const struct sshcipher *c)
-{
-	if (strcmp("3des-cbc", c->name) == 0)
-		return 14;
-	return cipher_keylen(c);
-}
-
-u_int
-cipher_authlen(const struct sshcipher *c)
-{
-	return (c->auth_len);
-}
-
-u_int
-cipher_ivlen(const struct sshcipher *c)
-{
-	/*
-	 * Default is cipher block size, except for chacha20+poly1305 that
-	 * needs no IV. XXX make iv_len == -1 default?
-	 */
-	return (c->iv_len != 0 || (c->flags & CFLAG_CHACHAPOLY) != 0) ?
-	    c->iv_len : c->block_size;
-}
-
-u_int
-cipher_get_number(const struct sshcipher *c)
-{
-	return (c->number);
-}
-
-u_int
-cipher_is_cbc(const struct sshcipher *c)
-{
-	return (c->flags & CFLAG_CBC) != 0;
-}
-
-u_int
-cipher_mask_ssh1(int client)
-{
-	u_int mask = 0;
-	mask |= 1 << SSH_CIPHER_3DES;		/* Mandatory */
-	mask |= 1 << SSH_CIPHER_BLOWFISH;
-	if (client) {
-		mask |= 1 << SSH_CIPHER_DES;
-	}
-	return mask;
-}
-
-const struct sshcipher *
-cipher_by_name(const char *name)
-{
-	const struct sshcipher *c;
-	for (c = ciphers; c->name != NULL; c++)
-		if (strcmp(c->name, name) == 0)
-			return c;
-	return NULL;
-}
-
-const struct sshcipher *
-cipher_by_number(int id)
-{
-	const struct sshcipher *c;
-	for (c = ciphers; c->name != NULL; c++)
-		if (c->number == id)
-			return c;
-	return NULL;
-}
-
-#define	CIPHER_SEP	","
-int
-ciphers_valid(const char *names)
-{
-	const struct sshcipher *c;
-	char *cipher_list, *cp;
-	char *p;
-
-	if (names == NULL || strcmp(names, "") == 0)
-		return 0;
-	if ((cipher_list = cp = strdup(names)) == NULL)
-		return 0;
-	for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
-	    (p = strsep(&cp, CIPHER_SEP))) {
-		c = cipher_by_name(p);
-		if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-			free(cipher_list);
-			return 0;
-		}
-	}
-	free(cipher_list);
-	return 1;
-}
-
-/*
- * Parses the name of the cipher.  Returns the number of the corresponding
- * cipher, or -1 on error.
- */
-
-int
-cipher_number(const char *name)
-{
-	const struct sshcipher *c;
-	if (name == NULL)
-		return -1;
-	for (c = ciphers; c->name != NULL; c++)
-		if (strcasecmp(c->name, name) == 0)
-			return c->number;
-	return -1;
-}
-
-char *
-cipher_name(int id)
-{
-	const struct sshcipher *c = cipher_by_number(id);
-	return (c==NULL) ? "<unknown>" : c->name;
-}
-
-const char *
-cipher_warning_message(const struct sshcipher_ctx *cc)
-{
-	if (cc == NULL || cc->cipher == NULL)
-		return NULL;
-	if (cc->cipher->number == SSH_CIPHER_DES)
-		return "use of DES is strongly discouraged due to "
-		    "cryptographic weaknesses";
-	return NULL;
-}
-
-int
-cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
-    const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
-    int do_encrypt)
-{
-#ifdef WITH_OPENSSL
-	int ret = SSH_ERR_INTERNAL_ERROR;
-	const EVP_CIPHER *type;
-	int klen;
-	u_char *junk, *discard;
-
-	if (cipher->number == SSH_CIPHER_DES) {
-		if (keylen > 8)
-			keylen = 8;
-	}
-#endif
-	cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
-	cc->encrypt = do_encrypt;
-
-	if (keylen < cipher->key_len ||
-	    (iv != NULL && ivlen < cipher_ivlen(cipher)))
-		return SSH_ERR_INVALID_ARGUMENT;
-
-	cc->cipher = cipher;
-	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
-		return chachapoly_init(&cc->cp_ctx, key, keylen);
-	}
-#ifndef WITH_OPENSSL
-	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
-		aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
-		aesctr_ivsetup(&cc->ac_ctx, iv);
-		return 0;
-	}
-	if ((cc->cipher->flags & CFLAG_NONE) != 0)
-		return 0;
-	return SSH_ERR_INVALID_ARGUMENT;
-#else
-	type = (*cipher->evptype)();
-	EVP_CIPHER_CTX_init(&cc->evp);
-	if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
-	    (do_encrypt == CIPHER_ENCRYPT)) == 0) {
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
-		goto bad;
-	}
-	if (cipher_authlen(cipher) &&
-	    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-	    -1, (u_char *)iv)) {
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
-		goto bad;
-	}
-	klen = EVP_CIPHER_CTX_key_length(&cc->evp);
-	if (klen > 0 && keylen != (u_int)klen) {
-		if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
-			ret = SSH_ERR_LIBCRYPTO_ERROR;
-			goto bad;
-		}
-	}
-	if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
-		ret = SSH_ERR_LIBCRYPTO_ERROR;
-		goto bad;
-	}
-
-	if (cipher->discard_len > 0) {
-		if ((junk = malloc(cipher->discard_len)) == NULL ||
-		    (discard = malloc(cipher->discard_len)) == NULL) {
-			if (junk != NULL)
-				free(junk);
-			ret = SSH_ERR_ALLOC_FAIL;
-			goto bad;
-		}
-		ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
-		explicit_bzero(discard, cipher->discard_len);
-		free(junk);
-		free(discard);
-		if (ret != 1) {
-			ret = SSH_ERR_LIBCRYPTO_ERROR;
- bad:
-			EVP_CIPHER_CTX_cleanup(&cc->evp);
-			return ret;
-		}
-	}
-#endif
-	return 0;
-}
-
-/*
- * cipher_crypt() operates as following:
- * Copy 'aadlen' bytes (without en/decryption) from 'src' to 'dest'.
- * Theses bytes are treated as additional authenticated data for
- * authenticated encryption modes.
- * En/Decrypt 'len' bytes at offset 'aadlen' from 'src' to 'dest'.
- * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
- * This tag is written on encryption and verified on decryption.
- * Both 'aadlen' and 'authlen' can be set to 0.
- */
-int
-cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
-   const u_char *src, u_int len, u_int aadlen, u_int authlen)
-{
-	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
-		return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
-		    len, aadlen, authlen, cc->encrypt);
-	}
-#ifndef WITH_OPENSSL
-	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
-		if (aadlen)
-			memcpy(dest, src, aadlen);
-		aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
-		    dest + aadlen, len);
-		return 0;
-	}
-	if ((cc->cipher->flags & CFLAG_NONE) != 0) {
-		memcpy(dest, src, aadlen + len);
-		return 0;
-	}
-	return SSH_ERR_INVALID_ARGUMENT;
-#else
-	if (authlen) {
-		u_char lastiv[1];
-
-		if (authlen != cipher_authlen(cc->cipher))
-			return SSH_ERR_INVALID_ARGUMENT;
-		/* increment IV */
-		if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
-		    1, lastiv))
-			return SSH_ERR_LIBCRYPTO_ERROR;
-		/* set tag on decyption */
-		if (!cc->encrypt &&
-		    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
-		    authlen, (u_char *)src + aadlen + len))
-			return SSH_ERR_LIBCRYPTO_ERROR;
-	}
-	if (aadlen) {
-		if (authlen &&
-		    EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
-			return SSH_ERR_LIBCRYPTO_ERROR;
-		memcpy(dest, src, aadlen);
-	}
-	if (len % cc->cipher->block_size)
-		return SSH_ERR_INVALID_ARGUMENT;
-	if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
-	    len) < 0)
-		return SSH_ERR_LIBCRYPTO_ERROR;
-	if (authlen) {
-		/* compute tag (on encrypt) or verify tag (on decrypt) */
-		if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
-			return cc->encrypt ?
-			    SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
-		if (cc->encrypt &&
-		    !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
-		    authlen, dest + aadlen + len))
-			return SSH_ERR_LIBCRYPTO_ERROR;
-	}
-	return 0;
-#endif
-}
-
-/* Extract the packet length, including any decryption necessary beforehand */
-int
-cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
-    const u_char *cp, u_int len)
-{
-	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-		return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
-		    cp, len);
-	if (len < 4)
-		return SSH_ERR_MESSAGE_INCOMPLETE;
-	*plenp = get_u32(cp);
-	return 0;
-}
-
-int
-cipher_cleanup(struct sshcipher_ctx *cc)
-{
-	if (cc == NULL || cc->cipher == NULL)
-		return 0;
-	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-		explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
-	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
-		explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
-#ifdef WITH_OPENSSL
-	else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
-		return SSH_ERR_LIBCRYPTO_ERROR;
-#endif
-	return 0;
-}
-
-/*
- * Selects the cipher, and keys if by computing the MD5 checksum of the
- * passphrase and using the resulting 16 bytes as the key.
- */
-int
-cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
-    const char *passphrase, int do_encrypt)
-{
-	u_char digest[16];
-	int r = SSH_ERR_INTERNAL_ERROR;
-
-	if ((r = ssh_digest_memory(SSH_DIGEST_MD5,
-	    passphrase, strlen(passphrase),
-	    digest, sizeof(digest))) != 0)
-		goto out;
-
-	r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
- out:
-	explicit_bzero(digest, sizeof(digest));
-	return r;
-}
-
-/*
- * Exports an IV from the sshcipher_ctx required to export the key
- * state back from the unprivileged child to the privileged parent
- * process.
- */
-int
-cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
-{
-	const struct sshcipher *c = cc->cipher;
-	int ivlen = 0;
-
-	if (c->number == SSH_CIPHER_3DES)
-		ivlen = 24;
-	else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-		ivlen = 0;
-	else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
-		ivlen = sizeof(cc->ac_ctx.ctr);
-#ifdef WITH_OPENSSL
-	else
-		ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-#endif /* WITH_OPENSSL */
-	return (ivlen);
-}
-
-int
-cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
-{
-	const struct sshcipher *c = cc->cipher;
-#ifdef WITH_OPENSSL
- 	int evplen;
-#endif
-
-	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
-		if (len != 0)
-			return SSH_ERR_INVALID_ARGUMENT;
-		return 0;
-	}
-	if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
-		if (len != sizeof(cc->ac_ctx.ctr))
-			return SSH_ERR_INVALID_ARGUMENT;
-		memcpy(iv, cc->ac_ctx.ctr, len);
-		return 0;
-	}
-	if ((cc->cipher->flags & CFLAG_NONE) != 0)
-		return 0;
-
-	switch (c->number) {
-#ifdef WITH_OPENSSL
-	case SSH_CIPHER_SSH2:
-	case SSH_CIPHER_DES:
-	case SSH_CIPHER_BLOWFISH:
-		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-		if (evplen == 0)
-			return 0;
-		else if (evplen < 0)
-			return SSH_ERR_LIBCRYPTO_ERROR;
-		if ((u_int)evplen != len)
-			return SSH_ERR_INVALID_ARGUMENT;
-#ifndef OPENSSL_HAVE_EVPCTR
-		if (c->evptype == evp_aes_128_ctr)
-			ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
-		else
-#endif
-		if (cipher_authlen(c)) {
-			if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
-			   len, iv))
-			       return SSH_ERR_LIBCRYPTO_ERROR;
-		} else
-			memcpy(iv, cc->evp.iv, len);
-		break;
-#endif
-#ifdef WITH_SSH1
-	case SSH_CIPHER_3DES:
-		return ssh1_3des_iv(&cc->evp, 0, iv, 24);
-#endif
-	default:
-		return SSH_ERR_INVALID_ARGUMENT;
-	}
-	return 0;
-}
-
-int
-cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
-{
-	const struct sshcipher *c = cc->cipher;
-#ifdef WITH_OPENSSL
- 	int evplen = 0;
-#endif
-
-	if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-		return 0;
-	if ((cc->cipher->flags & CFLAG_NONE) != 0)
-		return 0;
-
-	switch (c->number) {
-#ifdef WITH_OPENSSL
-	case SSH_CIPHER_SSH2:
-	case SSH_CIPHER_DES:
-	case SSH_CIPHER_BLOWFISH:
-		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-		if (evplen <= 0)
-			return SSH_ERR_LIBCRYPTO_ERROR;
-		if (cipher_authlen(c)) {
-			/* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
-			if (!EVP_CIPHER_CTX_ctrl(&cc->evp,
-			    EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
-				return SSH_ERR_LIBCRYPTO_ERROR;
-		} else
-			memcpy(cc->evp.iv, iv, evplen);
-		break;
-#endif
-#ifdef WITH_SSH1
-	case SSH_CIPHER_3DES:
-		return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
-#endif
-	default:
-		return SSH_ERR_INVALID_ARGUMENT;
-	}
-	return 0;
-}
-
-#ifdef WITH_OPENSSL
-#define EVP_X_STATE(evp)	(evp).cipher_data
-#define EVP_X_STATE_LEN(evp)	(evp).cipher->ctx_size
-#endif
-
-int
-cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
-{
-#ifdef WITH_OPENSSL
-	const struct sshcipher *c = cc->cipher;
-	int plen = 0;
-
-	if (c->evptype == EVP_rc4) {
-		plen = EVP_X_STATE_LEN(cc->evp);
-		if (dat == NULL)
-			return (plen);
-		memcpy(dat, EVP_X_STATE(cc->evp), plen);
-	}
-	return (plen);
-#else
-	return 0;
-#endif
-}
-
-void
-cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
-{
-#ifdef WITH_OPENSSL
-	const struct sshcipher *c = cc->cipher;
-	int plen;
-
-	if (c->evptype == EVP_rc4) {
-		plen = EVP_X_STATE_LEN(cc->evp);
-		memcpy(EVP_X_STATE(cc->evp), dat, plen);
-	}
-#endif
-}
--- a/cipher.h
+++ b/cipher.h
@ -1,105 +0,0 @@
-/* $OpenBSD: cipher.h,v 1.48 2015/07/08 19:09:25 markus Exp $ */
-
-/*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef CIPHER_H
-#define CIPHER_H
-
-#include <sys/types.h>
-#include <openssl/evp.h>
-#include "cipher-chachapoly.h"
-#include "cipher-aesctr.h"
-
-/*
- * Cipher types for SSH-1.  New types can be added, but old types should not
- * be removed for compatibility.  The maximum allowed value is 31.
- */
-#define SSH_CIPHER_SSH2		-3
-#define SSH_CIPHER_INVALID	-2	/* No valid cipher selected. */
-#define SSH_CIPHER_NOT_SET	-1	/* None selected (invalid number). */
-#define SSH_CIPHER_NONE		0	/* no encryption */
-#define SSH_CIPHER_IDEA		1	/* IDEA CFB */
-#define SSH_CIPHER_DES		2	/* DES CBC */
-#define SSH_CIPHER_3DES		3	/* 3DES CBC */
-#define SSH_CIPHER_BROKEN_TSS	4	/* TRI's Simple Stream encryption CBC */
-#define SSH_CIPHER_BROKEN_RC4	5	/* Alleged RC4 */
-#define SSH_CIPHER_BLOWFISH	6
-#define SSH_CIPHER_RESERVED	7
-#define SSH_CIPHER_MAX		31
-
-#define CIPHER_ENCRYPT		1
-#define CIPHER_DECRYPT		0
-
-struct sshcipher;
-struct sshcipher_ctx {
-	int	plaintext;
-	int	encrypt;
-	EVP_CIPHER_CTX evp;
-	struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
-	struct aesctr_ctx ac_ctx; /* XXX union with evp? */
-	const struct sshcipher *cipher;
-};
-
-u_int	 cipher_mask_ssh1(int);
-const struct sshcipher *cipher_by_name(const char *);
-const struct sshcipher *cipher_by_number(int);
-int	 cipher_number(const char *);
-char	*cipher_name(int);
-const char *cipher_warning_message(const struct sshcipher_ctx *);
-int	 ciphers_valid(const char *);
-char	*cipher_alg_list(char, int);
-int	 cipher_init(struct sshcipher_ctx *, const struct sshcipher *,
-    const u_char *, u_int, const u_char *, u_int, int);
-int	 cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
-    u_int, u_int, u_int);
-int	 cipher_get_length(struct sshcipher_ctx *, u_int *, u_int,
-    const u_char *, u_int);
-int	 cipher_cleanup(struct sshcipher_ctx *);
-int	 cipher_set_key_string(struct sshcipher_ctx *, const struct sshcipher *,
-    const char *, int);
-u_int	 cipher_blocksize(const struct sshcipher *);
-u_int	 cipher_keylen(const struct sshcipher *);
-u_int	 cipher_seclen(const struct sshcipher *);
-u_int	 cipher_authlen(const struct sshcipher *);
-u_int	 cipher_ivlen(const struct sshcipher *);
-u_int	 cipher_is_cbc(const struct sshcipher *);
-
-u_int	 cipher_get_number(const struct sshcipher *);
-int	 cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
-int	 cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
-int	 cipher_get_keyiv_len(const struct sshcipher_ctx *);
-int	 cipher_get_keycontext(const struct sshcipher_ctx *, u_char *);
-void	 cipher_set_keycontext(struct sshcipher_ctx *, const u_char *);
-#endif				/* CIPHER_H */
--- a/cleanup.c
+++ b/cleanup.c
@ -1,32 +0,0 @@
-/* $OpenBSD: cleanup.c,v 1.5 2006/08/03 03:34:42 deraadt Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <unistd.h>
-#include <stdarg.h>
-
-#include "log.h"
-
-/* default implementation */
-void
-cleanup_exit(int i)
-{
-	_exit(i);
-}
--- a/clientloop.c
+++ b/clientloop.c
--- a/Show More
+++ b/Show More