15 files changed, 90 insertions, 88 deletions
diff --git a/auth.h b/auth.h
index 71c372e97..bf393e755 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.98 2019/01/19 21:41:18 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.99 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -132,8 +132,8 @@ auth_rhosts2(struct passwd *, const char *, const char *, const char *);
 int      auth_password(struct ssh *, const char *);
-int      hostbased_key_allowed(struct passwd *, const char *, char *,
+int      hostbased_key_allowed(struct ssh *, struct passwd *,
-            struct sshkey *);
+            const char *, char *, struct sshkey *);
 int      user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
    struct sshauthopt **);
 int      auth2_key_already_used(Authctxt *, const struct sshkey *);
@@ -208,8 +208,8 @@ struct sshkey	*get_hostkey_public_by_index(int, struct ssh *);
 struct sshkey   *get_hostkey_public_by_type(int, int, struct ssh *);
 struct sshkey   *get_hostkey_private_by_type(int, int, struct ssh *);
 int      get_hostkey_index(struct sshkey *, int, struct ssh *);
-int      sshd_hostkey_sign(struct sshkey *, struct sshkey *, u_char **,
+int      sshd_hostkey_sign(struct ssh *, struct sshkey *, struct sshkey *,
-             size_t *, const u_char *, size_t, const char *, u_int);
+    u_char **, size_t *, const u_char *, size_t, const char *);
 /* Key / cert options linkage to auth layer */
 const struct sshauthopt *auth_options(struct ssh *);
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index e28a48fb3..0c40fad4e 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.39 2019/01/19 21:31:32 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.40 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2000 Markus Friedl.  All rights reserved.
 *
@@ -51,8 +51,6 @@
 #include "ssherr.h"
 #include "match.h"
-extern struct ssh *active_state; /* XXX */
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
@@ -149,7 +147,8 @@ userauth_hostbased(struct ssh *ssh)
        /* test for allowed key and correct signature */
        authenticated = 0;
-        if (PRIVSEP(hostbased_key_allowed(authctxt->pw, cuser, chost, key)) &&
+        if (PRIVSEP(hostbased_key_allowed(ssh, authctxt->pw, cuser,
+            chost, key)) &&
            PRIVSEP(sshkey_verify(key, sig, slen,
            sshbuf_ptr(b), sshbuf_len(b), pkalg, ssh->compat)) == 0)
                authenticated = 1;
@@ -169,10 +168,9 @@ done:
 /* return 1 if given hostkey is allowed */
 int
-hostbased_key_allowed(struct passwd *pw, const char *cuser, char *chost,
+hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
-    struct sshkey *key)
+    const char *cuser, char *chost, struct sshkey *key)
 {
-        struct ssh *ssh = active_state; /* XXX */
        const char *resolvedname, *ipaddr, *lookup, *reason;
        HostStatus host_status;
        int len;
diff --git a/kex.h b/kex.h
index 9ba860954..085e60b52 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.93 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: kex.h,v 1.94 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -156,8 +156,8 @@ struct kex {
        struct sshkey *(*load_host_public_key)(int, int, struct ssh *);
        struct sshkey *(*load_host_private_key)(int, int, struct ssh *);
        int     (*host_key_index)(struct sshkey *, int, struct ssh *);
-        int     (*sign)(struct sshkey *, struct sshkey *, u_char **, size_t *,
+        int     (*sign)(struct ssh *, struct sshkey *, struct sshkey *,
-            const u_char *, size_t, const char *, u_int);
+            u_char **, size_t *, const u_char *, size_t, const char *);
        int     (*kex[KEX_MAX])(struct ssh *);
        /* kex specific state */
        DH      *dh;                    /* DH */
diff --git a/kexc25519s.c b/kexc25519s.c
index 81f816e56..9ff74d912 100644
--- a/kexc25519s.c
+++ b/kexc25519s.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519s.c,v 1.12 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: kexc25519s.c,v 1.13 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -133,8 +133,8 @@ input_kex_c25519_init(int type, u_int32_t seq, struct ssh *ssh)
        }
        /* sign H */
-        if ((r = kex->sign(server_host_private, server_host_public, &signature,
+        if ((r = kex->sign(ssh, server_host_private, server_host_public,
-             &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
+            &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
                goto out;
        /* send server hostkey, ECDH pubkey 'Q_S' and signed H */
diff --git a/kexdhs.c b/kexdhs.c
index adf70babd..c8be1b2f7 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.29 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.30 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 *
@@ -189,8 +189,8 @@ input_kex_dh_init(int type, u_int32_t seq, struct ssh *ssh)
        }
        /* sign H */
-        if ((r = kex->sign(server_host_private, server_host_public, &signature,
+        if ((r = kex->sign(ssh, server_host_private, server_host_public,
-             &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
+            &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
                goto out;
        /* destroy_sensitive_data(); */
diff --git a/kexecdhs.c b/kexecdhs.c
index c690feffe..45ac3f794 100644
--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhs.c,v 1.18 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: kexecdhs.c,v 1.19 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
 * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -168,8 +168,8 @@ input_kex_ecdh_init(int type, u_int32_t seq, struct ssh *ssh)
        }
        /* sign H */
-        if ((r = kex->sign(server_host_private, server_host_public, &signature,
+        if ((r = kex->sign(ssh, server_host_private, server_host_public,
-             &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
+            &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
                goto out;
        /* destroy_sensitive_data(); */
diff --git a/kexgexs.c b/kexgexs.c
index cd0e758c4..3b2ad37e4 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.36 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.37 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2000 Niels Provos.  All rights reserved.
 * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -223,8 +223,8 @@ input_kex_dh_gex_init(int type, u_int32_t seq, struct ssh *ssh)
        }
        /* sign H */
-        if ((r = kex->sign(server_host_private, server_host_public, &signature,
+        if ((r = kex->sign(ssh, server_host_private, server_host_public,
-             &slen, hash, hashlen, kex->hostkey_alg, ssh->compat)) < 0)
+            &signature, &slen, hash, hashlen, kex->hostkey_alg)) < 0)
                goto out;
        /* destroy_sensitive_data(); */
diff --git a/monitor.c b/monitor.c
index 387b50026..1dcf930d4 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.191 2019/01/19 21:43:07 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.192 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -360,7 +360,7 @@ monitor_child_preauth(struct ssh *ssh, struct monitor *pmonitor)
        ssh->authctxt = NULL;
        ssh_packet_set_log_preamble(ssh, "user %s", authctxt->user);
-        mm_get_keystate(pmonitor);
+        mm_get_keystate(ssh, pmonitor);
        /* Drain any buffered messages from the child */
        while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
@@ -1195,7 +1195,7 @@ mm_answer_keyallowed(struct ssh *ssh, int sock, struct sshbuf *m)
                        if (!key_base_type_match(auth_method, key,
                            options.hostbased_key_types))
                                break;
-                        allowed = hostbased_key_allowed(authctxt->pw,
+                        allowed = hostbased_key_allowed(ssh, authctxt->pw,
                            cuser, chost, key);
                        auth2_record_info(authctxt,
                            "client user \"%.100s\", client host \"%.100s\"",
@@ -1699,7 +1699,7 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 /* This function requries careful sanity checking */
 void
-mm_get_keystate(struct monitor *pmonitor)
+mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
 {
        debug3("%s: Waiting for new keys", __func__);
diff --git a/monitor.h b/monitor.h
index a4b68fbe2..683e5e071 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.22 2019/01/19 21:43:07 djm Exp $ */
+/* $OpenBSD: monitor.h,v 1.23 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -90,5 +90,6 @@ void monitor_apply_keystate(struct ssh *, struct monitor *);
 void mm_request_send(int, enum monitor_reqtype, struct sshbuf *);
 void mm_request_receive(int, struct sshbuf *);
 void mm_request_receive_expect(int, enum monitor_reqtype, struct sshbuf *);
+void mm_get_keystate(struct ssh *, struct monitor *);
 #endif /* _MONITOR_H_ */
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 4bdfd518e..5a0964b69 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.110 2019/01/19 21:43:07 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.111 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
 * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -76,8 +76,6 @@
 #include "ssherr.h"
-extern struct ssh *active_state; /* XXX */
 /* Imports */
 extern struct monitor *pmonitor;
 extern struct sshbuf *loginmsg;
@@ -220,12 +218,12 @@ mm_choose_dh(int min, int nbits, int max)
 #endif
 int
-mm_sshkey_sign(struct sshkey *key, u_char **sigp, size_t *lenp,
+mm_sshkey_sign(struct ssh *ssh, struct sshkey *key, u_char **sigp, size_t *lenp,
    const u_char *data, size_t datalen, const char *hostkey_alg, u_int compat)
 {
        struct kex *kex = *pmonitor->m_pkex;
        struct sshbuf *m;
-        u_int ndx = kex->host_key_index(key, 0, active_state);
+        u_int ndx = kex->host_key_index(key, 0, ssh);
        int r;
        debug3("%s entering", __func__);
@@ -439,8 +437,8 @@ mm_user_key_allowed(struct ssh *ssh, struct passwd *pw, struct sshkey *key,
 }
 int
-mm_hostbased_key_allowed(struct passwd *pw, const char *user, const char *host,
+mm_hostbased_key_allowed(struct ssh *ssh, struct passwd *pw,
-    struct sshkey *key)
+    const char *user, const char *host, struct sshkey *key)
 {
        return (mm_key_allowed(MM_HOSTKEY, user, host, key, 0, NULL));
 }
@@ -533,9 +531,8 @@ mm_sshkey_verify(const struct sshkey *key, const u_char *sig, size_t siglen,
 }
 void
-mm_send_keystate(struct monitor *monitor)
+mm_send_keystate(struct ssh *ssh, struct monitor *monitor)
 {
-        struct ssh *ssh = active_state;         /* XXX */
        struct sshbuf *m;
        int r;
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 8277cbf45..2b7052202 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.40 2019/01/19 21:43:07 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.41 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -42,8 +42,8 @@ struct sshauthopt;
 void mm_log_handler(LogLevel, const char *, void *);
 int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
-int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
+int mm_sshkey_sign(struct ssh *, struct sshkey *, u_char **, size_t *,
-    const char *, u_int compat);
+    const u_char *, size_t, const char *, u_int compat);
 void mm_inform_authserv(char *, char *);
 struct passwd *mm_getpwnamallow(struct ssh *, const char *);
 char *mm_auth2_read_banner(void);
@@ -52,7 +52,7 @@ int mm_key_allowed(enum mm_keytype, const char *, const char *, struct sshkey *,
    int, struct sshauthopt **);
 int mm_user_key_allowed(struct ssh *, struct passwd *, struct sshkey *, int,
    struct sshauthopt **);
-int mm_hostbased_key_allowed(struct passwd *, const char *,
+int mm_hostbased_key_allowed(struct ssh *, struct passwd *, const char *,
    const char *, struct sshkey *);
 int mm_sshkey_verify(const struct sshkey *, const u_char *, size_t,
    const u_char *, size_t, const char *, u_int);
@@ -89,8 +89,7 @@ void mm_session_pty_cleanup2(struct Session *);
 struct newkeys *mm_newkeys_from_blob(u_char *, int);
 int mm_newkeys_to_blob(int, u_char **, u_int *);
-void mm_get_keystate(struct monitor *);
+void mm_send_keystate(struct ssh *, struct monitor*);
-void mm_send_keystate(struct monitor*);
 /* bsdauth */
 int mm_bsdauth_query(void *, char **, char **, u_int *, char ***, u_int **);
diff --git a/serverloop.c b/serverloop.c
index c60758e88..afb32fd34 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.211 2019/01/19 21:40:48 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.212 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -782,9 +782,9 @@ server_input_hostkeys_prove(struct ssh *ssh, struct sshbuf **respp)
                    (r = sshbuf_put_string(sigbuf,
                    ssh->kex->session_id, ssh->kex->session_id_len)) != 0 ||
                    (r = sshkey_puts(key, sigbuf)) != 0 ||
-                    (r = ssh->kex->sign(key_prv, key_pub, &sig, &slen,
+                    (r = ssh->kex->sign(ssh, key_prv, key_pub, &sig, &slen,
                    sshbuf_ptr(sigbuf), sshbuf_len(sigbuf),
-                    use_kexsigtype ? ssh->kex->hostkey_alg : NULL, 0)) != 0 ||
+                    use_kexsigtype ? ssh->kex->hostkey_alg : NULL)) != 0 ||
                    (r = sshbuf_put_string(resp, sig, slen)) != 0) {
                        error("%s: couldn't prepare signature: %s",
                            __func__, ssh_err(r));
diff --git a/ssh.c b/ssh.c
index 160bf6b54..91e7c3511 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.499 2019/01/19 21:36:06 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.500 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -113,8 +113,6 @@
 #include "ssh-pkcs11.h"
 #endif
-extern struct ssh *active_state; /* XXX remove after sshconnect2.c updated */
 extern char *__progname;
 /* Saves a copy of argv for setproctitle emulation */
@@ -652,7 +650,6 @@ main(int ac, char **av)
         */
        if ((ssh = ssh_alloc_session_state()) == NULL)
                fatal("Couldn't allocate session state");
-        active_state = ssh; /* XXX */
        channel_init_channels(ssh);
        /* Parse command-line arguments. */
diff --git a/ssh_api.c b/ssh_api.c
index ab209c4ca..182c0d7e4 100644
--- a/ssh_api.c
+++ b/ssh_api.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh_api.c,v 1.9 2018/12/27 03:25:25 djm Exp $ */
+/* $OpenBSD: ssh_api.c,v 1.10 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Copyright (c) 2012 Markus Friedl.  All rights reserved.
 *
@@ -40,8 +40,8 @@ int	_ssh_order_hostkeyalgs(struct ssh *);
 int     _ssh_verify_host_key(struct sshkey *, struct ssh *);
 struct sshkey *_ssh_host_public_key(int, int, struct ssh *);
 struct sshkey *_ssh_host_private_key(int, int, struct ssh *);
-int     _ssh_host_key_sign(struct sshkey *, struct sshkey *,
+int     _ssh_host_key_sign(struct ssh *, struct sshkey *, struct sshkey *,
-    u_char **, size_t *, const u_char *, size_t, const char *, u_int);
+    u_char **, size_t *, const u_char *, size_t, const char *);
 /*
 * stubs for the server side implementation of kex.
@@ -547,9 +547,10 @@ _ssh_order_hostkeyalgs(struct ssh *ssh)
 }
 int
-_ssh_host_key_sign(struct sshkey *privkey, struct sshkey *pubkey,
+_ssh_host_key_sign(struct ssh *ssh, struct sshkey *privkey,
-    u_char **signature, size_t *slen, const u_char *data, size_t dlen,
+    struct sshkey *pubkey, u_char **signature, size_t *slen,
-    const char *alg, u_int compat)
+    const u_char *data, size_t dlen, const char *alg)
 {
-        return sshkey_sign(privkey, signature, slen, data, dlen, alg, compat);
+        return sshkey_sign(privkey, signature, slen, data, dlen,
+            alg, ssh->compat);
 }
diff --git a/sshd.c b/sshd.c
index 0c93f7f31..58d17e546 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.526 2019/01/19 21:43:07 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.527 2019/01/19 21:43:56 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -123,8 +123,6 @@
 #include "version.h"
 #include "ssherr.h"
-extern struct ssh *active_state; /* XXX move decl to this file */
 /* Re-exec fds */
 #define REEXEC_DEVCRYPTO_RESERVED_FD    (STDERR_FILENO + 1)
 #define REEXEC_STARTUP_PIPE_FD          (STDERR_FILENO + 2)
@@ -225,8 +223,9 @@ struct monitor *pmonitor = NULL;
 int privsep_is_preauth = 1;
 static int privsep_chroot = 1;
-/* global authentication context */
+/* global connection state and authentication contexts */
 Authctxt *the_authctxt = NULL;
+struct ssh *the_active_state;
 /* global key/cert auth options. XXX move to permanent ssh->authctxt? */
 struct sshauthopt *auth_opts = NULL;
@@ -353,9 +352,11 @@ grace_alarm_handler(int sig)
                kill(0, SIGTERM);
        }
+        /* XXX pre-format ipaddr/port so we don't need to access active_state */
        /* Log error and exit. */
        sigdie("Timeout before authentication for %s port %d",
-            ssh_remote_ipaddr(active_state), ssh_remote_port(active_state));
+            ssh_remote_ipaddr(the_active_state),
+            ssh_remote_port(the_active_state));
 }
 /* Destroy the host and server keys.  They will no longer be needed. */
@@ -742,7 +743,7 @@ notify_hostkeys(struct ssh *ssh)
        char *fp;
        /* Some clients cannot cope with the hostkeys message, skip those. */
-        if (datafellows & SSH_BUG_HOSTKEYS)
+        if (ssh->compat & SSH_BUG_HOSTKEYS)
                return;
        if ((buf = sshbuf_new()) == NULL)
@@ -1960,8 +1961,8 @@ main(int ac, char **av)
         */
        if ((ssh = ssh_packet_set_connection(NULL, sock_in, sock_out)) == NULL)
                fatal("Unable to create connection");
+        the_active_state = ssh;
        ssh_packet_set_server(ssh);
-        active_state = ssh; /* XXX needed elsewhere */
        check_ip_options(ssh);
@@ -2060,7 +2061,7 @@ main(int ac, char **av)
         * the current keystate and exits
         */
        if (use_privsep) {
-                mm_send_keystate(pmonitor);
+                mm_send_keystate(ssh, pmonitor);
                ssh_packet_clear_keys(ssh);
                exit(0);
        }
@@ -2139,25 +2140,35 @@ main(int ac, char **av)
 }
 int
-sshd_hostkey_sign(struct sshkey *privkey, struct sshkey *pubkey,
+sshd_hostkey_sign(struct ssh *ssh, struct sshkey *privkey,
-    u_char **signature, size_t *slenp, const u_char *data, size_t dlen,
+    struct sshkey *pubkey, u_char **signature, size_t *slenp,
-    const char *alg, u_int flag)
+    const u_char *data, size_t dlen, const char *alg)
 {
        int r;
-        if (privkey) {
+        if (use_privsep) {
-                if (PRIVSEP(sshkey_sign(privkey, signature, slenp, data, dlen,
+                if (privkey) {
-                    alg, datafellows)) < 0)
+                        if (mm_sshkey_sign(ssh, privkey, signature, slenp,
-                        fatal("%s: key_sign failed", __func__);
+                            data, dlen, alg, ssh->compat) < 0)
-        } else if (use_privsep) {
+                                fatal("%s: privkey sign failed", __func__);
-                if (mm_sshkey_sign(pubkey, signature, slenp, data, dlen,
+                } else {
-                    alg, datafellows) < 0)
+                        if (mm_sshkey_sign(ssh, pubkey, signature, slenp,
-                        fatal("%s: pubkey_sign failed", __func__);
+                            data, dlen, alg, ssh->compat) < 0)
+                                fatal("%s: pubkey sign failed", __func__);
+                }
        } else {
-                if ((r = ssh_agent_sign(auth_sock, pubkey, signature, slenp,
+                if (privkey) {
-                    data, dlen, alg, datafellows)) != 0)
+                        if (sshkey_sign(privkey, signature, slenp, data, dlen,
-                        fatal("%s: ssh_agent_sign failed: %s",
+                            alg, ssh->compat) < 0)
-                            __func__, ssh_err(r));
+                                fatal("%s: privkey sign failed", __func__);
+                } else {
+                        if ((r = ssh_agent_sign(auth_sock, pubkey,
+                            signature, slenp, data, dlen, alg,
+                            ssh->compat)) != 0) {
+                                fatal("%s: agent sign failed: %s",
+                                    __func__, ssh_err(r));
+                        }
+                }
        }
        return 0;
 }
@@ -2232,10 +2243,8 @@ do_ssh2_kex(struct ssh *ssh)
 void
 cleanup_exit(int i)
 {
-        struct ssh *ssh = active_state; /* XXX */
+        if (the_active_state != NULL && the_authctxt != NULL) {
+                do_cleanup(the_active_state, the_authctxt);
-        if (the_authctxt) {
-                do_cleanup(ssh, the_authctxt);
                if (use_privsep && privsep_is_preauth &&
                    pmonitor != NULL && pmonitor->m_pid > 1) {
                        debug("Killing privsep child %d", pmonitor->m_pid);