Undef int32 after sort routines.

This prevents typedef'ing crypto_int32 twice, in sntrup761.c and
crypto_api.h, which some compilers (at least some GCCs) don't accept.

fix: missing pieces of previous commit

upstream: Use int64_t for intermediate values in int32_MINMAX to

prevent signed 32-bit integer overflow.

Found by and ok djm@
ok markus@

OpenBSD-Commit-ID: 4f0704768e34cf45fdd792bac4011c6971881bb3

adapt KEX fuzzer to PQ kex change

upstream: Adapt to replacement of

sntrup4591761x25519-sha512@tinyssh.org with
sntrup761x25519-sha512@openssh.com.

Also test sntrup761x25519-sha512@openssh.com in unittests/kex

OpenBSD-Regress-ID:

upstream: Adapt to replacement of

sntrup4591761x25519-sha512@tinyssh.org with
sntrup761x25519-sha512@openssh.com.

Also test sntrup761x25519-sha512@openssh.com in unittests/kex

OpenBSD-Regress-ID: cfa3506b2b077a9cac1877fb521efd2641b6030c

show more ...

upstream: Update/replace the experimental post-quantim hybrid key

exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method i

upstream: Update/replace the experimental post-quantim hybrid key

exchange method based on Streamlined NTRU Prime (coupled with X25519).

The previous sntrup4591761x25519-sha512@tinyssh.org method is
replaced with sntrup761x25519-sha512@openssh.com. Per the authors,
sntrup4591761 was replaced almost two years ago by sntrup761.

The sntrup761 implementaion, like sntrup4591761 before it, is public
domain code extracted from the SUPERCOP cryptography benchmark
suite (https://bench.cr.yp.to/supercop.html).

Thanks for Daniel J Bernstein for guidance on algorithm selection.
Patch from Tobias Heider; feedback & ok markus@ and myself

(note this both the updated method and the one that it replaced are
disabled by default)

OpenBSD-Commit-ID: 2bf582b772d81ee24e911bb6f4b2aecfd39338ae

show more ...

upstream: tweak the description of KnownHostsCommand in ssh_conf.5,

and add entries for it to the -O list in scp.1 and sftp.1;

ok djm

OpenBSD-Commit-ID: aba31ebea03f38f8d218857f7ce16a500c3e4aff

whitespace at EOL

whitespace at EOL

Improve AIX text.

Include stdio.h for FILE in misc.h.

Fixes build on at least OpenBSD.

ensure $LOGNAME is set in tests

upstream: more detail for failing tests

OpenBSD-Regress-ID: c68c0e5a521cad7e7f68e54c54ebf86d6c10ee1d

upstream: regress test for KnownHostsCommand

OpenBSD-Regress-ID: ffc77464320b6dabdcfa0a72e0df02659233a38a

upstream: Remove lines accidentally left behind in the ProxyJump

parsing fix r1.345.

ok djm

OpenBSD-Commit-ID: fe767c108c8117bea33767b080ff62eef2c55f5c

upstream: add a ssh_config KnownHostsCommand that allows the client

to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including de

upstream: add a ssh_config KnownHostsCommand that allows the client

to obtain known_hosts data from a command in addition to the usual files.

The command accepts bunch of %-expansions, including details of the
connection and the offered server host key. Note that the command may
be invoked up to three times per connection (see the manpage for
details).

ok markus@

OpenBSD-Commit-ID: 2433cff4fb323918ae968da6ff38feb99b4d33d0

show more ...

upstream: move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, di

upstream: move subprocess() from auth.c to misc.c

make privilege dropping optional but allow it via callbacks (to avoid
need to link uidswap.c everywhere)

add some other flags (keep environment, disable strict path safety check)
that make this more useful for client-side use.

feedback & ok markus@

OpenBSD-Commit-ID: a80ea9fdcc156f1a18e9c166122c759fae1637bf

show more ...

upstream: Remove explicit rijndael-cbc@lysator.liu.se test since the

cipher was removed.

OpenBSD-Regress-ID: aa93cddb4ecd9bc21446a79008a1a53050e64f17

upstream: Remove the pre-standardization cipher

rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc which was
standardized in RFC4253 (2006), has been deprecated and disabled by default
since

upstream: Remove the pre-standardization cipher

rijndael-cbc@lysator.liu.se. It is an alias for aes256-cbc which was
standardized in RFC4253 (2006), has been deprecated and disabled by default
since OpenSSH 7.2 (2016) and was only briefly documented in ssh.1 in 2001.

This will reduce the amount of work the cipher/kex regression tests need
to do by a little bit. ok markus@ djm@

OpenBSD-Commit-ID: fb460acc18290a998fd70910b19c29b4e4f199ad

show more ...

upstream: properly fix ProxyJump parsing; Thanks to tb@ for

pointing out my error (parse_ssh_uri() can return -1/0/1, that I missed).
Reported by Raf Czlonka via bugs@

ok tb@

OpenBSD-Commit-ID: a2

upstream: properly fix ProxyJump parsing; Thanks to tb@ for

pointing out my error (parse_ssh_uri() can return -1/0/1, that I missed).
Reported by Raf Czlonka via bugs@

ok tb@

OpenBSD-Commit-ID: a2991a3794bcaf1ca2b025212cce11cdb5f6b7d6

show more ...

upstream: adapt to API change in hostkeys_foreach()/load_hostkeys()

OpenBSD-Regress-ID: dcb468514f32da49a446372453497dc6eeafdbf3

upstream: few more things needs match.c and addrmatch.c now that

log.c calls match_pattern_list()

OpenBSD-Regress-ID: f7c95c76b150d0aeb00a67858b9579b7d1b2db74

Pull in missing rev 1.2.

upstream: plumb ssh_conn_info through to sshconnect.c; feedback/ok

markus@

OpenBSD-Commit-ID: e8d14a09cda3f1dc55df08f8a4889beff74e68b0

upstream: allow UserKnownHostsFile=none; feedback and ok markus@

OpenBSD-Commit-ID: c46d515eac94a35a1d50d5fd71c4b1ca53334b48