git: 2cd20d9bc807 - stable/13 - ssh: Update to OpenSSH 9.6p1

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Mon, 08 Jan 2024 14:04:26 UTC
The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=2cd20d9bc80743d6562cb6165dc07b8391dddc27

commit 2cd20d9bc80743d6562cb6165dc07b8391dddc27
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2024-01-05 03:16:30 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2024-01-08 13:57:12 +0000

    ssh: Update to OpenSSH 9.6p1
    
    From the release notes,
    
    > This release contains a number of security fixes, some small features
    > and bugfixes.
    
    The most significant change in 9.6p1 is a set of fixes for a newly-
    discovered weakness in the SSH transport protocol.  The fix was already
    merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.
    
    Full release notes at https://www.openssh.com/txt/release-9.6
    
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation
    
    (cherry picked from commit 069ac18495ad8fde2748bc94b0f80a50250bb01d)
    (cherry picked from commit a25789646d7130f5be166cac63d5c8b2b07c4706)
---
 crypto/openssh/.depend                          |     3 +-
 crypto/openssh/.github/configs                  |    14 +-
 crypto/openssh/.github/setup_ci.sh              |    53 +-
 crypto/openssh/.github/workflows/c-cpp.yml      |    15 +-
 crypto/openssh/.github/workflows/selfhosted.yml |    21 +-
 crypto/openssh/ChangeLog                        | 12792 +++++++++++-----------
 crypto/openssh/Makefile.in                      |    14 +-
 crypto/openssh/PROTOCOL                         |    21 +-
 crypto/openssh/PROTOCOL.agent                   |    33 +-
 crypto/openssh/README                           |     2 +-
 crypto/openssh/auth2.c                          |     8 +-
 crypto/openssh/authfd.c                         |    40 +-
 crypto/openssh/authfd.h                         |     5 +-
 crypto/openssh/channels.c                       |    36 +-
 crypto/openssh/channels.h                       |     4 +-
 crypto/openssh/cipher.c                         |    23 +-
 crypto/openssh/cipher.h                         |     3 +-
 crypto/openssh/clientloop.c                     |    34 +-
 crypto/openssh/config.h                         |     9 +
 crypto/openssh/configure.ac                     |    49 +-
 crypto/openssh/contrib/redhat/openssh.spec      |    34 +-
 crypto/openssh/contrib/suse/openssh.spec        |     2 +-
 crypto/openssh/kex.c                            |   235 +-
 crypto/openssh/kex.h                            |     7 +-
 crypto/openssh/log.c                            |     6 +-
 crypto/openssh/m4/openssh.m4                    |   116 +-
 crypto/openssh/misc.c                           |    41 +-
 crypto/openssh/misc.h                           |     3 +-
 crypto/openssh/moduli                           |   898 +-
 crypto/openssh/monitor_wrap.c                   |     4 +-
 crypto/openssh/mux.c                            |     4 +-
 crypto/openssh/openbsd-compat/port-solaris.c    |    24 +-
 crypto/openssh/readconf.c                       |    57 +-
 crypto/openssh/readconf.h                       |     7 +-
 crypto/openssh/regress/Makefile                 |    10 +-
 crypto/openssh/regress/agent-pkcs11-cert.sh     |    92 +
 crypto/openssh/regress/agent-pkcs11-restrict.sh |   193 +
 crypto/openssh/regress/agent-pkcs11.sh          |    82 +-
 crypto/openssh/regress/conch-ciphers.sh         |    11 +-
 crypto/openssh/regress/dropbear-ciphers.sh      |    33 +
 crypto/openssh/regress/dropbear-kex.sh          |    31 +
 crypto/openssh/regress/forcecommand.sh          |    56 +-
 crypto/openssh/regress/sshsig.sh                |    72 +-
 crypto/openssh/regress/test-exec.sh             |   169 +-
 crypto/openssh/regress/unittests/Makefile       |     3 +-
 crypto/openssh/regress/unittests/Makefile.inc   |     4 +-
 crypto/openssh/scp.c                            |    12 +-
 crypto/openssh/servconf.c                       |    40 +-
 crypto/openssh/sftp-client.c                    |     4 +-
 crypto/openssh/ssh-add.1                        |    14 +-
 crypto/openssh/ssh-add.c                        |    92 +-
 crypto/openssh/ssh-agent.c                      |   241 +-
 crypto/openssh/ssh-pkcs11-client.c              |    56 +-
 crypto/openssh/ssh-pkcs11.h                     |     5 +-
 crypto/openssh/ssh.1                            |     7 +-
 crypto/openssh/ssh.c                            |    26 +-
 crypto/openssh/ssh2.h                           |     3 +-
 crypto/openssh/ssh_config.5                     |    83 +-
 crypto/openssh/ssh_namespace.h                  |     7 +-
 crypto/openssh/sshconnect.c                     |    10 +-
 crypto/openssh/sshconnect.h                     |     6 +-
 crypto/openssh/sshconnect2.c                    |    63 +-
 crypto/openssh/sshd.c                           |     4 +-
 crypto/openssh/sshd_config                      |     2 +-
 crypto/openssh/sshd_config.5                    |     2 +-
 crypto/openssh/sshkey.c                         |    40 +-
 crypto/openssh/sshsig.c                         |     7 +-
 crypto/openssh/version.h                        |     6 +-
 secure/usr.bin/ssh-agent/Makefile               |     2 +-
 69 files changed, 8731 insertions(+), 7374 deletions(-)

diff --git a/crypto/openssh/.depend b/crypto/openssh/.depend
index 259bf3b2f136..4897698ab74a 100644
--- a/crypto/openssh/.depend
+++ b/crypto/openssh/.depend
@@ -28,7 +28,8 @@ auth2-passwd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-
 auth2-pubkey.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h kex.h mac.h crypto_api.h sshbuf.h log.h ssherr.h misc.h servconf.h compat.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h
 auth2-pubkey.o: pathnames.h uidswap.h auth-options.h canohost.h monitor_wrap.h authfile.h match.h channels.h session.h sk-api.h
 auth2-pubkeyfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h ssh.h log.h ssherr.h misc.h sshkey.h digest.h hostfile.h auth.h auth-pam.h audit.h loginrec.h auth-options.h authfile.h match.h
-auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h
+auth2.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h atomicio.h xmalloc.h ssh2.h packet.h openbsd-compat/sys-queue.h dispatch.h log.h ssherr.h sshbuf.h misc.h servconf.h sshkey.h hostfile.h auth.h auth-pam.h audit.h loginrec.h pathnames.h monitor_wrap.h digest.h kex
 .h
+auth2.o: mac.h crypto_api.h
 authfd.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h xmalloc.h ssh.h sshbuf.h sshkey.h authfd.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h log.h ssherr.h atomicio.h misc.h
 authfile.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h ssh.h log.h ssherr.h authfile.h misc.h atomicio.h sshkey.h sshbuf.h krl.h
 bitmap.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h bitmap.h
diff --git a/crypto/openssh/.github/configs b/crypto/openssh/.github/configs
index c7d6a55ab962..df82faf5046b 100755
--- a/crypto/openssh/.github/configs
+++ b/crypto/openssh/.github/configs
@@ -108,9 +108,19 @@ case "$config" in
 	SKIP_LTESTS=sftp-chroot
 	;;
     gcc-11-Werror)
-	CC="gcc"
+	CC="gcc-11"
+	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
+	# -Wunused-result ignores (void) so is not useful.  See
+	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+	CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
+	CONFIGFLAGS="--with-pam --with-Werror"
+	;;
+    gcc-12-Werror)
+	CC="gcc-12"
 	# -Wnoformat-truncation in gcc 7.3.1 20180130 fails on fmt_scaled
-	CFLAGS="-Wall -Wextra -O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter"
+	# -Wunused-result ignores (void) so is not useful.  See
+	# https://gcc.gnu.org/bugzilla/show_bug.cgi?id=66425
+	CFLAGS="-O2 -Wno-format-truncation -Wimplicit-fallthrough=4 -Wno-unused-parameter -Wno-unused-result"
 	CONFIGFLAGS="--with-pam --with-Werror"
 	;;
     clang*|gcc*)
diff --git a/crypto/openssh/.github/setup_ci.sh b/crypto/openssh/.github/setup_ci.sh
index 010a333a6642..d0ba7b4724e9 100755
--- a/crypto/openssh/.github/setup_ci.sh
+++ b/crypto/openssh/.github/setup_ci.sh
@@ -18,8 +18,7 @@ case "$host" in
 	;;
 *-darwin*)
 	PACKAGER=brew
-	brew install automake
-	exit 0
+	PACKAGES="automake"
 	;;
 *)
 	PACKAGER=apt
@@ -30,20 +29,30 @@ TARGETS=$@
 INSTALL_FIDO_PPA="no"
 export DEBIAN_FRONTEND=noninteractive
 
-#echo "Setting up for '$TARGETS'"
-
-set -ex
+set -e
 
 if [ -x "`which lsb_release 2>&1`" ]; then
 	lsb_release -a
 fi
 
-# Ubuntu 22.04 defaults to private home dirs which prevent the
-# agent-getpeerid test from running ssh-add as nobody.  See
-# https://github.com/actions/runner-images/issues/6106
-if [ ! -z "$SUDO" ] && ! "$SUDO" -u nobody test -x ~; then
-	echo ~ is not executable by nobody, adding perms.
-	chmod go+x ~
+if [ ! -z "$SUDO" ]; then
+	# Ubuntu 22.04 defaults to private home dirs which prevent the
+	# agent-getpeerid test from running ssh-add as nobody.  See
+	# https://github.com/actions/runner-images/issues/6106
+	if ! "$SUDO" -u nobody test -x ~; then
+		echo ~ is not executable by nobody, adding perms.
+		chmod go+x ~
+	fi
+	# Some of the Mac OS X runners don't have a nopasswd sudo rule. Regular
+	# sudo still works, but sudo -u doesn't.  Restore the sudo rule.
+	if ! "$SUDO" grep  -E 'runner.*NOPASSWD' /etc/passwd >/dev/null; then
+		echo "Restoring runner nopasswd rule to sudoers."
+		echo 'runner ALL=(ALL) NOPASSWD: ALL' |$SUDO tee -a /etc/sudoers
+	fi
+	if ! "$SUDO" -u nobody -S test -x ~ </dev/null; then
+		echo "Still can't sudo to nobody."
+		exit 1
+	fi
 fi
 
 if [ "${TARGETS}" = "kitchensink" ]; then
@@ -57,6 +66,7 @@ for flag in $CONFIGFLAGS; do
     esac
 done
 
+echo "Setting up for '$TARGETS'"
 for TARGET in $TARGETS; do
     case $TARGET in
     default|without-openssl|without-zlib|c89)
@@ -87,7 +97,9 @@ for TARGET in $TARGETS; do
 	esac
         ;;
     *pam)
-        PACKAGES="$PACKAGES libpam0g-dev"
+	case "$PACKAGER" in
+	apt)	PACKAGES="$PACKAGES libpam0g-dev" ;;
+	esac
         ;;
     sk)
         INSTALL_FIDO_PPA="yes"
@@ -116,7 +128,7 @@ for TARGET in $TARGETS; do
           1.*)	INSTALL_OPENSSL="OpenSSL_$(echo ${INSTALL_OPENSSL} | tr . _)" ;;
           3.*)	INSTALL_OPENSSL="openssl-${INSTALL_OPENSSL}" ;;
         esac
-        PACKAGES="${PACKAGES} putty-tools"
+        PACKAGES="${PACKAGES} putty-tools dropbear-bin"
        ;;
     libressl-*)
         INSTALL_LIBRESSL=$(echo ${TARGET} | cut -f2 -d-)
@@ -124,7 +136,7 @@ for TARGET in $TARGETS; do
           master) ;;
           *) INSTALL_LIBRESSL="$(echo ${TARGET} | cut -f2 -d-)" ;;
         esac
-        PACKAGES="${PACKAGES} putty-tools"
+        PACKAGES="${PACKAGES} putty-tools dropbear-bin"
        ;;
     boringssl)
         INSTALL_BORINGSSL=1
@@ -156,6 +168,13 @@ while [ ! -z "$PACKAGES" ] && [ "$tries" -gt "0" ]; do
 		PACKAGES=""
 	fi
 	;;
+    brew)
+	if [ ! -z "PACKAGES" ]; then
+		if brew install $PACKAGES; then
+			PACKAGES=""
+		fi
+	fi
+	;;
     setup)
 	if /cygdrive/c/setup.exe -q -P `echo "$PACKAGES" | tr ' ' ,`; then
 		PACKAGES=""
@@ -176,7 +195,7 @@ if [ "${INSTALL_HARDENED_MALLOC}" = "yes" ]; then
     (cd ${HOME} &&
      git clone https://github.com/GrapheneOS/hardened_malloc.git &&
      cd ${HOME}/hardened_malloc &&
-     make -j2 && sudo cp out/libhardened_malloc.so /usr/lib/)
+     make && sudo cp out/libhardened_malloc.so /usr/lib/)
 fi
 
 if [ ! -z "${INSTALL_OPENSSL}" ]; then
@@ -197,14 +216,14 @@ if [ ! -z "${INSTALL_LIBRESSL}" ]; then
          git checkout ${INSTALL_LIBRESSL} &&
          sh update.sh && sh autogen.sh &&
          ./configure --prefix=/opt/libressl &&
-         make -j2 && sudo make install)
+         make && sudo make install)
     else
         LIBRESSL_URLBASE=https://cdn.openbsd.org/pub/OpenBSD/LibreSSL
         (cd ${HOME} &&
          wget ${LIBRESSL_URLBASE}/libressl-${INSTALL_LIBRESSL}.tar.gz &&
          tar xfz libressl-${INSTALL_LIBRESSL}.tar.gz &&
          cd libressl-${INSTALL_LIBRESSL} &&
-         ./configure --prefix=/opt/libressl && make -j2 && sudo make install)
+         ./configure --prefix=/opt/libressl && make && sudo make install)
     fi
 fi
 
diff --git a/crypto/openssh/.github/workflows/c-cpp.yml b/crypto/openssh/.github/workflows/c-cpp.yml
index be0c97f84cfd..8f624d21016c 100644
--- a/crypto/openssh/.github/workflows/c-cpp.yml
+++ b/crypto/openssh/.github/workflows/c-cpp.yml
@@ -47,7 +47,8 @@ jobs:
           - { target: ubuntu-20.04, config: gcc-7 }
           - { target: ubuntu-20.04, config: gcc-8 }
           - { target: ubuntu-20.04, config: gcc-10 }
-          - { target: ubuntu-20.04, config: gcc-11-Werror }
+          - { target: ubuntu-22.04, config: gcc-11-Werror }
+          - { target: ubuntu-22.04, config: gcc-12-Werror }
           - { target: ubuntu-20.04, config: pam }
           - { target: ubuntu-20.04, config: kitchensink }
           - { target: ubuntu-22.04, config: hardenedmalloc }
@@ -61,18 +62,20 @@ jobs:
           - { target: ubuntu-latest, config: libressl-3.5.3 }
           - { target: ubuntu-latest, config: libressl-3.6.1 }
           - { target: ubuntu-latest, config: libressl-3.7.2 }
+          - { target: ubuntu-latest, config: libressl-3.8.2 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
-          - { target: ubuntu-latest, config: openssl-1.1.1k }
-          - { target: ubuntu-latest, config: openssl-1.1.1n }
-          - { target: ubuntu-latest, config: openssl-1.1.1q }
           - { target: ubuntu-latest, config: openssl-1.1.1t }
+          - { target: ubuntu-latest, config: openssl-1.1.1w }
           - { target: ubuntu-latest, config: openssl-3.0.0 }
-          - { target: ubuntu-latest, config: openssl-3.0.7 }
+          - { target: ubuntu-latest, config: openssl-3.0.12 }
           - { target: ubuntu-latest, config: openssl-3.1.0 }
+          - { target: ubuntu-latest, config: openssl-3.1.4 }
+          - { target: ubuntu-latest, config: openssl-3.2.0 }
           - { target: ubuntu-latest, config: openssl-1.1.1_stable }
           - { target: ubuntu-latest, config: openssl-3.0 }  # stable branch
+          - { target: ubuntu-latest, config: openssl-3.2 }  # stable branch
           - { target: ubuntu-latest, config: zlib-develop }
           - { target: ubuntu-22.04, config: pam }
           - { target: ubuntu-22.04, config: krb5 }
@@ -108,7 +111,7 @@ jobs:
     - name: make clean
       run: make clean
     - name: make
-      run: make -j2
+      run: make
     - name: make tests
       run: sh ./.github/run_test.sh ${{ matrix.config }}
       env:
diff --git a/crypto/openssh/.github/workflows/selfhosted.yml b/crypto/openssh/.github/workflows/selfhosted.yml
index de0a4125bf08..be0b4ffec580 100644
--- a/crypto/openssh/.github/workflows/selfhosted.yml
+++ b/crypto/openssh/.github/workflows/selfhosted.yml
@@ -31,6 +31,7 @@ jobs:
           - fbsd10
           - fbsd12
           - fbsd13
+          - fbsd14
           - minix3
           - nbsd3
           - nbsd4
@@ -38,22 +39,27 @@ jobs:
           - nbsd9
           - obsd51
           - obsd67
-          - obsd69
-          - obsd70
           - obsd72
           - obsd73
+          - obsd74
           - obsdsnap
           - obsdsnap-i386
           - openindiana
-          - sol10
-          - sol11
+          - ubuntu-2204
         config:
           - default
         host:
           - libvirt
         include:
+          # Long-running/slow tests have access to high priority runners.
+          - { target: aix51, config: default, host: libvirt-hipri }
+          - { target: openindiana, config: pam, host: libvirt-hipri }
+          - { target: sol10,  config: default, host: libvirt-hipri }
+          - { target: sol10,  config: pam, host: libvirt-hipri }
+          - { target: sol11,  config: default, host: libvirt-hipri }
+          - { target: sol11,  config: pam-krb5, host: libvirt-hipri }
+          - { target: sol11,  config: sol64, host: libvirt-hipri }
           # Then we include extra libvirt test configs.
-          - { target: aix51, config: default, host: libvirt }
           - { target: centos7, config: pam, host: libvirt }
           - { target: debian-i386, config: pam, host: libvirt }
           - { target: dfly30, config: without-openssl, host: libvirt}
@@ -64,12 +70,9 @@ jobs:
           - { target: fbsd10, config: pam, host: libvirt }
           - { target: fbsd12, config: pam, host: libvirt }
           - { target: fbsd13, config: pam, host: libvirt }
+          - { target: fbsd14, config: pam, host: libvirt }
           - { target: nbsd8,  config: pam, host: libvirt }
           - { target: nbsd9,  config: pam, host: libvirt }
-          - { target: openindiana, config: pam, host: libvirt }
-          - { target: sol10,  config: pam, host: libvirt }
-          - { target: sol11,  config: pam-krb5, host: libvirt }
-          - { target: sol11,  config: sol64, host: libvirt }
           # VMs with persistent disks that have their own runner.
           - { target: win10, config: default, host: win10 }
           - { target: win10, config: cygwin-release, host: win10 }
diff --git a/crypto/openssh/ChangeLog b/crypto/openssh/ChangeLog
index 61725d3a136b..981b7ecd94b6 100644
--- a/crypto/openssh/ChangeLog
+++ b/crypto/openssh/ChangeLog
@@ -1,9557 +1,9505 @@
-commit 80a2f64b8c1d27383cc83d182b73920d1e6a91f1
+commit 8241b9c0529228b4b86d88b1a6076fb9f97e4a99
 Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Oct 4 15:34:10 2023 +1100
+Date:   Tue Dec 19 01:59:50 2023 +1100
 
-    crank version numbers
+    crank versions
 
-commit f65f187b105d9b5c12fd750a211397d08c17c6d4
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Oct 4 04:04:09 2023 +0000
+commit 2f2c65cb5f1518a9c556d3e8efa27ea0ca305c6b
+Author: Damien Miller <djm@mindrot.org>
+Date:   Tue Dec 19 01:59:06 2023 +1100
 
-    upstream: openssh-9.5
-    
-    OpenBSD-Commit-ID: 5e0af680480bd3b6f5560cf840ad032d48fd6b16
+    depend
 
-commit ffe27e54a4bb18d5d3bbd3f4cc93a41b8d94dfd2
+commit e48cdee8e19059203b1aeeabec2350b8375fa61f
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Oct 4 04:03:50 2023 +0000
+Date:   Mon Dec 18 14:50:08 2023 +0000
 
-    upstream: add some cautionary text about % token expansion and
-    
-    shell metacharacters; based on report from vinci AT protonmail.ch
+    upstream: regress test for agent PKCS#11-backed certificates
     
-    OpenBSD-Commit-ID: aa1450a54fcee2f153ef70368d90edb1e7019113
+    OpenBSD-Regress-ID: 38f681777cb944a8cc3bf9d0ad62959a16764df9
 
-commit 60ec3d54fd1ebfe2dda75893fa1e870b8dffbb0d
+commit 2f512f862df1d5f456f82a0334c9e8cc7208a2a1
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Oct 3 23:56:10 2023 +0000
+Date:   Mon Dec 18 14:49:39 2023 +0000
 
-    upstream: fix link to agent draft; spotted by Jann Horn
+    upstream: regress test for constrained PKCS#11 keys
     
-    OpenBSD-Commit-ID: ff5bda21a83ec013db683e282256a85201d2dc4b
+    OpenBSD-Regress-ID: b2f26ae95d609d12257b43aef7cd7714c82618ff
 
-commit 12e2d4b13f6f63ce2de13cbfcc9e4d0d4b4ab231
-Author: Damien Miller <djm@mindrot.org>
-Date:   Wed Oct 4 10:54:04 2023 +1100
+commit cdddd66412ca5920ed4d3ebbfa6ace12dbd9b82f
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Dec 18 14:48:44 2023 +0000
 
-    use portable provider allowlist path in manpage
+    upstream: openssh-9.6
     
-    spotted by Jann Horn
+    OpenBSD-Commit-ID: 21759837cf0e0092d9a2079f8fb562071c11016b
 
-commit 6c2c6ffde75df95fd838039850d3dd3d84956d87
-Author: deraadt@openbsd.org <deraadt@openbsd.org>
-Date:   Tue Sep 19 20:37:07 2023 +0000
+commit 6d51feab157cedf1e7ef5b3f8781ca8ff9c4ab1b
+Author: djm@openbsd.org <djm@openbsd.org>
+Date:   Mon Dec 18 14:48:08 2023 +0000
 
-    upstream: typo; from Jim Spath
+    upstream: ssh-agent: record failed session-bind attempts
     
-    OpenBSD-Commit-ID: 2f5fba917b5d4fcf93d9e0b0756c7f63189e228e
+    Record failed attempts to session-bind a connection and refuse signing
+    operations on that connection henceforth.
+    
+    Prevents a future situation where we add a new hostkey type that is not
+    recognised by an older ssh-agent, that consequently causes session-bind
+    to fail (this situation is only likely to arise when people mix ssh(1)
+    and ssh-agent(1) of different versions on the same host). Previously,
+    after such a failure the agent socket would be considered unbound and
+    not subject to restriction.
+    
+    Spotted by Jann Horn
+    
+    OpenBSD-Commit-ID: b0fdd023e920aa4831413f640de4c5307b53552e
 
-commit b6b49130a0089b297245ee39e769231d7c763014
+commit 7ef3787c84b6b524501211b11a26c742f829af1a
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Sep 10 23:12:32 2023 +0000
+Date:   Mon Dec 18 14:47:44 2023 +0000
 
-    upstream: rename remote_glob() -> sftp_glob() to match other API
+    upstream: ban user/hostnames with most shell metacharacters
     
-    OpenBSD-Commit-ID: d9dfb3708d824ec02970a84d96cf5937e0887229
+    This makes ssh(1) refuse user or host names provided on the
+    commandline that contain most shell metacharacters.
+    
+    Some programs that invoke ssh(1) using untrusted data do not filter
+    metacharacters in arguments they supply. This could create
+    interactions with user-specified ProxyCommand and other directives
+    that allow shell injection attacks to occur.
+    
+    It's a mistake to invoke ssh(1) with arbitrary untrusted arguments,
+    but getting this stuff right can be tricky, so this should prevent
+    most obvious ways of creating risky situations. It however is not
+    and cannot be perfect: ssh(1) has no practical way of interpreting
+    what shell quoting rules are in use and how they interact with the
+    user's specified ProxyCommand.
+    
+    To allow configurations that use strange user or hostnames to
+    continue to work, this strictness is applied only to names coming
+    from the commandline. Names specified using User or Hostname
+    directives in ssh_config(5) are not affected.
+    
+    feedback/ok millert@ markus@ dtucker@ deraadt@
+    
+    OpenBSD-Commit-ID: 3b487348b5964f3e77b6b4d3da4c3b439e94b2d9
 
-commit 21b79af6c8d2357c822c84cef3fbdb8001ed263b
+commit 0cb50eefdd29f0fec31d0e71cc4b004a5f704e67
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Sep 10 03:51:55 2023 +0000
+Date:   Mon Dec 18 14:47:20 2023 +0000
 
-    upstream: typo in comment
+    upstream: stricter handling of channel window limits
     
-    OpenBSD-Commit-ID: 69285e0ce962a7c6b0ab5f17a293c60a0a360a18
-
-commit 41232d25532b4d2ef6c5db62efc0cf50a79d26ca
-Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Sun Sep 10 15:45:38 2023 +1000
-
-    Use zero-call-used-regs=used with Apple compilers.
+    This makes ssh/sshd more strict in handling non-compliant peers that
+    send more data than the advertised channel window allows. Previously
+    the additional data would be silently discarded. This change will
+    cause ssh/sshd to terminate the connection if the channel window is
+    exceeded by more than a small grace allowance.
     
-    Apple's versions of clang have version numbers that do not match the
-    corresponding upstream clang versions.  Unfortunately, they do still
-    have the clang-15 zero-call-used-regs=all bug, so for now use the value
-    that doesn't result in segfaults.  We could allowlist future versions
-    that are known to work.  bz#3584 (and probably also our github CI
-    failures).
+    ok markus@
+    
+    OpenBSD-Commit-ID: 811e21b41831eba3dd7f67b3d409a438f20d3037
 
-commit 90ccc5918ea505bf156c31148b6b59a1bf5d6dc6
+commit 4448a2938abc76e6bd33ba09b2ec17a216dfb491
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Sep 10 03:25:53 2023 +0000
+Date:   Mon Dec 18 14:46:56 2023 +0000
 
-    upstream: randomise keystroke obfuscation intervals and average
+    upstream: Make it possible to load certs from PKCS#11 tokens
     
-    interval rate. ok dtucker@
+    Adds a protocol extension to allow grafting certificates supplied by
+    ssh-add to keys loaded from PKCS#11 tokens in the agent.
     
-    OpenBSD-Commit-ID: 05f61d051ab418fcfc4857ff306e420037502382
+    feedback/ok markus@
+    
+    OpenBSD-Commit-ID: bb5433cd28ede2bc910996eb3c0b53e20f86037f
 
-commit bd1b9e52f5fa94d87223c90905c5fdc1a7c32aa6
+commit 881d9c6af9da4257c69c327c4e2f1508b2fa754b
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 8 06:34:24 2023 +0000
+Date:   Mon Dec 18 14:46:12 2023 +0000
 
-    upstream: fix sizeof(*ptr) instead sizeof(ptr) in realloc (pointer here
+    upstream: apply destination constraints to all p11 keys
     
-    is char**, so harmless); spotted in CID 416964
+    Previously applied only to the first key returned from each token.
     
-    OpenBSD-Commit-ID: c61caa4a5a667ee20bb1042098861e6c72c69002
+    ok markus@
+    
+    OpenBSD-Commit-ID: 36df3afb8eb94eec6b2541f063d0d164ef8b488d
 
-commit c4f966482983e18601eec70a1563115de836616f
+commit a7ed931caeb68947d30af8a795f4108b6efad761
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 8 06:10:57 2023 +0000
+Date:   Mon Dec 18 14:45:49 2023 +0000
 
-    upstream: regress test recursive remote-remote directories copies where
+    upstream: add "ext-info-in-auth@openssh.com" extension
     
-    the directory contains a symlink to another directory.
+    This adds another transport protocol extension to allow a sshd to send
+    SSH2_MSG_EXT_INFO during user authentication, after the server has
+    learned the username that is being logged in to.
     
-    also remove errant `set -x` that snuck in at some point
+    This lets sshd to update the acceptable signature algoritms for public
+    key authentication, and allows these to be varied via sshd_config(5)
+    "Match" directives, which are evaluated after the server learns the
+    username being authenticated.
     
-    OpenBSD-Regress-ID: 1c94a48bdbd633ef2285954ee257725cd7bc456f
+    Full details in the PROTOCOL file
+    
+    OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
 
-commit 5e1dfe5014ebc194641678303e22ab3bba15f4e5
+commit 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 8 06:10:02 2023 +0000
+Date:   Mon Dec 18 14:45:17 2023 +0000
 
-    upstream: fix recursive remote-remote copies of directories that
+    upstream: implement "strict key exchange" in ssh and sshd
     
-    contain symlinks to other directories (similar to bz3611)
+    This adds a protocol extension to improve the integrity of the SSH
+    transport protocol, particular in and around the initial key exchange
+    (KEX) phase.
     
-    OpenBSD-Commit-ID: 7e19d2ae09b4f941bf8eecc3955c9120171da37f
+    Full details of the extension are in the PROTOCOL file.
+    
+    with markus@
+    
+    OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
 
-commit 7c0ce2bf98b303b6ad91493ee3247d96c18ba1f6
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 8 05:50:57 2023 +0000
+commit 59d691b886c79e70b1d1c4ab744e81fd176222fd
+Author: Damien Miller <djm@mindrot.org>
+Date:   Mon Dec 18 14:49:11 2023 +1100
 
-    upstream: regress test for recursive copies of directories containing
+    better detection of broken -fzero-call-used-regs
     
-    symlinks to other directories. bz3611, ok dtucker@
+    Use OSSH_CHECK_CFLAG_LINK() for detection of these flags and extend
+    test program to exercise varargs, which seems to catch more stuff.
     
-    OpenBSD-Regress-ID: eaa4c29cc5cddff4e72a16bcce14aeb1ecfc94b9
+    ok dtucker@
 
-commit 2de990142a83bf60ef694378b8598706bc654b08
+commit aa7b21708511a6d4aed3839fc9f6e82e849dd4a1
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 8 05:56:13 2023 +0000
+Date:   Wed Dec 13 03:28:19 2023 +0000
 
-    upstream: the sftp code was one of my first contributions to
+    upstream: when invoking KnownHostsCommand to determine the order of
     
-    OpenSSH and it shows - the function names are terrible.
+    host key algorithms to request, ensure that the hostname passed to the
+    command is decorated with the port number for ports other than 22.
     
-    Rename do_blah() to sftp_blah() to make them less so.
+    This matches the behaviour of KnownHostsCommand when invoked to look
+    up the actual host key.
     
-    Completely mechanical except for sftp_stat() and sftp_lstat() which
-    change from returning a pointer to a static variable (error-prone) to
-    taking a pointer to a caller-provided receiver.
+    bz3643, ok dtucker@
     
-    OpenBSD-Commit-ID: eb54d6a72d0bbba4d623e2175cf5cc4c75dc2ba4
+    OpenBSD-Commit-ID: 5cfabc0b7c6c7ab473666df314f377b1f15420b1
 
-commit 249d8bd0472b53e3a2a0e138b4c030a31e83346a
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Fri Sep 8 05:50:12 2023 +0000
+commit 4086bd6652c0badccc020218a62190a7798fb72c
+Author: markus@openbsd.org <markus@openbsd.org>
+Date:   Fri Dec 8 09:18:39 2023 +0000
 
-    upstream: fix scp in SFTP mode recursive upload and download of
-    
-    directories that contain symlinks to other directories. In scp mode, the
-    links would be followed, but in SFTP mode they were not. bz3611, ok dtucker@
+    upstream: prevent leak in sshsig_match_principals; ok djm@
     
-    OpenBSD-Commit-ID: 9760fda668eaa94a992250d7670dfbc62a45197c
+    OpenBSD-Commit-ID: 594f61ad4819ff5c72dfe99ba666a17f0e1030ae
 
-commit 0e1f4401c466fa4fdaea81b6dadc8dd1fc4cf0af
+commit 19d3ee2f3adf7d9a606ff015c1e153744702c4c9
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 6 23:36:09 2023 +0000
+Date:   Wed Dec 6 21:06:48 2023 +0000
 
-    upstream: regression test for override of subsystem in match blocks
+    upstream: short circuit debug log processing early if we're not going
     
-    OpenBSD-Regress-ID: 5f8135da3bfda71067084c048d717b0e8793e87c
+    to log anything. From Kobe Housen
+    
+    OpenBSD-Commit-ID: 2bcddd695872a1bef137cfff7823044dcded90ea
 
-commit 8a1450c62035e834d8a79a5d0d1c904236f9dcfe
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 6 23:35:35 2023 +0000
+commit 947affad4831df015c498c00c6351ea6f13895d5
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Mon Nov 27 09:37:28 2023 +1100
 
-    upstream: allow override of Sybsystem directives in sshd Match
-    
-    blocks
+    Add tests for OpenSSL 3.2.0 and 3.2 stable branch.
+
+commit 747dce36206675ca6b885010a835733df469351b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Sat Nov 25 09:03:38 2023 +1100
+
+    Use non-zero arg in compiler test program.
     
-    OpenBSD-Commit-ID: 3911d18a826a2d2fe7e4519075cf3e57af439722
+    Now that we're running the test program, passing zero to the test function
+    can cause divide-by-zero exceptions which might show up in logs.
 
-commit 6e52826e2a74d077147a82ead8d4fbd5b54f4e3b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 6 23:26:37 2023 +0000
+commit 3d44a5c56585d1c351dbc006240a591b6da502b1
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Fri Nov 24 00:31:30 2023 +0000
 
-    upstream: allocate the subsystems array as necessary and remove the
+    upstream: Plug mem leak of msg when processing a quit message.
     
-    fixed limit of subsystems. Saves a few kb of memory in the server and makes
-    it more like the other options.
+    Coverity CID#427852, ok djm@
     
-    OpenBSD-Commit-ID: e683dfca6bdcbc3cc339bb6c6517c0c4736a547f
+    OpenBSD-Commit-ID: bf85362addbe2134c3d8c4b80f16601fbff823b7
 
-commit e19069c9fac4c111d6496b19c7f7db43b4f07b4f
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 6 23:23:53 2023 +0000
+commit 1d7f9b6e297877bd00973e6dc5c0642dbefc3b5f
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Thu Nov 23 03:37:05 2023 +0000
 
-    upstream: preserve quoting of Subsystem commands and arguments.
+    upstream: Include existing mux path in debug message.
     
-    This may change behaviour of exotic configurations, but the most common
-    subsystem configuration (sftp-server) is unlikely to be affected.
+    OpenBSD-Commit-ID: 1c3641be10c2f4fbad2a1b088a441d072e18bf16
+
+commit f29934066bd0e561a2e516b7e584fb92d2eedee0
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Thu Nov 23 19:41:27 2023 +1100
+
+    Add an Ubuntu 22.04 test VM.
     
-    OpenBSD-Commit-ID: 8ffa296aeca981de5b0945242ce75aa6dee479bf
+    This is the same version as Github's runners so most of the testing on
+    it is over there, but having a local VM makes debugging much easier.
 
-commit 52dfe3c72d98503d8b7c6f64fc7e19d685636c0b
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 6 23:21:36 2023 +0000
+commit a93284a780cd3972afe5f89086b75d564ba157f3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Thu Nov 23 19:36:22 2023 +1100
 
-    upstream: downgrade duplicate Subsystem directives from being a
+    Add gcc-12 -Werror test on Ubuntu 22.04.
     
-    fatal error to being a debug message to match behaviour with just about all
-    other directives.
+    Explictly specify gcc-11 on Ubuntu 22.04 (it's the system compiler).
+
+commit 670f5a647e98b6fd95ad64f789f87ee3274b481b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Thu Nov 23 19:34:57 2023 +1100
+
+    Check return value from write to prevent warning.
     
-    OpenBSD-Commit-ID: fc90ed2cc0c18d4eb8e33d2c5e98d25f282588ce
+    ... and since we're testing for flags with -Werror, this caused
+    configure to mis-detect compiler flags.
 
-commit 1ee0a16e07b6f0847ff463d7b5221c4bf1876e25
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Wed Sep 6 23:18:15 2023 +0000
+commit cea007d691cfedfa07a5b8599f97ce0511f53fc9
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Nov 22 21:18:55 2023 +1100
 
-    upstream: handle cr+lf (instead of just cr) in sshsig signature
+    Run compiler test program when compiling natively.
     
-    files
+    ok djm@
+
+commit ee0d305828f13536c0a416bbf9c3e81039d9ea55
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Nov 22 21:18:07 2023 +1100
+
+    Factor out compiler test program into a macro.
     
-    OpenBSD-Commit-ID: 647460a212b916540016d066568816507375fd7f
+    ok djm@
 
-commit e1c284d60a928bcdd60bc575c6f9604663502770
-Author: job@openbsd.org <job@openbsd.org>
-Date:   Mon Sep 4 10:29:58 2023 +0000
+commit de304c76316b029df460673725a9104224b9959b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Nov 22 08:55:36 2023 +1100
 
-    upstream: Generate Ed25519 keys when invoked without arguments
+    Add fbsd14 VM to test pool.
+
+commit 99a2df5e1994cdcb44ba2187b5f34d0e9190be91
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Tue Nov 21 16:19:29 2023 +1100
+
+    Expand -fzero-call-used-regs test to cover gcc 11.
     
-    Ed25519 public keys are very convenient due to their small size.
-    OpenSSH has supported Ed25519 since version 6.5 (January 2014).
+    It turns out that gcc also has some problems with -fzero-call-used-regs,
+    at least v11 on mips.  Previously the test in OSSH_CHECK_CFLAG_COMPILE
+    was sufficient to catch it with "=all", but not sufficient for "=used".
+    Expand the testcase and include it in the other tests for good measure.
+    See bz#3629.  ok djm@.
+
+commit ff220d4010717f7bfbbc02a2400666fb9d24f250
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Tue Nov 21 14:04:34 2023 +1100
+
+    Stop using -fzero-call-used-regs=all
     
-    OK djm@ markus@ sthen@ deraadt@
+    ... since it seems to be problematic with several different versions of
+    clang.  Only use -fzero-call-used-regs=used which is less
+    problematic, except with Apple's clang where we don't use it at all.
+    bz#3629, ok djm@
+
+commit 2a19e02f36b16f0f6cc915f7d1e60ead5e36303b
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Tue Nov 21 14:02:18 2023 +1100
+
+    Allow for vendor prefix on clang version numbers.
     
-    OpenBSD-Commit-ID: f498beaad19c8cdcc357381a60df4a9c69858b3f
+    Correctly detects the version of OpenBSD's native clang, as well as
+    Apple's.  Spotted tb@, ok djm@.
 
-commit 694150ad92765574ff82a18f4e86322bd3231e68
+commit c52db0114826d73eff6cdbf205e9c1fa4f7ca6c6
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 4 00:08:14 2023 +0000
+Date:   Mon Nov 20 02:50:00 2023 +0000
 
-    upstream: trigger keystroke timing obfucation only if the channels
-    
-    layer enqueud some data in the last poll() cycle; this avoids triggering the
-    obfuscatior for non-channels data like ClientAlive probes and also fixes a
-    related problem were the obfucations would be triggered on fully quiescent
-    connections.
+    upstream: set errno=EAFNOSUPPORT when filtering addresses that don't
     
-    Based on / tested by naddy@
+    match AddressFamily; yields slightly better error message if no address
+    matches. bz#3526
     
-    OpenBSD-Commit-ID: d98f32dc62d7663ff4660e4556e184032a0db123
+    OpenBSD-Commit-ID: 29cea900ddd8b04a4d1968da5c4a893be2ebd9e6
 
-commit b5fd97896b59a3a46245cf438cc8b16c795d9f74
+commit 26f3f3bbc69196d908cad6558c8c7dc5beb8d74a
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 4 00:04:02 2023 +0000
+Date:   Wed Nov 15 23:03:38 2023 +0000
 
-    upstream: avoid bogus "obfuscate_keystroke_timing: stopping ..."
+    upstream: when connecting via socket (the default case), filter
     
-    debug messages when keystroke timing obfuscation was never started; spotted
-    by naddy@
+    addresses by AddressFamily if one was specified. Fixes the case where, if
+    CanonicalizeHostname is enabled, ssh may ignore AddressFamily. bz5326; ok
+    dtucker
     
-    OpenBSD-Commit-ID: 5c270d35f7d2974db5c1646e9c64188f9393be31
+    OpenBSD-Commit-ID: 6c7d7751f6cd055126b2b268a7b64dcafa447439
 
-commit ccf7d913db34e49b7a6db1b8331bd402004c840d
+commit 050c335c8da43741ed0df2570ebfbd5d1dfd0a31
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Sep 4 00:01:46 2023 +0000
+Date:   Wed Nov 15 22:51:49 2023 +0000
 
-    upstream: make channel_output_poll() return a flag indicating
+    upstream: when deciding whether to enable keystroke timing
     
-    whether channel data was enqueued. Will be used to improve keystroke timing
-    obfuscation. Problem spotted by / tested by naddy@
+    obfuscation, only consider enabling it when a channel with a tty is open.
     
-    OpenBSD-Commit-ID: f9776c7b0065ba7c3bbe50431fd3b629f44314d0
+    Avoids turning on the obfucation when X11 forwarding only is in use,
+    which slows it right down. Reported by Roger Marsh
+    
+    OpenBSD-Commit-ID: c292f738db410f729190f92de100c39ec931a4f1
 
-commit 43254b326ac6e2131dbd750f9464dc62c14bd5a7
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Sun Sep 3 23:59:32 2023 +0000
+commit 676377ce67807a24e08a54cd60ec832946cc6cae
+Author: tobhe@openbsd.org <tobhe@openbsd.org>
+Date:   Mon Nov 13 09:18:19 2023 +0000
 
-    upstream: set interactive mode for ControlPersist sessions if they
+    upstream: Make sure sftp_get_limits() only returns 0 if 'limits'
     
-    originally requested a tty; enables keystroke timing obfuscation for most
-    ControlPersist sessions. Spotted by naddy@
+    was initialized. This fixes a potential uninitialized use of 'limits' in
+    sftp_init() if sftp_get_limits() returned early because of an unexpected
+    message type.
     
-    OpenBSD-Commit-ID: 72783a26254202e2f3f41a2818a19956fe49a772
+    ok djm@
+    
+    OpenBSD-Commit-ID: 1c177d7c3becc1d71bc8763eecf61873a1d3884c
 
-commit ff3eda68ceb2e2bb8f48e3faceb96076c3e85c20
+commit 64e0600f23c6dec36c3875392ac95b8a9100c2d6
 Author: Darren Tucker <dtucker@dtucker.net>
-Date:   Thu Aug 31 23:02:35 2023 +1000
+Date:   Mon Nov 13 20:03:31 2023 +1100
 
-    Set LLONG_MAX for C89 test.
+    Test current releases of LibreSSL and OpenSSL.
     
-    If we don't have LLONG_MAX, configure will figure out that it can get it
-    by setting -std=gnu99, at which point we won't be testing C89 any more.
-    To avoid this, feed it in via CFLAGS.
+    Retire some of the older releases.
 
-commit f98031773db361424d59e3301aa92aacf423d920
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Tue Aug 29 02:50:10 2023 +0000
+commit c8ed7cc545879ac15f6ce428be4b29c35598bb2a
+Author: dtucker@openbsd.org <dtucker@openbsd.org>
+Date:   Wed Nov 1 02:08:38 2023 +0000
 
-    upstream: make PerSourceMaxStartups first-match-wins; ok dtucker@
+    upstream: Specify ssh binary to use
     
-    OpenBSD-Commit-ID: dac0c24cb709e3c595b8b4f422a0355dc5a3b4e7
+    ... instead of relying on installed one.  Fixes test failures in -portable
+    when running tests prior to installation.
+    
+    OpenBSD-Regress-ID: b6d6ba71c23209c616efc805a60d9a445d53a685
 
-commit cfa66857db90cd908de131e0041a50ffc17c7df8
-Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Aug 28 09:52:09 2023 +0000
+commit e9fc2c48121cada1b4dcc5dadea5d447fe0093c3
+Author: Darren Tucker <dtucker@dtucker.net>
+Date:   Wed Nov 1 13:11:31 2023 +1100
 
-    upstream: descriptive text shouldn't be under .Cm
+    Put long-running test targets on hipri runners.
     
-    OpenBSD-Commit-ID: b1afaeb456a52bc8a58f4f9f8b2f9fa8f6bf651b
+    Some of the selfhosted test targets take a long time to run for various
+    reasons, so label them for "libvirt-hipri" runners so that they can
+    start immediately.  This should reduce the time to complete all tests.
 
-commit 01dbf3d46651b7d6ddf5e45d233839bbfffaeaec
+commit 7ddf27668f0e21233f08c0ab2fe9ee3fdd6ab1e2
 Author: djm@openbsd.org <djm@openbsd.org>
-Date:   Mon Aug 28 09:48:11 2023 +0000
+Date:   Wed Nov 1 00:29:46 2023 +0000
 
-    upstream: limit artificial login delay to a reasonable maximum (5s)
+    upstream: add some tests of forced commands overriding Subsystem
     
-    and don't delay at all for the "none" authentication mechanism. Patch by
-    Dmitry Belyavskiy in bz3602 with polish/ok dtucker@
+    directives
     
-    OpenBSD-Commit-ID: 85b364676dd84cf1de0e98fc2fbdcb1a844ce515
+    OpenBSD-Regress-ID: eb48610282f6371672bdf2a8b5d2aa33cfbd322b
 
-commit 528da5b9d7c5da01ed7a73ff21c722e1b5326006
-Author: jmc@openbsd.org <jmc@openbsd.org>
-Date:   Mon Aug 28 05:32:28 2023 +0000
+commit fb06f9b5a065dfbbef5916fc4accc03c0bf026dd
*** 20737 LINES SKIPPED ***