Merge 6.5p1.

* New upstream release (http://www.openssh.com/txt/release-6.5,
  LP: #1275068):
  - ssh(1): Add support for client-side hostname canonicalisation using a
    set of DNS suffixes and rules in ssh_config(5).  This allows
    unqualified names to be canonicalised to fully-qualified domain names
    to eliminate ambiguity when looking up keys in known_hosts or checking
    host certificate names (closes: #115286).

19 files changed, 526 insertions, 168 deletions

diff --git a/regress/Makefile b/regress/Makefile
index ab2a6ae7b..0c66b1774 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,6 +1,6 @@
-#       $OpenBSD: Makefile,v 1.65 2013/04/18 02:46:12 djm Exp $
+#       $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $
 
-REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t8 t9 t-exec
+REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
 tests:          $(REGRESS_TARGETS)
 
 # Interop tests are not run by default
@@ -44,6 +44,7 @@ LTESTS= 	connect \
                 sftp-badcmds \
                 sftp-batch \
                 sftp-glob \
+                sftp-perm \
                 reconfigure \
                 dynamic-forward \
                 forwarding \
@@ -72,7 +73,7 @@ INTEROP_TESTS=	putty-transfer putty-ciphers putty-kex conch-ciphers
 
 USER!=          id -un
 CLEANFILES=     t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
-                t8.out t8.out.pub t9.out t9.out.pub \
+                t8.out t8.out.pub t9.out t9.out.pub t10.out t10.out.pub \
                 authorized_keys_${USER} known_hosts pidfile testdata \
                 ssh_config sshd_config.orig ssh_proxy sshd_config sshd_proxy \
                 rsa.pub rsa rsa1.pub rsa1 host.rsa host.rsa1 \
@@ -86,7 +87,10 @@ CLEANFILES=	t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub copy.1 copy.2 \
                 authorized_principals_${USER} expect actual ready \
                 sshd_proxy.* authorized_keys_${USER}.* modpipe revoked-* krl-* \
                 ssh.log failed-ssh.log sshd.log failed-sshd.log \
-                regress.log failed-regress.log ssh-log-wrapper.sh
+                regress.log failed-regress.log ssh-log-wrapper.sh \
+                sftp-server.sh sftp-server.log sftp.log setuid-allowed \
+                data ed25519-agent ed25519-agent.pub key.ed25519-512 \
+                key.ed25519-512.pub
 
 SUDO_CLEAN+=    /var/run/testdata_${USER} /var/run/keycommand_${USER}
 
@@ -151,6 +155,14 @@ t9: $(OBJ)/t9.out
         test "${TEST_SSH_ECC}" != yes || \
         ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t9.out > /dev/null
 
+
+$(OBJ)/t10.out:
+        ${TEST_SSH_SSHKEYGEN} -q -t ed25519 -N '' -f $@
+
+t10: $(OBJ)/t10.out
+        ${TEST_SSH_SSHKEYGEN} -lf $(OBJ)/t10.out > /dev/null
+        ${TEST_SSH_SSHKEYGEN} -Bf $(OBJ)/t10.out > /dev/null
+
 t-exec: ${LTESTS:=.sh}
         @if [ "x$?" = "x" ]; then exit 0; fi; \
         for TEST in ""$?; do \
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index 9f29464c5..ae150641f 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -19,6 +19,13 @@ else
         exit 0
 fi
 
+if $OBJ/setuid-allowed ${SSHAGENT} ; then
+        : ok
+else
+        echo "skipped (${SSHAGENT} is mounted on a no-setuid filesystem)"
+        exit 0
+fi
+
 if test -z "$SUDO" ; then
         echo "skipped (SUDO not set)"
         exit 0
@@ -38,8 +45,9 @@ else
         gdb ${SSHAGENT} ${SSH_AGENT_PID} > ${OBJ}/gdb.out 2>&1 << EOF
                 quit
 EOF
-        if [ $? -ne 0 ]; then
-                fail "gdb failed: exit code $?"
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "gdb failed: exit code $r"
         fi
         egrep 'ptrace: Operation not permitted.|procfs:.*Permission denied.|ttrace.*Permission denied.|procfs:.*: Invalid argument.|Unable to access task ' >/dev/null ${OBJ}/gdb.out
         r=$?
diff --git a/regress/agent.sh b/regress/agent.sh
index be7d91334..cf1a45fe0 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent.sh,v 1.8 2013/05/17 00:37:40 dtucker Exp $
+#       $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $
 #       Placed in the Public Domain.
 
 tid="simple agent test"
@@ -20,7 +20,7 @@ else
         fi
         trace "overwrite authorized keys"
         printf '' > $OBJ/authorized_keys_$USER
-        for t in rsa rsa1; do
+        for t in ed25519 rsa rsa1; do
                 # generate user key for agent
                 rm -f $OBJ/$t-agent
                 ${SSHKEYGEN} -q -N '' -t $t -f $OBJ/$t-agent ||\
@@ -34,40 +34,46 @@ else
                 fi
         done
         ${SSHADD} -l > /dev/null 2>&1
-        if [ $? -ne 0 ]; then
-                fail "ssh-add -l failed: exit code $?"
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "ssh-add -l failed: exit code $r"
         fi
         # the same for full pubkey output
         ${SSHADD} -L > /dev/null 2>&1
-        if [ $? -ne 0 ]; then
-                fail "ssh-add -L failed: exit code $?"
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "ssh-add -L failed: exit code $r"
         fi
 
         trace "simple connect via agent"
         for p in 1 2; do
                 ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
-                if [ $? -ne 5$p ]; then
-                        fail "ssh connect with protocol $p failed (exit code $?)"
+                r=$?
+                if [ $r -ne 5$p ]; then
+                        fail "ssh connect with protocol $p failed (exit code $r)"
                 fi
         done
 
         trace "agent forwarding"
         for p in 1 2; do
                 ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
-                if [ $? -ne 0 ]; then
-                        fail "ssh-add -l via agent fwd proto $p failed (exit code $?)"
+                r=$?
+                if [ $r -ne 0 ]; then
+                        fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
                 fi
                 ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
                         "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
-                if [ $? -ne 5$p ]; then
-                        fail "agent fwd proto $p failed (exit code $?)"
+                r=$?
+                if [ $r -ne 5$p ]; then
+                        fail "agent fwd proto $p failed (exit code $r)"
                 fi
         done
 
         trace "delete all agent keys"
         ${SSHADD} -D > /dev/null 2>&1
-        if [ $? -ne 0 ]; then
-                fail "ssh-add -D failed: exit code $?"
+        r=$?
+        if [ $r -ne 0 ]; then
+                fail "ssh-add -D failed: exit code $r"
         fi
 
         trace "kill agent"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 35cd39293..a1318cd53 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,14 +1,8 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.7 2013/05/17 00:37:40 dtucker Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $
 #       Placed in the Public Domain.
 
 tid="certified host keys"
 
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
-        ecdsa=ecdsa
-fi
-
 rm -f $OBJ/known_hosts-cert $OBJ/host_ca_key* $OBJ/cert_host_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
@@ -23,8 +17,17 @@ ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/host_ca_key ||\
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/g;s/^ssh-//'`
+
+type_has_legacy() {
+        case $1 in
+                ed25519*|ecdsa*) return 1 ;;
+        esac
+        return 0
+}
+
 # Generate and sign host keys
-for ktype in rsa dsa $ecdsa ; do 
+for ktype in $PLAIN_TYPES ; do 
         verbose "$tid: sign host ${ktype} cert"
         # Generate and sign a host key
         ${SSHKEYGEN} -q -N '' -t ${ktype} \
@@ -34,10 +37,10 @@ for ktype in rsa dsa $ecdsa ; do
             -I "regress host key for $USER" \
             -n $HOSTS $OBJ/cert_host_key_${ktype} ||
                 fail "couldn't sign cert_host_key_${ktype}"
-        # v00 ecdsa certs do not exist
-        test "${ktype}" = "ecdsa" && continue
+        type_has_legacy $ktype || continue
         cp $OBJ/cert_host_key_${ktype} $OBJ/cert_host_key_${ktype}_v00
         cp $OBJ/cert_host_key_${ktype}.pub $OBJ/cert_host_key_${ktype}_v00.pub
+        verbose "$tid: sign host ${ktype}_v00 cert"
         ${SSHKEYGEN} -t v00 -h -q -s $OBJ/host_ca_key \
             -I "regress host key for $USER" \
             -n $HOSTS $OBJ/cert_host_key_${ktype}_v00 ||
@@ -46,7 +49,7 @@ done
 
 # Basic connect tests
 for privsep in yes no ; do
-        for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
                 verbose "$tid: host ${ktype} cert connect privsep $privsep"
                 (
                         cat $OBJ/sshd_proxy_bak
@@ -69,26 +72,13 @@ done
         printf '@cert-authority '
         printf "$HOSTS "
         cat $OBJ/host_ca_key.pub
-        printf '@revoked '
-        printf "* "
-        cat $OBJ/cert_host_key_rsa.pub
-        if test "x$TEST_SSH_ECC" = "xyes"; then
-                printf '@revoked '
-                printf "* "
-                cat $OBJ/cert_host_key_ecdsa.pub
-        fi
-        printf '@revoked '
-        printf "* "
-        cat $OBJ/cert_host_key_dsa.pub
-        printf '@revoked '
-        printf "* "
-        cat $OBJ/cert_host_key_rsa_v00.pub
-        printf '@revoked '
-        printf "* "
-        cat $OBJ/cert_host_key_dsa_v00.pub
+        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do
+                test -f "$OBJ/cert_host_key_${ktype}.pub" || fatal "no pubkey"
+                printf "@revoked * `cat $OBJ/cert_host_key_${ktype}.pub`\n"
+        done
 ) > $OBJ/known_hosts-cert
 for privsep in yes no ; do
-        for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00; do 
+        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00; do 
                 verbose "$tid: host ${ktype} revoked cert privsep $privsep"
                 (
                         cat $OBJ/sshd_proxy_bak
@@ -115,7 +105,7 @@ done
         printf "* "
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
         verbose "$tid: host ${ktype} revoked cert"
         (
                 cat $OBJ/sshd_proxy_bak
@@ -186,9 +176,8 @@ test_one "cert has constraints"	failure "-h -Oforce-command=false"
 
 # Check downgrade of cert to raw key when no CA found
 for v in v01 v00 ;  do 
-        for ktype in rsa dsa $ecdsa ; do 
-                # v00 ecdsa certs do not exist.
-                test "${v}${ktype}" = "v00ecdsa" && continue
+        for ktype in $PLAIN_TYPES ; do 
+                type_has_legacy $ktype || continue
                 rm -f $OBJ/known_hosts-cert $OBJ/cert_host_key*
                 verbose "$tid: host ${ktype} ${v} cert downgrade to raw key"
                 # Generate and sign a host key
@@ -225,9 +214,8 @@ done
         cat $OBJ/host_ca_key.pub
 ) > $OBJ/known_hosts-cert
 for v in v01 v00 ;  do 
-        for kt in rsa dsa $ecdsa ; do 
-                # v00 ecdsa certs do not exist.
-                test "${v}${ktype}" = "v00ecdsa" && continue
+        for kt in $PLAIN_TYPES ; do 
+                type_has_legacy $kt || continue
                 rm -f $OBJ/cert_host_key*
                 # Self-sign key
                 ${SSHKEYGEN} -q -N '' -t ${kt} \
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 6018b38f4..b093a9196 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,23 +1,26 @@
-#       $OpenBSD: cert-userkey.sh,v 1.11 2013/05/17 00:37:40 dtucker Exp $
+#       $OpenBSD: cert-userkey.sh,v 1.12 2013/12/06 13:52:46 markus Exp $
 #       Placed in the Public Domain.
 
 tid="certified user keys"
 
-# used to disable ECC based tests on platforms without ECC
-ecdsa=""
-if test "x$TEST_SSH_ECC" = "xyes"; then
-        ecdsa=ecdsa
-fi
-
 rm -f $OBJ/authorized_keys_$USER $OBJ/user_ca_key* $OBJ/cert_user_key*
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
+PLAIN_TYPES=`$SSH -Q key-plain | sed 's/^ssh-dss/ssh-dsa/;s/^ssh-//'`
+
+type_has_legacy() {
+        case $1 in
+                ed25519*|ecdsa*) return 1 ;;
+        esac
+        return 0
+}
+
 # Create a CA key
 ${SSHKEYGEN} -q -N '' -t rsa  -f $OBJ/user_ca_key ||\
         fail "ssh-keygen of user_ca_key failed"
 
 # Generate and sign user keys
-for ktype in rsa dsa $ecdsa ; do 
+for ktype in $PLAIN_TYPES ; do 
         verbose "$tid: sign user ${ktype} cert"
         ${SSHKEYGEN} -q -N '' -t ${ktype} \
             -f $OBJ/cert_user_key_${ktype} || \
@@ -25,18 +28,18 @@ for ktype in rsa dsa $ecdsa ; do
         ${SSHKEYGEN} -q -s $OBJ/user_ca_key -I "regress user key for $USER" \
             -z $$ -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype} ||
                 fail "couldn't sign cert_user_key_${ktype}"
-        # v00 ecdsa certs do not exist
-        test "${ktype}" = "ecdsa" && continue
+        type_has_legacy $ktype || continue
         cp $OBJ/cert_user_key_${ktype} $OBJ/cert_user_key_${ktype}_v00
         cp $OBJ/cert_user_key_${ktype}.pub $OBJ/cert_user_key_${ktype}_v00.pub
+        verbose "$tid: sign host ${ktype}_v00 cert"
         ${SSHKEYGEN} -q -t v00 -s $OBJ/user_ca_key -I \
             "regress user key for $USER" \
             -n ${USER},mekmitasdigoat $OBJ/cert_user_key_${ktype}_v00 ||
-                fail "couldn't sign cert_user_key_${ktype}_v00"
+                fatal "couldn't sign cert_user_key_${ktype}_v00"
 done
 
 # Test explicitly-specified principals
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
         for privsep in yes no ; do
                 _prefix="${ktype} privsep $privsep"
 
@@ -162,7 +165,7 @@ basic_tests() {
                 extra_sshd="TrustedUserCAKeys $OBJ/user_ca_key.pub"
         fi
         
-        for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+        for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
                 for privsep in yes no ; do
                         _prefix="${ktype} privsep $privsep $auth"
                         # Simple connect
@@ -332,7 +335,7 @@ test_one "principals key option no principals" failure "" \
 
 # Wrong certificate
 cat $OBJ/sshd_proxy_bak > $OBJ/sshd_proxy
-for ktype in rsa dsa $ecdsa rsa_v00 dsa_v00 ; do 
+for ktype in $PLAIN_TYPES rsa_v00 dsa_v00 ; do 
         case $ktype in
         *_v00) args="-t v00" ;;
         *) args="" ;;
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 489d9f5fa..a6d53a78d 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cipher-speed.sh,v 1.9 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: cipher-speed.sh,v 1.11 2013/11/21 03:18:51 djm Exp $
 #       Placed in the Public Domain.
 
 tid="cipher speed"
@@ -11,18 +11,7 @@ getbytes ()
 
 tries="1 2"
 
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
-        arcfour128 arcfour256 arcfour 
-        aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
-        aes128-ctr aes192-ctr aes256-ctr"
-config_defined OPENSSL_HAVE_EVPGCM && \
-        ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
-        hmac-sha1-96 hmac-md5-96"
-config_defined HAVE_EVP_SHA256 && \
-    macs="$macs hmac-sha2-256 hmac-sha2-512"
-
-for c in $ciphers; do n=0; for m in $macs; do
+for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do
         trace "proto 2 cipher $c mac $m"
         for x in $tries; do
                 printf "%-60s" "$c/$m:"
@@ -35,10 +24,10 @@ for c in $ciphers; do n=0; for m in $macs; do
                         fail "ssh -2 failed with mac $m cipher $c"
                 fi
         done
-        # No point trying all MACs for GCM since they are ignored.
-        case $c in
-        aes*-gcm@openssh.com)   test $n -gt 0 && break;;
-        esac
+        # No point trying all MACs for AEAD ciphers since they are ignored.
+        if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
+                break
+        fi
         n=`expr $n + 1`
 done; done
 
diff --git a/regress/forward-control.sh b/regress/forward-control.sh
index 80ddb4167..7f7d105e8 100644
--- a/regress/forward-control.sh
+++ b/regress/forward-control.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: forward-control.sh,v 1.1 2012/12/02 20:47:48 djm Exp $
+#       $OpenBSD: forward-control.sh,v 1.2 2013/11/18 05:09:32 naddy Exp $
 #       Placed in the Public Domain.
 
 tid="sshd control of local and remote forwarding"
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 1d17fe10a..852d82690 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: integrity.sh,v 1.10 2013/05/17 01:32:11 dtucker Exp $
+#       $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
 #       Placed in the Public Domain.
 
 tid="integrity"
@@ -8,18 +8,10 @@ tid="integrity"
 # XXX and ssh tries to read...
 tries=10
 startoffset=2900
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
-        hmac-sha1-96 hmac-md5-96 
-        hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
-        umac-64-etm@openssh.com umac-128-etm@openssh.com
-        hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com"
-config_defined HAVE_EVP_SHA256 &&
-        macs="$macs hmac-sha2-256 hmac-sha2-512
-                hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
+macs=`${SSH} -Q mac`
 # The following are not MACs, but ciphers with integrated integrity. They are
 # handled specially below.
-config_defined OPENSSL_HAVE_EVPGCM && \
-        macs="$macs aes128-gcm@openssh.com aes256-gcm@openssh.com"
+macs="$macs `${SSH} -Q cipher-auth`"
 
 # avoid DH group exchange as the extra traffic makes it harder to get the
 # offset into the stream right.
@@ -44,12 +36,14 @@ for m in $macs; do
                 fi
                 # modify output from sshd at offset $off
                 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
-                case $m in
-                        aes*gcm*)       macopt="-c $m";;
-                        *)              macopt="-m $m";;
-                esac
+                if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+                        macopt="-c $m"
+                else
+                        macopt="-m $m -c aes128-ctr"
+                fi
                 verbose "test $tid: $m @$off"
                 ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+                    -oServerAliveInterval=1 -oServerAliveCountMax=30 \
                     999.999.999.999 'printf "%4096s" " "' >/dev/null
                 if [ $? -eq 0 ]; then
                         fail "ssh -m $m succeeds with bit-flip at $off"
diff --git a/regress/kextype.sh b/regress/kextype.sh
index 79c0817bb..8c2ac09d6 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: kextype.sh,v 1.1 2010/09/22 12:26:05 djm Exp $
+#       $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="login with different key exchange algorithms"
@@ -7,18 +7,8 @@ TIME=/usr/bin/time
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
-if test "$TEST_SSH_ECC" = "yes"; then
-        kextypes="ecdh-sha2-nistp256 ecdh-sha2-nistp384 ecdh-sha2-nistp521"
-fi
-if test "$TEST_SSH_SHA256" = "yes"; then
-        kextypes="$kextypes diffie-hellman-group-exchange-sha256"
-fi
-kextypes="$kextypes diffie-hellman-group-exchange-sha1"
-kextypes="$kextypes diffie-hellman-group14-sha1"
-kextypes="$kextypes diffie-hellman-group1-sha1"
-
 tries="1 2 3 4"
-for k in $kextypes; do 
+for k in `${SSH} -Q kex`; do
         verbose "kex $k"
         for i in $tries; do
                 ${SSH} -F $OBJ/ssh_proxy -o KexAlgorithms=$k x true
diff --git a/regress/keytype.sh b/regress/keytype.sh
index 59586bf0d..9752acb0a 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: keytype.sh,v 1.2 2013/05/17 00:37:40 dtucker Exp $
+#       $OpenBSD: keytype.sh,v 1.3 2013/12/06 13:52:46 markus Exp $
 #       Placed in the Public Domain.
 
 tid="login with different key types"
@@ -11,10 +11,16 @@ fi
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
-ktypes="dsa-1024 rsa-2048 rsa-3072"
-if test "$TEST_SSH_ECC" = "yes"; then
-        ktypes="$ktypes ecdsa-256 ecdsa-384 ecdsa-521"
-fi
+# Traditional and builtin key types.
+ktypes="dsa-1024 rsa-2048 rsa-3072 ed25519-512"
+# Types not present in all OpenSSL versions.
+for i in `$SSH -Q key`; do
+        case "$i" in
+                ecdsa-sha2-nistp256)    ktypes="$ktypes ecdsa-256" ;;
+                ecdsa-sha2-nistp384)    ktypes="$ktypes ecdsa-384" ;;
+                ecdsa-sha2-nistp521)    ktypes="$ktypes ecdsa-521" ;;
+        esac
+done
 
 for kt in $ktypes; do 
         rm -f $OBJ/key.$kt
diff --git a/regress/krl.sh b/regress/krl.sh
index de9cc8764..09246371c 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: krl.sh,v 1.1 2013/01/18 00:45:29 djm Exp $
+#       $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $
 #       Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -101,6 +101,9 @@ $SSHKEYGEN $OPTS -kf $OBJ/krl-keyid -s $OBJ/revoked-ca.pub $OBJ/revoked-keyid \
         >/dev/null || fatal "$SSHKEYGEN KRL failed"
 }
 
+## XXX dump with trace and grep for set cert serials
+## XXX test ranges near (u64)-1, etc.
+
 verbose "$tid: generating KRLs"
 genkrls
 
diff --git a/regress/modpipe.c b/regress/modpipe.c
index 85747cf7d..e854f9e07 100755
--- a/regress/modpipe.c
+++ b/regress/modpipe.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: modpipe.c,v 1.5 2013/05/10 03:46:14 djm Exp $ */
+/* $OpenBSD: modpipe.c,v 1.6 2013/11/21 03:16:47 djm Exp $ */
 
 #include "includes.h"
 
@@ -68,7 +68,7 @@ usage(void)
 #define MAX_MODIFICATIONS 256
 struct modification {
         enum { MOD_XOR, MOD_AND_OR } what;
-        u_int64_t offset;
+        unsigned long long offset;
         u_int8_t m1, m2;
 };
 
@@ -79,7 +79,7 @@ parse_modification(const char *s, struct modification *m)
         int n, m1, m2;
 
         bzero(m, sizeof(*m));
-        if ((n = sscanf(s, "%16[^:]%*[:]%lli%*[:]%i%*[:]%i",
+        if ((n = sscanf(s, "%16[^:]%*[:]%llu%*[:]%i%*[:]%i",
             what, &m->offset, &m1, &m2)) < 3)
                 errx(1, "Invalid modification spec \"%s\"", s);
         if (strcasecmp(what, "xor") == 0) {
diff --git a/regress/rekey.sh b/regress/rekey.sh
index 8eb7efaf9..cf9401ea0 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: rekey.sh,v 1.8 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
 #       Placed in the Public Domain.
 
 tid="rekey"
@@ -7,34 +7,67 @@ LOG=${TEST_SSH_LOGFILE}
 
 rm -f ${LOG}
 
-for s in 16 1k 128k 256k; do
-        verbose "client rekeylimit ${s}"
+# Test rekeying based on data volume only.
+# Arguments will be passed to ssh.
+ssh_data_rekeying()
+{
         rm -f ${COPY} ${LOG}
-        cat $DATA | \
-                ${SSH} -oCompression=no -oRekeyLimit=$s \
-                        -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
+        ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \
+                "cat > ${COPY}"
         if [ $? -ne 0 ]; then
-                fail "ssh failed"
+                fail "ssh failed ($@)"
         fi
-        cmp $DATA ${COPY}               || fail "corrupted copy"
+        cmp ${DATA} ${COPY}             || fail "corrupted copy ($@)"
         n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
         n=`expr $n - 1`
         trace "$n rekeying(s)"
         if [ $n -lt 1 ]; then
-                fail "no rekeying occured"
+                fail "no rekeying occured ($@)"
         fi
+}
+
+increase_datafile_size 300
+
+opts=""
+for i in `${SSH} -Q kex`; do
+        opts="$opts KexAlgorithms=$i"
+done
+for i in `${SSH} -Q cipher`; do
+        opts="$opts Ciphers=$i"
+done
+for i in `${SSH} -Q mac`; do
+        opts="$opts MACs=$i"
+done
+
+for opt in $opts; do
+        verbose "client rekey $opt"
+        ssh_data_rekeying -oRekeyLimit=256k -o$opt
+done
+
+# AEAD ciphers are magical so test with all KexAlgorithms
+if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
+  for c in `${SSH} -Q cipher-auth`; do
+    for kex in `${SSH} -Q kex`; do
+        verbose "client rekey $c $kex"
+        ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
+    done
+  done
+fi
+
+for s in 16 1k 128k 256k; do
+        verbose "client rekeylimit ${s}"
+        ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
 done
 
 for s in 5 10; do
         verbose "client rekeylimit default ${s}"
         rm -f ${COPY} ${LOG}
-        cat $DATA | \
-                ${SSH} -oCompression=no -oRekeyLimit="default $s" -F \
-                        $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
+        ${SSH} < ${DATA} -oCompression=no -oRekeyLimit="default $s" -F \
+                $OBJ/ssh_proxy somehost "cat >${COPY};sleep $s;sleep 3"
         if [ $? -ne 0 ]; then
                 fail "ssh failed"
         fi
-        cmp $DATA ${COPY}               || fail "corrupted copy"
+        cmp ${DATA} ${COPY}             || fail "corrupted copy"
         n=`grep 'NEWKEYS sent' ${LOG} | wc -l`
         n=`expr $n - 1`
         trace "$n rekeying(s)"
@@ -98,10 +131,10 @@ for size in 16 1k 1K 1m 1M 1g 1G; do
             awk '/rekeylimit/{print $3}'`
 
         if [ "$bytes" != "$b" ]; then
-                fatal "rekeylimit size: expected $bytes got $b"
+                fatal "rekeylimit size: expected $bytes bytes got $b"
         fi
         if [ "$seconds" != "$s" ]; then
-                fatal "rekeylimit time: expected $time got $s"
+                fatal "rekeylimit time: expected $time seconds got $s"
         fi
     done
 done
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index d1005a995..c63bc2bc1 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -17,7 +17,7 @@ printname () {
 }
 
 # Discard all but last argument.  We use arg later.
-while test "$1" != ""; do
+while test "x$1" != "x"; do
         arg="$1"
         shift
 done
@@ -52,6 +52,8 @@ badserver_4)
         echo "X"
         ;;
 *)
-        exec $arg
+        set -- $arg
+        shift
+        exec $SCP "$@"
         ;;
 esac
diff --git a/regress/scp.sh b/regress/scp.sh
index 29c5b35d4..c2da2a862 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -20,6 +20,7 @@ SRC=`dirname ${SCRIPT}`
 cp ${SRC}/scp-ssh-wrapper.sh ${OBJ}/scp-ssh-wrapper.scp
 chmod 755 ${OBJ}/scp-ssh-wrapper.scp
 scpopts="-q -S ${OBJ}/scp-ssh-wrapper.scp"
+export SCP # used in scp-ssh-wrapper.scp
 
 scpclean() {
         rm -rf ${COPY} ${COPY2} ${DIR} ${DIR2}
diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c
new file mode 100644
index 000000000..37b7dc8ad
--- /dev/null
+++ b/regress/setuid-allowed.c
@@ -0,0 +1,56 @@
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* $OpenBSD$ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#ifdef HAVE_SYS_STATVFS_H
+# include <sys/statvfs.h>
+#endif
+#include <stdio.h>
+#include <errno.h>
+
+void
+usage(void)
+{
+        fprintf(stderr, "check-setuid [path]\n");
+        exit(1);
+}
+
+int
+main(int argc, char **argv)
+{
+        const char *path = ".";
+        struct statvfs sb;
+
+        if (argc > 2)
+                usage();
+        else if (argc == 2)
+                path = argv[1];
+
+        if (statvfs(path, &sb) != 0) {
+                /* Don't return an error if the host doesn't support statvfs */
+                if (errno == ENOSYS)
+                        return 0;
+                fprintf(stderr, "statvfs for \"%s\" failed: %s\n",
+                     path, strerror(errno));
+        }
+        return (sb.f_flag & ST_NOSUID) ? 1 : 0;
+}
+
+
diff --git a/regress/sftp-perm.sh b/regress/sftp-perm.sh
new file mode 100644
index 000000000..304ca0ac5
--- /dev/null
+++ b/regress/sftp-perm.sh
@@ -0,0 +1,269 @@
+#       $OpenBSD: sftp-perm.sh,v 1.2 2013/10/17 22:00:18 djm Exp $
+#       Placed in the Public Domain.
+
+tid="sftp permissions"
+
+SERVER_LOG=${OBJ}/sftp-server.log
+CLIENT_LOG=${OBJ}/sftp.log
+TEST_SFTP_SERVER=${OBJ}/sftp-server.sh
+
+prepare_server() {
+        printf "#!/bin/sh\nexec $SFTPSERVER -el debug3 $* 2>$SERVER_LOG\n" \
+        > $TEST_SFTP_SERVER
+        chmod a+x $TEST_SFTP_SERVER
+}
+
+run_client() {
+        echo "$@" | ${SFTP} -D ${TEST_SFTP_SERVER} -vvvb - >$CLIENT_LOG 2>&1
+}
+
+prepare_files() {
+        _prep="$1"
+        rm -f ${COPY} ${COPY}.1
+        test -d ${COPY}.dd && { rmdir ${COPY}.dd || fatal "rmdir ${COPY}.dd"; }
+        test -z "$_prep" && return
+        sh -c "$_prep" || fail "preparation failed: \"$_prep\""
+}
+
+postcondition() {
+        _title="$1"
+        _check="$2"
+        test -z "$_check" && return
+        ${TEST_SHELL} -c "$_check" || fail "postcondition check failed: $_title"
+}
+
+ro_test() {
+        _desc=$1
+        _cmd="$2"
+        _prep="$3"
+        _expect_success_post="$4"
+        _expect_fail_post="$5"
+        verbose "$tid: read-only $_desc"
+        # Plain (no options, mostly to test that _cmd is good)
+        prepare_files "$_prep"
+        prepare_server
+        run_client "$_cmd" || fail "plain $_desc failed"
+        postcondition "$_desc no-readonly" "$_expect_success_post"
+        # Read-only enabled
+        prepare_files "$_prep"
+        prepare_server -R
+        run_client "$_cmd" && fail "read-only $_desc succeeded"
+        postcondition "$_desc readonly" "$_expect_fail_post"
+}
+
+perm_test() {
+        _op=$1
+        _whitelist_ops=$2
+        _cmd="$3"
+        _prep="$4"
+        _expect_success_post="$5"
+        _expect_fail_post="$6"
+        verbose "$tid: explicit $_op"
+        # Plain (no options, mostly to test that _cmd is good)
+        prepare_files "$_prep"
+        prepare_server
+        run_client "$_cmd" || fail "plain $_op failed"
+        postcondition "$_op no white/blacklists" "$_expect_success_post"
+        # Whitelist
+        prepare_files "$_prep"
+        prepare_server -p $_op,$_whitelist_ops
+        run_client "$_cmd" || fail "whitelisted $_op failed"
+        postcondition "$_op whitelisted" "$_expect_success_post"
+        # Blacklist
+        prepare_files "$_prep"
+        prepare_server -P $_op
+        run_client "$_cmd" && fail "blacklisted $_op succeeded"
+        postcondition "$_op blacklisted" "$_expect_fail_post"
+        # Whitelist with op missing.
+        prepare_files "$_prep"
+        prepare_server -p $_whitelist_ops
+        run_client "$_cmd" && fail "no whitelist $_op succeeded"
+        postcondition "$_op not in whitelist" "$_expect_fail_post"
+}
+
+ro_test \
+        "upload" \
+        "put $DATA $COPY" \
+        "" \
+        "cmp $DATA $COPY" \
+        "test ! -f $COPY"
+
+ro_test \
+        "setstat" \
+        "chmod 0700 $COPY" \
+        "touch $COPY; chmod 0400 $COPY" \
+        "test -x $COPY" \
+        "test ! -x $COPY"
+
+ro_test \
+        "rm" \
+        "rm $COPY" \
+        "touch $COPY" \
+        "test ! -f $COPY" \
+        "test -f $COPY"
+
+ro_test \
+        "mkdir" \
+        "mkdir ${COPY}.dd" \
+        "" \
+        "test -d ${COPY}.dd" \
+        "test ! -d ${COPY}.dd"
+
+ro_test \
+        "rmdir" \
+        "rmdir ${COPY}.dd" \
+        "mkdir ${COPY}.dd" \
+        "test ! -d ${COPY}.dd" \
+        "test -d ${COPY}.dd"
+
+ro_test \
+        "posix-rename" \
+        "rename $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -f ${COPY}.1 -a ! -f $COPY" \
+        "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+        "oldrename" \
+        "rename -l $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -f ${COPY}.1 -a ! -f $COPY" \
+        "test -f $COPY -a ! -f ${COPY}.1"
+
+ro_test \
+        "symlink" \
+        "ln -s $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -h ${COPY}.1" \
+        "test ! -h ${COPY}.1"
+
+ro_test \
+        "hardlink" \
+        "ln $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -f ${COPY}.1" \
+        "test ! -f ${COPY}.1"
+
+# Test explicit permissions
+
+perm_test \
+        "open" \
+        "realpath,stat,lstat,read,close" \
+        "get $DATA $COPY" \
+        "" \
+        "cmp $DATA $COPY" \
+        "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+        "read" \
+        "realpath,stat,lstat,open,close" \
+        "get $DATA $COPY" \
+        "" \
+        "cmp $DATA $COPY" \
+        "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+        "write" \
+        "realpath,stat,lstat,open,close" \
+        "put $DATA $COPY" \
+        "" \
+        "cmp $DATA $COPY" \
+        "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+        "lstat" \
+        "realpath,stat,open,read,close" \
+        "get $DATA $COPY" \
+        "" \
+        "cmp $DATA $COPY" \
+        "! cmp $DATA $COPY 2>/dev/null"
+
+perm_test \
+        "opendir" \
+        "realpath,readdir,stat,lstat" \
+        "ls -ln $OBJ"
+
+perm_test \
+        "readdir" \
+        "realpath,opendir,stat,lstat" \
+        "ls -ln $OBJ"
+
+perm_test \
+        "setstat" \
+        "realpath,stat,lstat" \
+        "chmod 0700 $COPY" \
+        "touch $COPY; chmod 0400 $COPY" \
+        "test -x $COPY" \
+        "test ! -x $COPY"
+
+perm_test \
+        "remove" \
+        "realpath,stat,lstat" \
+        "rm $COPY" \
+        "touch $COPY" \
+        "test ! -f $COPY" \
+        "test -f $COPY"
+
+perm_test \
+        "mkdir" \
+        "realpath,stat,lstat" \
+        "mkdir ${COPY}.dd" \
+        "" \
+        "test -d ${COPY}.dd" \
+        "test ! -d ${COPY}.dd"
+
+perm_test \
+        "rmdir" \
+        "realpath,stat,lstat" \
+        "rmdir ${COPY}.dd" \
+        "mkdir ${COPY}.dd" \
+        "test ! -d ${COPY}.dd" \
+        "test -d ${COPY}.dd"
+
+perm_test \
+        "posix-rename" \
+        "realpath,stat,lstat" \
+        "rename $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -f ${COPY}.1 -a ! -f $COPY" \
+        "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+        "rename" \
+        "realpath,stat,lstat" \
+        "rename -l $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -f ${COPY}.1 -a ! -f $COPY" \
+        "test -f $COPY -a ! -f ${COPY}.1"
+
+perm_test \
+        "symlink" \
+        "realpath,stat,lstat" \
+        "ln -s $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -h ${COPY}.1" \
+        "test ! -h ${COPY}.1"
+
+perm_test \
+        "hardlink" \
+        "realpath,stat,lstat" \
+        "ln $COPY ${COPY}.1" \
+        "touch $COPY" \
+        "test -f ${COPY}.1" \
+        "test ! -f ${COPY}.1"
+
+perm_test \
+        "statvfs" \
+        "realpath,stat,lstat" \
+        "df /"
+
+# XXX need good tests for:
+# fstat
+# fsetstat
+# realpath
+# stat
+# readlink
+# fstatvfs
+
+rm -rf ${COPY} ${COPY}.1 ${COPY}.dd
+
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index eee446264..aac8aa5c2 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: test-exec.sh,v 1.46 2013/06/21 02:26:26 djm Exp $
+#       $OpenBSD: test-exec.sh,v 1.47 2013/11/09 05:41:34 dtucker Exp $
 #       Placed in the Public Domain.
 
 #SUDO=sudo
@@ -133,7 +133,12 @@ fi
 # Path to sshd must be absolute for rexec
 case "$SSHD" in
 /*) ;;
-*) SSHD=`which sshd` ;;
+*) SSHD=`which $SSHD` ;;
+esac
+
+case "$SSHAGENT" in
+/*) ;;
+*) SSHAGENT=`which $SSHAGENT` ;;
 esac
 
 # Logfiles.
@@ -166,14 +171,22 @@ SSH="$SSHLOGWRAP"
 
 # Some test data.  We make a copy because some tests will overwrite it.
 # The tests may assume that $DATA exists and is writable and $COPY does
-# not exist.
+# not exist.  Tests requiring larger data files can call increase_datafile_size
+# [kbytes] to ensure the file is at least that large.
 DATANAME=data
 DATA=$OBJ/${DATANAME}
-cat $SSHD $SSHD $SSHD $SSHD >${DATA}
+cat ${SSHAGENT} >${DATA}
 chmod u+w ${DATA}
 COPY=$OBJ/copy
 rm -f ${COPY}
 
+increase_datafile_size()
+{
+        while [ `du -k ${DATA} | cut -f1` -lt $1 ]; do
+                cat ${SSHAGENT} >>${DATA}
+        done
+}
+
 # these should be used in tests
 export SSH SSHD SSHAGENT SSHADD SSHKEYGEN SSHKEYSCAN SFTP SFTPSERVER SCP
 #echo $SSH $SSHD $SSHAGENT $SSHADD $SSHKEYGEN $SSHKEYSCAN $SFTP $SFTPSERVER $SCP
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index e17c9f5e9..ac34cedbf 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,37 +1,22 @@
-#       $OpenBSD: try-ciphers.sh,v 1.20 2013/05/17 10:16:26 dtucker Exp $
+#       $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
 #       Placed in the Public Domain.
 
 tid="try ciphers"
 
-ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc 
-        arcfour128 arcfour256 arcfour 
-        aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
-        aes128-ctr aes192-ctr aes256-ctr"
-config_defined OPENSSL_HAVE_EVPGCM && \
-        ciphers="$ciphers aes128-gcm@openssh.com aes256-gcm@openssh.com"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
-        hmac-sha1-96 hmac-md5-96
-        hmac-sha1-etm@openssh.com hmac-md5-etm@openssh.com
-        umac-64-etm@openssh.com umac-128-etm@openssh.com
-        hmac-sha1-96-etm@openssh.com hmac-md5-96-etm@openssh.com
-        hmac-ripemd160-etm@openssh.com"
-config_defined HAVE_EVP_SHA256 &&
-    macs="$macs hmac-sha2-256 hmac-sha2-512
-        hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
-
-for c in $ciphers; do
+for c in `${SSH} -Q cipher`; do
         n=0
-        for m in $macs; do
+        for m in `${SSH} -Q mac`; do
                 trace "proto 2 cipher $c mac $m"
                 verbose "test $tid: proto 2 cipher $c mac $m"
                 ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
                 if [ $? -ne 0 ]; then
                         fail "ssh -2 failed with mac $m cipher $c"
                 fi
-                # No point trying all MACs for GCM since they are ignored.
-                case $c in
-                aes*-gcm@openssh.com)   test $n -gt 0 && break;;
-                esac
+                # No point trying all MACs for AEAD ciphers since they
+                # are ignored.
+                if ssh -Q cipher-auth | grep "^${c}\$" >/dev/null 2>&1 ; then
+                        break
+                fi
                 n=`expr $n + 1`
         done
 done