git: b16cb28aca00 - stable/13 - ssh: Update to OpenSSH 9.7p1

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Mon, 25 Mar 2024 22:39:24 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=b16cb28aca00112db2a7b5c070ee019c100cbc20

commit b16cb28aca00112db2a7b5c070ee019c100cbc20
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-03-18 14:00:57 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-03-25 22:39:14 +0000

    ssh: Update to OpenSSH 9.7p1
    
    This release contains mostly bugfixes.
    
    It also makes support for the DSA signature algorithm a compile-time
    option, with plans to disable it upstream later this year and remove
    support entirely in 2025.
    
    Full release notes at https://www.openssh.com/txt/release-9.7
    
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit a91a246563dffa876a52f53a98de4af9fa364c52)
    (cherry picked from commit 464fa66f639bdc8e340dd3f640af4309530d48ca)
---
 crypto/openssh/.github/configs                     |    21 +-
 crypto/openssh/.github/setup_ci.sh                 |    26 +
 crypto/openssh/.github/workflows/c-cpp.yml         |    20 +-
 crypto/openssh/.github/workflows/selfhosted.yml    |     1 +
 crypto/openssh/.gitignore                          |     2 +
 crypto/openssh/.skipped-commit-ids                 |     2 +
 crypto/openssh/ChangeLog                           | 11979 +++++++++----------
 crypto/openssh/PROTOCOL                            |    22 +-
 crypto/openssh/PROTOCOL.agent                      |     4 +-
 crypto/openssh/PROTOCOL.mux                        |     4 +-
 crypto/openssh/README                              |     2 +-
 crypto/openssh/README.platform                     |     9 +-
 crypto/openssh/channels.c                          |    79 +-
 crypto/openssh/clientloop.c                        |     4 +-
 crypto/openssh/config.h                            |     3 +
 crypto/openssh/configure.ac                        |    50 +-
 crypto/openssh/contrib/redhat/openssh.spec         |     2 +-
 crypto/openssh/contrib/suse/openssh.spec           |     2 +-
 crypto/openssh/gss-genr.c                          |     8 +-
 crypto/openssh/kex.c                               |    31 +-
 crypto/openssh/kex.h                               |    10 +-
 crypto/openssh/m4/openssh.m4                       |    12 +-
 crypto/openssh/misc.c                              |    15 +-
 crypto/openssh/misc.h                              |     3 +-
 crypto/openssh/nchan.c                             |     4 +-
 crypto/openssh/openbsd-compat/getopt.h             |    12 +-
 crypto/openssh/openbsd-compat/openbsd-compat.h     |    10 +-
 crypto/openssh/packet.c                            |     2 +-
 crypto/openssh/packet.h                            |     2 +-
 crypto/openssh/readconf.c                          |   165 +-
 crypto/openssh/readconf.h                          |     8 +-
 crypto/openssh/regress/Makefile                    |    77 +-
 crypto/openssh/regress/channel-timeout.sh          |    74 +-
 crypto/openssh/regress/dynamic-forward.sh          |     9 +-
 crypto/openssh/regress/misc/fuzz-harness/Makefile  |     8 +-
 .../regress/misc/fuzz-harness/agent_fuzz_helper.c  |     7 +
 crypto/openssh/regress/multiplex.sh                |     3 +-
 crypto/openssh/regress/putty-ciphers.sh            |    51 +-
 crypto/openssh/regress/putty-kex.sh                |    40 +-
 crypto/openssh/regress/putty-transfer.sh           |    13 +-
 crypto/openssh/regress/test-exec.sh                |    28 +-
 crypto/openssh/regress/unittests/Makefile.inc      |     7 +-
 .../regress/unittests/hostkeys/test_iterate.c      |    11 +-
 crypto/openssh/regress/unittests/kex/test_kex.c    |     4 +-
 .../openssh/regress/unittests/sshkey/test_file.c   |     4 +-
 .../openssh/regress/unittests/sshkey/test_fuzz.c   |     8 +-
 .../openssh/regress/unittests/sshkey/test_sshkey.c |    23 +-
 crypto/openssh/regress/unittests/sshsig/tests.c    |     4 +-
 crypto/openssh/servconf.c                          |   168 +-
 crypto/openssh/session.c                           |     4 +-
 crypto/openssh/sftp.c                              |    44 +-
 crypto/openssh/ssh-add.1                           |    14 +-
 crypto/openssh/ssh-add.c                           |    10 +-
 crypto/openssh/ssh-agent.c                         |    48 +-
 crypto/openssh/ssh-dss.c                           |     7 +-
 crypto/openssh/ssh-keygen.c                        |    26 +-
 crypto/openssh/ssh-keyscan.c                       |     8 +-
 crypto/openssh/ssh-keysign.c                       |     7 +-
 crypto/openssh/ssh-pkcs11-client.c                 |     2 +
 crypto/openssh/ssh.c                               |     6 +-
 crypto/openssh/ssh_api.c                           |    14 +-
 crypto/openssh/ssh_config                          |     2 +-
 crypto/openssh/ssh_config.5                        |    26 +-
 crypto/openssh/ssh_namespace.h                     |     1 +
 crypto/openssh/sshbuf-getput-crypto.c              |     4 +-
 crypto/openssh/sshconnect.c                        |     4 +-
 crypto/openssh/sshconnect2.c                       |    21 +-
 crypto/openssh/sshd.c                              |     4 +-
 crypto/openssh/sshd_config                         |     2 +-
 crypto/openssh/sshd_config.5                       |    59 +-
 crypto/openssh/sshkey.c                            |    12 +-
 crypto/openssh/sshsig.c                            |     4 +-
 crypto/openssh/version.h                           |     6 +-
 crypto/openssh/xmss_hash.c                         |     4 +-
 74 files changed, 6366 insertions(+), 7026 deletions(-)

diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index df82faf5046b..370fe29a3ee4 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -164,6 +164,11 @@ case "$config" in
     libressl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/libressl --with-rpath=-Wl,-rpath,"
 	;;
+    putty-*)
+	CONFIGFLAGS="--with-plink=/usr/local/bin/plink --with-puttygen=/usr/local/bin/puttygen"
+	# We don't need to rerun the regular tests, just the interop ones.
+	TEST_TARGET=interop-tests
+	;;
     openssl-*)
 	LIBCRYPTOFLAGS="--with-ssl-dir=/opt/openssl --with-rpath=-Wl,-rpath,"
 	# OpenSSL 1.1.1 specifically has a bug in its RNG that breaks reexec
@@ -269,20 +274,22 @@ case "${TARGET_HOST}" in
 	;;
     minix3)
 	CONFIGFLAGS="${CONFIGFLAGS} --disable-security-key"
+	# Unix domain sockets don't work quite like we expect, so also
+	# disable FD passing (and thus multiplexing).
+	CONFIGFLAGS="${CONFIGFLAGS} --disable-fd-passing"
 	LIBCRYPTOFLAGS="--without-openssl"
+
 	# Minix does not have a loopback interface so we have to skip any
 	# test that relies on one.
 	# Also, Minix seems to be very limited in the number of select()
 	# calls that can be operating concurrently, so prune additional tests for that.
 	T="addrmatch agent-restrict brokenkeys cfgmatch cfgmatchlisten cfgparse
-	    connect connect-uri exit-status forwarding hostkey-agent
-	    key-options keyscan knownhosts-command login-timeout
+	    connect connect-uri dynamic-forward exit-status forwarding
+	    forward-control
+	    hostkey-agent key-options keyscan knownhosts-command login-timeout
 	    reconfigure reexec rekey scp scp-uri scp3 sftp sftp-badcmds
 	    sftp-batch sftp-cmds sftp-glob sftp-perm sftp-uri stderr-data
 	    transfer"
-	# Unix domain sockets don't work quite like we expect, so also skip any tests
-	# that use multiplexing.
-	T="$T connection-timeout dynamic-forward forward-control multiplex"
 	SKIP_LTESTS="$(echo $T)"
 	TEST_TARGET=t-exec
 	SUDO=""
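Review bot: the minix3 skip list no longer names connection-timeout or multiplex. The removed line `T="$T connection-timeout dynamic-forward forward-control multiplex"` covered all four, but only dynamic-forward and forward-control were moved into the main T list. If the intent is that --disable-fd-passing makes the other two skip themselves, say so in the new comment; otherwise keep them in T so the skip does not depend on each test script detecting the missing feature.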
@@ -320,6 +327,10 @@ case "$host" in
 	# modern versions don't ship with libcrypto.
 	LIBCRYPTOFLAGS="--without-openssl"
 	TEST_TARGET=t-exec
+
+	# On some OS X runners we can't write to /var/empty.
+	CONFIGFLAGS="${CONFIGFLAGS} --with-privsep-path=/usr/local/empty"
+
 	case "$host" in
 	*-darwin22.*)
 		# sudo -S nobody doesn't work on macos 13 for some reason.
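Review bot: the added --with-privsep-path=/usr/local/empty is applied to every host that reaches this case arm, while its comment says the problem exists only "on some OS X runners". Either narrow it to the affected runners or reword the comment to say the override is unconditional for this target. sshd expects the privsep directory to be root-owned and not group- or world-writable, so the comment should also state who creates /usr/local/empty and with what ownership.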
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index d0ba7b4724e9..f0f2761c7107 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -142,6 +142,10 @@ for TARGET in $TARGETS; do
         INSTALL_BORINGSSL=1
         PACKAGES="${PACKAGES} cmake ninja-build"
        ;;
+    putty-*)
+	INSTALL_PUTTY=$(echo "${TARGET}" | cut -f2 -d-)
+	PACKAGES="${PACKAGES} cmake"
+	;;
     valgrind*)
        PACKAGES="$PACKAGES valgrind"
        ;;
@@ -241,3 +245,25 @@ if [ ! -z "${INSTALL_ZLIB}" ]; then
      cd ${HOME}/zlib && ./configure && make &&
      sudo make install prefix=/opt/zlib)
 fi
+
+if [ ! -z "${INSTALL_PUTTY}" ]; then
+    ver="${INSTALL_PUTTY}"
+    case "${INSTALL_PUTTY}" in
+    snapshot)
+	tarball=putty.tar.gz
+	(cd /tmp && wget https://tartarus.org/~simon/putty-snapshots/${tarball})
+	;;
+    *)
+	tarball=putty-${ver}.tar.gz
+	(cd /tmp && wget https://the.earth.li/~sgtatham/putty/${ver}/${tarball})
+	;;
+    esac
+    (cd ${HOME} && tar xfz /tmp/${tarball} && cd putty-*
+     if [ -f CMakeLists.txt ]; then
+	cmake . && cmake --build . && sudo cmake --build . --target install
+     else
+	./configure && make && sudo make install
+     fi
+    )
+    /usr/local/bin/plink -V
+fi
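Review bot: the INSTALL_PUTTY block fetches a tarball with wget and then runs `sudo cmake --build . --target install` or `sudo make install` from it without any checksum or signature check, so whatever either download host serves is built and installed as root on the runner. For the numbered releases, record an expected SHA-256 per version and compare it before `tar xfz`; the snapshot tarball cannot be pinned, so consider building it without sudo into a user-writable prefix. Two smaller points in the same block: a failed wget is not detected until tar fails, and `cd putty-*` assumes exactly one matching directory under ${HOME}.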
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index 8f624d21016c..edb88f23c0fb 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -62,20 +62,32 @@ jobs:
           - { target: ubuntu-latest, config: libressl-3.5.3 }
           - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
-          - { target: ubuntu-latest, config: libressl-3.8.2 }
+          - { target: ubuntu-latest, config: libressl-3.8.3 }
+          - { target: ubuntu-latest, config: libressl-3.9.0 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
           - { target: ubuntu-latest, config: openssl-1.1.1t }
           - { target: ubuntu-latest, config: openssl-1.1.1w }
           - { target: ubuntu-latest, config: openssl-3.0.0 }
-          - { target: ubuntu-latest, config: openssl-3.0.12 }
+          - { target: ubuntu-latest, config: openssl-3.0.13 }
           - { target: ubuntu-latest, config: openssl-3.1.0 }
-          - { target: ubuntu-latest, config: openssl-3.1.4 }
-          - { target: ubuntu-latest, config: openssl-3.2.0 }
+          - { target: ubuntu-latest, config: openssl-3.1.5 }
+          - { target: ubuntu-latest, config: openssl-3.2.1 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
           - { target: ubuntu-latest, config: openssl-3.2 }  # stable branch
+          - { target: ubuntu-latest, config: putty-0.71 }
+          - { target: ubuntu-latest, config: putty-0.72 }
+          - { target: ubuntu-latest, config: putty-0.73 }
+          - { target: ubuntu-latest, config: putty-0.74 }
+          - { target: ubuntu-latest, config: putty-0.75 }
+          - { target: ubuntu-latest, config: putty-0.76 }
+          - { target: ubuntu-latest, config: putty-0.77 }
+          - { target: ubuntu-latest, config: putty-0.78 }
+          - { target: ubuntu-latest, config: putty-0.79 }
+          - { target: ubuntu-latest, config: putty-0.80 }
+          - { target: ubuntu-latest, config: putty-snapshot }
           - { target: ubuntu-latest, config: zlib-develop }
           - { target: ubuntu-22.04, config: pam }
           - { target: ubuntu-22.04, config: krb5 }
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index be0b4ffec580..4f1c587a5779 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -73,6 +73,7 @@ jobs:
           - { target: fbsd14, config: pam, host: libvirt }
           - { target: nbsd8,  config: pam, host: libvirt }
           - { target: nbsd9,  config: pam, host: libvirt }
+          - { target: nbsd10, config: pam, host: libvirt }
           # VMs with persistent disks that have their own runner.
           - { target: win10, config: default, host: win10 }
           - { target: win10, config: cygwin-release, host: win10 }
diff --git a/crypto/openssh/.gitignore b/crypto/openssh/.gitignore
index 5e4ae5a60d06..7fccc6fe3dc3 100644
--- a/crypto/openssh/.gitignore
+++ b/crypto/openssh/.gitignore
@@ -18,6 +18,8 @@ survey.sh
 **/*.so
 **/*.out
 **/*.a
+**/*.un~
+**/.*.swp
 autom4te.cache/
 scp
 sftp
diff --git a/crypto/openssh/.skipped-commit-ids b/crypto/openssh/.skipped-commit-ids
index 59e80518acf2..06303955c566 100644
--- a/crypto/openssh/.skipped-commit-ids
+++ b/crypto/openssh/.skipped-commit-ids
@@ -1,3 +1,4 @@
+509bb19bb9762a4b3b589af98bac2e730541b6d4	clean sshd random relinking kit
 5317f294d63a876bfc861e19773b1575f96f027d	remove libssh from makefiles
 a337e886a49f96701ccbc4832bed086a68abfa85	Makefile changes
 f2c9feb26963615c4fece921906cf72e248b61ee	more Makefile
@@ -27,6 +28,7 @@ cc12a9029833d222043aecd252d654965c351a69	moduli-gen Makefile
 f9a0726d957cf10692a231996a1f34e7f9cdfeb0	moduli update
 1e0a2692b7e20b126dda60bf04999d1d30d959d8	sshd relinking makefile changes
 e1dc11143f83082e3154d6094f9136d0dc2637ad	more relinking makefile tweaks
+5a636f6ca7f25bfe775df4952f7aac90a7fcbbee	moduli update
 
 Old upstream tree:
 
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 981b7ecd94b6..3bbccf5ea3eb 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,9505 +1,8300 @@
-commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
+commit 86bdd3853f4d32c85e295e6216a2fe0953ad93f0
 Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Dec 19 01:59:50 2023 +1100
+Date:   Mon Mar 11 16:20:49 2024 +1100
 
-    crank versions
+    version number in README
 
-commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
+commit 282721418e6465bc39ccfd39bb0133e670ee4423
 Author: Damien Miller <djm@mindrot.org>
-Date:   Tue Dec 19 01:59:06 2023 +1100
+Date:   Mon Mar 11 16:20:08 2024 +1100
 
-    depend
+    crank RPM spec versions
 
-commit e48cdee8e19059203b1aeeabec2350b8375fa61f
+commit 3876a3bbd2ca84d23ba20f8b69ba83270c04ce3a
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:50:08 2023 +0000
+Date:   Mon Mar 11 04:59:47 2024 +0000
 
-    upstream: regress test for agent PKCS#11-backed certificates
+    upstream: openssh-9.7
     
-    OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
+    OpenBSD-Commit-ID: 618ececf58b8cdae016b149787af06240f7b0cbc
 
-commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:49:39 2023 +0000
+commit 8fc109cc614954a8eb2738c48c0db36a62af9a06
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Mon Mar 11 12:59:26 2024 +1100
 
-    upstream: regress test for constrained PKCS#11 keys
+    Test against current OpenSSL and LibreSSL releases.
     
-    OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
+    Add LibreSSL 3.9.0, bump older branches to their respective current
+    releases.
 
-commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:48:44 2023 +0000
+commit 26b09b45fec7b88ba09042c09be4157e58e231e2
+Author: Damien Miller <djm@mindrot.org>
+Date:   Sun Mar 10 16:24:57 2024 +1100
 
-    upstream: openssh-9.6
+    quote regexes used to test for algorithm support
     
-    OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
+    Fixes test failures on Solaris 8 reported by Tom G. Christensen
 
-commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
+commit a6a740a4948d10a622b505135bb485c10f21db5e
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:48:08 2023 +0000
+Date:   Sat Mar 9 05:12:13 2024 +0000
 
-    upstream: ssh-agent: record failed session-bind attempts
-    
-    Record failed attempts to session-bind a connection and refuse signing
-    operations on that connection henceforth.
-    
-    Prevents a future situation where we add a new hostkey type that is not
-    recognised by an older ssh-agent, that consequently causes session-bind
-    to fail (this situation is only likely to arise when people mix ssh(1)
-    and ssh-agent(1) of different versions on the same host). Previously,
-    after such a failure the agent socket would be considered unbound and
-    not subject to restriction.
+    upstream: avoid logging in signal handler by converting mainloop to
     
-    Spotted by Jann Horn
+    ppoll() bz3670, reported by Ben Hamilton; ok dtucker@
     
-    OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
+    OpenBSD-Commit-ID: e58f18042b86425405ca09e6e9d7dfa1df9f5f7f
 
-commit 7ef3787c84b6b524501211b11a26c742f829af1a
+commit cd82f7526e0481720567ae41db7849ab1c27e27b
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:47:44 2023 +0000
+Date:   Fri Mar 8 22:16:32 2024 +0000
 
-    upstream: ban user/hostnames with most shell metacharacters
+    upstream: skip more whitespace, fixes find-principals on
     
-    This makes ssh(1) refuse user or host names provided on the
-    commandline that contain most shell metacharacters.
-    
-    Some programs that invoke ssh(1) using untrusted data do not filter
-    metacharacters in arguments they supply. This could create
-    interactions with user-specified ProxyCommand and other directives
-    that allow shell injection attacks to occur.
+    allowed_signers files with blank lines; reported by Wiktor Kwapisiewicz
     
-    It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
-    but getting this stuff right can be tricky, so this should prevent
-    most obvious ways of creating risky situations. It however is not
-    and cannot be perfect: ssh(1) has no practical way of interpreting
-    what shell quoting rules are in use and how they interact with the
-    user's specified ProxyCommand.
+    OpenBSD-Commit-ID: b3a22a2afd753d70766f34bc7f309c03706b5298
+
+commit 2f9d2af5cb19905d87f37d1e11c9f035ac5daf3b
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Mar 8 11:34:10 2024 +0000
+
+    upstream: Invoke ProxyCommand that uses stderr redirection via
     
-    To allow configurations that use strange user or hostnames to
-    continue to work, this strictness is applied only to names coming
-    from the commandline. Names specified using User or Hostname
-    directives in ssh_config(5) are not affected.
+    $TEST_SHELL. Fixes test when run by a user whose login shell is tcsh.
+    Found by vinschen at redhat.com.
     
-    feedback/ok millert@ markus@ dtucker@ deraadt@
+    OpenBSD-Regress-ID: f68d79e7f00caa8d216ebe00ee5f0adbb944062a
+
+commit 9b3f0beb4007a7e01dfedabb429097fb593deae6
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Thu Mar 7 17:18:14 2024 +1100
+
+    Prefer openssl binary from --with-ssl-dir directory.
     
-    OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
+    Use openssl in the directory specified by --with-ssl-dir as long
+    as it's functional.  Reported by The Doctor.
 
-commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
+commit c47e1c9c7911f38b2fc2fb01b1f6ae3a3121a838
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:47:20 2023 +0000
+Date:   Wed Mar 6 02:59:59 2024 +0000
 
-    upstream: stricter handling of channel window limits
-    
-    This makes ssh/sshd more strict in handling non-compliant peers that
-    send more data than the advertised channel window allows. Previously
-    the additional data would be silently discarded. This change will
-    cause ssh/sshd to terminate the connection if the channel window is
-    exceeded by more than a small grace allowance.
+    upstream: fix memory leak in mux proxy mode when requesting forwarding.
     
-    ok markus@
+    found by RASU JSC, reported by Maks Mishin in GHPR#467
     
-    OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
+    OpenBSD-Commit-ID: 97d96a166b1ad4b8d229864a553e3e56d3116860
 
-commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
+commit 242742827fea4508e68097c128e802edc79addb5
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:46:56 2023 +0000
+Date:   Wed Mar 6 00:31:04 2024 +0000
 
-    upstream: Make it possible to load certs from PKCS#11 tokens
-    
-    Adds a protocol extension to allow grafting certificates supplied by
-    ssh-add to keys loaded from PKCS#11 tokens in the agent.
-    
-    feedback/ok markus@
+    upstream: wrap a few PKCS#11-specific bits in ENABLE_PKCS11
     
-    OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
+    OpenBSD-Commit-ID: 463e4a69eef3426a43a2b922c4e7b2011885d923
 
-commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:46:12 2023 +0000
+commit d52b6509210e2043f33e5a1de58dd4a0d5d48c2a
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Mar 6 11:31:36 2024 +1100
 
-    upstream: apply destination constraints to all p11 keys
+    disable RSA tests when algorithm is not supported
     
-    Previously applied only to the first key returned from each token.
+    Unbreaks "make test" when compiled --without-openssl.
     
-    ok markus@
+    Similar treatment to how we do DSA and ECDSA.
+
+commit 668d270a6c77e8b5a1da26ecad2e6de9f62c8fe4
+Author: Damien Miller <djm@mindrot.org>
+Date:   Wed Mar 6 10:33:20 2024 +1100
+
+    add a --without-retpoline configure option
     
-    OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
+    discussed with deraadt and dtucker a while ago
 
-commit a7ed931caeb68947d30af8a795f4108b6efad761
+commit 3deb501f86fc47e175ef6a3eaba9b9846a80d444
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:45:49 2023 +0000
+Date:   Mon Mar 4 04:13:18 2024 +0000
 
-    upstream: add "ext-info-in-auth@openssh.com" extension
-    
-    This adds another transport protocol extension to allow a sshd to send
-    SSH2_MSG_EXT_INFO during user authentication, after the server has
-    learned the username that is being logged in to.
-    
-    This lets sshd to update the acceptable signature algoritms for public
-    key authentication, and allows these to be varied via sshd_config(5)
-    "Match" directives, which are evaluated after the server learns the
-    username being authenticated.
+    upstream: fix leak of CanonicalizePermittedCNAMEs on error path;
     
-    Full details in the PROTOCOL file
+    spotted by Coverity (CID 438039)
     
-    OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
+    OpenBSD-Commit-ID: 208839699939721f452a4418afc028a9f9d3d8af
 
-commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
+commit 65a44a8a4f7d902a64d4e60eda84384b2e2a24a2
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Dec 18 14:45:17 2023 +0000
+Date:   Mon Mar 4 02:16:11 2024 +0000
 
-    upstream: implement "strict key exchange" in ssh and sshd
+    upstream: Separate parsing of string array options from applying them
     
-    This adds a protocol extension to improve the integrity of the SSH
-    transport protocol, particular in and around the initial key exchange
-    (KEX) phase.
+    to the active configuration. This fixes the config parser from erroneously
+    rejecting cases like:
     
-    Full details of the extension are in the PROTOCOL file.
+    AuthenticationMethods password
+    Match User ivy
+     AuthenticationMethods any
     
-    with markus@
+    bz3657 ok markus@
     
-    OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
+    OpenBSD-Commit-ID: 7f196cba634c2a3dba115f3fac3c4635a2199491
 
-commit 59d691b886c79e70b1d1c4ab744e81fd176222fd
+commit 6886e1b1f55c90942e4e6deed930f8ac32e0f938
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Thu Feb 22 17:59:35 2024 +1100
+
+    Add nbsd10 test target.
+
+commit d86bf8a3f6ea4fa7887406c2aa9959db71fa41be
 Author: Damien Miller <djm@mindrot.org>
-Date:   Mon Dec 18 14:49:11 2023 +1100
+Date:   Thu Feb 22 12:06:10 2024 +1100
 
-    better detection of broken -fzero-call-used-regs
+    more descriptive configure test name
+
+commit 9ee335aacc9f5bdc4cc2c19fafb45e27be7d234e
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 21 06:17:29 2024 +0000
+
+    upstream: explain arguments of internal-sftp GHPR#454 from Niklas
     
-    Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend
-    test program to exercise varargs, which seems to catch more stuff.
+    Hambüchen
+    MIME-Version: 1.0
+    Content-Type: text/plain; charset=UTF-8
+    Content-Transfer-Encoding: 8bit
     
-    ok dtucker@
+    OpenBSD-Commit-ID: 0335d641ae6b5b6201b9ffd5dd06345ebbd0a3f3
 
-commit aa7b21708511a6d4aed3839fc9f6e82e849dd4a1
+commit d1164cb1001dd208fee88aaa9b43d5e6fd917274
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Dec 13 03:28:19 2023 +0000
+Date:   Wed Feb 21 06:06:43 2024 +0000
 
-    upstream: when invoking KnownHostsCommand to determine the order of
-    
-    host key algorithms to request, ensure that the hostname passed to the
-    command is decorated with the port number for ports other than 22.
+    upstream: clarify permissions requirements for ChrootDirectory Part
     
-    This matches the behaviour of KnownHostsCommand when invoked to look
-    up the actual host key.
+    of GHPR#454 from Niklas Hambüchen
+    MIME-Version: 1.0
+    Content-Type: text/plain; charset=UTF-8
+    Content-Transfer-Encoding: 8bit
     
-    bz3643, ok dtucker@
+    OpenBSD-Commit-ID: d37bc8786317a11649c62ff5e2936441186ef7a0
+
+commit d410e17d186552d0717f18217d0d049486754365
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 21 06:05:06 2024 +0000
+
+    upstream: .Cm for a keyword. Part of GHPR#454 from Niklas Hambüchen
     
-    OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
+    OpenBSD-Commit-ID: d59c52559f926fa82859035d79749fbb4a3ce18a
 
-commit 4086bd6652c0badccc020218a62190a7798fb72c
-Author: markus@openbsd.org <markus@openbsd.org>
-Date:   Fri Dec 8 09:18:39 2023 +0000
+commit ab73f9678ebf06b32d6361b88b50b42775e0565b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Wed Feb 21 06:01:13 2024 +0000
 
-    upstream: prevent leak in sshsig_match_principals; ok djm@
+    upstream: fix typo in match directive predicate (s/tagged/tag) GHPR#462
     
-    OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
+    from Tobias Manske
+    
+    OpenBSD-Commit-ID: 05b23b772677d48aa82eefd7ebebd369ae758908
 
-commit 19d3ee2f3adf7d9a606ff015c1e153744702c4c9
+commit 9844aa2521ccfb1a2d73745680327b79e0574445
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Dec 6 21:06:48 2023 +0000
+Date:   Wed Feb 21 05:57:34 2024 +0000
 
-    upstream: short circuit debug log processing early if we're not going
+    upstream: fix proxy multiplexing mode, broken when keystroke timing
     
-    to log anything. From Kobe Housen
+    obfuscation was added. GHPR#463 from montag451
     
-    OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
+    OpenBSD-Commit-ID: 4e412d59b3f557d431f1d81c715a3bc0491cc677
 
-commit 947affad4831df015c498c00c6351ea6f13895d5
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Nov 27 09:37:28 2023 +1100
+commit ee6d932acb532f80b11bb7cf161668c70ec8a117
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Feb 20 04:10:03 2024 +0000
 
-    Add tests for OpenSSL 3.2.0 and 3.2 stable branch.
+    upstream: don't append a gratuitous space to the end of subsystem
+    
+    arguments; bz3667
+    
+    OpenBSD-Commit-ID: e11023aeb3f30b77a674e37b8292c862926d5dc6
 
-commit 747dce36206675ca6b885010a835733df469351b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sat Nov 25 09:03:38 2023 +1100
+commit e27f032aa8fcbae9b2e7c451baaf4b8ac6fa3d45
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Mon Feb 19 09:25:52 2024 +0000
 
-    Use non-zero arg in compiler test program.
+    upstream: Always define puttysetup function.
     
-    Now that we're running the test program, passing zero to the test function
-    can cause divide-by-zero exceptions which might show up in logs.
+    OpenBSD-Regress-ID: b4c0ccfa4006a1bc5dfd99ccf21c854d3ce2aee0
 
-commit 3d44a5c56585d1c351dbc006240a591b6da502b1
+commit 84046f9991abef5f46b040b10cf3d494f933a17b
 Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Fri Nov 24 00:31:30 2023 +0000
+Date:   Fri Feb 9 08:56:59 2024 +0000
 
-    upstream: Plug mem leak of msg when processing a quit message.
+    upstream: Exapnd PuTTY test coverage.
     
-    Coverity CID#427852, ok djm@
+    Expand the set of ciphers, MACs and KEX methods in the PuTTY interop
+    tests.
     
-    OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
+    OpenBSD-Regress-ID: dd28d97d48efe7329a396d0d505ee2907bf7fc57
 
-commit 1d7f9b6e297877bd00973e6dc5c0642dbefc3b5f
+commit bbf541ee2afe07b08a8b56fa0dc6f38fcfceef2a
 Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Thu Nov 23 03:37:05 2023 +0000
+Date:   Fri Feb 9 08:47:42 2024 +0000
 
-    upstream: Include existing mux path in debug message.
+    upstream: Factor out PuTTY setup.
     
-    OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
+    Factor out PuTTY and call only when needed.
+    
+    This allows us to avoid PuTTY key setup when it's not needed, which
+    speeds up the overall test run by a couple of percent.
+    
+    OpenBSD-Regress-ID: c25eaccc3c91bc874400f7c85ce40e9032358c1c
 
-commit f29934066bd0e561a2e516b7e584fb92d2eedee0
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Nov 23 19:41:27 2023 +1100
+commit d31c21c57fb4245271680a1e5043cf6470a96766
+Author: naddy@openbsd.org <naddy@openbsd.org>
+Date:   Sat Feb 10 11:28:52 2024 +0000
 
-    Add an Ubuntu 22.04 test VM.
+    upstream: clean sshd random relinking kit; ok miod@
     
-    This is the same version as Github's runners so most of the testing on
-    it is over there, but having a local VM makes debugging much easier.
+    OpenBSD-Commit-ID: 509bb19bb9762a4b3b589af98bac2e730541b6d4
 
-commit a93284a780cd3972afe5f89086b75d564ba157f3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Nov 23 19:36:22 2023 +1100
+commit 4dbc5a363ff53a2fcecf6bc3bcc038badc12f118
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Fri Feb 2 00:13:34 2024 +0000
 
-    Add gcc-12 -Werror test on Ubuntu 22.04.
+    upstream: whitespace
     
-    Explictly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
+    OpenBSD-Commit-ID: b24680bc755b621ea801ff8edf6f0f02b68edae1
 
-commit 670f5a647e98b6fd95ad64f789f87ee3274b481b
+commit efde85dda2130272af24cc346f6c3cd326182ff1
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Nov 23 19:34:57 2023 +1100
+Date:   Mon Feb 19 17:29:31 2024 +1100
 
-    Check return value from write to prevent warning.
+    Improve error message for OpenSSL header check.
     
-    ... and since we're testing for flags with -Werror, this caused
-    configure to mis-detect compiler flags.
+    bz#3668, ok djm@
 
-commit cea007d691cfedfa07a5b8599f97ce0511f53fc9
+commit cbbdf868bce431a59e2fa36ca244d5739429408d
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Nov 22 21:18:55 2023 +1100
+Date:   Wed Feb 7 13:45:02 2024 +1100
 
-    Run compiler test program when compiling natively.
-    
-    ok djm@
+    Interop test against PuTTY snapshot and releases.
 
-commit ee0d305828f13536c0a416bbf9c3e81039d9ea55
+commit 91898bf786b0f149f962c4c96c08a46f29888c10
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Nov 22 21:18:07 2023 +1100
+Date:   Tue Feb 6 16:21:05 2024 +1100
 
-    Factor out compiler test program into a macro.
+    Put privsep dir on OS X on /usr/local.
     
-    ok djm@
+    On some runners we can't create /var/empty, so put it some place we can
+    write.  Should fix test breakage on Max OS X 11.
 
-commit de304c76316b029df460673725a9104224b9959b
+commit be5ed8ebed8388c5056bfde4688308cc873c18b9
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Nov 22 08:55:36 2023 +1100
+Date:   Tue Feb 6 11:19:42 2024 +1100
 
-    Add fbsd14 VM to test pool.
+    Add --disable-fd-passing option.
+    
+    .. and enable for the minix3 test VM.  This will cause it to more reliably
+    skip tests that need FD passing and should fix the current test breakage.
 
-commit 99a2df5e1994cdcb44ba2187b5f34d0e9190be91
+commit 0f6a8a0d0a518fd78c4cbebfdac990a57a1c4e41
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Nov 21 16:19:29 2023 +1100
+Date:   Tue Feb 6 11:18:44 2024 +1100
 
-    Expand -fzero-call-used-regs test to cover gcc 11.
-    
-    It turns out that gcc also has some problems with -fzero-call-used-regs,
-    at least v11 on mips.  Previously the test in OSSH_CHECK_CFLAG_COMPILE
-    was sufficient to catch it with "=all", but not sufficient for "=used".
-    Expand the testcase and include it in the other tests for good measure.
-    See bz#3629.  ok djm@.
+    Use "skip" function instead doing it ourselves.
 
-commit ff220d4010717f7bfbbc02a2400666fb9d24f250
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Nov 21 14:04:34 2023 +1100
+commit 3ad669f81aabbd2ba9fbd472903f680f598e1e99
+Author: Damien Miller <djm@mindrot.org>
+Date:   Thu Feb 1 14:01:18 2024 +1100
 
-    Stop using -fzero-call-used-regs=all
+    ignore some vim droppings
+
+commit c283f29d23611a06bbee06bcf458f2fffad721d9
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Feb 1 02:37:33 2024 +0000
+
+    upstream: whitespace
     
-    ... since it seems to be problematic with several different versions of
-    clang.  Only use -fzero-call-used-regs=used which is less
-    problematic, except with Apple's clang where we don't use it at all.
-    bz#3629, ok djm@
+    OpenBSD-Commit-ID: bf9e4a1049562ee4322684fbdce07142f04fdbb7
 
-commit 2a19e02f36b16f0f6cc915f7d1e60ead5e36303b
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Tue Nov 21 14:02:18 2023 +1100
+commit 0d96b1506b2f4757fefa5d1f884d49e96a6fd4c3
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Jan 16 14:40:18 2024 +1100
 
-    Allow for vendor prefix on clang version numbers.
+    skip tests that use multiplexing on Windows
     
-    Correctly detects the version of OpenBSD's native clang, as well as
-    Apple's.  Spotted tb@, ok djm@.
+    Some tests here use multiplexing, skip these if DISABLE_FD_PASSING
+    is set. Should unbreak tests on Windows.
 
-commit c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6
+commit 50080fa42f5f744b798ee29400c0710f1b59f50e
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Nov 20 02:50:00 2023 +0000
+Date:   Thu Jan 11 04:50:28 2024 +0000
 
-    upstream: set errno=EAFNOSUPPORT when filtering addresses that don't
+    upstream: don't disable RSA test when DSA is disabled; bug introduced
     
-    match AddressFamily; yields slightly better error message if no address
-    matches. bz#3526
+    in last commit
     
-    OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
+    OpenBSD-Regress-ID: 8780a7250bf742b33010e9336359a1c516f2d7b5
 
-commit 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a
+commit 415c94ce17288e0cdcb9e58cc91fba78d33c8457
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Nov 15 23:03:38 2023 +0000
+Date:   Thu Jan 11 01:45:58 2024 +0000
 
-    upstream: when connecting via socket (the default case), filter
+    upstream: make DSA testing optional, defaulting to on
     
-    addresses by AddressFamily if one was specified. Fixes the case where, if
-    CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
-    dtucker
+    ok markus
     
-    OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
+    OpenBSD-Regress-ID: dfc27b5574e3f19dc4043395594cea5f90b8572a
 
-commit 050c335c8da43741ed0df2570ebfbd5d1dfd0a31
+commit f9311e8921d92c5efca767227a497ab63280ac39
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Nov 15 22:51:49 2023 +0000
+Date:   Thu Jan 11 01:51:16 2024 +0000
 
-    upstream: when deciding whether to enable keystroke timing
-    
-    obfuscation, only consider enabling it when a channel with a tty is open.
+    upstream: ensure key_fd is filled when DSA is disabled; spotted by
     
-    Avoids turning on the obfucation when X11 forwarding only is in use,
-    which slows it right down. Reported by Roger Marsh
+    tb@
     
-    OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
+    OpenBSD-Commit-ID: 9dd417b6eec3cf67e870f147464a8d93f076dce7
 
-commit 676377ce67807a24e08a54cd60ec832946cc6cae
-Author: tobhe@openbsd.org <tobhe@openbsd.org>
-Date:   Mon Nov 13 09:18:19 2023 +0000
+commit 4e838120a759d187b036036610402cbda33f3203
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Thu Jan 11 01:45:36 2024 +0000
 
-    upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
+    upstream: make DSA key support compile-time optional, defaulting to
     
-    was initialized. This fixes a potential uninitialized use of 'limits' in
-    sftp_init() if sftp_get_limits() returned early because of an unexpected
-    message type.
+    on
     
-    ok djm@
+    ok markus@
     
-    OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
+    OpenBSD-Commit-ID: 4f8e98fc1fd6de399d0921d5b31b3127a03f581d
 
-commit 64e0600f23c6dec36c3875392ac95b8a9100c2d6
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Mon Nov 13 20:03:31 2023 +1100
+commit afcc9028bfc411bc26d20bba803b83f90cb84e26
+Author: jmc@openbsd.org <jmc@openbsd.org>
+Date:   Wed Jan 10 06:33:13 2024 +0000
 
-    Test current releases of LibreSSL and OpenSSL.
+    upstream: fix incorrect capitalisation;
     
-    Retire some of the older releases.
+    OpenBSD-Commit-ID: cb07eb06e15fa2334660ac73e98f29b6a1931984
 
-commit c8ed7cc545879ac15f6ce428be4b29c35598bb2a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Wed Nov 1 02:08:38 2023 +0000
+commit 9707c8170c0c1baeb1e06e5a53f604498193885f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jan 9 22:19:36 2024 +0000
 
-    upstream: Specify ssh binary to use
+    upstream: extend ChannelTimeout regression test to exercise multiplexed
     
-    ... instead of relying on installed one.  Fixes test failures in -portable
-    when running tests prior to installation.
+    connections and the new "global" timeout type. ok dtucker@
     
-    OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
+    OpenBSD-Regress-ID: f10d19f697024e9941acad7c2057f73d6eacb8a2
 
-commit e9fc2c48121cada1b4dcc5dadea5d447fe0093c3
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Wed Nov 1 13:11:31 2023 +1100
+commit b31b12d28de96e1d43581d32f34da8db27e11c03
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Tue Jan 9 22:19:00 2024 +0000
 
-    Put long-running test targets on hipri runners.
+    upstream: add a "global" ChannelTimeout type to ssh(1) and sshd(8)
     
-    Some of the selfhosted test targets take a long time to run for various
-    reasons, so label them for "libvirt-hipri" runners so that they can
-    start immediately.  This should reduce the time to complete all tests.
+    that watches all open channels and will close all open channels if there is
+    no traffic on any of them for the specified interval. This is in addition to
+    the existing per-channel timeouts added a few releases ago.
+    
+    This supports use-cases like having a session + x11 forwarding channel
+    open where one may be idle for an extended period but the other is
+    actively used. The global timeout would allow closing both channels when
+    both have been idle for too long.
+    
+    ok dtucker@
+    
+    OpenBSD-Commit-ID: 0054157d24d2eaa5dc1a9a9859afefc13d1d7eb3
 
-commit 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2
+commit 602f4beeeda5bb0eca181f8753d923a2997d0a51
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Nov 1 00:29:46 2023 +0000
+Date:   Tue Jan 9 21:39:14 2024 +0000
 
-    upstream: add some tests of forced commands overriding Subsystem
+    upstream: adapt ssh_api.c code for kex-strict
     
-    directives
+    from markus@ ok me
     
-    OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
+    OpenBSD-Commit-ID: 4d9f256852af2a5b882b12cae9447f8f00f933ac
 
-commit fb06f9b5a065dfbbef5916fc4accc03c0bf026dd
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Oct 31 04:15:40 2023 +0000
+commit 42ba34aba8708cf96583ff52975d95a8b47d990d
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Jan 8 16:26:37 2024 +1100
 
-    upstream: Don't try to use sudo inside sshd log wrapper.
-    
-    We still need to check if we're using sudo since we don't want to chown
-    unecessarily, as on some platforms this causes an error which pollutes
-    stderr. We also don't want to unnecessarily invoke sudo, since it's
-    running in the context of the proxycommand, on *other* platforms it
-    may not be able to authenticate, and if we're using SUDO then it should
-    already be privileged.
-    
-    OpenBSD-Regress-ID: 70d58df7503db699de579a9479300e5f3735f4ee
+    nite that recent OSX tun/tap is unsupported
 
-commit fc3cc33e88c242c704781c6c48087838f1dcfa2a
-Author: dtucker@openbsd.org <dtucker@openbsd.org>
-Date:   Tue Oct 31 02:58:45 2023 +0000
+commit 690bc125f9a3b20e47745fa8f5b5e1fd5820247f
+Author: Sevan Janiyan <venture37@geeklan.co.uk>
+Date:   Wed Dec 27 04:57:49 2023 +0000
 
-    upstream: Only try to chmod logfile if we have sudo. If we don't have
-    
-    sudo then we won't need to chmod.
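Review bot: The entries for 4e838120a759 and 415c94ce1728 record DSA key support and DSA testing becoming compile-time optional, both "defaulting to on", but the imported ChangeLog describes only the upstream default and does not say which setting the FreeBSD build selects. Since the commit is marked "Relnotes: Yes", state in the release notes whether stable/13 keeps DSA enabled, so administrators who still have DSA host or user keys know whether this update changes anything for them. The entry for b31b12d28de9 deserves a release-notes line as well: the new "global" ChannelTimeout type closes all open channels when none of them has seen traffic for the interval, which is different from the existing per-channel timeouts.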
*** 17647 LINES SKIPPED ***