stricter validation of messaging socket fd number; disallow usage of
stderr. Based on GHPR492 by RealHurrison

ensure key_fd is filled when DSA is disabled; spotted by tb@

make DSA key support compile-time optional, defaulting to on

ok markus@

avoid double-free in error path introduced in r1.70;
report and fix based on GHPR#332 by v-rzh
ok dtucker@

make ssh-keysign use the requested signature algorithm and not the
default for the keytype. Part of unbreaking hostbased auth for RSA/SHA2
keys. ok markus@

It really looks like pledge "stdio dns" is possible earlier.
Discussed with mestre

fix ssh-keysign for KEX algorithms that use SHA384/512 exchange hashes;
feedback/ok markus@

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers. ok djm@

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

pledge, better fatal() messages; feedback deraadt@

add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

sessionid can be 32 bytes now too when sha256 kex is used; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.20.2;
move #include <paths.h> out of includes.h; ok markus@

ensure that stdio fds are attached; ok deraadt@

branches: 1.18.4; 1.18.6;
Remove duplicate getuid(), suggested by & ok markus@

Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
change in Portable; ok markus@

perform strict ownership and modes checks for ~/.ssh/config files, as these
can be used to execute arbitrary programs; ok markus@

NB. ssh will now exit when it detects a config with poor permissions

branches: 1.15.2;
fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

return error on msg send/receive failure (rather than fatal); ok markus@

branches: 1.13.2;
fix AddressFamily option in config file, from brent@graveland.net; ok markus@

add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@

potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526

branches: 1.10.2;
move RSA_blinding_on to generic key load method

s/msg_send/ssh_msg_send/ to avoid namespace clashes in portable; ok markus@

we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the
target host and ssh-keysign(8) does not know the remote hostname
and not trust ssh(1) about the hostname, so we add a new option
EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

branches: 1.7.2;
re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config
and exit if HostbasedAuthentication is disabled globally. based on discussions
with deraadt, itojun and sommerfeld; ok itojun@

use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@

bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu

branches: 1.4.2; 1.4.4;
KNF done automatically while reading....

only accept 20 byte session ids

extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@

add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication
in protocol v2 (needs to access the hostkeys).

ensure key_fd is filled when DSA is disabled; spotted by tb@

make DSA key support compile-time optional, defaulting to on

ok markus@

avoid double-free in error path introduced in r1.70;
report and fix based on GHPR#332 by v-rzh
ok dtucker@

make ssh-keysign use the requested signature algorithm and not the
default for the keytype. Part of unbreaking hostbased auth for RSA/SHA2
keys. ok markus@

It really looks like pledge "stdio dns" is possible earlier.
Discussed with mestre

fix ssh-keysign for KEX algorithms that use SHA384/512 exchange hashes;
feedback/ok markus@

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers. ok djm@

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

pledge, better fatal() messages; feedback deraadt@

add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

sessionid can be 32 bytes now too when sha256 kex is used; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.20.2;
move #include <paths.h> out of includes.h; ok markus@

ensure that stdio fds are attached; ok deraadt@

branches: 1.18.4; 1.18.6;
Remove duplicate getuid(), suggested by & ok markus@

Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
change in Portable; ok markus@

perform strict ownership and modes checks for ~/.ssh/config files, as these
can be used to execute arbitrary programs; ok markus@

NB. ssh will now exit when it detects a config with poor permissions

branches: 1.15.2;
fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

return error on msg send/receive failure (rather than fatal); ok markus@

branches: 1.13.2;
fix AddressFamily option in config file, from brent@graveland.net; ok markus@

add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@

potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526

branches: 1.10.2;
move RSA_blinding_on to generic key load method

s/msg_send/ssh_msg_send/ to avoid namespace clashes in portable; ok markus@

we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the
target host and ssh-keysign(8) does not know the remote hostname
and not trust ssh(1) about the hostname, so we add a new option
EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

branches: 1.7.2;
re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config
and exit if HostbasedAuthentication is disabled globally. based on discussions
with deraadt, itojun and sommerfeld; ok itojun@

use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@

bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu

branches: 1.4.2; 1.4.4;
KNF done automatically while reading....

only accept 20 byte session ids

extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@

add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication
in protocol v2 (needs to access the hostkeys).

avoid double-free in error path introduced in r1.70;
report and fix based on GHPR#332 by v-rzh
ok dtucker@

make ssh-keysign use the requested signature algorithm and not the
default for the keytype. Part of unbreaking hostbased auth for RSA/SHA2
keys. ok markus@

It really looks like pledge "stdio dns" is possible earlier.
Discussed with mestre

fix ssh-keysign for KEX algorithms that use SHA384/512 exchange hashes;
feedback/ok markus@

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers. ok djm@

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

pledge, better fatal() messages; feedback deraadt@

add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

sessionid can be 32 bytes now too when sha256 kex is used; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.20.2;
move #include <paths.h> out of includes.h; ok markus@

ensure that stdio fds are attached; ok deraadt@

branches: 1.18.4; 1.18.6;
Remove duplicate getuid(), suggested by & ok markus@

Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
change in Portable; ok markus@

perform strict ownership and modes checks for ~/.ssh/config files, as these
can be used to execute arbitrary programs; ok markus@

NB. ssh will now exit when it detects a config with poor permissions

branches: 1.15.2;
fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

return error on msg send/receive failure (rather than fatal); ok markus@

branches: 1.13.2;
fix AddressFamily option in config file, from brent@graveland.net; ok markus@

add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@

potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526

branches: 1.10.2;
move RSA_blinding_on to generic key load method

s/msg_send/ssh_msg_send/ to avoid namespace clashes in portable; ok markus@

we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the
target host and ssh-keysign(8) does not know the remote hostname
and not trust ssh(1) about the hostname, so we add a new option
EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

branches: 1.7.2;
re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config
and exit if HostbasedAuthentication is disabled globally. based on discussions
with deraadt, itojun and sommerfeld; ok itojun@

use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@

bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu

branches: 1.4.2; 1.4.4;
KNF done automatically while reading....

only accept 20 byte session ids

extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@

add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication
in protocol v2 (needs to access the hostkeys).

make ssh-keysign use the requested signature algorithm and not the
default for the keytype. Part of unbreaking hostbased auth for RSA/SHA2
keys. ok markus@

It really looks like pledge "stdio dns" is possible earlier.
Discussed with mestre

fix ssh-keysign for KEX algorithms that use SHA384/512 exchange hashes;
feedback/ok markus@

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers. ok djm@

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

pledge, better fatal() messages; feedback deraadt@

add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

sessionid can be 32 bytes now too when sha256 kex is used; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.20.2;
move #include <paths.h> out of includes.h; ok markus@

ensure that stdio fds are attached; ok deraadt@

branches: 1.18.4; 1.18.6;
Remove duplicate getuid(), suggested by & ok markus@

Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
change in Portable; ok markus@

perform strict ownership and modes checks for ~/.ssh/config files, as these
can be used to execute arbitrary programs; ok markus@

NB. ssh will now exit when it detects a config with poor permissions

branches: 1.15.2;
fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

return error on msg send/receive failure (rather than fatal); ok markus@

branches: 1.13.2;
fix AddressFamily option in config file, from brent@graveland.net; ok markus@

add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@

potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526

branches: 1.10.2;
move RSA_blinding_on to generic key load method

s/msg_send/ssh_msg_send/ to avoid namespace clashes in portable; ok markus@

we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the
target host and ssh-keysign(8) does not know the remote hostname
and not trust ssh(1) about the hostname, so we add a new option
EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

branches: 1.7.2;
re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config
and exit if HostbasedAuthentication is disabled globally. based on discussions
with deraadt, itojun and sommerfeld; ok itojun@

use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@

bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu

branches: 1.4.2; 1.4.4;
KNF done automatically while reading....

only accept 20 byte session ids

extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@

add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication
in protocol v2 (needs to access the hostkeys).

It really looks like pledge "stdio dns" is possible earlier.
Discussed with mestre

fix ssh-keysign for KEX algorithms that use SHA384/512 exchange hashes;
feedback/ok markus@

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers. ok djm@

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

pledge, better fatal() messages; feedback deraadt@

add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

sessionid can be 32 bytes now too when sha256 kex is used; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.20.2;
move #include <paths.h> out of includes.h; ok markus@

ensure that stdio fds are attached; ok deraadt@

branches: 1.18.4; 1.18.6;
Remove duplicate getuid(), suggested by & ok markus@

Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
change in Portable; ok markus@

perform strict ownership and modes checks for ~/.ssh/config files, as these
can be used to execute arbitrary programs; ok markus@

NB. ssh will now exit when it detects a config with poor permissions

branches: 1.15.2;
fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

return error on msg send/receive failure (rather than fatal); ok markus@

branches: 1.13.2;
fix AddressFamily option in config file, from brent@graveland.net; ok markus@

add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@

potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526

branches: 1.10.2;
move RSA_blinding_on to generic key load method

s/msg_send/ssh_msg_send/ to avoid namespace clashes in portable; ok markus@

we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the
target host and ssh-keysign(8) does not know the remote hostname
and not trust ssh(1) about the hostname, so we add a new option
EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

branches: 1.7.2;
re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config
and exit if HostbasedAuthentication is disabled globally. based on discussions
with deraadt, itojun and sommerfeld; ok itojun@

use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@

bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu

branches: 1.4.2; 1.4.4;
KNF done automatically while reading....

only accept 20 byte session ids

extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@

add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication
in protocol v2 (needs to access the hostkeys).

fix ssh-keysign for KEX algorithms that use SHA384/512 exchange hashes;
feedback/ok markus@

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@

Add experimental support for PQC XMSS keys (Extended Hash-Based Signatures)
The code is not compiled in by default (see WITH_XMSS in Makefile.inc)
Joint work with stefan-lukas_gazdag at genua.eu
See https://tools.ietf.org/html/draft-irtf-cfrg-xmss-hash-based-signatures-12
ok djm@

ssh_free checks for and handles NULL args, remove NULL checks from remaining
callers. ok djm@

Add a function to enable security-related malloc_options. With and ok
deraadt@, something similar has been in the snaps for a while.

implement SHA2-{256,512} for RSASSA-PKCS1-v1_5 signatures (user and host auth)
based on draft-rsa-dsa-sha2-256-03.txt and draft-ssh-ext-info-04.txt;
with & ok djm@

pledge, better fatal() messages; feedback deraadt@

add an XXX reminder for getting correct key paths from sshd_config

consistent check for NULL as noted by Nicholas Lemonias; ok djm@

update to new API (key_fingerprint => sshkey_fingerprint)
check sshkey_fingerprint return values;
ok markus

sync ssh-keysign, ssh-keygen and some dependencies to the new
buffer/key API; mostly mechanical, ok markus@

deprecate key_load_private_pem() and sshkey_load_private_pem()
interfaces. Refactor the generic key loading API to not require
pathnames to be specified (they weren't really used).

Fixes a few other things en passant:

Makes ed25519 keys work for hostbased authentication (ssh-keysign
previously used the PEM-only routines).

Fixes key comment regression bz#2306: key pathnames were being lost as
comment fields.

ok markus@

Add FingerprintHash option to control algorithm used for key
fingerprints. Default changes from MD5 to SHA256 and format
from hex to base64.

Feedback and ok naddy@ markus@

Tweak config reparsing with host canonicalisation

Make the second pass through the config files always run when
hostname canonicalisation is enabled.

Add a "Match canonical" criteria that allows ssh_config Match
blocks to trigger only in the second config pass.

Add a -G option to ssh that causes it to parse its configuration
and dump the result to stdout, similar to "sshd -T"

Allow ssh_config Port options set in the second config parse
phase to be applied (they were being ignored).

bz#2267 bz#2286; ok markus

make compiling against OpenSSL optional (make OPENSSL=no);
reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
allows us to explore further options; with and ok djm

Delete futile calls to RAND_seed. ok djm

include fingerprint of key not found
use arc4random_buf() instead of loop+arc4random()

support ed25519 keys (hostkeys and user identities) using the public domain
ed25519 reference code from SUPERCOP, see http://ed25519.cr.yp.to/software.html
feedback, help & ok djm@

add a "Match" keyword to ssh_config that allows matching on hostname,
user and result of arbitrary commands. "nice work" markus@

bye, bye xfree(); ok markus@

make hostbased auth with ECDSA keys work correctly. Based on patch
by harvey.eneman AT oracle.com in bz#1858; ok markus@ (pre-lock)

reintroduce commit from tedu@, which I pulled out for release engineering:

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

backout previous temporarily; discussed with deraadt@

OpenSSL_add_all_algorithms is the name of the function we have a man page
for, so use that. ok djm

clean for -Wuninitialized

enable certificates for hostbased authentication, from Iain Morgan;
"looks ok" markus@

Make HostBased authentication work with a ProxyCommand. bz #1569, patch
from imorgan at nas nasa gov, ok djm@

almost entirely get rid of the culture of ".h files that include .h files"
ok djm, sort of ok stevesk
makes the pain stop in one easy step

move #include <stdlib.h> out of includes.h

move #include <string.h> out of includes.h

move #include <unistd.h> out of includes.h

move #include <fcntl.h> out of includes.h

move #include <pwd.h> out of includes.h; ok markus@

sessionid can be 32 bytes now too when sha256 kex is used; ok djm@

Put $OpenBSD$ tags back (as comments) to replace the RCSID()s that
Theo nuked - our scripts to sync -portable need them in the files

RCSID() can die

branches: 1.20.2;
move #include <paths.h> out of includes.h; ok markus@

ensure that stdio fds are attached; ok deraadt@

branches: 1.18.4; 1.18.6;
Remove duplicate getuid(), suggested by & ok markus@

Use permanently_set_uid() in ssh and ssh-keysign for consistency, matches
change in Portable; ok markus@

perform strict ownership and modes checks for ~/.ssh/config files, as these
can be used to execute arbitrary programs; ok markus@

NB. ssh will now exit when it detects a config with poor permissions

branches: 1.15.2;
fix mem leaks; some fixes from Pete Flugstad; tested dtucker@

return error on msg send/receive failure (rather than fatal); ok markus@

branches: 1.13.2;
fix AddressFamily option in config file, from brent@graveland.net; ok markus@

add AddressFamily option to ssh_config (like -4, -6 on commandline).
Portable bug #534; ok markus@

potential segfault if KEY_UNSPEC; cjwatson@debian.org; bug #526

branches: 1.10.2;
move RSA_blinding_on to generic key load method

s/msg_send/ssh_msg_send/ to avoid namespace clashes in portable; ok markus@

we cannot use HostbasedAuthentication for enabling ssh-keysign(8),
because HostbasedAuthentication might be enabled based on the
target host and ssh-keysign(8) does not know the remote hostname
and not trust ssh(1) about the hostname, so we add a new option
EnableSSHKeysign; ok djm@, report from zierke@informatik.uni-hamburg.de

branches: 1.7.2;
re-enable ssh-keysign's sbit, but make ssh-keysign read /etc/ssh/ssh_config
and exit if HostbasedAuthentication is disabled globally. based on discussions
with deraadt, itojun and sommerfeld; ok itojun@

use RSA_blinding_on() for rsa hostkeys (suggested by Bill Sommerfeld)
in order to avoid a possible Kocher timing attack pointed out by Charles
Hannum; ok provos@

bug #304, xfree(data) called to early; openssh@sigint.cs.purdue.edu

branches: 1.4.2; 1.4.4;
KNF done automatically while reading....

only accept 20 byte session ids

extent ssh-keysign protocol:
pass # of socket-fd to ssh-keysign, keysign verfies locally used
ip-address using this socket-fd, restricts fake local hostnames
to actual local hostnames; ok stevesk@

add /usr/libexec/ssh-keysign: a setuid helper program for hostbased authentication
in protocol v2 (needs to access the hostkeys).

Order includes as per style(9). Portable already has these so this
removes a handful of diffs between the two.

prepare readconf.c for fuzzing; remove fatal calls and fix some
(one-off) memory leaks; ok markus@

use the new variant log macros instead of prepending __func__ and
appending ssh_err(r) manually; ok markus@

support for user-verified FIDO keys

FIDO2 supports a notion of "user verification" where the user is
required to demonstrate their identity to the token before particular
operations (e.g. signing). Typically this is done by authenticating
themselves using a PIN that has been set on the token.

This adds support for generating and using user verified keys where
the verification happens via PIN (other options might be added in the
future, but none are in common use now). Practically, this adds
another key generation option "verify-required" that yields a key that
requires a PIN before each authentication.

feedback markus@ and Pedro Martelletto; ok markus@

additional missing stdarg.h includes when built without WITH_OPENSSL; ok djm@

Refactor signing - use sshkey_sign for everything, including the new
U2F signatures.

Don't use sshsk_ecdsa_sign() directly, instead make it reachable via
sshkey_sign() like all other signature operations. This means that
we need to add a provider argument to sshkey_sign(), so most of this
change is mechanically adding that.

Suggested by / ok markus@

remove some duplicate #includes

fixes for !WITH_OPENSSL compilation; ok dtucker@

lots of things were relying on libcrypto headers to transitively
include various system headers (mostly stdlib.h); include them
explicitly

if passed a bad fd, log what it was

Replace calls to ssh_malloc_init() by a static init of malloc_options.
Prepares for changes in the way malloc is initialized. ok guenther@ dtucker@

add a ssh_config "Match final" predicate

Matches in same pass as "Match canonical" but doesn't require
hostname canonicalisation be enabled. bz#2906 ok markus

Now that ssh can't be setuid, remove the original_real_uid and
original_effective_uid globals and replace with calls to plain getuid().
ok djm@