283 files changed, 17319 insertions, 7125 deletions

diff --git a/ChangeLog b/ChangeLog
index 38de846ff..63aeae556 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,934 @@
+20131006
+ - (djm) Release OpenSSH-6.7
+
+20141003
+ - (djm) [sshd_config.5] typo; from Iain Morgan
+
+20141001
+ - (djm) [openbsd-compat/Makefile.in openbsd-compat/kludge-fd_set.c]
+   [openbsd-compat/openbsd-compat.h] Kludge around bad glibc
+   _FORTIFY_SOURCE check that doesn't grok heap-allocated fd_sets;
+   ok dtucker@
+
+20140910
+ - (djm) [sandbox-seccomp-filter.c] Allow mremap and exit for DietLibc;
+   patch from Felix von Leitner; ok dtucker
+
+20140908
+ - (dtucker) [INSTALL] Update info about egd.  ok djm@
+
+20140904
+ - (djm) [openbsd-compat/arc4random.c] Zero seed after keying PRNG
+
+20140903
+ - (djm) [defines.h sshbuf.c] Move __predict_true|false to defines.h and
+   conditionalise to avoid duplicate definition.
+ - (djm) [contrib/cygwin/ssh-host-config] Fix old code leading to
+   permissions/ACLs; from Corinna Vinschen
+
+20140830
+ - (djm) [openbsd-compat/openssl-compat.h] add
+   OPENSSL_[RD]SA_MAX_MODULUS_BITS defines for OpenSSL that lacks them
+ - (djm) [misc.c] Missing newline between functions
+ - (djm) [openbsd-compat/openssl-compat.h] add include guard
+ - (djm) [Makefile.in] Make TEST_SHELL a variable; "good idea" tim@
+
+20140827
+ - (djm) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
+   [regress/unittests/sshkey/common.c]
+   [regress/unittests/sshkey/test_file.c]
+   [regress/unittests/sshkey/test_fuzz.c]
+   [regress/unittests/sshkey/test_sshkey.c] Don't include openssl/ec.h
+   on !ECC OpenSSL systems
+ - (djm) [monitor.c sshd.c] SIGXFSZ needs to be ignored in postauth
+   monitor, not preauth; bz#2263
+ - (djm) [openbsd-compat/explicit_bzero.c] implement explicit_bzero()
+   using memset_s() where possible; improve fallback to indirect bzero
+   via a volatile pointer to give it more of a chance to avoid being
+   optimised away.
+
+20140825
+ - (djm) [bufec.c] Skip this file on !ECC OpenSSL
+ - (djm) [INSTALL] Recommend libcrypto be built -fPIC, mention LibreSSL,
+   update OpenSSL version requirement.
+
+20140824
+ - (djm) [sftp-server.c] Some systems (e.g. Irix) have prctl() but not
+   PR_SET_DUMPABLE, so adjust ifdef; reported by Tom Christensen
+
+20140823
+ - (djm) [sshd.c] Ignore SIGXFSZ in preauth monitor child; can explode on
+   lastlog writing on platforms with high UIDs; bz#2263
+ - (djm) [configure.ac] We now require a working vsnprintf everywhere (not
+   just for systems that lack asprintf); check for it always and extend
+   test to catch more brokenness. Fixes builds on Solaris <= 9
+
+20140822
+ - (djm) [configure.ac] include leading zero characters in OpenSSL version
+   number; fixes test for unsupported versions
+ - (djm) [sshbuf-getput-crypto.c] Fix compilation when OpenSSL lacks ECC
+ - (djm) [openbsd-compat/bsd-snprintf.c] Fix compilation failure (prototype/
+   definition mismatch) and warning for broken/missing snprintf case.
+ - (djm) [configure.ac] double braces to appease autoconf
+
+20140821
+ - (djm) [Makefile.in] fix reference to libtest_helper.a in sshkey test too.
+ - (djm) [key.h] Fix ifdefs for no-ECC OpenSSL
+ - (djm) [regress/unittests/test_helper/test_helper.c] Fix for systems that
+   don't set __progname. Diagnosed by Tom Christensen.
+
+20140820
+ - (djm) [configure.ac] Check OpenSSL version is supported at configure time;
+   suggested by Kevin Brott
+ - (djm) [Makefile.in] refer to libtest_helper.a by explicit path rather than
+   -L/-l; fixes linking problems on some platforms
+ - (djm) [sshkey.h] Fix compilation when OpenSSL lacks ECC
+ - (djm) [contrib/cygwin/README] Correct build instructions; from Corinna
+
+20140819
+ - (djm) [serverloop.c] Fix syntax error on Cygwin; from Corinna Vinschen
+ - (djm) [sshbuf.h] Fix compilation on systems without OPENSSL_HAS_ECC.
+ - (djm) [ssh-dss.c] Include openssl/dsa.h for DSA_SIG
+ - (djm) [INSTALL contrib/caldera/openssh.spec contrib/cygwin/README]
+   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Remove mentions
+   of TCP wrappers.
+
+20140811
+ - (djm) [myproposal.h] Make curve25519 KEX dependent on
+   HAVE_EVP_SHA256 instead of OPENSSL_HAS_ECC.
+
+20140810
+ - (djm) [README contrib/caldera/openssh.spec]
+   [contrib/redhat/openssh.spec contrib/suse/openssh.spec] Update versions
+
+20140801
+ - (djm) [regress/multiplex.sh] Skip test for non-OpenBSD netcat. We need
+   a better solution, but this will have to do for now.
+ - (djm) [regress/multiplex.sh] Instruct nc not to quit as soon as stdin
+   is closed; avoid regress failures when stdin is /dev/null
+ - (djm) [regress/multiplex.sh] Use -d (detach stdin) flag to disassociate
+   nc from stdin, it's more portable
+
+20140730
+ - OpenBSD CVS Sync
+   - millert@cvs.openbsd.org 2014/07/24 22:57:10
+     [ssh.1]
+     Mention UNIX-domain socket forwarding too.  OK jmc@ deraadt@
+   - dtucker@cvs.openbsd.org 2014/07/25 21:22:03
+     [ssh-agent.c]
+     Clear buffer used for handling messages.  This prevents keys being
+     left in memory after they have been expired or deleted in some cases
+     (but note that ssh-agent is setgid so you would still need root to
+     access them).  Pointed out by Kevin Burns, ok deraadt
+   - schwarze@cvs.openbsd.org 2014/07/28 15:40:08
+     [sftp-server.8 sshd_config.5]
+     some systems no longer need /dev/log;
+     issue noticed by jirib;
+     ok deraadt
+
+20140725
+ - (djm) [regress/multiplex.sh] restore incorrectly deleted line;
+   pointed out by Christian Hesse
+
+20140722
+ - (djm) [regress/multiplex.sh] ssh mux master lost -N somehow;
+   put it back
+ - (djm) [regress/multiplex.sh] change the test for still-open Unix
+   domain sockets to be robust against nc implementations that produce
+   error messages.
+ - (dtucker) [regress/unittests/sshkey/test_{file,fuzz,sshkey}.c] Wrap ecdsa-
+   specific tests inside OPENSSL_HAS_ECC.
+ - (dtucker) OpenBSD CVS Sync
+   - dtucker@cvs.openbsd.org 2014/07/22 01:18:50
+     [key.c]
+     Prevent spam from key_load_private_pem during hostbased auth.  ok djm@
+   - guenther@cvs.openbsd.org 2014/07/22 07:13:42
+     [umac.c]
+     Convert from <sys/endian.h> to the shiney new <endian.h>
+     ok dtucker@, who also confirmed that -portable handles this already
+     (ID sync only, includes.h pulls in endian.h if available.)
+   - djm@cvs.openbsd.org 2014/07/22 01:32:12
+     [regress/multiplex.sh]
+     change the test for still-open Unix domain sockets to be robust against
+     nc implementations that produce error messages. from -portable
+     (Id sync only)
+   - dtucker@cvs.openbsd.org 2014/07/22 23:23:22
+     [regress/unittests/sshkey/mktestdata.sh]
+     Sign test certs with ed25519 instead of ecdsa so that they'll work in
+     -portable on platforms that don't have ECDSA in their OpenSSL.  ok djm
+   - dtucker@cvs.openbsd.org 2014/07/22 23:57:40
+     [regress/unittests/sshkey/mktestdata.sh]
+     Add $OpenBSD tag to make syncs easier
+   - dtucker@cvs.openbsd.org 2014/07/22 23:35:38
+     [regress/unittests/sshkey/testdata/*]
+     Regenerate test keys with certs signed with ed25519 instead of ecdsa.
+     These can be used in -portable on platforms that don't support ECDSA.
+
+20140721
+ - OpenBSD CVS Sync
+   - millert@cvs.openbsd.org 2014/07/15 15:54:15
+     [forwarding.sh multiplex.sh]
+     Add support for Unix domain socket forwarding.  A remote TCP port
+     may be forwarded to a local Unix domain socket and vice versa or
+     both ends may be a Unix domain socket.  This is a reimplementation
+     of the streamlocal patches by William Ahern from:
+         http://www.25thandclement.com/~william/projects/streamlocal.html
+     OK djm@ markus@
+ - (djm) [regress/multiplex.sh] Not all netcat accept the -N option.
+ - (dtucker) [sshkey.c] ifdef out unused variable when compiling without
+   OPENSSL_HAS_ECC.
+
+20140721
+ - (dtucker) [cipher.c openbsd-compat/openssl-compat.h] Restore the bits
+   needed to build AES CTR mode against OpenSSL 0.9.8f and above.  ok djm
+ - (dtucker) [regress/unittests/sshkey/
+   {common,test_file,test_fuzz,test_sshkey}.c] Wrap stdint.h includes in
+   ifdefs.
+
+20140719
+ - (tim) [openbsd-compat/port-uw.c] Include misc.h for fwd_opts, used
+   in servconf.h.
+
+20140718
+ - OpenBSD CVS Sync
+   - millert@cvs.openbsd.org 2014/07/15 15:54:14
+     [PROTOCOL auth-options.c auth-passwd.c auth-rh-rsa.c auth-rhosts.c]
+     [auth-rsa.c auth.c auth1.c auth2-hostbased.c auth2-kbdint.c auth2-none.c]
+     [auth2-passwd.c auth2-pubkey.c auth2.c canohost.c channels.c channels.h]
+     [clientloop.c misc.c misc.h monitor.c mux.c packet.c readconf.c]
+     [readconf.h servconf.c servconf.h serverloop.c session.c ssh-agent.c]
+     [ssh.c ssh_config.5 sshconnect.c sshconnect1.c sshconnect2.c sshd.c]
+     [sshd_config.5 sshlogin.c]
+     Add support for Unix domain socket forwarding.  A remote TCP port
+     may be forwarded to a local Unix domain socket and vice versa or
+     both ends may be a Unix domain socket.  This is a reimplementation
+     of the streamlocal patches by William Ahern from:
+         http://www.25thandclement.com/~william/projects/streamlocal.html
+     OK djm@ markus@
+   - jmc@cvs.openbsd.org 2014/07/16 14:48:57
+     [ssh.1]
+     add the streamlocal* options to ssh's -o list; millert says they're
+     irrelevant for scp/sftp;
+     ok markus millert
+   - djm@cvs.openbsd.org 2014/07/17 00:10:56
+     [sandbox-systrace.c]
+     ifdef SYS_sendsyslog so this will compile without patching on -stable
+   - djm@cvs.openbsd.org 2014/07/17 00:10:18
+     [mux.c]
+     preserve errno across syscall
+   - djm@cvs.openbsd.org 2014/07/17 00:12:03
+     [key.c]
+     silence "incorrect passphrase" error spam; reported and ok dtucker@
+   - djm@cvs.openbsd.org 2014/07/17 07:22:19
+     [mux.c ssh.c]
+     reflect stdio-forward ("ssh -W host:port ...") failures in exit status.
+     previously we were always returning 0. bz#2255 reported by Brendan
+     Germain; ok dtucker
+   - djm@cvs.openbsd.org 2014/07/18 02:46:01
+     [ssh-agent.c]
+     restore umask around listener socket creation (dropped in streamlocal patch
+     merge)
+ - (dtucker) [auth2-gss.c gss-serv-krb5.c] Include misc.h for fwd_opts, used
+   in servconf.h.
+ - (dtucker) [Makefile.in] Add a t-exec target to run just the executable
+   tests.
+ - (dtucker) [key.c sshkey.c] Put new ecdsa bits inside ifdef OPENSSL_HAS_ECC.
+
+20140717
+ - (djm) [digest-openssl.c] Preserve array order when disabling digests.
+   Reported by Petr Lautrbach.
+ - OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2014/07/11 08:09:54
+     [sandbox-systrace.c]
+     Permit use of SYS_sendsyslog from inside the sandbox.  Clock is ticking,
+     update your kernels and sshd soon.. libc will start using sendsyslog()
+     in about 4 days.
+   - tedu@cvs.openbsd.org 2014/07/11 13:54:34
+     [myproposal.h]
+     by popular demand, add back hamc-sha1 to server proposal for better compat
+     with many clients still in use. ok deraadt
+
+20140715
+ - (djm) [configure.ac] Delay checks for arc4random* until after libcrypto
+   has been located; fixes builds agains libressl-portable
+
+20140711
+ - OpenBSD CVS Sync
+   - benno@cvs.openbsd.org 2014/07/09 14:15:56
+     [ssh-add.c]
+     fix ssh-add crash while loading more than one key
+     ok markus@
+
+20140709
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/07/07 08:19:12
+     [ssh_config.5]
+     mention that ProxyCommand is executed using shell "exec" to avoid
+     a lingering process; bz#1977
+   - djm@cvs.openbsd.org 2014/07/09 01:45:10
+     [sftp.c]
+     more useful error message when GLOB_NOSPACE occurs;
+     bz#2254, patch from Orion Poplawski
+   - djm@cvs.openbsd.org 2014/07/09 03:02:15
+     [key.c]
+     downgrade more error() to debug() to better match what old authfile.c
+     did; suppresses spurious errors with hostbased authentication enabled
+   - djm@cvs.openbsd.org 2014/07/06 07:42:03
+     [multiplex.sh test-exec.sh]
+     add a hook to the cleanup() function to kill $SSH_PID if it is set
+     
+     use it to kill the mux master started in multiplex.sh (it was being left
+     around on fatal failures)
+   - djm@cvs.openbsd.org 2014/07/07 08:15:26
+     [multiplex.sh]
+     remove forced-fatal that I stuck in there to test the new cleanup
+     logic and forgot to remove...
+
+20140706
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/07/03 23:18:35
+     [authfile.h]
+     remove leakmalloc droppings
+   - djm@cvs.openbsd.org 2014/07/05 23:11:48
+     [channels.c]
+     fix remote-forward cancel regression; ok markus@
+
+20140704
+ - OpenBSD CVS Sync
+   - jsing@cvs.openbsd.org 2014/07/03 12:42:16
+     [cipher-chachapoly.c]
+     Call chacha_ivsetup() immediately before chacha_encrypt_bytes() - this
+     makes it easier to verify that chacha_encrypt_bytes() is only called once
+     per chacha_ivsetup() call.
+     ok djm@
+   - djm@cvs.openbsd.org 2014/07/03 22:23:46
+     [sshconnect.c]
+     when rekeying, skip file/DNS lookup if it is the same as the key sent
+     during initial key exchange. bz#2154 patch from Iain Morgan; ok markus@
+   - djm@cvs.openbsd.org 2014/07/03 22:33:41
+     [channels.c]
+     allow explicit ::1 and 127.0.0.1 forwarding bind addresses when
+     GatewayPorts=no; allows client to choose address family;
+     bz#2222 ok markus@
+   - djm@cvs.openbsd.org 2014/07/03 22:40:43
+     [servconf.c servconf.h session.c sshd.8 sshd_config.5]
+     Add a sshd_config PermitUserRC option to control whether ~/.ssh/rc is
+     executed, mirroring the no-user-rc authorized_keys option;
+     bz#2160; ok markus@
+
+20140703
+ - (djm) [digest-openssl.c configure.ac] Disable RIPEMD160 if libcrypto
+   doesn't support it.
+ - (djm) [monitor_fdpass.c] Use sys/poll.h if poll.h doesn't exist;
+   bz#2237
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/07/03 01:45:38
+     [sshkey.c]
+     make Ed25519 keys' title fit properly in the randomart border; bz#2247
+     based on patch from Christian Hesse
+   - djm@cvs.openbsd.org 2014/07/03 03:11:03
+     [ssh-agent.c]
+     Only cleanup agent socket in the main agent process and not in any
+     subprocesses it may have started (e.g. forked askpass). Fixes
+     agent sockets being zapped when askpass processes fatal();
+     bz#2236 patch from Dmitry V. Levin
+   - djm@cvs.openbsd.org 2014/07/03 03:15:01
+     [ssh-add.c]
+     make stdout line-buffered; saves partial output getting lost when
+     ssh-add fatal()s part-way through (e.g. when listing keys from an
+     agent that supports key types that ssh-add doesn't);
+     bz#2234, reported by Phil Pennock
+   - djm@cvs.openbsd.org 2014/07/03 03:26:43
+     [digest-openssl.c]
+     use EVP_Digest() for one-shot hash instead of creating, updating,
+     finalising and destroying a context.
+     bz#2231, based on patch from Timo Teras
+   - djm@cvs.openbsd.org 2014/07/03 03:34:09
+     [gss-serv.c session.c ssh-keygen.c]
+     standardise on NI_MAXHOST for gethostname() string lengths; about
+     1/2 the cases were using it already. Fixes bz#2239 en passant
+   - djm@cvs.openbsd.org 2014/07/03 03:47:27
+     [ssh-keygen.c]
+     When hashing or removing hosts using ssh-keygen, don't choke on
+     @revoked markers and don't remove @cert-authority markers;
+     bz#2241, reported by mlindgren AT runelind.net
+   - djm@cvs.openbsd.org 2014/07/03 04:36:45
+     [digest.h]
+     forward-declare struct sshbuf so consumers don't need to include sshbuf.h
+   - djm@cvs.openbsd.org 2014/07/03 05:32:36
+     [ssh_config.5]
+     mention '%%' escape sequence in HostName directives and how it may
+     be used to specify IPv6 link-local addresses
+   - djm@cvs.openbsd.org 2014/07/03 05:38:17
+     [ssh.1]
+     document that -g will only work in the multiplexed case if applied to
+     the mux master
+   - djm@cvs.openbsd.org 2014/07/03 06:39:19
+     [ssh.c ssh_config.5]
+     Add a %C escape sequence for LocalCommand and ControlPath that expands
+     to a unique identifer based on a has of the tuple of (local host,
+     remote user, hostname, port).
+     
+     Helps avoid exceeding sockaddr_un's miserly pathname limits for mux
+     control paths.
+     
+     bz#2220, based on patch from mancha1 AT zoho.com; ok markus@
+   - jmc@cvs.openbsd.org 2014/07/03 07:45:27
+     [ssh_config.5]
+     escape %C since groff thinks it part of an Rs/Re block;
+   - djm@cvs.openbsd.org 2014/07/03 11:16:55
+     [auth.c auth.h auth1.c auth2.c]
+     make the "Too many authentication failures" message include the
+     user, source address, port and protocol in a format similar to the
+     authentication success / failure messages; bz#2199, ok dtucker
+
+20140702
+ - OpenBSD CVS Sync
+   - deraadt@cvs.openbsd.org 2014/06/13 08:26:29
+     [sandbox-systrace.c]
+     permit SYS_getentropy
+     from matthew
+   - matthew@cvs.openbsd.org 2014/06/18 02:59:13
+     [sandbox-systrace.c]
+     Now that we have a dedicated getentropy(2) system call for
+     arc4random(3), we can disallow __sysctl(2) in OpenSSH's systrace
+     sandbox.
+     
+     ok djm
+   - naddy@cvs.openbsd.org 2014/06/18 15:42:09
+     [sshbuf-getput-crypto.c]
+     The ssh_get_bignum functions must accept the same range of bignums
+     the corresponding ssh_put_bignum functions create.  This fixes the
+     use of 16384-bit RSA keys (bug reported by Eivind Evensen).
+     ok djm@
+   - djm@cvs.openbsd.org 2014/06/24 00:52:02
+     [krl.c]
+     fix bug in KRL generation: multiple consecutive revoked certificate
+     serial number ranges could be serialised to an invalid format.
+     
+     Readers of a broken KRL caused by this bug will fail closed, so no
+     should-have-been-revoked key will be accepted.
+   - djm@cvs.openbsd.org 2014/06/24 01:13:21
+     [Makefile.in auth-bsdauth.c auth-chall.c auth-options.c auth-rsa.c
+     [auth2-none.c auth2-pubkey.c authfile.c authfile.h cipher-3des1.c
+     [cipher-chachapoly.c cipher-chachapoly.h cipher.c cipher.h
+     [digest-libc.c digest-openssl.c digest.h dns.c entropy.c hmac.h
+     [hostfile.c key.c key.h krl.c monitor.c packet.c rsa.c rsa.h
+     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c
+     [ssh-keygen.c ssh-pkcs11-client.c ssh-pkcs11-helper.c ssh-pkcs11.c
+     [ssh-rsa.c sshbuf-misc.c sshbuf.h sshconnect.c sshconnect1.c
+     [sshconnect2.c sshd.c sshkey.c sshkey.h
+     [openbsd-compat/openssl-compat.c openbsd-compat/openssl-compat.h]
+     New key API: refactor key-related functions to be more library-like,
+     existing API is offered as a set of wrappers.
+     
+     with and ok markus@
+     
+     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
+     Dempsky and Ron Bowes for a detailed review a few months ago.
+     NB. This commit also removes portable OpenSSH support for OpenSSL
+     <0.9.8e.
+   - djm@cvs.openbsd.org 2014/06/24 02:19:48
+     [ssh.c]
+     don't fatal() when hostname canonicalisation fails with a
+     ProxyCommand in use; continue and allow the ProxyCommand to
+     connect anyway (e.g. to a host with a name outside the DNS
+     behind a bastion)
+   - djm@cvs.openbsd.org 2014/06/24 02:21:01
+     [scp.c]
+     when copying local->remote fails during read, don't send uninitialised
+     heap to the remote end. Reported by Jann Horn
+   - deraadt@cvs.openbsd.org 2014/06/25 14:16:09
+     [sshbuf.c]
+     unblock SIGSEGV before raising it
+     ok djm
+   - markus@cvs.openbsd.org 2014/06/27 16:41:56
+     [channels.c channels.h clientloop.c ssh.c]
+     fix remote fwding with same listen port but different listen address
+     with gerhard@, ok djm@
+   - markus@cvs.openbsd.org 2014/06/27 18:50:39
+     [ssh-add.c]
+     fix loading of private keys
+   - djm@cvs.openbsd.org 2014/06/30 12:54:39
+     [key.c]
+     suppress spurious error message when loading key with a passphrase;
+     reported by kettenis@ ok markus@
+   - djm@cvs.openbsd.org 2014/07/02 04:59:06
+     [cipher-3des1.c]
+     fix ssh protocol 1 on the server that regressed with the sshkey change
+     (sometimes fatal() after auth completed), make file return useful status
+     codes.
+     NB. Id sync only for these two. They were bundled into the sshkey merge
+     above, since it was easier to sync the entire file and then apply
+     portable-specific changed atop it.
+   - djm@cvs.openbsd.org 2014/04/30 05:32:00
+     [regress/Makefile]
+     unit tests for new buffer API; including basic fuzz testing
+     NB. Id sync only.
+   - djm@cvs.openbsd.org 2014/05/21 07:04:21
+     [regress/integrity.sh]
+     when failing because of unexpected output, show the offending output
+   - djm@cvs.openbsd.org 2014/06/24 01:04:43
+     [regress/krl.sh]
+     regress test for broken consecutive revoked serial number ranges
+   - djm@cvs.openbsd.org 2014/06/24 01:14:17
+     [Makefile.in regress/Makefile regress/unittests/Makefile]
+     [regress/unittests/sshkey/Makefile]
+     [regress/unittests/sshkey/common.c]
+     [regress/unittests/sshkey/common.h]
+     [regress/unittests/sshkey/mktestdata.sh]
+     [regress/unittests/sshkey/test_file.c]
+     [regress/unittests/sshkey/test_fuzz.c]
+     [regress/unittests/sshkey/test_sshkey.c]
+     [regress/unittests/sshkey/tests.c]
+     [regress/unittests/sshkey/testdata/dsa_1]
+     [regress/unittests/sshkey/testdata/dsa_1-cert.fp]
+     [regress/unittests/sshkey/testdata/dsa_1-cert.pub]
+     [regress/unittests/sshkey/testdata/dsa_1.fp]
+     [regress/unittests/sshkey/testdata/dsa_1.fp.bb]
+     [regress/unittests/sshkey/testdata/dsa_1.param.g]
+     [regress/unittests/sshkey/testdata/dsa_1.param.priv]
+     [regress/unittests/sshkey/testdata/dsa_1.param.pub]
+     [regress/unittests/sshkey/testdata/dsa_1.pub]
+     [regress/unittests/sshkey/testdata/dsa_1_pw]
+     [regress/unittests/sshkey/testdata/dsa_2]
+     [regress/unittests/sshkey/testdata/dsa_2.fp]
+     [regress/unittests/sshkey/testdata/dsa_2.fp.bb]
+     [regress/unittests/sshkey/testdata/dsa_2.pub]
+     [regress/unittests/sshkey/testdata/dsa_n]
+     [regress/unittests/sshkey/testdata/dsa_n_pw]
+     [regress/unittests/sshkey/testdata/ecdsa_1]
+     [regress/unittests/sshkey/testdata/ecdsa_1-cert.fp]
+     [regress/unittests/sshkey/testdata/ecdsa_1-cert.pub]
+     [regress/unittests/sshkey/testdata/ecdsa_1.fp]
+     [regress/unittests/sshkey/testdata/ecdsa_1.fp.bb]
+     [regress/unittests/sshkey/testdata/ecdsa_1.param.curve]
+     [regress/unittests/sshkey/testdata/ecdsa_1.param.priv]
+     [regress/unittests/sshkey/testdata/ecdsa_1.param.pub]
+     [regress/unittests/sshkey/testdata/ecdsa_1.pub]
+     [regress/unittests/sshkey/testdata/ecdsa_1_pw]
+     [regress/unittests/sshkey/testdata/ecdsa_2]
+     [regress/unittests/sshkey/testdata/ecdsa_2.fp]
+     [regress/unittests/sshkey/testdata/ecdsa_2.fp.bb]
+     [regress/unittests/sshkey/testdata/ecdsa_2.param.curve]
+     [regress/unittests/sshkey/testdata/ecdsa_2.param.priv]
+     [regress/unittests/sshkey/testdata/ecdsa_2.param.pub]
+     [regress/unittests/sshkey/testdata/ecdsa_2.pub]
+     [regress/unittests/sshkey/testdata/ecdsa_n]
+     [regress/unittests/sshkey/testdata/ecdsa_n_pw]
+     [regress/unittests/sshkey/testdata/ed25519_1]
+     [regress/unittests/sshkey/testdata/ed25519_1-cert.fp]
+     [regress/unittests/sshkey/testdata/ed25519_1-cert.pub]
+     [regress/unittests/sshkey/testdata/ed25519_1.fp]
+     [regress/unittests/sshkey/testdata/ed25519_1.fp.bb]
+     [regress/unittests/sshkey/testdata/ed25519_1.pub]
+     [regress/unittests/sshkey/testdata/ed25519_1_pw]
+     [regress/unittests/sshkey/testdata/ed25519_2]
+     [regress/unittests/sshkey/testdata/ed25519_2.fp]
+     [regress/unittests/sshkey/testdata/ed25519_2.fp.bb]
+     [regress/unittests/sshkey/testdata/ed25519_2.pub]
+     [regress/unittests/sshkey/testdata/pw]
+     [regress/unittests/sshkey/testdata/rsa1_1]
+     [regress/unittests/sshkey/testdata/rsa1_1.fp]
+     [regress/unittests/sshkey/testdata/rsa1_1.fp.bb]
+     [regress/unittests/sshkey/testdata/rsa1_1.param.n]
+     [regress/unittests/sshkey/testdata/rsa1_1.pub]
+     [regress/unittests/sshkey/testdata/rsa1_1_pw]
+     [regress/unittests/sshkey/testdata/rsa1_2]
+     [regress/unittests/sshkey/testdata/rsa1_2.fp]
+     [regress/unittests/sshkey/testdata/rsa1_2.fp.bb]
+     [regress/unittests/sshkey/testdata/rsa1_2.param.n]
+     [regress/unittests/sshkey/testdata/rsa1_2.pub]
+     [regress/unittests/sshkey/testdata/rsa_1]
+     [regress/unittests/sshkey/testdata/rsa_1-cert.fp]
+     [regress/unittests/sshkey/testdata/rsa_1-cert.pub]
+     [regress/unittests/sshkey/testdata/rsa_1.fp]
+     [regress/unittests/sshkey/testdata/rsa_1.fp.bb]
+     [regress/unittests/sshkey/testdata/rsa_1.param.n]
+     [regress/unittests/sshkey/testdata/rsa_1.param.p]
+     [regress/unittests/sshkey/testdata/rsa_1.param.q]
+     [regress/unittests/sshkey/testdata/rsa_1.pub]
+     [regress/unittests/sshkey/testdata/rsa_1_pw]
+     [regress/unittests/sshkey/testdata/rsa_2]
+     [regress/unittests/sshkey/testdata/rsa_2.fp]
+     [regress/unittests/sshkey/testdata/rsa_2.fp.bb]
+     [regress/unittests/sshkey/testdata/rsa_2.param.n]
+     [regress/unittests/sshkey/testdata/rsa_2.param.p]
+     [regress/unittests/sshkey/testdata/rsa_2.param.q]
+     [regress/unittests/sshkey/testdata/rsa_2.pub]
+     [regress/unittests/sshkey/testdata/rsa_n]
+     [regress/unittests/sshkey/testdata/rsa_n_pw]
+     unit and fuzz tests for new key API
+ - (djm) [sshkey.c] Conditionalise inclusion of util.h
+ - (djm) [regress/Makefile] fix execution of sshkey unit/fuzz test
+
+20140618
+ - (tim) [openssh/session.c] Work around to get chroot sftp working on UnixWare
+
+20140617
+ - (dtucker) [entropy.c openbsd-compat/openssl-compat.{c,h}
+   openbsd-compat/regress/{.cvsignore,Makefile.in,opensslvertest.c}]
+   Move the OpenSSL header/library version test into its own function and add
+   tests for it. Fix it to allow fix version upgrades (but not downgrades).
+   Prompted by chl@ via OpenSMTPD (issue #462) and Debian (bug #748150).
+   ok djm@ chl@
+
+20140616
+ - (dtucker) [defines.h] Fix undef of _PATH_MAILDIR.  From rak at debian via
+   OpenSMTPD and chl@
+
+20140612
+ - (dtucker) [configure.ac] Remove tcpwrappers support, support has already
+   been removed from sshd.c.
+
+20140611
+ - (dtucker) [defines.h] Add va_copy if we don't already have it, taken from
+   openbsd-compat/bsd-asprintf.c.
+ - (dtucker) [regress/unittests/sshbuf/*.c regress/unittests/test_helper/*]
+   Wrap stdlib.h include an ifdef for platforms that don't have it.
+ - (tim) [regress/unittests/test_helper/test_helper.h] Add includes.h for
+   u_intXX_t types.
+
+20140610
+ - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
+   regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] Only do NISTP256
+   curve tests if OpenSSL has them.
+ - (dtucker) [myprosal.h] Don't include curve25519-sha256@libssh.org in
+   the proposal if the version of OpenSSL we're using doesn't support ECC.
+ - (dtucker) [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c] ifdef
+   ECC variable too.
+ - (dtucker) OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/06/05 22:17:50
+     [sshconnect2.c]
+     fix inverted test that caused PKCS#11 keys that were explicitly listed
+     not to be preferred. Reported by Dirk-Willem van Gulik
+   - dtucker@cvs.openbsd.org 2014/06/10 21:46:11
+     [sshbuf.h]
+     Group ECC functions together to make things a little easier in -portable.
+     "doesn't bother me" deraadt@
+ - (dtucker) [sshbuf.h] Only declare ECC functions if building without
+   OpenSSL or if OpenSSL has ECC.
+ - (dtucker) [openbsd-compat/arc4random.c] Use explicit_bzero instead of an
+   assigment that might get optimized out.  ok djm@
+ - (dtucker) [bufaux.c bufbn.c bufec.c buffer.c] Pull in includes.h for
+   compat stuff, specifically whether or not OpenSSL has ECC.
+
+20140527
+ - (djm) [cipher.c] Fix merge botch.
+ - (djm) [contrib/cygwin/ssh-host-config] Updated Cygwin ssh-host-config
+   from Corinna Vinschen, fixing a number of bugs and preparing for
+   Cygwin 1.7.30.
+ - (djm) [configure.ac openbsd-compat/bsd-cygwin_util.c]
+   [openbsd-compat/bsd-cygwin_util.h] On Cygwin, determine privilege
+   separation user at runtime, since it may need to be a domain account.
+   Patch from Corinna Vinschen.
+
+20140522
+ - (djm) [Makefile.in] typo in path
+
+20140521
+ - (djm) [commit configure.ac defines.h sshpty.c] don't attempt to use
+   vhangup on Linux. It doens't work for non-root users, and for them
+   it just messes up the tty settings.
+ - (djm) [misc.c] Use CLOCK_BOOTTIME in preference to CLOCK_MONOTONIC
+   when it is available. It takes into account time spent suspended,
+   thereby ensuring timeouts (e.g. for expiring agent keys) fire
+   correctly. bz#2228 reported by John Haxby
+
+20140519
+ - (djm) [rijndael.c rijndael.h] Sync with newly-ressurected versions ine
+   OpenBSD
+ - OpenBSD CVS Sync
+   - logan@cvs.openbsd.org 2014/04/20 09:24:26
+     [dns.c dns.h ssh-keygen.c]
+     Add support for SSHFP DNS records for ED25519 key types.
+     OK from djm@
+   - logan@cvs.openbsd.org 2014/04/21 14:36:16
+     [sftp-client.c sftp-client.h sftp.c]
+     Implement sftp upload resume support.
+     OK from djm@, with input from guenther@, mlarkin@ and
+     okan@
+   - logan@cvs.openbsd.org 2014/04/22 10:07:12
+     [sftp.c]
+     Sort the sftp command list.
+     OK from djm@
+   - logan@cvs.openbsd.org 2014/04/22 12:42:04
+     [sftp.1]
+     Document sftp upload resume.
+     OK from djm@, with feedback from okan@.
+   - jmc@cvs.openbsd.org 2014/04/22 14:16:30
+     [sftp.1]
+     zap eol whitespace;
+   - djm@cvs.openbsd.org 2014/04/23 12:42:34
+     [readconf.c]
+     don't record duplicate IdentityFiles
+   - djm@cvs.openbsd.org 2014/04/28 03:09:18
+     [authfile.c bufaux.c buffer.h channels.c krl.c mux.c packet.c packet.h]
+     [ssh-keygen.c]
+     buffer_get_string_ptr's return should be const to remind
+     callers that futzing with it will futz with the actual buffer
+     contents
+   - djm@cvs.openbsd.org 2014/04/29 13:10:30
+     [clientloop.c serverloop.c]
+     bz#1818 - don't send channel success/failre replies on channels that
+     have sent a close already; analysis and patch from Simon Tatham;
+     ok markus@
+   - markus@cvs.openbsd.org 2014/04/29 18:01:49
+     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
+     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
+     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
+     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
+     make compiling against OpenSSL optional (make OPENSSL=no);
+     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
+     allows us to explore further options; with and ok djm
+   - dtucker@cvs.openbsd.org 2014/04/29 19:58:50
+     [sftp.c]
+     Move nulling of variable next to where it's freed.  ok markus@
+   - dtucker@cvs.openbsd.org 2014/04/29 20:36:51
+     [sftp.c]
+     Don't attempt to append a nul quote char to the filename.  Should prevent
+     fatal'ing with "el_insertstr failed" when there's a single quote char
+     somewhere in the string.  bz#2238, ok markus@
+   - djm@cvs.openbsd.org 2014/04/30 05:29:56
+     [bufaux.c bufbn.c bufec.c buffer.c buffer.h sshbuf-getput-basic.c]
+     [sshbuf-getput-crypto.c sshbuf-misc.c sshbuf.c sshbuf.h ssherr.c]
+     [ssherr.h]
+     New buffer API; the first installment of the conversion/replacement
+     of OpenSSH's internals to make them usable as a standalone library.
+     
+     This includes a set of wrappers to make it compatible with the
+     existing buffer API so replacement can occur incrementally.
+     
+     With and ok markus@
+     
+     Thanks also to Ben Hawkes, David Tomaschik, Ivan Fratric, Matthew
+     Dempsky and Ron Bowes for a detailed review.
+   - naddy@cvs.openbsd.org 2014/04/30 19:07:48
+     [mac.c myproposal.h umac.c]
+     UMAC can use our local fallback implementation of AES when OpenSSL isn't
+     available.  Glue code straight from Ted Krovetz's original umac.c.
+     ok markus@
+   - djm@cvs.openbsd.org 2014/05/02 03:27:54
+     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c]
+     [misc.h poly1305.h ssh-pkcs11.c defines.h]
+     revert __bounded change; it causes way more problems for portable than
+     it solves; pointed out by dtucker@
+   - markus@cvs.openbsd.org 2014/05/03 17:20:34
+     [monitor.c packet.c packet.h]
+     unbreak compression, by re-init-ing the compression code in the
+     post-auth child. the new buffer code is more strict, and requires
+     buffer_init() while the old code was happy after a bzero();
+     originally from djm@
+   - logan@cvs.openbsd.org 2014/05/05 07:02:30
+     [sftp.c]
+     Zap extra whitespace.
+     
+     OK from djm@ and dtucker@
+ - (djm) [configure.ac] Unconditionally define WITH_OPENSSL until we write
+   portability glue to support building without libcrypto
+ - (djm) [Makefile.in configure.ac sshbuf-getput-basic.c]
+   [sshbuf-getput-crypto.c sshbuf.c] compilation and portability fixes
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/03/13 20:44:49
+     [login-timeout.sh]
+     this test is a sorry mess of race conditions; add another sleep
+     to avoid a failure on slow machines (at least until I find a
+     better way)
+   - djm@cvs.openbsd.org 2014/04/21 22:15:37
+     [dhgex.sh integrity.sh kextype.sh rekey.sh try-ciphers.sh]
+     repair regress tests broken by server-side default cipher/kex/mac changes
+     by ensuring that the option under test is included in the server's
+     algorithm list
+   - dtucker@cvs.openbsd.org 2014/05/03 18:46:14
+     [proxy-connect.sh]
+     Add tests for with and without compression, with and without privsep.
+   - logan@cvs.openbsd.org 2014/05/04 10:40:59
+     [connect-privsep.sh]
+     Remove the Z flag from the list of malloc options as it
+     was removed from malloc.c 10 days ago.
+     
+     OK from miod@
+ - (djm) [regress/unittests/Makefile]
+   [regress/unittests/Makefile.inc]
+   [regress/unittests/sshbuf/Makefile]
+   [regress/unittests/sshbuf/test_sshbuf.c]
+   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
+   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
+   [regress/unittests/sshbuf/test_sshbuf_misc.c]
+   [regress/unittests/sshbuf/tests.c]
+   [regress/unittests/test_helper/Makefile]
+   [regress/unittests/test_helper/fuzz.c]
+   [regress/unittests/test_helper/test_helper.c]
+   [regress/unittests/test_helper/test_helper.h]
+   Import new unit tests from OpenBSD; not yet hooked up to build.
+ - (djm) [regress/Makefile Makefile.in]
+   [regress/unittests/sshbuf/test_sshbuf.c
+   [regress/unittests/sshbuf/test_sshbuf_fixed.c]
+   [regress/unittests/sshbuf/test_sshbuf_fuzz.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_basic.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_crypto.c]
+   [regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c]
+   [regress/unittests/sshbuf/test_sshbuf_misc.c]
+   [regress/unittests/sshbuf/tests.c]
+   [regress/unittests/test_helper/fuzz.c]
+   [regress/unittests/test_helper/test_helper.c]
+   Hook new unit tests into the build and "make tests"
+ - (djm) [sshbuf.c] need __predict_false
+
+20140430
+ - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already
+   have it.  Only attempt to use __attribute__(__bounded__) for gcc.
+
+20140420
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/03/03 22:22:30
+     [session.c]
+     ignore enviornment variables with embedded '=' or '\0' characters;
+     spotted by Jann Horn; ok deraadt@
+     Id sync only - portable already has this.
+   - djm@cvs.openbsd.org 2014/03/12 04:44:58
+     [ssh-keyscan.c]
+     scan for Ed25519 keys by default too
+   - djm@cvs.openbsd.org 2014/03/12 04:50:32
+     [auth-bsdauth.c ssh-keygen.c]
+     don't count on things that accept arguments by reference to clear
+     things for us on error; most things do, but it's unsafe form.
+   - djm@cvs.openbsd.org 2014/03/12 04:51:12
+     [authfile.c]
+     correct test that kdf name is not "none" or "bcrypt"
+   - naddy@cvs.openbsd.org 2014/03/12 13:06:59
+     [ssh-keyscan.1]
+     scan for Ed25519 keys by default too
+   - deraadt@cvs.openbsd.org 2014/03/15 17:28:26
+     [ssh-agent.c ssh-keygen.1 ssh-keygen.c]
+     Improve usage() and documentation towards the standard form. 
+     In particular, this line saves a lot of man page reading time.
+       usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
+                         [-N new_passphrase] [-C comment] [-f output_keyfile]
+     ok schwarze jmc
+   - tedu@cvs.openbsd.org 2014/03/17 19:44:10
+     [ssh.1]
+     old descriptions of des and blowfish are old. maybe ok deraadt
+   - tedu@cvs.openbsd.org 2014/03/19 14:42:44
+     [scp.1]
+     there is no need for rcp anymore
+     ok deraadt millert
+   - markus@cvs.openbsd.org 2014/03/25 09:40:03
+     [myproposal.h]
+     trimm default proposals.
+     
+     This commit removes the weaker pre-SHA2 hashes, the broken ciphers
+     (arcfour), and the broken modes (CBC) from the default configuration
+     (the patch only changes the default, all the modes are still available
+     for the config files).
+     
+     ok djm@, reminded by tedu@ & naddy@ and discussed with many
+   - deraadt@cvs.openbsd.org 2014/03/26 17:16:26
+     [myproposal.h]
+     The current sharing of myproposal[] between both client and server code
+     makes the previous diff highly unpallatable.  We want to go in that
+     direction for the server, but not for the client.  Sigh.
+     Brought up by naddy.
+   - markus@cvs.openbsd.org 2014/03/27 23:01:27
+     [myproposal.h ssh-keyscan.c sshconnect2.c sshd.c]
+     disable weak proposals in sshd, but keep them in ssh; ok djm@
+   - djm@cvs.openbsd.org 2014/03/26 04:55:35
+     [chacha.h cipher-chachapoly.h digest.h hmac.h kex.h kexc25519.c
+     [misc.h poly1305.h ssh-pkcs11.c]
+     use __bounded(...) attribute recently added to sys/cdefs.h instead of
+     longform __attribute__(__bounded(...));
+     
+     for brevity and a warning free compilation with llvm/clang
+   - tedu@cvs.openbsd.org 2014/03/26 19:58:37
+     [sshd.8 sshd.c]
+     remove libwrap support. ok deraadt djm mfriedl
+   - naddy@cvs.openbsd.org 2014/03/28 05:17:11
+     [ssh_config.5 sshd_config.5]
+     sync available and default algorithms, improve algorithm list formatting
+     help from jmc@ and schwarze@, ok deraadt@
+   - jmc@cvs.openbsd.org 2014/03/31 13:39:34
+     [ssh-keygen.1]
+     the text for the -K option was inserted in the wrong place in -r1.108;
+     fix From: Matthew Clarke
+   - djm@cvs.openbsd.org 2014/04/01 02:05:27
+     [ssh-keysign.c]
+     include fingerprint of key not found
+     use arc4random_buf() instead of loop+arc4random()
+   - djm@cvs.openbsd.org 2014/04/01 03:34:10
+     [sshconnect.c]
+     When using VerifyHostKeyDNS with a DNSSEC resolver, down-convert any
+     certificate keys to plain keys and attempt SSHFP resolution.
+     
+     Prevents a server from skipping SSHFP lookup and forcing a new-hostkey
+     dialog by offering only certificate keys.
+     
+     Reported by mcv21 AT cam.ac.uk
+   - djm@cvs.openbsd.org 2014/04/01 05:32:57
+     [packet.c]
+     demote a debug3 to PACKET_DEBUG; ok markus@
+   - djm@cvs.openbsd.org 2014/04/12 04:55:53
+     [sshd.c]
+     avoid crash at exit: check that pmonitor!=NULL before dereferencing;
+     bz#2225, patch from kavi AT juniper.net
+   - djm@cvs.openbsd.org 2014/04/16 23:22:45
+     [bufaux.c]
+     skip leading zero bytes in buffer_put_bignum2_from_string();
+     reported by jan AT mojzis.com; ok markus@
+   - djm@cvs.openbsd.org 2014/04/16 23:28:12
+     [ssh-agent.1]
+     remove the identity files from this manpage - ssh-agent doesn't deal
+     with them at all and the same information is duplicated in ssh-add.1
+     (which does deal with them); prodded by deraadt@
+   - djm@cvs.openbsd.org 2014/04/18 23:52:25
+     [compat.c compat.h sshconnect2.c sshd.c version.h]
+     OpenSSH 6.5 and 6.6 have a bug that causes ~0.2% of connections
+     using the curve25519-sha256@libssh.org KEX exchange method to fail
+     when connecting with something that implements the spec properly.
+     
+     Disable this KEX method when speaking to one of the affected
+     versions.
+     
+     reported by Aris Adamantiadis; ok markus@
+   - djm@cvs.openbsd.org 2014/04/19 05:54:59
+     [compat.c]
+     missing wildcard; pointed out by naddy@
+   - tedu@cvs.openbsd.org 2014/04/19 14:53:48
+     [ssh-keysign.c sshd.c]
+     Delete futile calls to RAND_seed. ok djm
+     NB. Id sync only. This only applies to OpenBSD's libcrypto slashathon
+   - tedu@cvs.openbsd.org 2014/04/19 18:15:16
+     [sshd.8]
+     remove some really old rsh references
+   - tedu@cvs.openbsd.org 2014/04/19 18:42:19
+     [ssh.1]
+     delete .xr to hosts.equiv. there's still an unfortunate amount of
+     documentation referring to rhosts equivalency in here.
+   - djm@cvs.openbsd.org 2014/04/20 02:30:25
+     [misc.c misc.h umac.c]
+     use get/put_u32 to load values rather than *((UINT32 *)p) that breaks on
+     strict-alignment architectures; reported by and ok stsp@
+   - djm@cvs.openbsd.org 2014/04/20 02:49:32
+     [compat.c]
+     add a canonical 6.6 + curve25519 bignum fix fake version that I can
+     recommend people use ahead of the openssh-6.7 release
+
+20140401
+ - (djm) On platforms that support it, use prctl() to prevent sftp-server
+   from accessing /proc/self/{mem,maps}; patch from jann AT thejh.net
+ - (djm) Use full release (e.g. 6.5p1) in debug output rather than just
+   version. From des@des.no
+
+20140317
+ - (djm) [sandbox-seccomp-filter.c] Soft-fail stat() syscalls. Add XXX to
+   remind myself to add sandbox violation logging via the log socket.
+
+20140314
+ - (tim) [opensshd.init.in] Add support for ed25519
+
 20140313
  - (djm) Release OpenSSH 6.6
 
@@ -2884,4 +3815,3 @@
    [contrib/suse/openssh.spec] Update for release 6.0
  - (djm) [README] Update URL to release notes.
  - (djm) Release openssh-6.0
-
diff --git a/INSTALL b/INSTALL
index 576723048..cbbb2df59 100644
--- a/INSTALL
+++ b/INSTALL
@@ -1,22 +1,26 @@
 1. Prerequisites
 ----------------
 
-You will need working installations of Zlib and OpenSSL.
+You will need working installations of Zlib and libcrypto (LibreSSL /
+OpenSSL)
 
 Zlib 1.1.4 or 1.2.1.2 or greater (ealier 1.2.x versions have problems):
 http://www.gzip.org/zlib/
 
-OpenSSL 0.9.6 or greater:
-http://www.openssl.org/
+libcrypto (LibreSSL or OpenSSL >= 0.9.8f)
+LibreSSL http://www.libressl.org/ ; or
+OpenSSL http://www.openssl.org/
 
-(OpenSSL 0.9.5a is partially supported, but some ciphers (SSH protocol 1
-Blowfish) do not work correctly.)
+LibreSSL/OpenSSL should be compiled as a position-independent library
+(i.e. with -fPIC) otherwise OpenSSH will not be able to link with it.
+If you must use a non-position-independent libcrypto, then you may need
+to configure OpenSSH --without-pie.
 
 The remaining items are optional.
 
 NB. If you operating system supports /dev/random, you should configure
-OpenSSL to use it. OpenSSH relies on OpenSSL's direct support of
-/dev/random, or failing that, either prngd or egd
+libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
+direct support of /dev/random, or failing that, either prngd or egd
 
 PRNGD:
 
@@ -27,10 +31,10 @@ http://prngd.sourceforge.net/
 
 EGD:
 
-The Entropy Gathering Daemon (EGD) is supported if you have a system which
-lacks /dev/random and don't want to use OpenSSH's internal entropy collection.
+If the kernel lacks /dev/random the Entropy Gathering Daemon (EGD) is
+supported only if libcrypto supports it.
 
-http://www.lothar.com/tech/crypto/
+http://egd.sourceforge.net/
 
 PAM:
 
@@ -55,15 +59,6 @@ passphrase requester. This is maintained separately at:
 
 http://www.jmknoble.net/software/x11-ssh-askpass/
 
-TCP Wrappers:
-
-If you wish to use the TCP wrappers functionality you will need at least
-tcpd.h and libwrap.a, either in the standard include and library paths,
-or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
-known to work.
-
-http://ftp.porcupine.org/pub/security/index.html
-
 S/Key Libraries:
 
 If you wish to use --with-skey then you will need the library below
@@ -180,9 +175,6 @@ Integration Architecture.  The default for OSF1 machines is enable.
 --with-skey=PATH will enable S/Key one time password support. You will
 need the S/Key libraries and header files installed for this to work.
 
---with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
-support.
-
 --with-md5-passwords will enable the use of MD5 passwords. Enable this
 if your operating system uses MD5 passwords and the system crypt() does
 not support them directly (see the crypt(3/3c) man page). If enabled, the
@@ -204,10 +196,11 @@ created.
 
 --with-xauth=PATH specifies the location of the xauth binary
 
---with-ssl-dir=DIR allows you to specify where your OpenSSL libraries
+--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
+libraries
 are installed.
 
---with-ssl-engine enables OpenSSL's (hardware) ENGINE support
+--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
 
 --with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
@@ -266,4 +259,4 @@ Please refer to the "reporting bugs" section of the webpage at
 http://www.openssh.com/
 
 
-$Id: INSTALL,v 1.88 2013/03/07 01:33:35 dtucker Exp $
+$Id: INSTALL,v 1.91 2014/09/09 02:23:11 dtucker Exp $
diff --git a/Makefile.in b/Makefile.in
index 28a8ec41b..06be3d5d5 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.356 2014/02/04 00:12:56 djm Exp $
+# $Id: Makefile.in,v 1.365 2014/08/30 06:23:07 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -29,6 +29,7 @@ SSH_PKCS11_HELPER=$(libexecdir)/ssh-pkcs11-helper
 PRIVSEP_PATH=@PRIVSEP_PATH@
 SSH_PRIVSEP_USER=@SSH_PRIVSEP_USER@
 STRIP_OPT=@STRIP_OPT@
+TEST_SHELL=@TEST_SHELL@
 
 PATHS= -DSSHDIR=\"$(sysconfdir)\" \
         -D_PATH_SSH_PROGRAM=\"$(SSH_PROGRAM)\" \
@@ -63,7 +64,16 @@ MANFMT=@MANFMT@
 
 TARGETS=ssh$(EXEEXT) sshd$(EXEEXT) ssh-add$(EXEEXT) ssh-keygen$(EXEEXT) ssh-keyscan${EXEEXT} ssh-keysign${EXEEXT} ssh-pkcs11-helper$(EXEEXT) ssh-agent$(EXEEXT) scp$(EXEEXT) sftp-server$(EXEEXT) sftp$(EXEEXT)
 
-LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
+LIBOPENSSH_OBJS=\
+        ssherr.o \
+        sshbuf.o \
+        sshkey.o \
+        sshbuf-getput-basic.o \
+        sshbuf-misc.o \
+        sshbuf-getput-crypto.o
+
+LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
+        authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         canohost.o channels.o cipher.o cipher-aes.o \
         cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
         compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
@@ -135,7 +145,7 @@ $(SSHOBJS): Makefile.in config.h
 $(SSHDOBJS): Makefile.in config.h
 
 .c.o:
-        $(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+        $(CC) $(CFLAGS) $(CPPFLAGS) -c $< -o $@
 
 LIBCOMPAT=openbsd-compat/libopenbsd-compat.a
 $(LIBCOMPAT): always
@@ -214,6 +224,12 @@ umac128.o:	umac.c
 clean:  regressclean
         rm -f *.o *.a $(TARGETS) logintest config.cache config.log
         rm -f *.out core survey
+        rm -f regress/unittests/test_helper/*.a
+        rm -f regress/unittests/test_helper/*.o
+        rm -f regress/unittests/sshbuf/*.o
+        rm -f regress/unittests/sshbuf/test_sshbuf
+        rm -f regress/unittests/sshkey/*.o
+        rm -f regress/unittests/sshkey/test_sshkey
         (cd openbsd-compat && $(MAKE) clean)
 
 distclean:      regressclean
@@ -222,6 +238,12 @@ distclean:	regressclean
         rm -f Makefile buildpkg.sh config.h config.status
         rm -f survey.sh openbsd-compat/regress/Makefile *~ 
         rm -rf autom4te.cache
+        rm -f regress/unittests/test_helper/*.a
+        rm -f regress/unittests/test_helper/*.o
+        rm -f regress/unittests/sshbuf/*.o
+        rm -f regress/unittests/sshbuf/test_sshbuf
+        rm -f regress/unittests/sshkey/*.o
+        rm -f regress/unittests/sshkey/test_sshkey
         (cd openbsd-compat && $(MAKE) distclean)
         if test -d pkg ; then \
                 rm -fr pkg ; \
@@ -394,23 +416,71 @@ uninstall:
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
         -rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
-regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
+regress-prep:
         [ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress
+        [ -d `pwd`/regress/unittests ]  ||  mkdir -p `pwd`/regress/unittests
+        [ -d `pwd`/regress/unittests/test_helper ]  || \
+                mkdir -p `pwd`/regress/unittests/test_helper
+        [ -d `pwd`/regress/unittests/sshbuf ]  || \
+                mkdir -p `pwd`/regress/unittests/sshbuf
+        [ -d `pwd`/regress/unittests/sshkey ]  || \
+                mkdir -p `pwd`/regress/unittests/sshkey
         [ -f `pwd`/regress/Makefile ]  || \
             ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
+
+regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
         $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
         $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
 regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
-        [ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress
-        [ -f `pwd`/regress/Makefile ]  || \
-            ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
         $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
         $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
-tests interop-tests:    $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
+UNITTESTS_TEST_HELPER_OBJS=\
+        regress/unittests/test_helper/test_helper.o \
+        regress/unittests/test_helper/fuzz.o
+
+regress/unittests/test_helper/libtest_helper.a: ${UNITTESTS_TEST_HELPER_OBJS}
+        $(AR) rv $@ $(UNITTESTS_TEST_HELPER_OBJS)
+        $(RANLIB) $@
+
+UNITTESTS_TEST_SSHBUF_OBJS=\
+        regress/unittests/sshbuf/tests.o \
+        regress/unittests/sshbuf/test_sshbuf.o \
+        regress/unittests/sshbuf/test_sshbuf_getput_basic.o \
+        regress/unittests/sshbuf/test_sshbuf_getput_crypto.o \
+        regress/unittests/sshbuf/test_sshbuf_misc.o \
+        regress/unittests/sshbuf/test_sshbuf_fuzz.o \
+        regress/unittests/sshbuf/test_sshbuf_getput_fuzz.o \
+        regress/unittests/sshbuf/test_sshbuf_fixed.o
+
+regress/unittests/sshbuf/test_sshbuf$(EXEEXT): ${UNITTESTS_TEST_SSHBUF_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+        $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHBUF_OBJS) \
+            regress/unittests/test_helper/libtest_helper.a \
+            -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+UNITTESTS_TEST_SSHKEY_OBJS=\
+        regress/unittests/sshkey/test_fuzz.o \
+        regress/unittests/sshkey/tests.o \
+        regress/unittests/sshkey/common.o \
+        regress/unittests/sshkey/test_file.o \
+        regress/unittests/sshkey/test_sshkey.o
+
+regress/unittests/sshkey/test_sshkey$(EXEEXT): ${UNITTESTS_TEST_SSHKEY_OBJS} \
+    regress/unittests/test_helper/libtest_helper.a libssh.a
+        $(LD) -o $@ $(LDFLAGS) $(UNITTESTS_TEST_SSHKEY_OBJS) \
+            regress/unittests/test_helper/libtest_helper.a \
+            -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
+REGRESS_BINARIES=\
+        regress/modpipe$(EXEEXT) \
+        regress/setuid-allowed$(EXEEXT) \
+        regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
+        regress/unittests/sshkey/test_sshkey$(EXEEXT)
+
+tests interop-tests t-exec: regress-prep $(TARGETS) $(REGRESS_BINARIES)
         BUILDDIR=`pwd`; \
-        TEST_SHELL="@TEST_SHELL@"; \
         TEST_SSH_SCP="$${BUILDDIR}/scp"; \
         TEST_SSH_SSH="$${BUILDDIR}/ssh"; \
         TEST_SSH_SSHD="$${BUILDDIR}/sshd"; \
@@ -434,7 +504,6 @@ tests interop-tests:	$(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$
                 OBJ="$${BUILDDIR}/regress/" \
                 PATH="$${BUILDDIR}:$${PATH}" \
                 TEST_ENV=MALLOC_OPTIONS="@TEST_MALLOC_OPTIONS@" \
-                TEST_SHELL="$${TEST_SHELL}" \
                 TEST_SSH_SCP="$${TEST_SSH_SCP}" \
                 TEST_SSH_SSH="$${TEST_SSH_SSH}" \
                 TEST_SSH_SSHD="$${TEST_SSH_SSHD}" \
@@ -450,6 +519,7 @@ tests interop-tests:	$(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$
                 TEST_SSH_CONCH="$${TEST_SSH_CONCH}" \
                 TEST_SSH_IPV6="$${TEST_SSH_IPV6}" \
                 TEST_SSH_ECC="$${TEST_SSH_ECC}" \
+                TEST_SHELL="${TEST_SHELL}" \
                 EXEEXT="$(EXEEXT)" \
                 $@ && echo all tests passed
 
diff --git a/PROTOCOL b/PROTOCOL
index 4a5088f90..aa59f584e 100644
--- a/PROTOCOL
+++ b/PROTOCOL
@@ -232,6 +232,56 @@ The contents of the "data" field for layer 2 packets is:
 The "frame" field contains an IEEE 802.3 Ethernet frame, including
 header.
 
+2.4. connection: Unix domain socket forwarding
+
+OpenSSH supports local and remote Unix domain socket forwarding
+using the "streamlocal" extension.  Forwarding is initiated as per
+TCP sockets but with a single path instead of a host and port.
+
+Similar to direct-tcpip, direct-streamlocal is sent by the client
+to request that the server make a connection to a Unix domain socket.
+
+        byte            SSH_MSG_CHANNEL_OPEN
+        string          "direct-streamlocal@openssh.com"
+        uint32          sender channel
+        uint32          initial window size
+        uint32          maximum packet size
+        string          socket path
+        string          reserved for future use
+
+Similar to forwarded-tcpip, forwarded-streamlocal is sent by the
+server when the client has previously send the server a streamlocal-forward
+GLOBAL_REQUEST.
+
+        byte            SSH_MSG_CHANNEL_OPEN
+        string          "forwarded-streamlocal@openssh.com"
+        uint32          sender channel
+        uint32          initial window size
+        uint32          maximum packet size
+        string          socket path
+        string          reserved for future use
+
+The reserved field is not currently defined and is ignored on the
+remote end.  It is intended to be used in the future to pass
+information about the socket file, such as ownership and mode.
+The client currently sends the empty string for this field.
+
+Similar to tcpip-forward, streamlocal-forward is sent by the client
+to request remote forwarding of a Unix domain socket.
+
+        byte            SSH2_MSG_GLOBAL_REQUEST
+        string          "streamlocal-forward@openssh.com"
+        boolean         TRUE
+        string          socket path
+
+Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent
+by the client cancel the forwarding of a Unix domain socket.
+
+        byte            SSH2_MSG_GLOBAL_REQUEST
+        string          "cancel-streamlocal-forward@openssh.com"
+        boolean         FALSE
+        string          socket path
+
 3. SFTP protocol changes
 
 3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
@@ -356,4 +406,4 @@ respond with a SSH_FXP_STATUS message.
 This extension is advertised in the SSH_FXP_VERSION hello with version
 "1".
 
-$OpenBSD: PROTOCOL,v 1.23 2013/12/01 23:19:05 djm Exp $
+$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $
diff --git a/README b/README
index 368dca59c..b21441ae0 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-6.6 for the release notes.
+See http://www.openssh.com/txt/release-6.7 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.86 2014/02/27 23:03:53 djm Exp $
+$Id: README,v 1.87 2014/08/10 01:35:06 djm Exp $
diff --git a/auth-bsdauth.c b/auth-bsdauth.c
index 0b3262b49..37ff893e6 100644
--- a/auth-bsdauth.c
+++ b/auth-bsdauth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-bsdauth.c,v 1.11 2007/09/21 08:15:29 djm Exp $ */
+/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -26,6 +26,8 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#include <stdarg.h>
+#include <stdio.h>
 
 #include <stdarg.h>
 
@@ -54,6 +56,11 @@ bsdauth_query(void *ctx, char **name, char **infotxt,
         Authctxt *authctxt = ctx;
         char *challenge = NULL;
 
+        *infotxt = NULL;
+        *numprompts = 0;
+        *prompts = NULL;
+        *echo_on = NULL;
+
         if (authctxt->as != NULL) {
                 debug2("bsdauth_query: try reuse session");
                 challenge = auth_getitem(authctxt->as, AUTHV_CHALLENGE);
diff --git a/auth-chall.c b/auth-chall.c
index 0005aa88b..5c26a403d 100644
--- a/auth-chall.c
+++ b/auth-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-chall.c,v 1.13 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth-chall.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -26,6 +26,9 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <stdio.h>
 
 #include <stdarg.h>
 
@@ -34,6 +37,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 
 /* limited protocol v1 interface to kbd-interactive authentication */
diff --git a/auth-krb5.c b/auth-krb5.c
index 6c62bdf54..0089b1844 100644
--- a/auth-krb5.c
+++ b/auth-krb5.c
@@ -40,6 +40,7 @@
 #include "packet.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "uidswap.h"
 #include "key.h"
diff --git a/auth-options.c b/auth-options.c
index fa209eaab..f3d9c9df8 100644
--- a/auth-options.c
+++ b/auth-options.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-options.c,v 1.62 2013/12/19 00:27:57 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.64 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -26,9 +26,9 @@
 #include "log.h"
 #include "canohost.h"
 #include "buffer.h"
+#include "misc.h"
 #include "channels.h"
 #include "servconf.h"
-#include "misc.h"
 #include "key.h"
 #include "auth-options.h"
 #include "hostfile.h"
@@ -325,6 +325,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                         patterns[i] = '\0';
                         opts++;
                         p = patterns;
+                        /* XXX - add streamlocal support */
                         host = hpdelim(&p);
                         if (host == NULL || strlen(host) >= NI_MAXHOST) {
                                 debug("%.100s, line %lu: Bad permitopen "
@@ -586,8 +587,8 @@ auth_cert_options(Key *k, struct passwd *pw)
 
         if (key_cert_is_legacy(k)) {
                 /* All options are in the one field for v00 certs */
-                if (parse_option_list(buffer_ptr(&k->cert->critical),
-                    buffer_len(&k->cert->critical), pw,
+                if (parse_option_list(buffer_ptr(k->cert->critical),
+                    buffer_len(k->cert->critical), pw,
                     OPTIONS_CRITICAL|OPTIONS_EXTENSIONS, 1,
                     &cert_no_port_forwarding_flag,
                     &cert_no_agent_forwarding_flag,
@@ -599,14 +600,14 @@ auth_cert_options(Key *k, struct passwd *pw)
                         return -1;
         } else {
                 /* Separate options and extensions for v01 certs */
-                if (parse_option_list(buffer_ptr(&k->cert->critical),
-                    buffer_len(&k->cert->critical), pw,
+                if (parse_option_list(buffer_ptr(k->cert->critical),
+                    buffer_len(k->cert->critical), pw,
                     OPTIONS_CRITICAL, 1, NULL, NULL, NULL, NULL, NULL,
                     &cert_forced_command,
                     &cert_source_address_done) == -1)
                         return -1;
-                if (parse_option_list(buffer_ptr(&k->cert->extensions),
-                    buffer_len(&k->cert->extensions), pw,
+                if (parse_option_list(buffer_ptr(k->cert->extensions),
+                    buffer_len(k->cert->extensions), pw,
                     OPTIONS_EXTENSIONS, 1,
                     &cert_no_port_forwarding_flag,
                     &cert_no_agent_forwarding_flag,
diff --git a/auth-passwd.c b/auth-passwd.c
index 68bbd18dd..63ccf3cab 100644
--- a/auth-passwd.c
+++ b/auth-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-passwd.c,v 1.43 2007/09/21 08:15:29 djm Exp $ */
+/* $OpenBSD: auth-passwd.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -48,6 +48,7 @@
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
diff --git a/auth-rh-rsa.c b/auth-rh-rsa.c
index b21a0f4a2..b7fd064e7 100644
--- a/auth-rh-rsa.c
+++ b/auth-rh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rh-rsa.c,v 1.43 2010/03/04 10:36:03 djm Exp $ */
+/* $OpenBSD: auth-rh-rsa.c,v 1.44 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -24,6 +24,7 @@
 #include "uidswap.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
diff --git a/auth-rhosts.c b/auth-rhosts.c
index 06ae7f0b9..b5bedee8d 100644
--- a/auth-rhosts.c
+++ b/auth-rhosts.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rhosts.c,v 1.44 2010/03/07 11:57:13 dtucker Exp $ */
+/* $OpenBSD: auth-rhosts.c,v 1.45 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,12 +34,12 @@
 #include "uidswap.h"
 #include "pathnames.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "canohost.h"
 #include "key.h"
 #include "hostfile.h"
 #include "auth.h"
-#include "misc.h"
 
 /* import */
 extern ServerOptions options;
diff --git a/auth-rsa.c b/auth-rsa.c
index 5dad6c3dc..e9f4ede26 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.86 2014/01/27 19:18:54 markus Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.88 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,6 +35,7 @@
 #include "buffer.h"
 #include "pathnames.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "auth-options.h"
@@ -45,7 +46,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "ssh.h"
-#include "misc.h"
 
 #include "digest.h"
 
@@ -144,7 +144,8 @@ auth_rsa_challenge_dialog(Key *key)
         challenge = PRIVSEP(auth_rsa_generate_challenge(key));
 
         /* Encrypt the challenge with the public key. */
-        rsa_public_encrypt(encrypted_challenge, challenge, key->rsa);
+        if (rsa_public_encrypt(encrypted_challenge, challenge, key->rsa) != 0)
+                fatal("%s: rsa_public_encrypt failed", __func__);
 
         /* Send the encrypted challenge to the client. */
         packet_start(SSH_SMSG_AUTH_RSA_CHALLENGE);
diff --git a/auth.c b/auth.c
index 9a36f1dac..5e60682ce 100644
--- a/auth.c
+++ b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.106 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -56,6 +56,7 @@
 #include "groupaccess.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
@@ -63,7 +64,6 @@
 #include "auth-options.h"
 #include "canohost.h"
 #include "uidswap.h"
-#include "misc.h"
 #include "packet.h"
 #include "loginrec.h"
 #ifdef GSSAPI
@@ -326,6 +326,20 @@ auth_log(Authctxt *authctxt, int authenticated, int partial,
 #endif
 }
 
+
+void
+auth_maxtries_exceeded(Authctxt *authctxt)
+{
+        packet_disconnect("Too many authentication failures for "
+            "%s%.100s from %.200s port %d %s",
+            authctxt->valid ? "" : "invalid user ",
+            authctxt->user,
+            get_remote_ipaddr(),
+            get_remote_port(),
+            compat20 ? "ssh2" : "ssh1");
+        /* NOTREACHED */
+}
+
 /*
  * Check whether root logins are disallowed.
  */
@@ -659,6 +673,7 @@ getpwnamallow(const char *user)
 int
 auth_key_is_revoked(Key *key)
 {
+#ifdef WITH_OPENSSL
         char *key_fp;
 
         if (options.revoked_keys_file == NULL)
@@ -671,6 +686,7 @@ auth_key_is_revoked(Key *key)
         default:
                 goto revoked;
         }
+#endif
         debug3("%s: treating %s as a key list", __func__,
             options.revoked_keys_file);
         switch (key_in_file(key, options.revoked_keys_file, 0)) {
@@ -682,6 +698,7 @@ auth_key_is_revoked(Key *key)
                 error("Revoked keys file is unreadable: refusing public key "
                     "authentication");
                 return 1;
+#ifdef WITH_OPENSSL
         case 1:
  revoked:
                 /* Key revoked */
@@ -690,6 +707,7 @@ auth_key_is_revoked(Key *key)
                     "%s key %s ", key_type(key), key_fp);
                 free(key_fp);
                 return 1;
+#endif
         }
         fatal("key_in_file returned junk");
 }
diff --git a/auth.h b/auth.h
index 124e59743..d081c94a6 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.78 2014/07/03 11:16:55 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -154,6 +154,7 @@ void	auth_info(Authctxt *authctxt, const char *, ...)
             __attribute__((__format__ (printf, 2, 3)))
             __attribute__((__nonnull__ (2)));
 void    auth_log(Authctxt *, int, int, const char *, const char *);
+void    auth_maxtries_exceeded(Authctxt *) __attribute__((noreturn));
 void    userauth_finish(Authctxt *, int, const char *, const char *);
 int     auth_root_allowed(const char *);
 
@@ -210,8 +211,6 @@ struct passwd *fakepw(void);
 
 int      sys_auth_passwd(Authctxt *, const char *);
 
-#define AUTH_FAIL_MSG "Too many authentication failures for %.100s"
-
 #define SKEY_PROMPT "\nS/Key Password: "
 
 #if defined(KRB5) && !defined(HEIMDAL)
diff --git a/auth1.c b/auth1.c
index 0f870b3b6..50388285c 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.82 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -27,6 +27,7 @@
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "key.h"
@@ -363,7 +364,7 @@ do_authloop(Authctxt *authctxt)
 #ifdef SSH_AUDIT_EVENTS
                         PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
-                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+                        auth_maxtries_exceeded(authctxt);
                 }
 
                 packet_start(SSH_SMSG_FAILURE);
diff --git a/auth2-chall.c b/auth2-chall.c
index 980250a91..ea4eb6952 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -41,6 +41,7 @@
 #include "packet.h"
 #include "dispatch.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 
 /* import */
diff --git a/auth2-gss.c b/auth2-gss.c
index c28a705cb..447f896f2 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -40,6 +40,7 @@
 #include "log.h"
 #include "dispatch.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "packet.h"
 #include "ssh-gss.h"
diff --git a/auth2-hostbased.c b/auth2-hostbased.c
index 488008f62..6787e4ca4 100644
--- a/auth2-hostbased.c
+++ b/auth2-hostbased.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-hostbased.c,v 1.17 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: auth2-hostbased.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -36,6 +36,7 @@
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "key.h"
diff --git a/auth2-kbdint.c b/auth2-kbdint.c
index c39bdc62d..bf75c6059 100644
--- a/auth2-kbdint.c
+++ b/auth2-kbdint.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-kbdint.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-kbdint.c,v 1.7 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -36,6 +36,7 @@
 #include "auth.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 
 /* import */
diff --git a/auth2-none.c b/auth2-none.c
index c8c6c74a9..e71e2219c 100644
--- a/auth2-none.c
+++ b/auth2-none.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-none.c,v 1.16 2010/06/25 08:46:17 djm Exp $ */
+/* $OpenBSD: auth2-none.c,v 1.18 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -30,9 +30,10 @@
 #include <sys/uio.h>
 
 #include <fcntl.h>
-#include <stdarg.h>
 #include <string.h>
 #include <unistd.h>
+#include <stdarg.h>
+#include <stdio.h>
 
 #include "atomicio.h"
 #include "xmalloc.h"
@@ -42,6 +43,7 @@
 #include "packet.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "ssh2.h"
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 707680cd0..b638e8715 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.11 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.12 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -41,6 +41,7 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
+#include "misc.h"
 #include "servconf.h"
 
 /* import */
diff --git a/auth2-pubkey.c b/auth2-pubkey.c
index 0fd27bb92..f3ca96592 100644
--- a/auth2-pubkey.c
+++ b/auth2-pubkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-pubkey.c,v 1.39 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.41 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -48,6 +48,7 @@
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "key.h"
@@ -61,7 +62,6 @@
 #include "ssh-gss.h"
 #endif
 #include "monitor_wrap.h"
-#include "misc.h"
 #include "authfile.h"
 #include "match.h"
 
@@ -230,7 +230,7 @@ pubkey_auth_info(Authctxt *authctxt, const Key *key, const char *fmt, ...)
 }
 
 static int
-match_principals_option(const char *principal_list, struct KeyCert *cert)
+match_principals_option(const char *principal_list, struct sshkey_cert *cert)
 {
         char *result;
         u_int i;
@@ -250,7 +250,7 @@ match_principals_option(const char *principal_list, struct KeyCert *cert)
 }
 
 static int
-match_principals_file(char *file, struct passwd *pw, struct KeyCert *cert)
+match_principals_file(char *file, struct passwd *pw, struct sshkey_cert *cert)
 {
         FILE *f;
         char line[SSH_MAX_PUBKEY_BYTES], *cp, *ep, *line_opts;
diff --git a/auth2.c b/auth2.c
index a5490c009..d9b440ae3 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.130 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.132 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -41,6 +41,7 @@
 #include "packet.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "key.h"
@@ -362,7 +363,7 @@ userauth_finish(Authctxt *authctxt, int authenticated, const char *method,
 #ifdef SSH_AUDIT_EVENTS
                         PRIVSEP(audit_event(SSH_LOGIN_EXCEED_MAXTRIES));
 #endif
-                        packet_disconnect(AUTH_FAIL_MSG, authctxt->user);
+                        auth_maxtries_exceeded(authctxt);
                 }
                 methods = authmethods_get(authctxt);
                 debug3("%s: failure partial=%d next methods=\"%s\"", __func__,
diff --git a/authfd.c b/authfd.c
index cea3f97b4..2d5a8dd5b 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.92 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: authfd.c,v 1.93 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -41,9 +41,6 @@
 #include <sys/un.h>
 #include <sys/socket.h>
 
-#include <openssl/evp.h>
-#include <openssl/crypto.h>
-
 #include <fcntl.h>
 #include <stdlib.h>
 #include <signal.h>
@@ -313,8 +310,10 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi
 Key *
 ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
 {
+#ifdef WITH_SSH1
         int keybits;
         u_int bits;
+#endif
         u_char *blob;
         u_int blen;
         Key *key = NULL;
@@ -328,6 +327,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
          * error if the packet is too short or contains corrupt data.
          */
         switch (version) {
+#ifdef WITH_SSH1
         case 1:
                 key = key_new(KEY_RSA1);
                 bits = buffer_get_int(&auth->identities);
@@ -339,6 +339,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
                         logit("Warning: identity keysize mismatch: actual %d, announced %u",
                             BN_num_bits(key->rsa->n), bits);
                 break;
+#endif
         case 2:
                 blob = buffer_get_string(&auth->identities, &blen);
                 *comment = buffer_get_string(&auth->identities, NULL);
@@ -361,6 +362,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
  * supported) and 1 corresponding to protocol version 1.1.
  */
 
+#ifdef WITH_SSH1
 int
 ssh_decrypt_challenge(AuthenticationConnection *auth,
     Key* key, BIGNUM *challenge,
@@ -410,6 +412,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
         buffer_free(&buffer);
         return success;
 }
+#endif
 
 /* ask agent to sign data, returns -1 on error, 0 on success */
 int
@@ -457,6 +460,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
 
 /* Encode key for a message to the agent. */
 
+#ifdef WITH_SSH1
 static void
 ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 {
@@ -470,6 +474,7 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
         buffer_put_bignum(b, key->p);   /* ssh key->q, SSL key->p */
         buffer_put_cstring(b, comment);
 }
+#endif
 
 static void
 ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
@@ -493,6 +498,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
         buffer_init(&msg);
 
         switch (key->type) {
+#ifdef WITH_SSH1
         case KEY_RSA1:
                 type = constrained ?
                     SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
@@ -500,6 +506,8 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
                 buffer_put_char(&msg, type);
                 ssh_encode_identity_rsa1(&msg, key->rsa, comment);
                 break;
+#endif
+#ifdef WITH_OPENSSL
         case KEY_RSA:
         case KEY_RSA_CERT:
         case KEY_RSA_CERT_V00:
@@ -508,6 +516,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
         case KEY_DSA_CERT_V00:
         case KEY_ECDSA:
         case KEY_ECDSA_CERT:
+#endif
         case KEY_ED25519:
         case KEY_ED25519_CERT:
                 type = constrained ?
@@ -552,12 +561,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 
         buffer_init(&msg);
 
+#ifdef WITH_SSH1
         if (key->type == KEY_RSA1) {
                 buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
                 buffer_put_int(&msg, BN_num_bits(key->rsa->n));
                 buffer_put_bignum(&msg, key->rsa->e);
                 buffer_put_bignum(&msg, key->rsa->n);
-        } else if (key->type != KEY_UNSPEC) {
+        } else
+#endif
+        if (key->type != KEY_UNSPEC) {
                 key_to_blob(key, &blob, &blen);
                 buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
                 buffer_put_string(&msg, blob, blen);
diff --git a/authfile.c b/authfile.c
index d7eaa9dec..e93d86738 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,18 +1,5 @@
-/* $OpenBSD: authfile.c,v 1.103 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.107 2014/06/24 01:13:21 djm Exp $ */
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * This file contains functions for reading and writing identity files, and
- * for reading the passphrase from the user.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
@@ -43,30 +30,15 @@
 #include <sys/param.h>
 #include <sys/uio.h>
 
-#include <openssl/err.h>
-#include <openssl/evp.h>
-#include <openssl/pem.h>
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-#include "crypto_api.h"
-
 #include <errno.h>
 #include <fcntl.h>
-#include <stdarg.h>
 #include <stdio.h>
+#include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 
-#ifdef HAVE_UTIL_H
-#include <util.h>
-#endif
-
-#include "xmalloc.h"
 #include "cipher.h"
-#include "buffer.h"
 #include "key.h"
 #include "ssh.h"
 #include "log.h"
@@ -74,903 +46,159 @@
 #include "rsa.h"
 #include "misc.h"
 #include "atomicio.h"
-#include "uuencode.h"
-
-/* openssh private key file format */
-#define MARK_BEGIN              "-----BEGIN OPENSSH PRIVATE KEY-----\n"
-#define MARK_END                "-----END OPENSSH PRIVATE KEY-----\n"
-#define KDFNAME                 "bcrypt"
-#define AUTH_MAGIC              "openssh-key-v1"
-#define SALT_LEN                16
-#define DEFAULT_CIPHERNAME      "aes256-cbc"
-#define DEFAULT_ROUNDS          16
+#include "sshbuf.h"
+#include "ssherr.h"
 
 #define MAX_KEY_FILE_SIZE       (1024 * 1024)
 
-/* Version identification string for SSH v1 identity files. */
-static const char authfile_id_string[] =
-    "SSH PRIVATE KEY FILE FORMAT 1.1\n";
-
-static int
-key_private_to_blob2(Key *prv, Buffer *blob, const char *passphrase,
-    const char *comment, const char *ciphername, int rounds)
-{
-        u_char *key, *cp, salt[SALT_LEN];
-        size_t keylen, ivlen, blocksize, authlen;
-        u_int len, check;
-        int i, n;
-        const Cipher *c;
-        Buffer encoded, b, kdf;
-        CipherContext ctx;
-        const char *kdfname = KDFNAME;
-
-        if (rounds <= 0)
-                rounds = DEFAULT_ROUNDS;
-        if (passphrase == NULL || !strlen(passphrase)) {
-                ciphername = "none";
-                kdfname = "none";
-        } else if (ciphername == NULL)
-                ciphername = DEFAULT_CIPHERNAME;
-        else if (cipher_number(ciphername) != SSH_CIPHER_SSH2)
-                fatal("invalid cipher");
-
-        if ((c = cipher_by_name(ciphername)) == NULL)
-                fatal("unknown cipher name");
-        buffer_init(&kdf);
-        blocksize = cipher_blocksize(c);
-        keylen = cipher_keylen(c);
-        ivlen = cipher_ivlen(c);
-        authlen = cipher_authlen(c);
-        key = xcalloc(1, keylen + ivlen);
-        if (strcmp(kdfname, "none") != 0) {
-                arc4random_buf(salt, SALT_LEN);
-                if (bcrypt_pbkdf(passphrase, strlen(passphrase),
-                    salt, SALT_LEN, key, keylen + ivlen, rounds) < 0)
-                        fatal("bcrypt_pbkdf failed");
-                buffer_put_string(&kdf, salt, SALT_LEN);
-                buffer_put_int(&kdf, rounds);
-        }
-        cipher_init(&ctx, c, key, keylen, key + keylen , ivlen, 1);
-        explicit_bzero(key, keylen + ivlen);
-        free(key);
-
-        buffer_init(&encoded);
-        buffer_append(&encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC));
-        buffer_put_cstring(&encoded, ciphername);
-        buffer_put_cstring(&encoded, kdfname);
-        buffer_put_string(&encoded, buffer_ptr(&kdf), buffer_len(&kdf));
-        buffer_put_int(&encoded, 1);                    /* number of keys */
-        key_to_blob(prv, &cp, &len);                    /* public key */
-        buffer_put_string(&encoded, cp, len);
-
-        explicit_bzero(cp, len);
-        free(cp);
-
-        buffer_free(&kdf);
-
-        /* set up the buffer that will be encrypted */
-        buffer_init(&b);
-
-        /* Random check bytes */
-        check = arc4random();
-        buffer_put_int(&b, check);
-        buffer_put_int(&b, check);
-
-        /* append private key and comment*/
-        key_private_serialize(prv, &b);
-        buffer_put_cstring(&b, comment);
-
-        /* padding */
-        i = 0;
-        while (buffer_len(&b) % blocksize)
-                buffer_put_char(&b, ++i & 0xff);
-
-        /* length */
-        buffer_put_int(&encoded, buffer_len(&b));
-
-        /* encrypt */
-        cp = buffer_append_space(&encoded, buffer_len(&b) + authlen);
-        if (cipher_crypt(&ctx, 0, cp, buffer_ptr(&b), buffer_len(&b), 0,
-            authlen) != 0)
-                fatal("%s: cipher_crypt failed", __func__);
-        buffer_free(&b);
-        cipher_cleanup(&ctx);
-
-        /* uuencode */
-        len = 2 * buffer_len(&encoded);
-        cp = xmalloc(len);
-        n = uuencode(buffer_ptr(&encoded), buffer_len(&encoded),
-            (char *)cp, len);
-        if (n < 0)
-                fatal("%s: uuencode", __func__);
-
-        buffer_clear(blob);
-        buffer_append(blob, MARK_BEGIN, sizeof(MARK_BEGIN) - 1);
-        for (i = 0; i < n; i++) {
-                buffer_put_char(blob, cp[i]);
-                if (i % 70 == 69)
-                        buffer_put_char(blob, '\n');
-        }
-        if (i % 70 != 69)
-                buffer_put_char(blob, '\n');
-        buffer_append(blob, MARK_END, sizeof(MARK_END) - 1);
-        free(cp);
-
-        return buffer_len(blob);
-}
-
-static Key *
-key_parse_private2(Buffer *blob, int type, const char *passphrase,
-    char **commentp)
-{
-        u_char *key = NULL, *cp, *salt = NULL, pad, last;
-        char *comment = NULL, *ciphername = NULL, *kdfname = NULL, *kdfp;
-        u_int keylen = 0, ivlen, blocksize, slen, klen, len, rounds, nkeys;
-        u_int check1, check2, m1len, m2len;
-        size_t authlen;
-        const Cipher *c;
-        Buffer b, encoded, copy, kdf;
-        CipherContext ctx;
-        Key *k = NULL;
-        int dlen, ret, i;
-
-        buffer_init(&b);
-        buffer_init(&kdf);
-        buffer_init(&encoded);
-        buffer_init(&copy);
-
-        /* uudecode */
-        m1len = sizeof(MARK_BEGIN) - 1;
-        m2len = sizeof(MARK_END) - 1;
-        cp = buffer_ptr(blob);
-        len = buffer_len(blob);
-        if (len < m1len || memcmp(cp, MARK_BEGIN, m1len)) {
-                debug("%s: missing begin marker", __func__);
-                goto out;
-        }
-        cp += m1len;
-        len -= m1len;
-        while (len) {
-                if (*cp != '\n' && *cp != '\r')
-                        buffer_put_char(&encoded, *cp);
-                last = *cp;
-                len--;
-                cp++;
-                if (last == '\n') {
-                        if (len >= m2len && !memcmp(cp, MARK_END, m2len)) {
-                                buffer_put_char(&encoded, '\0');
-                                break;
-                        }
-                }
-        }
-        if (!len) {
-                debug("%s: no end marker", __func__);
-                goto out;
-        }
-        len = buffer_len(&encoded);
-        if ((cp = buffer_append_space(&copy, len)) == NULL) {
-                error("%s: buffer_append_space", __func__);
-                goto out;
-        }
-        if ((dlen = uudecode(buffer_ptr(&encoded), cp, len)) < 0) {
-                error("%s: uudecode failed", __func__);
-                goto out;
-        }
-        if ((u_int)dlen > len) {
-                error("%s: crazy uudecode length %d > %u", __func__, dlen, len);
-                goto out;
-        }
-        buffer_consume_end(&copy, len - dlen);
-        if (buffer_len(&copy) < sizeof(AUTH_MAGIC) ||
-            memcmp(buffer_ptr(&copy), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
-                error("%s: bad magic", __func__);
-                goto out;
-        }
-        buffer_consume(&copy, sizeof(AUTH_MAGIC));
-
-        ciphername = buffer_get_cstring_ret(&copy, NULL);
-        if (ciphername == NULL ||
-            (c = cipher_by_name(ciphername)) == NULL) {
-                error("%s: unknown cipher name", __func__);
-                goto out;
-        }
-        if ((passphrase == NULL || !strlen(passphrase)) &&
-            strcmp(ciphername, "none") != 0) {
-                /* passphrase required */
-                goto out;
-        }
-        kdfname = buffer_get_cstring_ret(&copy, NULL);
-        if (kdfname == NULL ||
-            (!strcmp(kdfname, "none") && !strcmp(kdfname, "bcrypt"))) {
-                error("%s: unknown kdf name", __func__);
-                goto out;
-        }
-        if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
-                error("%s: cipher %s requires kdf", __func__, ciphername);
-                goto out;
-        }
-        /* kdf options */
-        kdfp = buffer_get_string_ptr_ret(&copy, &klen);
-        if (kdfp == NULL) {
-                error("%s: kdf options not set", __func__);
-                goto out;
-        }
-        if (klen > 0) {
-                if ((cp = buffer_append_space(&kdf, klen)) == NULL) {
-                        error("%s: kdf alloc failed", __func__);
-                        goto out;
-                }
-                memcpy(cp, kdfp, klen);
-        }
-        /* number of keys */
-        if (buffer_get_int_ret(&nkeys, &copy) < 0) {
-                error("%s: key counter missing", __func__);
-                goto out;
-        }
-        if (nkeys != 1) {
-                error("%s: only one key supported", __func__);
-                goto out;
-        }
-        /* pubkey */
-        if ((cp = buffer_get_string_ret(&copy, &len)) == NULL) {
-                error("%s: pubkey not found", __func__);
-                goto out;
-        }
-        free(cp); /* XXX check pubkey against decrypted private key */
-
-        /* size of encrypted key blob */
-        len = buffer_get_int(&copy);
-        blocksize = cipher_blocksize(c);
-        authlen = cipher_authlen(c);
-        if (len < blocksize) {
-                error("%s: encrypted data too small", __func__);
-                goto out;
-        }
-        if (len % blocksize) {
-                error("%s: length not multiple of blocksize", __func__);
-                goto out;
-        }
-
-        /* setup key */
-        keylen = cipher_keylen(c);
-        ivlen = cipher_ivlen(c);
-        key = xcalloc(1, keylen + ivlen);
-        if (!strcmp(kdfname, "bcrypt")) {
-                if ((salt = buffer_get_string_ret(&kdf, &slen)) == NULL) {
-                        error("%s: salt not set", __func__);
-                        goto out;
-                }
-                if (buffer_get_int_ret(&rounds, &kdf) < 0) {
-                        error("%s: rounds not set", __func__);
-                        goto out;
-                }
-                if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
-                    key, keylen + ivlen, rounds) < 0) {
-                        error("%s: bcrypt_pbkdf failed", __func__);
-                        goto out;
-                }
-        }
-
-        cp = buffer_append_space(&b, len);
-        cipher_init(&ctx, c, key, keylen, key + keylen, ivlen, 0);
-        ret = cipher_crypt(&ctx, 0, cp, buffer_ptr(&copy), len, 0, authlen);
-        cipher_cleanup(&ctx);
-        buffer_consume(&copy, len);
-
-        /* fail silently on decryption errors */
-        if (ret != 0) {
-                debug("%s: decrypt failed", __func__);
-                goto out;
-        }
-
-        if (buffer_len(&copy) != 0) {
-                error("%s: key blob has trailing data (len = %u)", __func__,
-                    buffer_len(&copy));
-                goto out;
-        }
-
-        /* check bytes */
-        if (buffer_get_int_ret(&check1, &b) < 0 ||
-            buffer_get_int_ret(&check2, &b) < 0) {
-                error("check bytes missing");
-                goto out;
-        }
-        if (check1 != check2) {
-                debug("%s: decrypt failed: 0x%08x != 0x%08x", __func__,
-                    check1, check2);
-                goto out;
-        }
-
-        k = key_private_deserialize(&b);
-
-        /* comment */
-        comment = buffer_get_cstring_ret(&b, NULL);
-
-        i = 0;
-        while (buffer_len(&b)) {
-                if (buffer_get_char_ret(&pad, &b) == -1 ||
-                    pad != (++i & 0xff)) {
-                        error("%s: bad padding", __func__);
-                        key_free(k);
-                        k = NULL;
-                        goto out;
-                }
-        }
-
-        if (k && commentp) {
-                *commentp = comment;
-                comment = NULL;
-        }
-
-        /* XXX decode pubkey and check against private */
- out:
-        free(ciphername);
-        free(kdfname);
-        free(salt);
-        free(comment);
-        if (key)
-                explicit_bzero(key, keylen + ivlen);
-        free(key);
-        buffer_free(&encoded);
-        buffer_free(&copy);
-        buffer_free(&kdf);
-        buffer_free(&b);
-        return k;
-}
-
-/*
- * Serialises the authentication (private) key to a blob, encrypting it with
- * passphrase.  The identification of the blob (lowest 64 bits of n) will
- * precede the key to provide identification of the key without needing a
- * passphrase.
- */
-static int
-key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
-    const char *comment)
-{
-        Buffer buffer, encrypted;
-        u_char buf[100], *cp;
-        int i, cipher_num;
-        CipherContext ciphercontext;
-        const Cipher *cipher;
-        u_int32_t rnd;
-
-        /*
-         * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
-         * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
-         */
-        cipher_num = (strcmp(passphrase, "") == 0) ?
-            SSH_CIPHER_NONE : SSH_AUTHFILE_CIPHER;
-        if ((cipher = cipher_by_number(cipher_num)) == NULL)
-                fatal("save_private_key_rsa: bad cipher");
-
-        /* This buffer is used to built the secret part of the private key. */
-        buffer_init(&buffer);
-
-        /* Put checkbytes for checking passphrase validity. */
-        rnd = arc4random();
-        buf[0] = rnd & 0xff;
-        buf[1] = (rnd >> 8) & 0xff;
-        buf[2] = buf[0];
-        buf[3] = buf[1];
-        buffer_append(&buffer, buf, 4);
-
-        /*
-         * Store the private key (n and e will not be stored because they
-         * will be stored in plain text, and storing them also in encrypted
-         * format would just give known plaintext).
-         */
-        buffer_put_bignum(&buffer, key->rsa->d);
-        buffer_put_bignum(&buffer, key->rsa->iqmp);
-        buffer_put_bignum(&buffer, key->rsa->q);        /* reverse from SSL p */
-        buffer_put_bignum(&buffer, key->rsa->p);        /* reverse from SSL q */
-
-        /* Pad the part to be encrypted until its size is a multiple of 8. */
-        while (buffer_len(&buffer) % 8 != 0)
-                buffer_put_char(&buffer, 0);
-
-        /* This buffer will be used to contain the data in the file. */
-        buffer_init(&encrypted);
-
-        /* First store keyfile id string. */
-        for (i = 0; authfile_id_string[i]; i++)
-                buffer_put_char(&encrypted, authfile_id_string[i]);
-        buffer_put_char(&encrypted, 0);
-
-        /* Store cipher type. */
-        buffer_put_char(&encrypted, cipher_num);
-        buffer_put_int(&encrypted, 0);  /* For future extension */
-
-        /* Store public key.  This will be in plain text. */
-        buffer_put_int(&encrypted, BN_num_bits(key->rsa->n));
-        buffer_put_bignum(&encrypted, key->rsa->n);
-        buffer_put_bignum(&encrypted, key->rsa->e);
-        buffer_put_cstring(&encrypted, comment);
-
-        /* Allocate space for the private part of the key in the buffer. */
-        cp = buffer_append_space(&encrypted, buffer_len(&buffer));
-
-        cipher_set_key_string(&ciphercontext, cipher, passphrase,
-            CIPHER_ENCRYPT);
-        if (cipher_crypt(&ciphercontext, 0, cp,
-            buffer_ptr(&buffer), buffer_len(&buffer), 0, 0) != 0)
-                fatal("%s: cipher_crypt failed", __func__);
-        cipher_cleanup(&ciphercontext);
-        explicit_bzero(&ciphercontext, sizeof(ciphercontext));
-
-        /* Destroy temporary data. */
-        explicit_bzero(buf, sizeof(buf));
-        buffer_free(&buffer);
-
-        buffer_append(blob, buffer_ptr(&encrypted), buffer_len(&encrypted));
-        buffer_free(&encrypted);
-
-        return 1;
-}
-
-/* convert SSH v2 key in OpenSSL PEM format */
-static int
-key_private_pem_to_blob(Key *key, Buffer *blob, const char *_passphrase,
-    const char *comment)
-{
-        int success = 0;
-        int blen, len = strlen(_passphrase);
-        u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
-#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
-        const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
-#else
-        const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
-#endif
-        const u_char *bptr;
-        BIO *bio;
-
-        if (len > 0 && len <= 4) {
-                error("passphrase too short: have %d bytes, need > 4", len);
-                return 0;
-        }
-        if ((bio = BIO_new(BIO_s_mem())) == NULL) {
-                error("%s: BIO_new failed", __func__);
-                return 0;
-        }
-        switch (key->type) {
-        case KEY_DSA:
-                success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
-                    cipher, passphrase, len, NULL, NULL);
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-                success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
-                    cipher, passphrase, len, NULL, NULL);
-                break;
-#endif
-        case KEY_RSA:
-                success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
-                    cipher, passphrase, len, NULL, NULL);
-                break;
-        }
-        if (success) {
-                if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0)
-                        success = 0;
-                else
-                        buffer_append(blob, bptr, blen);
-        }
-        BIO_free(bio);
-        return success;
-}
-
 /* Save a key blob to a file */
 static int
-key_save_private_blob(Buffer *keybuf, const char *filename)
+sshkey_save_private_blob(struct sshbuf *keybuf, const char *filename)
 {
-        int fd;
+        int fd, oerrno;
 
-        if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) {
-                error("open %s failed: %s.", filename, strerror(errno));
-                return 0;
-        }
-        if (atomicio(vwrite, fd, buffer_ptr(keybuf),
-            buffer_len(keybuf)) != buffer_len(keybuf)) {
-                error("write to key file %s failed: %s", filename,
-                    strerror(errno));
+        if ((fd = open(filename, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0)
+                return SSH_ERR_SYSTEM_ERROR;
+        if (atomicio(vwrite, fd, (u_char *)sshbuf_ptr(keybuf),
+            sshbuf_len(keybuf)) != sshbuf_len(keybuf)) {
+                oerrno = errno;
                 close(fd);
                 unlink(filename);
-                return 0;
+                errno = oerrno;
+                return SSH_ERR_SYSTEM_ERROR;
         }
         close(fd);
-        return 1;
-}
-
-/* Serialise "key" to buffer "blob" */
-static int
-key_private_to_blob(Key *key, Buffer *blob, const char *passphrase,
-    const char *comment, int force_new_format, const char *new_format_cipher,
-    int new_format_rounds)
-{
-        switch (key->type) {
-        case KEY_RSA1:
-                return key_private_rsa1_to_blob(key, blob, passphrase, comment);
-        case KEY_DSA:
-        case KEY_ECDSA:
-        case KEY_RSA:
-                if (force_new_format) {
-                        return key_private_to_blob2(key, blob, passphrase,
-                            comment, new_format_cipher, new_format_rounds);
-                }
-                return key_private_pem_to_blob(key, blob, passphrase, comment);
-        case KEY_ED25519:
-                return key_private_to_blob2(key, blob, passphrase,
-                    comment, new_format_cipher, new_format_rounds);
-        default:
-                error("%s: cannot save key type %d", __func__, key->type);
-                return 0;
-        }
+        return 0;
 }
 
 int
-key_save_private(Key *key, const char *filename, const char *passphrase,
-    const char *comment, int force_new_format, const char *new_format_cipher,
-    int new_format_rounds)
+sshkey_save_private(struct sshkey *key, const char *filename,
+    const char *passphrase, const char *comment,
+    int force_new_format, const char *new_format_cipher, int new_format_rounds)
 {
-        Buffer keyblob;
-        int success = 0;
+        struct sshbuf *keyblob = NULL;
+        int r;
 
-        buffer_init(&keyblob);
-        if (!key_private_to_blob(key, &keyblob, passphrase, comment,
-            force_new_format, new_format_cipher, new_format_rounds))
+        if ((keyblob = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshkey_private_to_fileblob(key, keyblob, passphrase, comment,
+            force_new_format, new_format_cipher, new_format_rounds)) != 0)
                 goto out;
-        if (!key_save_private_blob(&keyblob, filename))
+        if ((r = sshkey_save_private_blob(keyblob, filename)) != 0)
                 goto out;
-        success = 1;
+        r = 0;
  out:
-        buffer_free(&keyblob);
-        return success;
-}
-
-/*
- * Parse the public, unencrypted portion of a RSA1 key.
- */
-static Key *
-key_parse_public_rsa1(Buffer *blob, char **commentp)
-{
-        Key *pub;
-        Buffer copy;
-
-        /* Check that it is at least big enough to contain the ID string. */
-        if (buffer_len(blob) < sizeof(authfile_id_string)) {
-                debug3("Truncated RSA1 identifier");
-                return NULL;
-        }
-
-        /*
-         * Make sure it begins with the id string.  Consume the id string
-         * from the buffer.
-         */
-        if (memcmp(buffer_ptr(blob), authfile_id_string,
-            sizeof(authfile_id_string)) != 0) {
-                debug3("Incorrect RSA1 identifier");
-                return NULL;
-        }
-        buffer_init(&copy);
-        buffer_append(&copy, buffer_ptr(blob), buffer_len(blob));
-        buffer_consume(&copy, sizeof(authfile_id_string));
-
-        /* Skip cipher type and reserved data. */
-        (void) buffer_get_char(&copy);          /* cipher type */
-        (void) buffer_get_int(&copy);           /* reserved */
-
-        /* Read the public key from the buffer. */
-        (void) buffer_get_int(&copy);
-        pub = key_new(KEY_RSA1);
-        buffer_get_bignum(&copy, pub->rsa->n);
-        buffer_get_bignum(&copy, pub->rsa->e);
-        if (commentp)
-                *commentp = buffer_get_string(&copy, NULL);
-        /* The encrypted private part is not parsed by this function. */
-        buffer_free(&copy);
-
-        return pub;
+        sshbuf_free(keyblob);
+        return r;
 }
 
 /* Load a key from a fd into a buffer */
 int
-key_load_file(int fd, const char *filename, Buffer *blob)
+sshkey_load_file(int fd, const char *filename, struct sshbuf *blob)
 {
         u_char buf[1024];
         size_t len;
         struct stat st;
+        int r;
 
-        if (fstat(fd, &st) < 0) {
-                error("%s: fstat of key file %.200s%sfailed: %.100s", __func__,
-                    filename == NULL ? "" : filename,
-                    filename == NULL ? "" : " ",
-                    strerror(errno));
-                return 0;
-        }
+        if (fstat(fd, &st) < 0)
+                return SSH_ERR_SYSTEM_ERROR;
         if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
-            st.st_size > MAX_KEY_FILE_SIZE) {
- toobig:
-                error("%s: key file %.200s%stoo large", __func__,
-                    filename == NULL ? "" : filename,
-                    filename == NULL ? "" : " ");
-                return 0;
-        }
-        buffer_clear(blob);
+            st.st_size > MAX_KEY_FILE_SIZE)
+                return SSH_ERR_INVALID_FORMAT;
         for (;;) {
                 if ((len = atomicio(read, fd, buf, sizeof(buf))) == 0) {
                         if (errno == EPIPE)
                                 break;
-                        debug("%s: read from key file %.200s%sfailed: %.100s",
-                            __func__, filename == NULL ? "" : filename,
-                            filename == NULL ? "" : " ", strerror(errno));
-                        buffer_clear(blob);
-                        explicit_bzero(buf, sizeof(buf));
-                        return 0;
+                        r = SSH_ERR_SYSTEM_ERROR;
+                        goto out;
                 }
-                buffer_append(blob, buf, len);
-                if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
-                        buffer_clear(blob);
-                        explicit_bzero(buf, sizeof(buf));
-                        goto toobig;
+                if ((r = sshbuf_put(blob, buf, len)) != 0)
+                        goto out;
+                if (sshbuf_len(blob) > MAX_KEY_FILE_SIZE) {
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
                 }
         }
-        explicit_bzero(buf, sizeof(buf));
         if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
-            st.st_size != buffer_len(blob)) {
-                debug("%s: key file %.200s%schanged size while reading",
-                    __func__, filename == NULL ? "" : filename,
-                    filename == NULL ? "" : " ");
-                buffer_clear(blob);
-                return 0;
+            st.st_size != (off_t)sshbuf_len(blob)) {
+                r = SSH_ERR_FILE_CHANGED;
+                goto out;
         }
+        r = 0;
 
-        return 1;
+ out:
+        explicit_bzero(buf, sizeof(buf));
+        if (r != 0)
+                sshbuf_reset(blob);
+        return r;
 }
 
+#ifdef WITH_SSH1
 /*
  * Loads the public part of the ssh v1 key file.  Returns NULL if an error was
  * encountered (the file does not exist or is not readable), and the key
  * otherwise.
  */
-static Key *
-key_load_public_rsa1(int fd, const char *filename, char **commentp)
+static int
+sshkey_load_public_rsa1(int fd, const char *filename,
+    struct sshkey **keyp, char **commentp)
 {
-        Buffer buffer;
-        Key *pub;
-
-        buffer_init(&buffer);
-        if (!key_load_file(fd, filename, &buffer)) {
-                buffer_free(&buffer);
-                return NULL;
-        }
+        struct sshbuf *b = NULL;
+        int r;
 
-        pub = key_parse_public_rsa1(&buffer, commentp);
-        if (pub == NULL)
-                debug3("Could not load \"%s\" as a RSA1 public key", filename);
-        buffer_free(&buffer);
-        return pub;
-}
-
-/* load public key from private-key file, works only for SSH v1 */
-Key *
-key_load_public_type(int type, const char *filename, char **commentp)
-{
-        Key *pub;
-        int fd;
+        *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
 
-        if (type == KEY_RSA1) {
-                fd = open(filename, O_RDONLY);
-                if (fd < 0)
-                        return NULL;
-                pub = key_load_public_rsa1(fd, filename, commentp);
-                close(fd);
-                return pub;
-        }
-        return NULL;
+        if ((b = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshkey_load_file(fd, filename, b)) != 0)
+                goto out;
+        if ((r = sshkey_parse_public_rsa1_fileblob(b, keyp, commentp)) != 0)
+                goto out;
+        r = 0;
+ out:
+        sshbuf_free(b);
+        return r;
 }
+#endif /* WITH_SSH1 */
 
-static Key *
-key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
+#ifdef WITH_OPENSSL
+/* XXX Deprecate? */
+int
+sshkey_load_private_pem(int fd, int type, const char *passphrase,
+    struct sshkey **keyp, char **commentp)
 {
-        int check1, check2, cipher_type;
-        Buffer decrypted;
-        u_char *cp;
-        CipherContext ciphercontext;
-        const Cipher *cipher;
-        Key *prv = NULL;
-        Buffer copy;
-
-        /* Check that it is at least big enough to contain the ID string. */
-        if (buffer_len(blob) < sizeof(authfile_id_string)) {
-                debug3("Truncated RSA1 identifier");
-                return NULL;
-        }
-
-        /*
-         * Make sure it begins with the id string.  Consume the id string
-         * from the buffer.
-         */
-        if (memcmp(buffer_ptr(blob), authfile_id_string,
-            sizeof(authfile_id_string)) != 0) {
-                debug3("Incorrect RSA1 identifier");
-                return NULL;
-        }
-        buffer_init(&copy);
-        buffer_append(&copy, buffer_ptr(blob), buffer_len(blob));
-        buffer_consume(&copy, sizeof(authfile_id_string));
-
-        /* Read cipher type. */
-        cipher_type = buffer_get_char(&copy);
-        (void) buffer_get_int(&copy);   /* Reserved data. */
-
-        /* Read the public key from the buffer. */
-        (void) buffer_get_int(&copy);
-        prv = key_new_private(KEY_RSA1);
-
-        buffer_get_bignum(&copy, prv->rsa->n);
-        buffer_get_bignum(&copy, prv->rsa->e);
-        if (commentp)
-                *commentp = buffer_get_string(&copy, NULL);
-        else
-                (void)buffer_get_string_ptr(&copy, NULL);
+        struct sshbuf *buffer = NULL;
+        int r;
 
-        /* Check that it is a supported cipher. */
-        cipher = cipher_by_number(cipher_type);
-        if (cipher == NULL) {
-                debug("Unsupported RSA1 cipher %d", cipher_type);
-                buffer_free(&copy);
-                goto fail;
-        }
-        /* Initialize space for decrypted data. */
-        buffer_init(&decrypted);
-        cp = buffer_append_space(&decrypted, buffer_len(&copy));
-
-        /* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
-        cipher_set_key_string(&ciphercontext, cipher, passphrase,
-            CIPHER_DECRYPT);
-        if (cipher_crypt(&ciphercontext, 0, cp,
-            buffer_ptr(&copy), buffer_len(&copy), 0, 0) != 0)
-                fatal("%s: cipher_crypt failed", __func__);
-        cipher_cleanup(&ciphercontext);
-        explicit_bzero(&ciphercontext, sizeof(ciphercontext));
-        buffer_free(&copy);
-
-        check1 = buffer_get_char(&decrypted);
-        check2 = buffer_get_char(&decrypted);
-        if (check1 != buffer_get_char(&decrypted) ||
-            check2 != buffer_get_char(&decrypted)) {
-                if (strcmp(passphrase, "") != 0)
-                        debug("Bad passphrase supplied for RSA1 key");
-                /* Bad passphrase. */
-                buffer_free(&decrypted);
-                goto fail;
-        }
-        /* Read the rest of the private key. */
-        buffer_get_bignum(&decrypted, prv->rsa->d);
-        buffer_get_bignum(&decrypted, prv->rsa->iqmp);          /* u */
-        /* in SSL and SSH v1 p and q are exchanged */
-        buffer_get_bignum(&decrypted, prv->rsa->q);             /* p */
-        buffer_get_bignum(&decrypted, prv->rsa->p);             /* q */
-
-        /* calculate p-1 and q-1 */
-        rsa_generate_additional_parameters(prv->rsa);
-
-        buffer_free(&decrypted);
-
-        /* enable blinding */
-        if (RSA_blinding_on(prv->rsa, NULL) != 1) {
-                error("%s: RSA_blinding_on failed", __func__);
-                goto fail;
-        }
-        return prv;
-
-fail:
+        *keyp = NULL;
         if (commentp != NULL)
-                free(*commentp);
-        key_free(prv);
-        return NULL;
-}
-
-static Key *
-key_parse_private_pem(Buffer *blob, int type, const char *passphrase,
-    char **commentp)
-{
-        EVP_PKEY *pk = NULL;
-        Key *prv = NULL;
-        char *name = "<no key>";
-        BIO *bio;
+                *commentp = NULL;
 
-        if ((bio = BIO_new_mem_buf(buffer_ptr(blob),
-            buffer_len(blob))) == NULL) {
-                error("%s: BIO_new_mem_buf failed", __func__);
-                return NULL;
-        }
-        
-        pk = PEM_read_bio_PrivateKey(bio, NULL, NULL, (char *)passphrase);
-        BIO_free(bio);
-        if (pk == NULL) {
-                debug("%s: PEM_read_PrivateKey failed", __func__);
-                (void)ERR_get_error();
-        } else if (pk->type == EVP_PKEY_RSA &&
-            (type == KEY_UNSPEC||type==KEY_RSA)) {
-                prv = key_new(KEY_UNSPEC);
-                prv->rsa = EVP_PKEY_get1_RSA(pk);
-                prv->type = KEY_RSA;
-                name = "rsa w/o comment";
-#ifdef DEBUG_PK
-                RSA_print_fp(stderr, prv->rsa, 8);
-#endif
-                if (RSA_blinding_on(prv->rsa, NULL) != 1) {
-                        error("%s: RSA_blinding_on failed", __func__);
-                        key_free(prv);
-                        prv = NULL;
-                }
-        } else if (pk->type == EVP_PKEY_DSA &&
-            (type == KEY_UNSPEC||type==KEY_DSA)) {
-                prv = key_new(KEY_UNSPEC);
-                prv->dsa = EVP_PKEY_get1_DSA(pk);
-                prv->type = KEY_DSA;
-                name = "dsa w/o comment";
-#ifdef DEBUG_PK
-                DSA_print_fp(stderr, prv->dsa, 8);
-#endif
-#ifdef OPENSSL_HAS_ECC
-        } else if (pk->type == EVP_PKEY_EC &&
-            (type == KEY_UNSPEC||type==KEY_ECDSA)) {
-                prv = key_new(KEY_UNSPEC);
-                prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
-                prv->type = KEY_ECDSA;
-                if ((prv->ecdsa_nid = key_ecdsa_key_to_nid(prv->ecdsa)) == -1 ||
-                    key_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
-                    key_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
-                    EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
-                    key_ec_validate_private(prv->ecdsa) != 0) {
-                        error("%s: bad ECDSA key", __func__);
-                        key_free(prv);
-                        prv = NULL;
-                }
-                name = "ecdsa w/o comment";
-#ifdef DEBUG_PK
-                if (prv != NULL && prv->ecdsa != NULL)
-                        key_dump_ec_key(prv->ecdsa);
-#endif
-#endif /* OPENSSL_HAS_ECC */
-        } else {
-                error("%s: PEM_read_PrivateKey: mismatch or "
-                    "unknown EVP_PKEY save_type %d", __func__, pk->save_type);
-        }
-        if (pk != NULL)
-                EVP_PKEY_free(pk);
-        if (prv != NULL && commentp)
-                *commentp = xstrdup(name);
-        debug("read PEM private key done: type %s",
-            prv ? key_type(prv) : "<unknown>");
-        return prv;
-}
-
-Key *
-key_load_private_pem(int fd, int type, const char *passphrase,
-    char **commentp)
-{
-        Buffer buffer;
-        Key *prv;
-
-        buffer_init(&buffer);
-        if (!key_load_file(fd, NULL, &buffer)) {
-                buffer_free(&buffer);
-                return NULL;
-        }
-        prv = key_parse_private_pem(&buffer, type, passphrase, commentp);
-        buffer_free(&buffer);
-        return prv;
+        if ((buffer = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshkey_load_file(fd, NULL, buffer)) != 0)
+                goto out;
+        if ((r = sshkey_parse_private_pem_fileblob(buffer, type, passphrase,
+            keyp, commentp)) != 0)
+                goto out;
+        r = 0;
+ out:
+        sshbuf_free(buffer);
+        return r;
 }
+#endif /* WITH_OPENSSL */
 
+/* XXX remove error() calls from here? */
 int
-key_perm_ok(int fd, const char *filename)
+sshkey_perm_ok(int fd, const char *filename)
 {
         struct stat st;
 
         if (fstat(fd, &st) < 0)
-                return 0;
+                return SSH_ERR_SYSTEM_ERROR;
         /*
          * if a key owned by the user is accessed, then we check the
          * permissions of the file. if the key owned by a different user,
@@ -985,298 +213,311 @@ key_perm_ok(int fd, const char *filename)
                 error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
                 error("Permissions 0%3.3o for '%s' are too open.",
                     (u_int)st.st_mode & 0777, filename);
-                error("It is required that your private key files are NOT accessible by others.");
+                error("It is recommended that your private key files are NOT accessible by others.");
                 error("This private key will be ignored.");
-                return 0;
+                return SSH_ERR_KEY_BAD_PERMISSIONS;
         }
-        return 1;
+        return 0;
 }
 
-static Key *
-key_parse_private_type(Buffer *blob, int type, const char *passphrase,
-    char **commentp)
+/* XXX kill perm_ok now that we have SSH_ERR_KEY_BAD_PERMISSIONS? */
+int
+sshkey_load_private_type(int type, const char *filename, const char *passphrase,
+    struct sshkey **keyp, char **commentp, int *perm_ok)
 {
-        Key *k;
+        int fd, r;
+        struct sshbuf *buffer = NULL;
 
-        switch (type) {
-        case KEY_RSA1:
-                return key_parse_private_rsa1(blob, passphrase, commentp);
-        case KEY_DSA:
-        case KEY_ECDSA:
-        case KEY_RSA:
-                return key_parse_private_pem(blob, type, passphrase, commentp);
-        case KEY_ED25519:
-                return key_parse_private2(blob, type, passphrase, commentp);
-        case KEY_UNSPEC:
-                if ((k = key_parse_private2(blob, type, passphrase, commentp)))
-                        return k;
-                return key_parse_private_pem(blob, type, passphrase, commentp);
-        default:
-                error("%s: cannot parse key type %d", __func__, type);
-                break;
-        }
-        return NULL;
-}
-
-Key *
-key_load_private_type(int type, const char *filename, const char *passphrase,
-    char **commentp, int *perm_ok)
-{
-        int fd;
-        Key *ret;
-        Buffer buffer;
+        *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
 
-        fd = open(filename, O_RDONLY);
-        if (fd < 0) {
-                debug("could not open key file '%s': %s", filename,
-                    strerror(errno));
+        if ((fd = open(filename, O_RDONLY)) < 0) {
                 if (perm_ok != NULL)
                         *perm_ok = 0;
-                return NULL;
+                return SSH_ERR_SYSTEM_ERROR;
         }
-        if (!key_perm_ok(fd, filename)) {
+        if (sshkey_perm_ok(fd, filename) != 0) {
                 if (perm_ok != NULL)
                         *perm_ok = 0;
-                error("bad permissions: ignore key: %s", filename);
-                close(fd);
-                return NULL;
+                r = SSH_ERR_KEY_BAD_PERMISSIONS;
+                goto out;
         }
         if (perm_ok != NULL)
                 *perm_ok = 1;
 
-        buffer_init(&buffer);
-        if (!key_load_file(fd, filename, &buffer)) {
-                buffer_free(&buffer);
-                close(fd);
-                return NULL;
+        if ((buffer = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
         }
+        if ((r = sshkey_load_file(fd, filename, buffer)) != 0)
+                goto out;
+        if ((r = sshkey_parse_private_fileblob_type(buffer, type, passphrase,
+            keyp, commentp)) != 0)
+                goto out;
+        r = 0;
+ out:
         close(fd);
-        ret = key_parse_private_type(&buffer, type, passphrase, commentp);
-        buffer_free(&buffer);
-        return ret;
+        if (buffer != NULL)
+                sshbuf_free(buffer);
+        return r;
 }
 
-Key *
-key_parse_private(Buffer *buffer, const char *filename,
-    const char *passphrase, char **commentp)
+/* XXX this is almost identical to sshkey_load_private_type() */
+int
+sshkey_load_private(const char *filename, const char *passphrase,
+    struct sshkey **keyp, char **commentp)
 {
-        Key *pub, *prv;
-
-        /* it's a SSH v1 key if the public key part is readable */
-        pub = key_parse_public_rsa1(buffer, commentp);
-        if (pub == NULL) {
-                prv = key_parse_private_type(buffer, KEY_UNSPEC,
-                    passphrase, NULL);
-                /* use the filename as a comment for PEM */
-                if (commentp && prv)
-                        *commentp = xstrdup(filename);
-        } else {
-                key_free(pub);
-                /* key_parse_public_rsa1() has already loaded the comment */
-                prv = key_parse_private_type(buffer, KEY_RSA1, passphrase,
-                    NULL);
-        }
-        return prv;
-}
+        struct sshbuf *buffer = NULL;
+        int r, fd;
 
-Key *
-key_load_private(const char *filename, const char *passphrase,
-    char **commentp)
-{
-        Key *prv;
-        Buffer buffer;
-        int fd;
+        *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
 
-        fd = open(filename, O_RDONLY);
-        if (fd < 0) {
-                debug("could not open key file '%s': %s", filename,
-                    strerror(errno));
-                return NULL;
-        }
-        if (!key_perm_ok(fd, filename)) {
-                error("bad permissions: ignore key: %s", filename);
-                close(fd);
-                return NULL;
+        if ((fd = open(filename, O_RDONLY)) < 0)
+                return SSH_ERR_SYSTEM_ERROR;
+        if (sshkey_perm_ok(fd, filename) != 0) {
+                r = SSH_ERR_KEY_BAD_PERMISSIONS;
+                goto out;
         }
 
-        buffer_init(&buffer);
-        if (!key_load_file(fd, filename, &buffer)) {
-                buffer_free(&buffer);
-                close(fd);
-                return NULL;
+        if ((buffer = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
         }
+        if ((r = sshkey_load_file(fd, filename, buffer)) != 0 ||
+            (r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
+            keyp, commentp)) != 0)
+                goto out;
+        r = 0;
+ out:
         close(fd);
-
-        prv = key_parse_private(&buffer, filename, passphrase, commentp);
-        buffer_free(&buffer);
-        return prv;
+        if (buffer != NULL)
+                sshbuf_free(buffer);
+        return r;
 }
 
 static int
-key_try_load_public(Key *k, const char *filename, char **commentp)
+sshkey_try_load_public(struct sshkey *k, const char *filename, char **commentp)
 {
         FILE *f;
         char line[SSH_MAX_PUBKEY_BYTES];
         char *cp;
         u_long linenum = 0;
+        int r;
 
-        f = fopen(filename, "r");
-        if (f != NULL) {
-                while (read_keyfile_line(f, filename, line, sizeof(line),
-                            &linenum) != -1) {
-                        cp = line;
-                        switch (*cp) {
-                        case '#':
-                        case '\n':
-                        case '\0':
-                                continue;
-                        }
-                        /* Abort loading if this looks like a private key */
-                        if (strncmp(cp, "-----BEGIN", 10) == 0)
-                                break;
-                        /* Skip leading whitespace. */
-                        for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
-                                ;
-                        if (*cp) {
-                                if (key_read(k, &cp) == 1) {
-                                        cp[strcspn(cp, "\r\n")] = '\0';
-                                        if (commentp) {
-                                                *commentp = xstrdup(*cp ?
-                                                    cp : filename);
-                                        }
-                                        fclose(f);
-                                        return 1;
+        if (commentp != NULL)
+                *commentp = NULL;
+        if ((f = fopen(filename, "r")) == NULL)
+                return SSH_ERR_SYSTEM_ERROR;
+        while (read_keyfile_line(f, filename, line, sizeof(line),
+                    &linenum) != -1) {
+                cp = line;
+                switch (*cp) {
+                case '#':
+                case '\n':
+                case '\0':
+                        continue;
+                }
+                /* Abort loading if this looks like a private key */
+                if (strncmp(cp, "-----BEGIN", 10) == 0 ||
+                    strcmp(cp, "SSH PRIVATE KEY FILE") == 0)
+                        break;
+                /* Skip leading whitespace. */
+                for (; *cp && (*cp == ' ' || *cp == '\t'); cp++)
+                        ;
+                if (*cp) {
+                        if ((r = sshkey_read(k, &cp)) == 0) {
+                                cp[strcspn(cp, "\r\n")] = '\0';
+                                if (commentp) {
+                                        *commentp = strdup(*cp ?
+                                            cp : filename);
+                                        if (*commentp == NULL)
+                                                r = SSH_ERR_ALLOC_FAIL;
                                 }
+                                fclose(f);
+                                return r;
                         }
                 }
-                fclose(f);
         }
-        return 0;
+        fclose(f);
+        return SSH_ERR_INVALID_FORMAT;
 }
 
 /* load public key from ssh v1 private or any pubkey file */
-Key *
-key_load_public(const char *filename, char **commentp)
+int
+sshkey_load_public(const char *filename, struct sshkey **keyp, char **commentp)
 {
-        Key *pub;
+        struct sshkey *pub = NULL;
         char file[MAXPATHLEN];
+        int r, fd;
+
+        if (keyp != NULL)
+                *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
 
+        if ((fd = open(filename, O_RDONLY)) < 0)
+                goto skip;
+#ifdef WITH_SSH1
         /* try rsa1 private key */
-        pub = key_load_public_type(KEY_RSA1, filename, commentp);
-        if (pub != NULL)
-                return pub;
+        r = sshkey_load_public_rsa1(fd, filename, keyp, commentp);
+        close(fd);
+        switch (r) {
+        case SSH_ERR_INTERNAL_ERROR:
+        case SSH_ERR_ALLOC_FAIL:
+        case SSH_ERR_INVALID_ARGUMENT:
+        case SSH_ERR_SYSTEM_ERROR:
+        case 0:
+                return r;
+        }
+#endif /* WITH_SSH1 */
 
+        /* try ssh2 public key */
+        if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
+                if (keyp != NULL)
+                        *keyp = pub;
+                return 0;
+        }
+        sshkey_free(pub);
+
+#ifdef WITH_SSH1
         /* try rsa1 public key */
-        pub = key_new(KEY_RSA1);
-        if (key_try_load_public(pub, filename, commentp) == 1)
-                return pub;
-        key_free(pub);
+        if ((pub = sshkey_new(KEY_RSA1)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshkey_try_load_public(pub, filename, commentp)) == 0) {
+                if (keyp != NULL)
+                        *keyp = pub;
+                return 0;
+        }
+        sshkey_free(pub);
+#endif /* WITH_SSH1 */
 
-        /* try ssh2 public key */
-        pub = key_new(KEY_UNSPEC);
-        if (key_try_load_public(pub, filename, commentp) == 1)
-                return pub;
+ skip:
+        /* try .pub suffix */
+        if ((pub = sshkey_new(KEY_UNSPEC)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        r = SSH_ERR_ALLOC_FAIL; /* in case strlcpy or strlcat fail */
         if ((strlcpy(file, filename, sizeof file) < sizeof(file)) &&
             (strlcat(file, ".pub", sizeof file) < sizeof(file)) &&
-            (key_try_load_public(pub, file, commentp) == 1))
-                return pub;
-        key_free(pub);
-        return NULL;
+            (r = sshkey_try_load_public(pub, file, commentp)) == 0) {
+                if (keyp != NULL)
+                        *keyp = pub;
+                return 0;
+        }
+        sshkey_free(pub);
+        return r;
 }
 
 /* Load the certificate associated with the named private key */
-Key *
-key_load_cert(const char *filename)
+int
+sshkey_load_cert(const char *filename, struct sshkey **keyp)
 {
-        Key *pub;
-        char *file;
+        struct sshkey *pub = NULL;
+        char *file = NULL;
+        int r = SSH_ERR_INTERNAL_ERROR;
 
-        pub = key_new(KEY_UNSPEC);
-        xasprintf(&file, "%s-cert.pub", filename);
-        if (key_try_load_public(pub, file, NULL) == 1) {
-                free(file);
-                return pub;
+        *keyp = NULL;
+
+        if (asprintf(&file, "%s-cert.pub", filename) == -1)
+                return SSH_ERR_ALLOC_FAIL;
+
+        if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
+                goto out;
         }
-        free(file);
-        key_free(pub);
-        return NULL;
+        if ((r = sshkey_try_load_public(pub, file, NULL)) != 0)
+                goto out;
+
+        *keyp = pub;
+        pub = NULL;
+        r = 0;
+
+ out:
+        if (file != NULL)
+                free(file);
+        if (pub != NULL)
+                sshkey_free(pub);
+        return r;
 }
 
 /* Load private key and certificate */
-Key *
-key_load_private_cert(int type, const char *filename, const char *passphrase,
-    int *perm_ok)
+int
+sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
+    struct sshkey **keyp, int *perm_ok)
 {
-        Key *key, *pub;
+        struct sshkey *key = NULL, *cert = NULL;
+        int r;
+
+        *keyp = NULL;
 
         switch (type) {
+#ifdef WITH_OPENSSL
         case KEY_RSA:
         case KEY_DSA:
         case KEY_ECDSA:
         case KEY_ED25519:
+#endif /* WITH_OPENSSL */
+        case KEY_UNSPEC:
                 break;
         default:
-                error("%s: unsupported key type", __func__);
-                return NULL;
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
         }
 
-        if ((key = key_load_private_type(type, filename, 
-            passphrase, NULL, perm_ok)) == NULL)
-                return NULL;
-
-        if ((pub = key_load_cert(filename)) == NULL) {
-                key_free(key);
-                return NULL;
-        }
+        if ((r = sshkey_load_private_type(type, filename,
+            passphrase, &key, NULL, perm_ok)) != 0 ||
+            (r = sshkey_load_cert(filename, &cert)) != 0)
+                goto out;
 
         /* Make sure the private key matches the certificate */
-        if (key_equal_public(key, pub) == 0) {
-                error("%s: certificate does not match private key %s",
-                    __func__, filename);
-        } else if (key_to_certified(key, key_cert_is_legacy(pub)) != 0) {
-                error("%s: key_to_certified failed", __func__);
-        } else {
-                key_cert_copy(pub, key);
-                key_free(pub);
-                return key;
+        if (sshkey_equal_public(key, cert) == 0) {
+                r = SSH_ERR_KEY_CERT_MISMATCH;
+                goto out;
         }
 
-        key_free(key);
-        key_free(pub);
-        return NULL;
+        if ((r = sshkey_to_certified(key, sshkey_cert_is_legacy(cert))) != 0 ||
+            (r = sshkey_cert_copy(cert, key)) != 0)
+                goto out;
+        r = 0;
+        *keyp = key;
+        key = NULL;
+ out:
+        if (key != NULL)
+                sshkey_free(key);
+        if (cert != NULL)
+                sshkey_free(cert);
+        return r;
 }
 
 /*
- * Returns 1 if the specified "key" is listed in the file "filename",
- * 0 if the key is not listed or -1 on error.
+ * Returns success if the specified "key" is listed in the file "filename",
+ * SSH_ERR_KEY_NOT_FOUND: if the key is not listed or another error.
  * If strict_type is set then the key type must match exactly,
  * otherwise a comparison that ignores certficiate data is performed.
  */
 int
-key_in_file(Key *key, const char *filename, int strict_type)
+sshkey_in_file(struct sshkey *key, const char *filename, int strict_type)
 {
         FILE *f;
         char line[SSH_MAX_PUBKEY_BYTES];
         char *cp;
         u_long linenum = 0;
-        int ret = 0;
-        Key *pub;
-        int (*key_compare)(const Key *, const Key *) = strict_type ?
-            key_equal : key_equal_public;
+        int r = 0;
+        struct sshkey *pub = NULL;
+        int (*sshkey_compare)(const struct sshkey *, const struct sshkey *) =
+            strict_type ?  sshkey_equal : sshkey_equal_public;
 
         if ((f = fopen(filename, "r")) == NULL) {
-                if (errno == ENOENT) {
-                        debug("%s: keyfile \"%s\" missing", __func__, filename);
-                        return 0;
-                } else {
-                        error("%s: could not open keyfile \"%s\": %s", __func__,
-                            filename, strerror(errno));
-                        return -1;
-                }
+                if (errno == ENOENT)
+                        return SSH_ERR_KEY_NOT_FOUND;
+                else
+                        return SSH_ERR_SYSTEM_ERROR;
         }
 
         while (read_keyfile_line(f, filename, line, sizeof(line),
-                    &linenum) != -1) {
+            &linenum) != -1) {
                 cp = line;
 
                 /* Skip leading whitespace. */
@@ -1291,18 +532,24 @@ key_in_file(Key *key, const char *filename, int strict_type)
                         continue;
                 }
 
-                pub = key_new(KEY_UNSPEC);
-                if (key_read(pub, &cp) != 1) {
-                        key_free(pub);
-                        continue;
+                if ((pub = sshkey_new(KEY_UNSPEC)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
                 }
-                if (key_compare(key, pub)) {
-                        ret = 1;
-                        key_free(pub);
-                        break;
+                if ((r = sshkey_read(pub, &cp)) != 0)
+                        goto out;
+                if (sshkey_compare(key, pub)) {
+                        r = 0;
+                        goto out;
                 }
-                key_free(pub);
+                sshkey_free(pub);
+                pub = NULL;
         }
+        r = SSH_ERR_KEY_NOT_FOUND;
+ out:
+        if (pub != NULL)
+                sshkey_free(pub);
         fclose(f);
-        return ret;
+        return r;
 }
+
diff --git a/authfile.h b/authfile.h
index 8ba1c2dbe..03bc3958c 100644
--- a/authfile.h
+++ b/authfile.h
@@ -1,32 +1,47 @@
-/* $OpenBSD: authfile.h,v 1.17 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: authfile.h,v 1.19 2014/07/03 23:18:35 djm Exp $ */
 
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
+ * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
  *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
 
 #ifndef AUTHFILE_H
 #define AUTHFILE_H
 
-int      key_save_private(Key *, const char *, const char *, const char *,
-    int, const char *, int);
-int      key_load_file(int, const char *, Buffer *);
-Key     *key_load_cert(const char *);
-Key     *key_load_public(const char *, char **);
-Key     *key_load_public_type(int, const char *, char **);
-Key     *key_parse_private(Buffer *, const char *, const char *, char **);
-Key     *key_load_private(const char *, const char *, char **);
-Key     *key_load_private_cert(int, const char *, const char *, int *);
-Key     *key_load_private_type(int, const char *, const char *, char **, int *);
-Key     *key_load_private_pem(int, int, const char *, char **);
-int      key_perm_ok(int, const char *);
-int      key_in_file(Key *, const char *, int);
+struct sshbuf;
+struct sshkey;
+
+int sshkey_save_private(struct sshkey *, const char *,
+    const char *, const char *, int, const char *, int);
+int sshkey_load_file(int, const char *, struct sshbuf *);
+int sshkey_load_cert(const char *, struct sshkey **);
+int sshkey_load_public(const char *, struct sshkey **, char **);
+int sshkey_load_private(const char *, const char *, struct sshkey **, char **);
+int sshkey_load_private_cert(int, const char *, const char *,
+    struct sshkey **, int *);
+int sshkey_load_private_type(int, const char *, const char *,
+    struct sshkey **, char **, int *);
+int sshkey_load_private_pem(int, int, const char *, struct sshkey **, char **);
+int sshkey_perm_ok(int, const char *);
+int sshkey_in_file(struct sshkey *, const char *, int);
 
 #endif
diff --git a/bufaux.c b/bufaux.c
index e24b5fc0a..3976896a9 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,70 +1,40 @@
-/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.60 2014/04/30 05:29:56 djm Exp $ */
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Auxiliary functions for storing and retrieving various data types to/from
- * Buffers.
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
  *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- *
- * SSH2 packet format added by Markus Friedl
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
+
 #include "includes.h"
 
 #include <sys/types.h>
 
-#include <openssl/bn.h>
-
-#include <string.h>
-#include <stdarg.h>
-#include <stdlib.h>
-
-#include "xmalloc.h"
 #include "buffer.h"
 #include "log.h"
-#include "misc.h"
-
-/*
- * Returns integers from the buffer (msb first).
- */
+#include "ssherr.h"
 
 int
-buffer_get_short_ret(u_short *ret, Buffer *buffer)
+buffer_get_short_ret(u_short *v, Buffer *buffer)
 {
-        u_char buf[2];
+        int ret;
 
-        if (buffer_get_ret(buffer, (char *) buf, 2) == -1)
-                return (-1);
-        *ret = get_u16(buf);
-        return (0);
+        if ((ret = sshbuf_get_u16(buffer, v)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
+        }
+        return 0;
 }
 
 u_short
@@ -73,21 +43,21 @@ buffer_get_short(Buffer *buffer)
         u_short ret;
 
         if (buffer_get_short_ret(&ret, buffer) == -1)
-                fatal("buffer_get_short: buffer error");
+                fatal("%s: buffer error", __func__);
 
         return (ret);
 }
 
 int
-buffer_get_int_ret(u_int *ret, Buffer *buffer)
+buffer_get_int_ret(u_int *v, Buffer *buffer)
 {
-        u_char buf[4];
+        int ret;
 
-        if (buffer_get_ret(buffer, (char *) buf, 4) == -1)
-                return (-1);
-        if (ret != NULL)
-                *ret = get_u32(buf);
-        return (0);
+        if ((ret = sshbuf_get_u32(buffer, v)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
+        }
+        return 0;
 }
 
 u_int
@@ -96,21 +66,21 @@ buffer_get_int(Buffer *buffer)
         u_int ret;
 
         if (buffer_get_int_ret(&ret, buffer) == -1)
-                fatal("buffer_get_int: buffer error");
+                fatal("%s: buffer error", __func__);
 
         return (ret);
 }
 
 int
-buffer_get_int64_ret(u_int64_t *ret, Buffer *buffer)
+buffer_get_int64_ret(u_int64_t *v, Buffer *buffer)
 {
-        u_char buf[8];
+        int ret;
 
-        if (buffer_get_ret(buffer, (char *) buf, 8) == -1)
-                return (-1);
-        if (ret != NULL)
-                *ret = get_u64(buf);
-        return (0);
+        if ((ret = sshbuf_get_u64(buffer, v)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
+        }
+        return 0;
 }
 
 u_int64_t
@@ -119,78 +89,52 @@ buffer_get_int64(Buffer *buffer)
         u_int64_t ret;
 
         if (buffer_get_int64_ret(&ret, buffer) == -1)
-                fatal("buffer_get_int: buffer error");
+                fatal("%s: buffer error", __func__);
 
         return (ret);
 }
 
-/*
- * Stores integers in the buffer, msb first.
- */
 void
 buffer_put_short(Buffer *buffer, u_short value)
 {
-        char buf[2];
+        int ret;
 
-        put_u16(buf, value);
-        buffer_append(buffer, buf, 2);
+        if ((ret = sshbuf_put_u16(buffer, value)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
 
 void
 buffer_put_int(Buffer *buffer, u_int value)
 {
-        char buf[4];
+        int ret;
 
-        put_u32(buf, value);
-        buffer_append(buffer, buf, 4);
+        if ((ret = sshbuf_put_u32(buffer, value)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
 
 void
 buffer_put_int64(Buffer *buffer, u_int64_t value)
 {
-        char buf[8];
+        int ret;
 
-        put_u64(buf, value);
-        buffer_append(buffer, buf, 8);
+        if ((ret = sshbuf_put_u64(buffer, value)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
 
-/*
- * Returns an arbitrary binary string from the buffer.  The string cannot
- * be longer than 256k.  The returned value points to memory allocated
- * with xmalloc; it is the responsibility of the calling function to free
- * the data.  If length_ptr is non-NULL, the length of the returned data
- * will be stored there.  A null character will be automatically appended
- * to the returned string, and is not counted in length.
- */
 void *
 buffer_get_string_ret(Buffer *buffer, u_int *length_ptr)
 {
+        size_t len;
+        int ret;
         u_char *value;
-        u_int len;
 
-        /* Get the length. */
-        if (buffer_get_int_ret(&len, buffer) != 0) {
-                error("buffer_get_string_ret: cannot extract length");
-                return (NULL);
-        }
-        if (len > 256 * 1024) {
-                error("buffer_get_string_ret: bad string length %u", len);
-                return (NULL);
-        }
-        /* Allocate space for the string.  Add one byte for a null character. */
-        value = xmalloc(len + 1);
-        /* Get the string. */
-        if (buffer_get_ret(buffer, value, len) == -1) {
-                error("buffer_get_string_ret: buffer_get failed");
-                free(value);
-                return (NULL);
+        if ((ret = sshbuf_get_string(buffer, &value, &len)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return NULL;
         }
-        /* Append a null character to make processing easier. */
-        value[len] = '\0';
-        /* Optionally return the length of the string. */
-        if (length_ptr)
-                *length_ptr = len;
-        return (value);
+        if (length_ptr != NULL)
+                *length_ptr = len;  /* Safe: sshbuf never stores len > 2^31 */
+        return value;
 }
 
 void *
@@ -199,31 +143,24 @@ buffer_get_string(Buffer *buffer, u_int *length_ptr)
         void *ret;
 
         if ((ret = buffer_get_string_ret(buffer, length_ptr)) == NULL)
-                fatal("buffer_get_string: buffer error");
+                fatal("%s: buffer error", __func__);
         return (ret);
 }
 
 char *
 buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
 {
-        u_int length;
-        char *cp, *ret = buffer_get_string_ret(buffer, &length);
+        size_t len;
+        int ret;
+        char *value;
 
-        if (ret == NULL)
+        if ((ret = sshbuf_get_cstring(buffer, &value, &len)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
                 return NULL;
-        if ((cp = memchr(ret, '\0', length)) != NULL) {
-                /* XXX allow \0 at end-of-string for a while, remove later */
-                if (cp == ret + length - 1)
-                        error("buffer_get_cstring_ret: string contains \\0");
-                else {
-                        explicit_bzero(ret, length);
-                        free(ret);
-                        return NULL;
-                }
         }
         if (length_ptr != NULL)
-                *length_ptr = length;
-        return ret;
+                *length_ptr = len;  /* Safe: sshbuf never stores len > 2^31 */
+        return value;
 }
 
 char *
@@ -232,159 +169,91 @@ buffer_get_cstring(Buffer *buffer, u_int *length_ptr)
         char *ret;
 
         if ((ret = buffer_get_cstring_ret(buffer, length_ptr)) == NULL)
-                fatal("buffer_get_cstring: buffer error");
+                fatal("%s: buffer error", __func__);
         return ret;
 }
 
-void *
+const void *
 buffer_get_string_ptr_ret(Buffer *buffer, u_int *length_ptr)
 {
-        void *ptr;
-        u_int len;
+        size_t len;
+        int ret;
+        const u_char *value;
 
-        if (buffer_get_int_ret(&len, buffer) != 0)
-                return NULL;
-        if (len > 256 * 1024) {
-                error("buffer_get_string_ptr: bad string length %u", len);
+        if ((ret = sshbuf_get_string_direct(buffer, &value, &len)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
                 return NULL;
         }
-        ptr = buffer_ptr(buffer);
-        buffer_consume(buffer, len);
-        if (length_ptr)
-                *length_ptr = len;
-        return (ptr);
+        if (length_ptr != NULL)
+                *length_ptr = len;  /* Safe: sshbuf never stores len > 2^31 */
+        return value;
 }
 
-void *
+const void *
 buffer_get_string_ptr(Buffer *buffer, u_int *length_ptr)
 {
-        void *ret;
+        const void *ret;
 
         if ((ret = buffer_get_string_ptr_ret(buffer, length_ptr)) == NULL)
-                fatal("buffer_get_string_ptr: buffer error");
+                fatal("%s: buffer error", __func__);
         return (ret);
 }
 
-/*
- * Stores and arbitrary binary string in the buffer.
- */
 void
 buffer_put_string(Buffer *buffer, const void *buf, u_int len)
 {
-        buffer_put_int(buffer, len);
-        buffer_append(buffer, buf, len);
+        int ret;
+
+        if ((ret = sshbuf_put_string(buffer, buf, len)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
+
 void
 buffer_put_cstring(Buffer *buffer, const char *s)
 {
-        if (s == NULL)
-                fatal("buffer_put_cstring: s == NULL");
-        buffer_put_string(buffer, s, strlen(s));
+        int ret;
+
+        if ((ret = sshbuf_put_cstring(buffer, s)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
 
-/*
- * Returns a character from the buffer (0 - 255).
- */
 int
-buffer_get_char_ret(u_char *ret, Buffer *buffer)
+buffer_get_char_ret(char *v, Buffer *buffer)
 {
-        if (buffer_get_ret(buffer, ret, 1) == -1) {
-                error("buffer_get_char_ret: buffer_get_ret failed");
-                return (-1);
+        int ret;
+
+        if ((ret = sshbuf_get_u8(buffer, (u_char *)v)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
         }
-        return (0);
+        return 0;
 }
 
 int
 buffer_get_char(Buffer *buffer)
 {
-        u_char ch;
+        char ch;
 
         if (buffer_get_char_ret(&ch, buffer) == -1)
-                fatal("buffer_get_char: buffer error");
-        return ch;
+                fatal("%s: buffer error", __func__);
+        return (u_char) ch;
 }
 
-/*
- * Stores a character in the buffer.
- */
 void
 buffer_put_char(Buffer *buffer, int value)
 {
-        char ch = value;
+        int ret;
 
-        buffer_append(buffer, &ch, 1);
+        if ((ret = sshbuf_put_u8(buffer, value)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
 
-/* Pseudo bignum functions */
-
-void *
-buffer_get_bignum2_as_string_ret(Buffer *buffer, u_int *length_ptr)
-{
-        u_int len;
-        u_char *bin, *p, *ret;
-
-        if ((p = bin = buffer_get_string_ret(buffer, &len)) == NULL) {
-                error("%s: invalid bignum", __func__);
-                return NULL;
-        }
-
-        if (len > 0 && (bin[0] & 0x80)) {
-                error("%s: negative numbers not supported", __func__);
-                free(bin);
-                return NULL;
-        }
-        if (len > 8 * 1024) {
-                error("%s: cannot handle BN of size %d", __func__, len);
-                free(bin);
-                return NULL;
-        }
-        /* Skip zero prefix on numbers with the MSB set */
-        if (len > 1 && bin[0] == 0x00 && (bin[1] & 0x80) != 0) {
-                p++;
-                len--;
-        }
-        ret = xmalloc(len);
-        memcpy(ret, p, len);
-        explicit_bzero(p, len);
-        free(bin);
-        return ret;
-}
-
-void *
-buffer_get_bignum2_as_string(Buffer *buffer, u_int *l)
-{
-        void *ret = buffer_get_bignum2_as_string_ret(buffer, l);
-
-        if (ret == NULL)
-                fatal("%s: buffer error", __func__);
-        return ret;
-}
-
-/*
- * Stores a string using the bignum encoding rules (\0 pad if MSB set).
- */
 void
 buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
 {
-        u_char *buf, *p;
-        int pad = 0;
-
-        if (l > 8 * 1024)
-                fatal("%s: length %u too long", __func__, l);
-        p = buf = xmalloc(l + 1);
-        /*
-         * If most significant bit is set then prepend a zero byte to
-         * avoid interpretation as a negative number.
-         */
-        if (l > 0 && (s[0] & 0x80) != 0) {
-                *p++ = '\0';
-                pad = 1;
-        }
-        memcpy(p, s, l);
-        buffer_put_string(buffer, buf, l + pad);
-        explicit_bzero(buf, l + pad);
-        free(buf);
-}
+        int ret;
 
+        if ((ret = sshbuf_put_bignum2_bytes(buffer, s, l)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
+}
 
diff --git a/bufbn.c b/bufbn.c
index 1d2e01266..b7f7cb122 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,229 +1,103 @@
-/* $OpenBSD: bufbn.c,v 1.11 2014/02/27 08:25:09 djm Exp $*/
+/* $OpenBSD: bufbn.c,v 1.12 2014/04/30 05:29:56 djm Exp $ */
+
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Auxiliary functions for storing and retrieving various data types to/from
- * Buffers.
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * SSH2 packet format added by Markus Friedl
- * Copyright (c) 2000 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
  *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
+
 #include "includes.h"
 
 #include <sys/types.h>
 
-#include <openssl/bn.h>
-
-#include <string.h>
-#include <stdarg.h>
-#include <stdlib.h>
-
-#include "xmalloc.h"
 #include "buffer.h"
 #include "log.h"
-#include "misc.h"
+#include "ssherr.h"
 
-/*
- * Stores an BIGNUM in the buffer with a 2-byte msb first bit count, followed
- * by (bits+7)/8 bytes of binary data, msb first.
- */
 int
 buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
 {
-        int bits = BN_num_bits(value);
-        int bin_size = (bits + 7) / 8;
-        u_char *buf = xmalloc(bin_size);
-        int oi;
-        char msg[2];
-
-        /* Get the value of in binary */
-        oi = BN_bn2bin(value, buf);
-        if (oi != bin_size) {
-                error("buffer_put_bignum_ret: BN_bn2bin() failed: oi %d != bin_size %d",
-                    oi, bin_size);
-                free(buf);
-                return (-1);
-        }
-
-        /* Store the number of bits in the buffer in two bytes, msb first. */
-        put_u16(msg, bits);
-        buffer_append(buffer, msg, 2);
-        /* Store the binary data. */
-        buffer_append(buffer, buf, oi);
-
-        explicit_bzero(buf, bin_size);
-        free(buf);
+        int ret;
 
-        return (0);
+        if ((ret = sshbuf_put_bignum1(buffer, value)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
+        }
+        return 0;
 }
 
 void
 buffer_put_bignum(Buffer *buffer, const BIGNUM *value)
 {
         if (buffer_put_bignum_ret(buffer, value) == -1)
-                fatal("buffer_put_bignum: buffer error");
+                fatal("%s: buffer error", __func__);
 }
 
-/*
- * Retrieves a BIGNUM from the buffer.
- */
 int
 buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
 {
-        u_int bits, bytes;
-        u_char buf[2], *bin;
+        int ret;
 
-        /* Get the number of bits. */
-        if (buffer_get_ret(buffer, (char *) buf, 2) == -1) {
-                error("buffer_get_bignum_ret: invalid length");
-                return (-1);
+        if ((ret = sshbuf_get_bignum1(buffer, value)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
         }
-        bits = get_u16(buf);
-        if (bits > 65535-7) {
-                error("buffer_get_bignum_ret: cannot handle BN of size %d",
-                    bits);
-                return (-1);
-        }
-        /* Compute the number of binary bytes that follow. */
-        bytes = (bits + 7) / 8;
-        if (bytes > 8 * 1024) {
-                error("buffer_get_bignum_ret: cannot handle BN of size %d", bytes);
-                return (-1);
-        }
-        if (buffer_len(buffer) < bytes) {
-                error("buffer_get_bignum_ret: input buffer too small");
-                return (-1);
-        }
-        bin = buffer_ptr(buffer);
-        if (BN_bin2bn(bin, bytes, value) == NULL) {
-                error("buffer_get_bignum_ret: BN_bin2bn failed");
-                return (-1);
-        }
-        if (buffer_consume_ret(buffer, bytes) == -1) {
-                error("buffer_get_bignum_ret: buffer_consume failed");
-                return (-1);
-        }
-        return (0);
+        return 0;
 }
 
 void
 buffer_get_bignum(Buffer *buffer, BIGNUM *value)
 {
         if (buffer_get_bignum_ret(buffer, value) == -1)
-                fatal("buffer_get_bignum: buffer error");
+                fatal("%s: buffer error", __func__);
 }
 
-/*
- * Stores a BIGNUM in the buffer in SSH2 format.
- */
 int
 buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
 {
-        u_int bytes;
-        u_char *buf;
-        int oi;
-        u_int hasnohigh = 0;
-
-        if (BN_is_zero(value)) {
-                buffer_put_int(buffer, 0);
-                return 0;
-        }
-        if (value->neg) {
-                error("buffer_put_bignum2_ret: negative numbers not supported");
-                return (-1);
-        }
-        bytes = BN_num_bytes(value) + 1; /* extra padding byte */
-        if (bytes < 2) {
-                error("buffer_put_bignum2_ret: BN too small");
-                return (-1);
-        }
-        buf = xmalloc(bytes);
-        buf[0] = 0x00;
-        /* Get the value of in binary */
-        oi = BN_bn2bin(value, buf+1);
-        if (oi < 0 || (u_int)oi != bytes - 1) {
-                error("buffer_put_bignum2_ret: BN_bn2bin() failed: "
-                    "oi %d != bin_size %d", oi, bytes);
-                free(buf);
-                return (-1);
+        int ret;
+
+        if ((ret = sshbuf_put_bignum2(buffer, value)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
         }
-        hasnohigh = (buf[1] & 0x80) ? 0 : 1;
-        buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
-        explicit_bzero(buf, bytes);
-        free(buf);
-        return (0);
+        return 0;
 }
 
 void
 buffer_put_bignum2(Buffer *buffer, const BIGNUM *value)
 {
         if (buffer_put_bignum2_ret(buffer, value) == -1)
-                fatal("buffer_put_bignum2: buffer error");
+                fatal("%s: buffer error", __func__);
 }
 
 int
 buffer_get_bignum2_ret(Buffer *buffer, BIGNUM *value)
 {
-        u_int len;
-        u_char *bin;
+        int ret;
 
-        if ((bin = buffer_get_string_ret(buffer, &len)) == NULL) {
-                error("buffer_get_bignum2_ret: invalid bignum");
-                return (-1);
-        }
-
-        if (len > 0 && (bin[0] & 0x80)) {
-                error("buffer_get_bignum2_ret: negative numbers not supported");
-                free(bin);
-                return (-1);
-        }
-        if (len > 8 * 1024) {
-                error("buffer_get_bignum2_ret: cannot handle BN of size %d",
-                    len);
-                free(bin);
-                return (-1);
-        }
-        if (BN_bin2bn(bin, len, value) == NULL) {
-                error("buffer_get_bignum2_ret: BN_bin2bn failed");
-                free(bin);
-                return (-1);
+        if ((ret = sshbuf_get_bignum2(buffer, value)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
         }
-        free(bin);
-        return (0);
+        return 0;
 }
 
 void
 buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
 {
         if (buffer_get_bignum2_ret(buffer, value) == -1)
-                fatal("buffer_get_bignum2: buffer error");
+                fatal("%s: buffer error", __func__);
 }
diff --git a/bufec.c b/bufec.c
index 89482b906..749ce9d4c 100644
--- a/bufec.c
+++ b/bufec.c
@@ -1,6 +1,7 @@
-/* $OpenBSD: bufec.c,v 1.3 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: bufec.c,v 1.4 2014/04/30 05:29:56 djm Exp $ */
+
 /*
- * Copyright (c) 2010 Damien Miller <djm@mindrot.org>
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -15,73 +16,29 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include "includes.h"
+/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
 
-#ifdef OPENSSL_HAS_ECC
+#include "includes.h"
 
 #include <sys/types.h>
 
-#include <openssl/bn.h>
-#include <openssl/ec.h>
-
-#include <string.h>
-#include <stdarg.h>
-
-#include "xmalloc.h"
 #include "buffer.h"
 #include "log.h"
-#include "misc.h"
+#include "ssherr.h"
 
-/*
- * Maximum supported EC GFp field length is 528 bits. SEC1 uncompressed
- * encoding represents this as two bitstring points that should each
- * be no longer than the field length, SEC1 specifies a 1 byte
- * point type header.
- * Being paranoid here may insulate us to parsing problems in
- * EC_POINT_oct2point.
- */
-#define BUFFER_MAX_ECPOINT_LEN ((528*2 / 8) + 1)
+#ifdef OPENSSL_HAS_ECC
 
-/*
- * Append an EC_POINT to the buffer as a string containing a SEC1 encoded
- * uncompressed point. Fortunately OpenSSL handles the gory details for us.
- */
 int
 buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
     const EC_POINT *point)
 {
-        u_char *buf = NULL;
-        size_t len;
-        BN_CTX *bnctx;
-        int ret = -1;
+        int ret;
 
-        /* Determine length */
-        if ((bnctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new failed", __func__);
-        len = EC_POINT_point2oct(curve, point, POINT_CONVERSION_UNCOMPRESSED,
-            NULL, 0, bnctx);
-        if (len > BUFFER_MAX_ECPOINT_LEN) {
-                error("%s: giant EC point: len = %lu (max %u)",
-                    __func__, (u_long)len, BUFFER_MAX_ECPOINT_LEN);
-                goto out;
-        }
-        /* Convert */
-        buf = xmalloc(len);
-        if (EC_POINT_point2oct(curve, point, POINT_CONVERSION_UNCOMPRESSED,
-            buf, len, bnctx) != len) {
-                error("%s: EC_POINT_point2oct length mismatch", __func__);
-                goto out;
-        }
-        /* Append */
-        buffer_put_string(buffer, buf, len);
-        ret = 0;
- out:
-        if (buf != NULL) {
-                explicit_bzero(buf, len);
-                free(buf);
+        if ((ret = sshbuf_put_ec(buffer, point, curve)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
         }
-        BN_CTX_free(bnctx);
-        return ret;
+        return 0;
 }
 
 void
@@ -96,43 +53,13 @@ int
 buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
     EC_POINT *point)
 {
-        u_char *buf;
-        u_int len;
-        BN_CTX *bnctx;
-        int ret = -1;
+        int ret;
 
-        if ((buf = buffer_get_string_ret(buffer, &len)) == NULL) {
-                error("%s: invalid point", __func__);
+        if ((ret = sshbuf_get_ec(buffer, point, curve)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
                 return -1;
         }
-        if ((bnctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new failed", __func__);
-        if (len > BUFFER_MAX_ECPOINT_LEN) {
-                error("%s: EC_POINT too long: %u > max %u", __func__,
-                    len, BUFFER_MAX_ECPOINT_LEN);
-                goto out;
-        }
-        if (len == 0) {
-                error("%s: EC_POINT buffer is empty", __func__);
-                goto out;
-        }
-        if (buf[0] != POINT_CONVERSION_UNCOMPRESSED) {
-                error("%s: EC_POINT is in an incorrect form: "
-                    "0x%02x (want 0x%02x)", __func__, buf[0],
-                    POINT_CONVERSION_UNCOMPRESSED);
-                goto out;
-        }
-        if (EC_POINT_oct2point(curve, point, buf, len, bnctx) != 1) {
-                error("buffer_get_bignum2_ret: BN_bin2bn failed");
-                goto out;
-        }
-        /* EC_POINT_oct2point verifies that the point is on the curve for us */
-        ret = 0;
- out:
-        BN_CTX_free(bnctx);
-        explicit_bzero(buf, len);
-        free(buf);
-        return ret;
+        return 0;
 }
 
 void
@@ -144,3 +71,4 @@ buffer_get_ecpoint(Buffer *buffer, const EC_GROUP *curve,
 }
 
 #endif /* OPENSSL_HAS_ECC */
+
diff --git a/buffer.c b/buffer.c
index d240f6753..c5f708ab2 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1,253 +1,118 @@
-/* $OpenBSD: buffer.c,v 1.35 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: buffer.c,v 1.36 2014/04/30 05:29:56 djm Exp $ */
+
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Functions for manipulating fifo buffers (that can grow if needed).
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
  *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-#include "includes.h"
+/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
 
-#include <sys/param.h>
+#include "includes.h"
 
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-#include <stdlib.h>
+#include <sys/types.h>
 
-#include "xmalloc.h"
 #include "buffer.h"
 #include "log.h"
-
-#define BUFFER_MAX_CHUNK        0x100000
-#define BUFFER_MAX_LEN          0xa00000
-#define BUFFER_ALLOCSZ          0x008000
-
-/* Initializes the buffer structure. */
-
-void
-buffer_init(Buffer *buffer)
-{
-        const u_int len = 4096;
-
-        buffer->alloc = 0;
-        buffer->buf = xmalloc(len);
-        buffer->alloc = len;
-        buffer->offset = 0;
-        buffer->end = 0;
-}
-
-/* Frees any memory used for the buffer. */
-
-void
-buffer_free(Buffer *buffer)
-{
-        if (buffer->alloc > 0) {
-                explicit_bzero(buffer->buf, buffer->alloc);
-                buffer->alloc = 0;
-                free(buffer->buf);
-        }
-}
-
-/*
- * Clears any data from the buffer, making it empty.  This does not actually
- * zero the memory.
- */
-
-void
-buffer_clear(Buffer *buffer)
-{
-        buffer->offset = 0;
-        buffer->end = 0;
-}
-
-/* Appends data to the buffer, expanding it if necessary. */
+#include "ssherr.h"
 
 void
 buffer_append(Buffer *buffer, const void *data, u_int len)
 {
-        void *p;
-        p = buffer_append_space(buffer, len);
-        memcpy(p, data, len);
-}
+        int ret;
 
-static int
-buffer_compact(Buffer *buffer)
-{
-        /*
-         * If the buffer is quite empty, but all data is at the end, move the
-         * data to the beginning.
-         */
-        if (buffer->offset > MIN(buffer->alloc, BUFFER_MAX_CHUNK)) {
-                memmove(buffer->buf, buffer->buf + buffer->offset,
-                        buffer->end - buffer->offset);
-                buffer->end -= buffer->offset;
-                buffer->offset = 0;
-                return (1);
-        }
-        return (0);
+        if ((ret = sshbuf_put(buffer, data, len)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
 }
 
-/*
- * Appends space to the buffer, expanding the buffer if necessary. This does
- * not actually copy the data into the buffer, but instead returns a pointer
- * to the allocated region.
- */
-
 void *
 buffer_append_space(Buffer *buffer, u_int len)
 {
-        u_int newlen;
-        void *p;
+        int ret;
+        u_char *p;
 
-        if (len > BUFFER_MAX_CHUNK)
-                fatal("buffer_append_space: len %u not supported", len);
-
-        /* If the buffer is empty, start using it from the beginning. */
-        if (buffer->offset == buffer->end) {
-                buffer->offset = 0;
-                buffer->end = 0;
-        }
-restart:
-        /* If there is enough space to store all data, store it now. */
-        if (buffer->end + len < buffer->alloc) {
-                p = buffer->buf + buffer->end;
-                buffer->end += len;
-                return p;
-        }
-
-        /* Compact data back to the start of the buffer if necessary */
-        if (buffer_compact(buffer))
-                goto restart;
-
-        /* Increase the size of the buffer and retry. */
-        newlen = roundup(buffer->alloc + len, BUFFER_ALLOCSZ);
-        if (newlen > BUFFER_MAX_LEN)
-                fatal("buffer_append_space: alloc %u not supported",
-                    newlen);
-        buffer->buf = xrealloc(buffer->buf, 1, newlen);
-        buffer->alloc = newlen;
-        goto restart;
-        /* NOTREACHED */
+        if ((ret = sshbuf_reserve(buffer, len, &p)) != 0)
+                fatal("%s: %s", __func__, ssh_err(ret));
+        return p;
 }
 
-/*
- * Check whether an allocation of 'len' will fit in the buffer
- * This must follow the same math as buffer_append_space
- */
 int
 buffer_check_alloc(Buffer *buffer, u_int len)
 {
-        if (buffer->offset == buffer->end) {
-                buffer->offset = 0;
-                buffer->end = 0;
-        }
- restart:
-        if (buffer->end + len < buffer->alloc)
-                return (1);
-        if (buffer_compact(buffer))
-                goto restart;
-        if (roundup(buffer->alloc + len, BUFFER_ALLOCSZ) <= BUFFER_MAX_LEN)
-                return (1);
-        return (0);
-}
-
-/* Returns the number of bytes of data in the buffer. */
+        int ret = sshbuf_check_reserve(buffer, len);
 
-u_int
-buffer_len(const Buffer *buffer)
-{
-        return buffer->end - buffer->offset;
+        if (ret == 0)
+                return 1;
+        if (ret == SSH_ERR_NO_BUFFER_SPACE)
+                return 0;
+        fatal("%s: %s", __func__, ssh_err(ret));
 }
 
-/* Gets data from the beginning of the buffer. */
-
 int
 buffer_get_ret(Buffer *buffer, void *buf, u_int len)
 {
-        if (len > buffer->end - buffer->offset) {
-                error("buffer_get_ret: trying to get more bytes %d than in buffer %d",
-                    len, buffer->end - buffer->offset);
-                return (-1);
+        int ret;
+
+        if ((ret = sshbuf_get(buffer, buf, len)) != 0) {
+                error("%s: %s", __func__, ssh_err(ret));
+                return -1;
         }
-        memcpy(buf, buffer->buf + buffer->offset, len);
-        buffer->offset += len;
-        return (0);
+        return 0;
 }
 
 void
 buffer_get(Buffer *buffer, void *buf, u_int len)
 {
         if (buffer_get_ret(buffer, buf, len) == -1)
-                fatal("buffer_get: buffer error");
+                fatal("%s: buffer error", __func__);
 }
 
-/* Consumes the given number of bytes from the beginning of the buffer. */
-
 int
 buffer_consume_ret(Buffer *buffer, u_int bytes)
 {
-        if (bytes > buffer->end - buffer->offset) {
-                error("buffer_consume_ret: trying to get more bytes than in buffer");
-                return (-1);
-        }
-        buffer->offset += bytes;
-        return (0);
+        int ret = sshbuf_consume(buffer, bytes);
+
+        if (ret == 0)
+                return 0;
+        if (ret == SSH_ERR_MESSAGE_INCOMPLETE)
+                return -1;
+        fatal("%s: %s", __func__, ssh_err(ret));
 }
 
 void
 buffer_consume(Buffer *buffer, u_int bytes)
 {
         if (buffer_consume_ret(buffer, bytes) == -1)
-                fatal("buffer_consume: buffer error");
+                fatal("%s: buffer error", __func__);
 }
 
-/* Consumes the given number of bytes from the end of the buffer. */
-
 int
 buffer_consume_end_ret(Buffer *buffer, u_int bytes)
 {
-        if (bytes > buffer->end - buffer->offset)
-                return (-1);
-        buffer->end -= bytes;
-        return (0);
+        int ret = sshbuf_consume_end(buffer, bytes);
+
+        if (ret == 0)
+                return 0;
+        if (ret == SSH_ERR_MESSAGE_INCOMPLETE)
+                return -1;
+        fatal("%s: %s", __func__, ssh_err(ret));
 }
 
 void
 buffer_consume_end(Buffer *buffer, u_int bytes)
 {
         if (buffer_consume_end_ret(buffer, bytes) == -1)
-                fatal("buffer_consume_end: trying to get more bytes than in buffer");
-}
-
-/* Returns a pointer to the first used byte in the buffer. */
-
-void *
-buffer_ptr(const Buffer *buffer)
-{
-        return buffer->buf + buffer->offset;
+                fatal("%s: buffer error", __func__);
 }
 
-/* Dumps the contents of the buffer to stderr. */
 
-void
-buffer_dump(const Buffer *buffer)
-{
-        u_int i;
-        u_char *ucp = buffer->buf;
-
-        for (i = buffer->offset; i < buffer->end; i++) {
-                fprintf(stderr, "%02x", ucp[i]);
-                if ((i-buffer->offset)%16==15)
-                        fprintf(stderr, "\r\n");
-                else if ((i-buffer->offset)%2==1)
-                        fprintf(stderr, " ");
-        }
-        fprintf(stderr, "\r\n");
-}
diff --git a/buffer.h b/buffer.h
index 7df8a38fa..9d853edf2 100644
--- a/buffer.h
+++ b/buffer.h
@@ -1,57 +1,58 @@
-/* $OpenBSD: buffer.h,v 1.23 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: buffer.h,v 1.25 2014/04/30 05:29:56 djm Exp $ */
 
 /*
- * Author: Tatu Ylonen <ylo@cs.hut.fi>
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *                    All rights reserved
- * Code for manipulating FIFO buffers.
+ * Copyright (c) 2012 Damien Miller <djm@mindrot.org>
  *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+/* Emulation wrappers for legacy OpenSSH buffer API atop sshbuf */
+
 #ifndef BUFFER_H
 #define BUFFER_H
 
-typedef struct {
-        u_char  *buf;           /* Buffer for data. */
-        u_int    alloc;         /* Number of bytes allocated for data. */
-        u_int    offset;        /* Offset of first byte containing data. */
-        u_int    end;           /* Offset of last byte containing data. */
-}       Buffer;
+#include "sshbuf.h"
+
+typedef struct sshbuf Buffer;
 
-void     buffer_init(Buffer *);
-void     buffer_clear(Buffer *);
-void     buffer_free(Buffer *);
+#define buffer_init(b)          sshbuf_init(b)
+#define buffer_clear(b)         sshbuf_reset(b)
+#define buffer_free(b)          sshbuf_free(b)
+#define buffer_dump(b)          sshbuf_dump(b, stderr)
 
-u_int    buffer_len(const Buffer *);
-void    *buffer_ptr(const Buffer *);
+/* XXX cast is safe: sshbuf never stores more than len 2^31 */
+#define buffer_len(b)           ((u_int) sshbuf_len(b))
+#define buffer_ptr(b)           sshbuf_mutable_ptr(b)
 
 void     buffer_append(Buffer *, const void *, u_int);
 void    *buffer_append_space(Buffer *, u_int);
-
 int      buffer_check_alloc(Buffer *, u_int);
-
 void     buffer_get(Buffer *, void *, u_int);
 
 void     buffer_consume(Buffer *, u_int);
 void     buffer_consume_end(Buffer *, u_int);
 
-void     buffer_dump(const Buffer *);
 
 int      buffer_get_ret(Buffer *, void *, u_int);
 int      buffer_consume_ret(Buffer *, u_int);
 int      buffer_consume_end_ret(Buffer *, u_int);
 
 #include <openssl/bn.h>
-
 void    buffer_put_bignum(Buffer *, const BIGNUM *);
 void    buffer_put_bignum2(Buffer *, const BIGNUM *);
 void    buffer_get_bignum(Buffer *, BIGNUM *);
 void    buffer_get_bignum2(Buffer *, BIGNUM *);
+void    buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
 
 u_short buffer_get_short(Buffer *);
 void    buffer_put_short(Buffer *, u_short);
@@ -66,13 +67,12 @@ int     buffer_get_char(Buffer *);
 void    buffer_put_char(Buffer *, int);
 
 void   *buffer_get_string(Buffer *, u_int *);
-void   *buffer_get_string_ptr(Buffer *, u_int *);
+const void *buffer_get_string_ptr(Buffer *, u_int *);
 void    buffer_put_string(Buffer *, const void *, u_int);
 char   *buffer_get_cstring(Buffer *, u_int *);
 void    buffer_put_cstring(Buffer *, const char *);
 
-#define buffer_skip_string(b) \
-    do { u_int l = buffer_get_int(b); buffer_consume(b, l); } while (0)
+#define buffer_skip_string(b) (void)buffer_get_string_ptr(b, NULL);
 
 int     buffer_put_bignum_ret(Buffer *, const BIGNUM *);
 int     buffer_get_bignum_ret(Buffer *, BIGNUM *);
@@ -83,20 +83,16 @@ int	buffer_get_int_ret(u_int *, Buffer *);
 int     buffer_get_int64_ret(u_int64_t *, Buffer *);
 void    *buffer_get_string_ret(Buffer *, u_int *);
 char    *buffer_get_cstring_ret(Buffer *, u_int *);
-void    *buffer_get_string_ptr_ret(Buffer *, u_int *);
-int     buffer_get_char_ret(u_char *, Buffer *);
-
-void *buffer_get_bignum2_as_string_ret(Buffer *, u_int *);
-void *buffer_get_bignum2_as_string(Buffer *, u_int *);
-void  buffer_put_bignum2_from_string(Buffer *, const u_char *, u_int);
+const void *buffer_get_string_ptr_ret(Buffer *, u_int *);
+int     buffer_get_char_ret(char *, Buffer *);
 
 #ifdef OPENSSL_HAS_ECC
 #include <openssl/ec.h>
-
 int     buffer_put_ecpoint_ret(Buffer *, const EC_GROUP *, const EC_POINT *);
 void    buffer_put_ecpoint(Buffer *, const EC_GROUP *, const EC_POINT *);
 int     buffer_get_ecpoint_ret(Buffer *, const EC_GROUP *, EC_POINT *);
 void    buffer_get_ecpoint(Buffer *, const EC_GROUP *, EC_POINT *);
 #endif
 
-#endif                          /* BUFFER_H */
+#endif  /* BUFFER_H */
+
diff --git a/canohost.c b/canohost.c
index a61a8c94d..a3e3bbff8 100644
--- a/canohost.c
+++ b/canohost.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: canohost.c,v 1.70 2014/01/19 04:17:29 dtucker Exp $ */
+/* $OpenBSD: canohost.c,v 1.71 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -16,6 +16,7 @@
 
 #include <sys/types.h>
 #include <sys/socket.h>
+#include <sys/un.h>
 
 #include <netinet/in.h>
 #include <arpa/inet.h>
@@ -262,6 +263,11 @@ get_socket_address(int sock, int remote, int flags)
         if (addr.ss_family == AF_INET6)
                 addrlen = sizeof(struct sockaddr_in6);
 
+        if (addr.ss_family == AF_UNIX) {
+                /* Get the Unix domain socket path. */
+                return xstrdup(((struct sockaddr_un *)&addr)->sun_path);
+        }
+
         ipv64_normalise_mapped(&addr, &addrlen);
 
         /* Get the address in ascii. */
@@ -384,6 +390,10 @@ get_sock_port(int sock, int local)
         if (from.ss_family == AF_INET6)
                 fromlen = sizeof(struct sockaddr_in6);
 
+        /* Unix domain sockets don't have a port number. */
+        if (from.ss_family == AF_UNIX)
+                return 0;
+
         /* Return port number. */
         if ((r = getnameinfo((struct sockaddr *)&from, fromlen, NULL, 0,
             strport, sizeof(strport), NI_NUMERICSERV)) != 0)
diff --git a/chacha.h b/chacha.h
index 4ef42cc70..40eaf2d90 100644
--- a/chacha.h
+++ b/chacha.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */
+/* $OpenBSD: chacha.h,v 1.3 2014/05/02 03:27:54 djm Exp $ */
 
 /*
 chacha-merged.c version 20080118
diff --git a/channels.c b/channels.c
index 9efe89c9c..d67fdf48b 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.331 2014/02/26 20:29:29 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.336 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -42,6 +42,7 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#include <sys/stat.h>
 #include <sys/ioctl.h>
 #include <sys/un.h>
 #include <sys/socket.h>
@@ -107,10 +108,15 @@ static int channel_max_fd = 0;
  * a corrupt remote server from accessing arbitrary TCP/IP ports on our local
  * network (which might be behind a firewall).
  */
+/* XXX: streamlocal wants a path instead of host:port */
+/*      Overload host_to_connect; we could just make this match Forward */
+/*      XXX - can we use listen_host instead of listen_path? */
 typedef struct {
         char *host_to_connect;          /* Connect to 'host'. */
-        u_short port_to_connect;        /* Connect to 'port'. */
-        u_short listen_port;            /* Remote side should listen port number. */
+        int port_to_connect;            /* Connect to 'port'. */
+        char *listen_host;              /* Remote side should listen address. */
+        char *listen_path;              /* Remote side should listen path. */
+        int listen_port;                /* Remote side should listen port. */
 } ForwardPermission;
 
 /* List of all permitted host/port pairs to connect by the user. */
@@ -473,6 +479,8 @@ channel_stop_listening(void)
                         case SSH_CHANNEL_PORT_LISTENER:
                         case SSH_CHANNEL_RPORT_LISTENER:
                         case SSH_CHANNEL_X11_LISTENER:
+                        case SSH_CHANNEL_UNIX_LISTENER:
+                        case SSH_CHANNEL_RUNIX_LISTENER:
                                 channel_close_fd(&c->sock);
                                 channel_free(c);
                                 break;
@@ -535,6 +543,8 @@ channel_still_open(void)
                 case SSH_CHANNEL_CONNECTING:
                 case SSH_CHANNEL_ZOMBIE:
                 case SSH_CHANNEL_ABANDONED:
+                case SSH_CHANNEL_UNIX_LISTENER:
+                case SSH_CHANNEL_RUNIX_LISTENER:
                         continue;
                 case SSH_CHANNEL_LARVAL:
                         if (!compat20)
@@ -581,6 +591,8 @@ channel_find_open(void)
                 case SSH_CHANNEL_CONNECTING:
                 case SSH_CHANNEL_ZOMBIE:
                 case SSH_CHANNEL_ABANDONED:
+                case SSH_CHANNEL_UNIX_LISTENER:
+                case SSH_CHANNEL_RUNIX_LISTENER:
                         continue;
                 case SSH_CHANNEL_LARVAL:
                 case SSH_CHANNEL_AUTH_SOCKET:
@@ -631,6 +643,8 @@ channel_open_message(void)
                 case SSH_CHANNEL_ABANDONED:
                 case SSH_CHANNEL_MUX_CLIENT:
                 case SSH_CHANNEL_MUX_LISTENER:
+                case SSH_CHANNEL_UNIX_LISTENER:
+                case SSH_CHANNEL_RUNIX_LISTENER:
                         continue;
                 case SSH_CHANNEL_LARVAL:
                 case SSH_CHANNEL_OPENING:
@@ -1386,7 +1400,6 @@ channel_post_x11_listener(Channel *c, fd_set *readset, fd_set *writeset)
 static void
 port_open_helper(Channel *c, char *rtype)
 {
-        int direct;
         char buf[1024];
         char *local_ipaddr = get_local_ipaddr(c->sock);
         int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1);
@@ -1400,8 +1413,6 @@ port_open_helper(Channel *c, char *rtype)
                 remote_port = 65535;
         }
 
-        direct = (strcmp(rtype, "direct-tcpip") == 0);
-
         snprintf(buf, sizeof buf,
             "%s: listening port %d for %.100s port %d, "
             "connect from %.200s port %d to %.100s port %d",
@@ -1417,18 +1428,29 @@ port_open_helper(Channel *c, char *rtype)
                 packet_put_int(c->self);
                 packet_put_int(c->local_window_max);
                 packet_put_int(c->local_maxpacket);
-                if (direct) {
+                if (strcmp(rtype, "direct-tcpip") == 0) {
                         /* target host, port */
                         packet_put_cstring(c->path);
                         packet_put_int(c->host_port);
+                } else if (strcmp(rtype, "direct-streamlocal@openssh.com") == 0) {
+                        /* target path */
+                        packet_put_cstring(c->path);
+                } else if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
+                        /* listen path */
+                        packet_put_cstring(c->path);
                 } else {
                         /* listen address, port */
                         packet_put_cstring(c->path);
                         packet_put_int(local_port);
                 }
-                /* originator host and port */
-                packet_put_cstring(remote_ipaddr);
-                packet_put_int((u_int)remote_port);
+                if (strcmp(rtype, "forwarded-streamlocal@openssh.com") == 0) {
+                        /* reserved for future owner/mode info */
+                        packet_put_cstring("");
+                } else {
+                        /* originator host and port */
+                        packet_put_cstring(remote_ipaddr);
+                        packet_put_int((u_int)remote_port);
+                }
                 packet_send();
         } else {
                 packet_start(SSH_MSG_PORT_OPEN);
@@ -1478,14 +1500,18 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
                 if (c->type == SSH_CHANNEL_RPORT_LISTENER) {
                         nextstate = SSH_CHANNEL_OPENING;
                         rtype = "forwarded-tcpip";
+                } else if (c->type == SSH_CHANNEL_RUNIX_LISTENER) {
+                        nextstate = SSH_CHANNEL_OPENING;
+                        rtype = "forwarded-streamlocal@openssh.com";
+                } else if (c->host_port == PORT_STREAMLOCAL) {
+                        nextstate = SSH_CHANNEL_OPENING;
+                        rtype = "direct-streamlocal@openssh.com";
+                } else if (c->host_port == 0) {
+                        nextstate = SSH_CHANNEL_DYNAMIC;
+                        rtype = "dynamic-tcpip";
                 } else {
-                        if (c->host_port == 0) {
-                                nextstate = SSH_CHANNEL_DYNAMIC;
-                                rtype = "dynamic-tcpip";
-                        } else {
-                                nextstate = SSH_CHANNEL_OPENING;
-                                rtype = "direct-tcpip";
-                        }
+                        nextstate = SSH_CHANNEL_OPENING;
+                        rtype = "direct-tcpip";
                 }
 
                 addrlen = sizeof(addr);
@@ -1498,7 +1524,8 @@ channel_post_port_listener(Channel *c, fd_set *readset, fd_set *writeset)
                                 c->notbefore = monotime() + 1;
                         return;
                 }
-                set_nodelay(newsock);
+                if (c->host_port != PORT_STREAMLOCAL)
+                        set_nodelay(newsock);
                 nc = channel_new(rtype, nextstate, newsock, newsock, -1,
                     c->local_window_max, c->local_maxpacket, 0, rtype, 1);
                 nc->listening_port = c->listening_port;
@@ -1987,6 +2014,8 @@ channel_handler_init_20(void)
         channel_pre[SSH_CHANNEL_X11_OPEN] =             &channel_pre_x11_open;
         channel_pre[SSH_CHANNEL_PORT_LISTENER] =        &channel_pre_listener;
         channel_pre[SSH_CHANNEL_RPORT_LISTENER] =       &channel_pre_listener;
+        channel_pre[SSH_CHANNEL_UNIX_LISTENER] =        &channel_pre_listener;
+        channel_pre[SSH_CHANNEL_RUNIX_LISTENER] =       &channel_pre_listener;
         channel_pre[SSH_CHANNEL_X11_LISTENER] =         &channel_pre_listener;
         channel_pre[SSH_CHANNEL_AUTH_SOCKET] =          &channel_pre_listener;
         channel_pre[SSH_CHANNEL_CONNECTING] =           &channel_pre_connecting;
@@ -1997,6 +2026,8 @@ channel_handler_init_20(void)
         channel_post[SSH_CHANNEL_OPEN] =                &channel_post_open;
         channel_post[SSH_CHANNEL_PORT_LISTENER] =       &channel_post_port_listener;
         channel_post[SSH_CHANNEL_RPORT_LISTENER] =      &channel_post_port_listener;
+        channel_post[SSH_CHANNEL_UNIX_LISTENER] =       &channel_post_port_listener;
+        channel_post[SSH_CHANNEL_RUNIX_LISTENER] =      &channel_post_port_listener;
         channel_post[SSH_CHANNEL_X11_LISTENER] =        &channel_post_x11_listener;
         channel_post[SSH_CHANNEL_AUTH_SOCKET] =         &channel_post_auth_listener;
         channel_post[SSH_CHANNEL_CONNECTING] =          &channel_post_connecting;
@@ -2315,7 +2346,7 @@ void
 channel_input_data(int type, u_int32_t seq, void *ctxt)
 {
         int id;
-        char *data;
+        const u_char *data;
         u_int data_len, win_len;
         Channel *c;
 
@@ -2637,7 +2668,7 @@ channel_input_port_open(int type, u_int32_t seq, void *ctxt)
                 originator_string = xstrdup("unknown (remote did not supply name)");
         }
         packet_check_eom();
-        c = channel_connect_to(host, host_port,
+        c = channel_connect_to_port(host, host_port,
             "connected socket", originator_string);
         free(originator_string);
         free(host);
@@ -2700,23 +2731,24 @@ channel_set_af(int af)
  * "0.0.0.0"               -> wildcard v4/v6 if SSH_OLD_FORWARD_ADDR
  * "" (empty string), "*"  -> wildcard v4/v6
  * "localhost"             -> loopback v4/v6
+ * "127.0.0.1" / "::1"     -> accepted even if gateway_ports isn't set
  */
 static const char *
 channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
-    int is_client, int gateway_ports)
+    int is_client, struct ForwardOptions *fwd_opts)
 {
         const char *addr = NULL;
         int wildcard = 0;
 
         if (listen_addr == NULL) {
                 /* No address specified: default to gateway_ports setting */
-                if (gateway_ports)
+                if (fwd_opts->gateway_ports)
                         wildcard = 1;
-        } else if (gateway_ports || is_client) {
+        } else if (fwd_opts->gateway_ports || is_client) {
                 if (((datafellows & SSH_OLD_FORWARD_ADDR) &&
                     strcmp(listen_addr, "0.0.0.0") == 0 && is_client == 0) ||
                     *listen_addr == '\0' || strcmp(listen_addr, "*") == 0 ||
-                    (!is_client && gateway_ports == 1)) {
+                    (!is_client && fwd_opts->gateway_ports == 1)) {
                         wildcard = 1;
                         /*
                          * Notify client if they requested a specific listen
@@ -2729,9 +2761,20 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
                                     "\"%s\" overridden by server "
                                     "GatewayPorts", listen_addr);
                         }
-                }
-                else if (strcmp(listen_addr, "localhost") != 0)
+                } else if (strcmp(listen_addr, "localhost") != 0 ||
+                    strcmp(listen_addr, "127.0.0.1") == 0 ||
+                    strcmp(listen_addr, "::1") == 0) {
+                        /* Accept localhost address when GatewayPorts=yes */
                         addr = listen_addr;
+                }
+        } else if (strcmp(listen_addr, "127.0.0.1") == 0 ||
+            strcmp(listen_addr, "::1") == 0) {
+                /*
+                 * If a specific IPv4/IPv6 localhost address has been
+                 * requested then accept it even if gateway_ports is in
+                 * effect. This allows the client to prefer IPv4 or IPv6.
+                 */
+                addr = listen_addr;
         }
         if (wildcardp != NULL)
                 *wildcardp = wildcard;
@@ -2739,9 +2782,8 @@ channel_fwd_bind_addr(const char *listen_addr, int *wildcardp,
 }
 
 static int
-channel_setup_fwd_listener(int type, const char *listen_addr,
-    u_short listen_port, int *allocated_listen_port,
-    const char *host_to_connect, u_short port_to_connect, int gateway_ports)
+channel_setup_fwd_listener_tcpip(int type, struct Forward *fwd,
+    int *allocated_listen_port, struct ForwardOptions *fwd_opts)
 {
         Channel *c;
         int sock, r, success = 0, wildcard = 0, is_client;
@@ -2751,7 +2793,7 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
         in_port_t *lport_p;
 
         host = (type == SSH_CHANNEL_RPORT_LISTENER) ?
-            listen_addr : host_to_connect;
+            fwd->listen_host : fwd->connect_host;
         is_client = (type == SSH_CHANNEL_PORT_LISTENER);
 
         if (host == NULL) {
@@ -2764,9 +2806,9 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
         }
 
         /* Determine the bind address, cf. channel_fwd_bind_addr() comment */
-        addr = channel_fwd_bind_addr(listen_addr, &wildcard,
-            is_client, gateway_ports);
-        debug3("channel_setup_fwd_listener: type %d wildcard %d addr %s",
+        addr = channel_fwd_bind_addr(fwd->listen_host, &wildcard,
+            is_client, fwd_opts);
+        debug3("%s: type %d wildcard %d addr %s", __func__,
             type, wildcard, (addr == NULL) ? "NULL" : addr);
 
         /*
@@ -2777,15 +2819,14 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
         hints.ai_family = IPv4or6;
         hints.ai_flags = wildcard ? AI_PASSIVE : 0;
         hints.ai_socktype = SOCK_STREAM;
-        snprintf(strport, sizeof strport, "%d", listen_port);
+        snprintf(strport, sizeof strport, "%d", fwd->listen_port);
         if ((r = getaddrinfo(addr, strport, &hints, &aitop)) != 0) {
                 if (addr == NULL) {
                         /* This really shouldn't happen */
                         packet_disconnect("getaddrinfo: fatal error: %s",
                             ssh_gai_strerror(r));
                 } else {
-                        error("channel_setup_fwd_listener: "
-                            "getaddrinfo(%.64s): %s", addr,
+                        error("%s: getaddrinfo(%.64s): %s", __func__, addr,
                             ssh_gai_strerror(r));
                 }
                 return 0;
@@ -2809,13 +2850,13 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
                  * If allocating a port for -R forwards, then use the
                  * same port for all address families.
                  */
-                if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 &&
+                if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 &&
                     allocated_listen_port != NULL && *allocated_listen_port > 0)
                         *lport_p = htons(*allocated_listen_port);
 
                 if (getnameinfo(ai->ai_addr, ai->ai_addrlen, ntop, sizeof(ntop),
                     strport, sizeof(strport), NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-                        error("channel_setup_fwd_listener: getnameinfo failed");
+                        error("%s: getnameinfo failed", __func__);
                         continue;
                 }
                 /* Create a port to listen for the host. */
@@ -2852,10 +2893,10 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
                 }
 
                 /*
-                 * listen_port == 0 requests a dynamically allocated port -
+                 * fwd->listen_port == 0 requests a dynamically allocated port -
                  * record what we got.
                  */
-                if (type == SSH_CHANNEL_RPORT_LISTENER && listen_port == 0 &&
+                if (type == SSH_CHANNEL_RPORT_LISTENER && fwd->listen_port == 0 &&
                     allocated_listen_port != NULL &&
                     *allocated_listen_port == 0) {
                         *allocated_listen_port = get_sock_port(sock, 1);
@@ -2868,24 +2909,98 @@ channel_setup_fwd_listener(int type, const char *listen_addr,
                     CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
                     0, "port listener", 1);
                 c->path = xstrdup(host);
-                c->host_port = port_to_connect;
+                c->host_port = fwd->connect_port;
                 c->listening_addr = addr == NULL ? NULL : xstrdup(addr);
-                if (listen_port == 0 && allocated_listen_port != NULL &&
+                if (fwd->listen_port == 0 && allocated_listen_port != NULL &&
                     !(datafellows & SSH_BUG_DYNAMIC_RPORT))
                         c->listening_port = *allocated_listen_port;
                 else
-                        c->listening_port = listen_port;
+                        c->listening_port = fwd->listen_port;
                 success = 1;
         }
         if (success == 0)
-                error("channel_setup_fwd_listener: cannot listen to port: %d",
-                    listen_port);
+                error("%s: cannot listen to port: %d", __func__,
+                    fwd->listen_port);
         freeaddrinfo(aitop);
         return success;
 }
 
-int
-channel_cancel_rport_listener(const char *host, u_short port)
+static int
+channel_setup_fwd_listener_streamlocal(int type, struct Forward *fwd,
+    struct ForwardOptions *fwd_opts)
+{
+        struct sockaddr_un sunaddr;
+        const char *path;
+        Channel *c;
+        int port, sock;
+        mode_t omask;
+
+        switch (type) {
+        case SSH_CHANNEL_UNIX_LISTENER:
+                if (fwd->connect_path != NULL) {
+                        if (strlen(fwd->connect_path) > sizeof(sunaddr.sun_path)) {
+                                error("Local connecting path too long: %s",
+                                    fwd->connect_path);
+                                return 0;
+                        }
+                        path = fwd->connect_path;
+                        port = PORT_STREAMLOCAL;
+                } else {
+                        if (fwd->connect_host == NULL) {
+                                error("No forward host name.");
+                                return 0;
+                        }
+                        if (strlen(fwd->connect_host) >= NI_MAXHOST) {
+                                error("Forward host name too long.");
+                                return 0;
+                        }
+                        path = fwd->connect_host;
+                        port = fwd->connect_port;
+                }
+                break;
+        case SSH_CHANNEL_RUNIX_LISTENER:
+                path = fwd->listen_path;
+                port = PORT_STREAMLOCAL;
+                break;
+        default:
+                error("%s: unexpected channel type %d", __func__, type);
+                return 0;
+        }
+
+        if (fwd->listen_path == NULL) {
+                error("No forward path name.");
+                return 0;
+        }
+        if (strlen(fwd->listen_path) > sizeof(sunaddr.sun_path)) {
+                error("Local listening path too long: %s", fwd->listen_path);
+                return 0;
+        }
+
+        debug3("%s: type %d path %s", __func__, type, fwd->listen_path);
+
+        /* Start a Unix domain listener. */
+        omask = umask(fwd_opts->streamlocal_bind_mask);
+        sock = unix_listener(fwd->listen_path, SSH_LISTEN_BACKLOG,
+            fwd_opts->streamlocal_bind_unlink);
+        umask(omask);
+        if (sock < 0)
+                return 0;
+
+        debug("Local forwarding listening on path %s.", fwd->listen_path);
+
+        /* Allocate a channel number for the socket. */
+        c = channel_new("unix listener", type, sock, sock, -1,
+            CHAN_TCP_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT,
+            0, "unix listener", 1);
+        c->path = xstrdup(path);
+        c->host_port = port;
+        c->listening_port = PORT_STREAMLOCAL;
+        c->listening_addr = xstrdup(fwd->listen_path);
+        return 1;
+}
+
+static int
+channel_cancel_rport_listener_tcpip(const char *host, u_short port)
 {
         u_int i;
         int found = 0;
@@ -2904,13 +3019,44 @@ channel_cancel_rport_listener(const char *host, u_short port)
         return (found);
 }
 
+static int
+channel_cancel_rport_listener_streamlocal(const char *path)
+{
+        u_int i;
+        int found = 0;
+
+        for (i = 0; i < channels_alloc; i++) {
+                Channel *c = channels[i];
+                if (c == NULL || c->type != SSH_CHANNEL_RUNIX_LISTENER)
+                        continue;
+                if (c->path == NULL)
+                        continue;
+                if (strcmp(c->path, path) == 0) {
+                        debug2("%s: close channel %d", __func__, i);
+                        channel_free(c);
+                        found = 1;
+                }
+        }
+
+        return (found);
+}
+
 int
-channel_cancel_lport_listener(const char *lhost, u_short lport,
-    int cport, int gateway_ports)
+channel_cancel_rport_listener(struct Forward *fwd)
+{
+        if (fwd->listen_path != NULL)
+                return channel_cancel_rport_listener_streamlocal(fwd->listen_path);
+        else
+                return channel_cancel_rport_listener_tcpip(fwd->listen_host, fwd->listen_port);
+}
+
+static int
+channel_cancel_lport_listener_tcpip(const char *lhost, u_short lport,
+    int cport, struct ForwardOptions *fwd_opts)
 {
         u_int i;
         int found = 0;
-        const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, gateway_ports);
+        const char *addr = channel_fwd_bind_addr(lhost, NULL, 1, fwd_opts);
 
         for (i = 0; i < channels_alloc; i++) {
                 Channel *c = channels[i];
@@ -2939,24 +3085,68 @@ channel_cancel_lport_listener(const char *lhost, u_short lport,
         return (found);
 }
 
+static int
+channel_cancel_lport_listener_streamlocal(const char *path)
+{
+        u_int i;
+        int found = 0;
+
+        if (path == NULL) {
+                error("%s: no path specified.", __func__);
+                return 0;
+        }
+
+        for (i = 0; i < channels_alloc; i++) {
+                Channel *c = channels[i];
+                if (c == NULL || c->type != SSH_CHANNEL_UNIX_LISTENER)
+                        continue;
+                if (c->listening_addr == NULL)
+                        continue;
+                if (strcmp(c->listening_addr, path) == 0) {
+                        debug2("%s: close channel %d", __func__, i);
+                        channel_free(c);
+                        found = 1;
+                }
+        }
+
+        return (found);
+}
+
+int
+channel_cancel_lport_listener(struct Forward *fwd, int cport, struct ForwardOptions *fwd_opts)
+{
+        if (fwd->listen_path != NULL)
+                return channel_cancel_lport_listener_streamlocal(fwd->listen_path);
+        else
+                return channel_cancel_lport_listener_tcpip(fwd->listen_host, fwd->listen_port, cport, fwd_opts);
+}
+
 /* protocol local port fwd, used by ssh (and sshd in v1) */
 int
-channel_setup_local_fwd_listener(const char *listen_host, u_short listen_port,
-    const char *host_to_connect, u_short port_to_connect, int gateway_ports)
+channel_setup_local_fwd_listener(struct Forward *fwd, struct ForwardOptions *fwd_opts)
 {
-        return channel_setup_fwd_listener(SSH_CHANNEL_PORT_LISTENER,
-            listen_host, listen_port, NULL, host_to_connect, port_to_connect,
-            gateway_ports);
+        if (fwd->listen_path != NULL) {
+                return channel_setup_fwd_listener_streamlocal(
+                    SSH_CHANNEL_UNIX_LISTENER, fwd, fwd_opts);
+        } else {
+                return channel_setup_fwd_listener_tcpip(SSH_CHANNEL_PORT_LISTENER,
+                    fwd, NULL, fwd_opts);
+        }
 }
 
 /* protocol v2 remote port fwd, used by sshd */
 int
-channel_setup_remote_fwd_listener(const char *listen_address,
-    u_short listen_port, int *allocated_listen_port, int gateway_ports)
+channel_setup_remote_fwd_listener(struct Forward *fwd,
+    int *allocated_listen_port, struct ForwardOptions *fwd_opts)
 {
-        return channel_setup_fwd_listener(SSH_CHANNEL_RPORT_LISTENER,
-            listen_address, listen_port, allocated_listen_port,
-            NULL, 0, gateway_ports);
+        if (fwd->listen_path != NULL) {
+                return channel_setup_fwd_listener_streamlocal(
+                    SSH_CHANNEL_RUNIX_LISTENER, fwd, fwd_opts);
+        } else {
+                return channel_setup_fwd_listener_tcpip(
+                    SSH_CHANNEL_RPORT_LISTENER, fwd, allocated_listen_port,
+                    fwd_opts);
+        }
 }
 
 /*
@@ -2987,27 +3177,32 @@ channel_rfwd_bind_host(const char *listen_host)
  * channel_update_permitted_opens().
  */
 int
-channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
-    const char *host_to_connect, u_short port_to_connect)
+channel_request_remote_forwarding(struct Forward *fwd)
 {
         int type, success = 0, idx = -1;
 
         /* Send the forward request to the remote side. */
         if (compat20) {
                 packet_start(SSH2_MSG_GLOBAL_REQUEST);
-                packet_put_cstring("tcpip-forward");
-                packet_put_char(1);             /* boolean: want reply */
-                packet_put_cstring(channel_rfwd_bind_host(listen_host));
-                packet_put_int(listen_port);
+                if (fwd->listen_path != NULL) {
+                    packet_put_cstring("streamlocal-forward@openssh.com");
+                    packet_put_char(1);         /* boolean: want reply */
+                    packet_put_cstring(fwd->listen_path);
+                } else {
+                    packet_put_cstring("tcpip-forward");
+                    packet_put_char(1);         /* boolean: want reply */
+                    packet_put_cstring(channel_rfwd_bind_host(fwd->listen_host));
+                    packet_put_int(fwd->listen_port);
+                }
                 packet_send();
                 packet_write_wait();
                 /* Assume that server accepts the request */
                 success = 1;
-        } else {
+        } else if (fwd->listen_path == NULL) {
                 packet_start(SSH_CMSG_PORT_FORWARD_REQUEST);
-                packet_put_int(listen_port);
-                packet_put_cstring(host_to_connect);
-                packet_put_int(port_to_connect);
+                packet_put_int(fwd->listen_port);
+                packet_put_cstring(fwd->connect_host);
+                packet_put_int(fwd->connect_port);
                 packet_send();
                 packet_write_wait();
 
@@ -3024,25 +3219,102 @@ channel_request_remote_forwarding(const char *listen_host, u_short listen_port,
                         packet_disconnect("Protocol error for port forward request:"
                             "received packet type %d.", type);
                 }
+        } else {
+                logit("Warning: Server does not support remote stream local forwarding.");
         }
         if (success) {
                 /* Record that connection to this host/port is permitted. */
                 permitted_opens = xrealloc(permitted_opens,
                     num_permitted_opens + 1, sizeof(*permitted_opens));
                 idx = num_permitted_opens++;
-                permitted_opens[idx].host_to_connect = xstrdup(host_to_connect);
-                permitted_opens[idx].port_to_connect = port_to_connect;
-                permitted_opens[idx].listen_port = listen_port;
+                if (fwd->connect_path != NULL) {
+                        permitted_opens[idx].host_to_connect =
+                            xstrdup(fwd->connect_path);
+                        permitted_opens[idx].port_to_connect =
+                            PORT_STREAMLOCAL;
+                } else {
+                        permitted_opens[idx].host_to_connect =
+                            xstrdup(fwd->connect_host);
+                        permitted_opens[idx].port_to_connect =
+                            fwd->connect_port;
+                }
+                if (fwd->listen_path != NULL) {
+                        permitted_opens[idx].listen_host = NULL;
+                        permitted_opens[idx].listen_path =
+                            xstrdup(fwd->listen_path);
+                        permitted_opens[idx].listen_port = PORT_STREAMLOCAL;
+                } else {
+                        permitted_opens[idx].listen_host =
+                            fwd->listen_host ? xstrdup(fwd->listen_host) : NULL;
+                        permitted_opens[idx].listen_path = NULL;
+                        permitted_opens[idx].listen_port = fwd->listen_port;
+                }
         }
         return (idx);
 }
 
+static int
+open_match(ForwardPermission *allowed_open, const char *requestedhost,
+    int requestedport)
+{
+        if (allowed_open->host_to_connect == NULL)
+                return 0;
+        if (allowed_open->port_to_connect != FWD_PERMIT_ANY_PORT &&
+            allowed_open->port_to_connect != requestedport)
+                return 0;
+        if (strcmp(allowed_open->host_to_connect, requestedhost) != 0)
+                return 0;
+        return 1;
+}
+
+/*
+ * Note that in the listen host/port case
+ * we don't support FWD_PERMIT_ANY_PORT and
+ * need to translate between the configured-host (listen_host)
+ * and what we've sent to the remote server (channel_rfwd_bind_host)
+ */
+static int
+open_listen_match_tcpip(ForwardPermission *allowed_open,
+    const char *requestedhost, u_short requestedport, int translate)
+{
+        const char *allowed_host;
+
+        if (allowed_open->host_to_connect == NULL)
+                return 0;
+        if (allowed_open->listen_port != requestedport)
+                return 0;
+        if (!translate && allowed_open->listen_host == NULL &&
+            requestedhost == NULL)
+                return 1;
+        allowed_host = translate ?
+            channel_rfwd_bind_host(allowed_open->listen_host) :
+            allowed_open->listen_host;
+        if (allowed_host == NULL ||
+            strcmp(allowed_host, requestedhost) != 0)
+                return 0;
+        return 1;
+}
+
+static int
+open_listen_match_streamlocal(ForwardPermission *allowed_open,
+    const char *requestedpath)
+{
+        if (allowed_open->host_to_connect == NULL)
+                return 0;
+        if (allowed_open->listen_port != PORT_STREAMLOCAL)
+                return 0;
+        if (allowed_open->listen_path == NULL ||
+            strcmp(allowed_open->listen_path, requestedpath) != 0)
+                return 0;
+        return 1;
+}
+
 /*
  * Request cancellation of remote forwarding of connection host:port from
  * local side.
  */
-int
-channel_request_rforward_cancel(const char *host, u_short port)
+static int
+channel_request_rforward_cancel_tcpip(const char *host, u_short port)
 {
         int i;
 
@@ -3050,8 +3322,7 @@ channel_request_rforward_cancel(const char *host, u_short port)
                 return -1;
 
         for (i = 0; i < num_permitted_opens; i++) {
-                if (permitted_opens[i].host_to_connect != NULL &&
-                    permitted_opens[i].listen_port == port)
+                if (open_listen_match_tcpip(&permitted_opens[i], host, port, 0))
                         break;
         }
         if (i >= num_permitted_opens) {
@@ -3069,9 +3340,64 @@ channel_request_rforward_cancel(const char *host, u_short port)
         permitted_opens[i].port_to_connect = 0;
         free(permitted_opens[i].host_to_connect);
         permitted_opens[i].host_to_connect = NULL;
+        free(permitted_opens[i].listen_host);
+        permitted_opens[i].listen_host = NULL;
+        permitted_opens[i].listen_path = NULL;
+
+        return 0;
+}
+
+/*
+ * Request cancellation of remote forwarding of Unix domain socket
+ * path from local side.
+ */
+static int
+channel_request_rforward_cancel_streamlocal(const char *path)
+{
+        int i;
+
+        if (!compat20)
+                return -1;
+
+        for (i = 0; i < num_permitted_opens; i++) {
+                if (open_listen_match_streamlocal(&permitted_opens[i], path))
+                        break;
+        }
+        if (i >= num_permitted_opens) {
+                debug("%s: requested forward not found", __func__);
+                return -1;
+        }
+        packet_start(SSH2_MSG_GLOBAL_REQUEST);
+        packet_put_cstring("cancel-streamlocal-forward@openssh.com");
+        packet_put_char(0);
+        packet_put_cstring(path);
+        packet_send();
+
+        permitted_opens[i].listen_port = 0;
+        permitted_opens[i].port_to_connect = 0;
+        free(permitted_opens[i].host_to_connect);
+        permitted_opens[i].host_to_connect = NULL;
+        permitted_opens[i].listen_host = NULL;
+        free(permitted_opens[i].listen_path);
+        permitted_opens[i].listen_path = NULL;
 
         return 0;
 }
+ 
+/*
+ * Request cancellation of remote forwarding of a connection from local side.
+ */
+int
+channel_request_rforward_cancel(struct Forward *fwd)
+{
+        if (fwd->listen_path != NULL) {
+                return (channel_request_rforward_cancel_streamlocal(
+                    fwd->listen_path));
+        } else {
+                return (channel_request_rforward_cancel_tcpip(fwd->listen_host,
+                    fwd->listen_port ? fwd->listen_port : fwd->allocated_port));
+        }
+}
 
 /*
  * This is called after receiving CHANNEL_FORWARDING_REQUEST.  This initates
@@ -3079,36 +3405,35 @@ channel_request_rforward_cancel(const char *host, u_short port)
  * message if there was an error).
  */
 int
-channel_input_port_forward_request(int is_root, int gateway_ports)
+channel_input_port_forward_request(int is_root, struct ForwardOptions *fwd_opts)
 {
-        u_short port, host_port;
         int success = 0;
-        char *hostname;
+        struct Forward fwd;
 
         /* Get arguments from the packet. */
-        port = packet_get_int();
-        hostname = packet_get_string(NULL);
-        host_port = packet_get_int();
+        memset(&fwd, 0, sizeof(fwd));
+        fwd.listen_port = packet_get_int();
+        fwd.connect_host = packet_get_string(NULL);
+        fwd.connect_port = packet_get_int();
 
 #ifndef HAVE_CYGWIN
         /*
          * Check that an unprivileged user is not trying to forward a
          * privileged port.
          */
-        if (port < IPPORT_RESERVED && !is_root)
+        if (fwd.listen_port < IPPORT_RESERVED && !is_root)
                 packet_disconnect(
                     "Requested forwarding of port %d but user is not root.",
-                    port);
-        if (host_port == 0)
+                    fwd.listen_port);
+        if (fwd.connect_port == 0)
                 packet_disconnect("Dynamic forwarding denied.");
 #endif
 
         /* Initiate forwarding */
-        success = channel_setup_local_fwd_listener(NULL, port, hostname,
-            host_port, gateway_ports);
+        success = channel_setup_local_fwd_listener(&fwd, fwd_opts);
 
         /* Free the argument string. */
-        free(hostname);
+        free(fwd.connect_host);
 
         return (success ? 0 : -1);
 }
@@ -3134,6 +3459,9 @@ channel_add_permitted_opens(char *host, int port)
             num_permitted_opens + 1, sizeof(*permitted_opens));
         permitted_opens[num_permitted_opens].host_to_connect = xstrdup(host);
         permitted_opens[num_permitted_opens].port_to_connect = port;
+        permitted_opens[num_permitted_opens].listen_host = NULL;
+        permitted_opens[num_permitted_opens].listen_path = NULL;
+        permitted_opens[num_permitted_opens].listen_port = 0;
         num_permitted_opens++;
 
         all_opens_permitted = 0;
@@ -3165,6 +3493,10 @@ channel_update_permitted_opens(int idx, int newport)
                 permitted_opens[idx].port_to_connect = 0;
                 free(permitted_opens[idx].host_to_connect);
                 permitted_opens[idx].host_to_connect = NULL;
+                free(permitted_opens[idx].listen_host);
+                permitted_opens[idx].listen_host = NULL;
+                free(permitted_opens[idx].listen_path);
+                permitted_opens[idx].listen_path = NULL;
         }
 }
 
@@ -3178,6 +3510,9 @@ channel_add_adm_permitted_opens(char *host, int port)
         permitted_adm_opens[num_adm_permitted_opens].host_to_connect
              = xstrdup(host);
         permitted_adm_opens[num_adm_permitted_opens].port_to_connect = port;
+        permitted_adm_opens[num_adm_permitted_opens].listen_host = NULL;
+        permitted_adm_opens[num_adm_permitted_opens].listen_path = NULL;
+        permitted_adm_opens[num_adm_permitted_opens].listen_port = 0;
         return ++num_adm_permitted_opens;
 }
 
@@ -3195,8 +3530,11 @@ channel_clear_permitted_opens(void)
 {
         int i;
 
-        for (i = 0; i < num_permitted_opens; i++)
+        for (i = 0; i < num_permitted_opens; i++) {
                 free(permitted_opens[i].host_to_connect);
+                free(permitted_opens[i].listen_host);
+                free(permitted_opens[i].listen_path);
+        }
         free(permitted_opens);
         permitted_opens = NULL;
         num_permitted_opens = 0;
@@ -3207,8 +3545,11 @@ channel_clear_adm_permitted_opens(void)
 {
         int i;
 
-        for (i = 0; i < num_adm_permitted_opens; i++)
+        for (i = 0; i < num_adm_permitted_opens; i++) {
                 free(permitted_adm_opens[i].host_to_connect);
+                free(permitted_adm_opens[i].listen_host);
+                free(permitted_adm_opens[i].listen_path);
+        }
         free(permitted_adm_opens);
         permitted_adm_opens = NULL;
         num_adm_permitted_opens = 0;
@@ -3246,30 +3587,32 @@ permitopen_port(const char *p)
         return -1;
 }
 
-static int
-port_match(u_short allowedport, u_short requestedport)
-{
-        if (allowedport == FWD_PERMIT_ANY_PORT ||
-            allowedport == requestedport)
-                return 1;
-        return 0;
-}
-
 /* Try to start non-blocking connect to next host in cctx list */
 static int
 connect_next(struct channel_connect *cctx)
 {
         int sock, saved_errno;
-        char ntop[NI_MAXHOST], strport[NI_MAXSERV];
+        struct sockaddr_un *sunaddr;
+        char ntop[NI_MAXHOST], strport[MAX(NI_MAXSERV,sizeof(sunaddr->sun_path))];
 
         for (; cctx->ai; cctx->ai = cctx->ai->ai_next) {
-                if (cctx->ai->ai_family != AF_INET &&
-                    cctx->ai->ai_family != AF_INET6)
-                        continue;
-                if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
-                    ntop, sizeof(ntop), strport, sizeof(strport),
-                    NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
-                        error("connect_next: getnameinfo failed");
+                switch (cctx->ai->ai_family) {
+                case AF_UNIX:
+                        /* unix:pathname instead of host:port */
+                        sunaddr = (struct sockaddr_un *)cctx->ai->ai_addr;
+                        strlcpy(ntop, "unix", sizeof(ntop));
+                        strlcpy(strport, sunaddr->sun_path, sizeof(strport));
+                        break;
+                case AF_INET:
+                case AF_INET6:
+                        if (getnameinfo(cctx->ai->ai_addr, cctx->ai->ai_addrlen,
+                            ntop, sizeof(ntop), strport, sizeof(strport),
+                            NI_NUMERICHOST|NI_NUMERICSERV) != 0) {
+                                error("connect_next: getnameinfo failed");
+                                continue;
+                        }
+                        break;
+                default:
                         continue;
                 }
                 if ((sock = socket(cctx->ai->ai_family, cctx->ai->ai_socktype,
@@ -3292,10 +3635,11 @@ connect_next(struct channel_connect *cctx)
                         errno = saved_errno;
                         continue;       /* fail -- try next */
                 }
+                if (cctx->ai->ai_family != AF_UNIX)
+                        set_nodelay(sock);
                 debug("connect_next: host %.100s ([%.100s]:%s) "
                     "in progress, fd=%d", cctx->host, ntop, strport, sock);
                 cctx->ai = cctx->ai->ai_next;
-                set_nodelay(sock);
                 return sock;
         }
         return -1;
@@ -3305,14 +3649,18 @@ static void
 channel_connect_ctx_free(struct channel_connect *cctx)
 {
         free(cctx->host);
-        if (cctx->aitop)
-                freeaddrinfo(cctx->aitop);
+        if (cctx->aitop) {
+                if (cctx->aitop->ai_family == AF_UNIX)
+                        free(cctx->aitop);
+                else
+                        freeaddrinfo(cctx->aitop);
+        }
         memset(cctx, 0, sizeof(*cctx));
 }
 
-/* Return CONNECTING channel to remote host, port */
+/* Return CONNECTING channel to remote host:port or local socket path */
 static Channel *
-connect_to(const char *host, u_short port, char *ctype, char *rname)
+connect_to(const char *name, int port, char *ctype, char *rname)
 {
         struct addrinfo hints;
         int gaierr;
@@ -3322,23 +3670,51 @@ connect_to(const char *host, u_short port, char *ctype, char *rname)
         Channel *c;
 
         memset(&cctx, 0, sizeof(cctx));
-        memset(&hints, 0, sizeof(hints));
-        hints.ai_family = IPv4or6;
-        hints.ai_socktype = SOCK_STREAM;
-        snprintf(strport, sizeof strport, "%d", port);
-        if ((gaierr = getaddrinfo(host, strport, &hints, &cctx.aitop)) != 0) {
-                error("connect_to %.100s: unknown host (%s)", host,
-                    ssh_gai_strerror(gaierr));
-                return NULL;
+
+        if (port == PORT_STREAMLOCAL) {
+                struct sockaddr_un *sunaddr;
+                struct addrinfo *ai;
+
+                if (strlen(name) > sizeof(sunaddr->sun_path)) {
+                        error("%.100s: %.100s", name, strerror(ENAMETOOLONG));
+                        return (NULL);
+                }
+
+                /*
+                 * Fake up a struct addrinfo for AF_UNIX connections.
+                 * channel_connect_ctx_free() must check ai_family
+                 * and use free() not freeaddirinfo() for AF_UNIX.
+                 */
+                ai = xmalloc(sizeof(*ai) + sizeof(*sunaddr));
+                memset(ai, 0, sizeof(*ai) + sizeof(*sunaddr));
+                ai->ai_addr = (struct sockaddr *)(ai + 1);
+                ai->ai_addrlen = sizeof(*sunaddr);
+                ai->ai_family = AF_UNIX;
+                ai->ai_socktype = SOCK_STREAM;
+                ai->ai_protocol = PF_UNSPEC;
+                sunaddr = (struct sockaddr_un *)ai->ai_addr;
+                sunaddr->sun_family = AF_UNIX;
+                strlcpy(sunaddr->sun_path, name, sizeof(sunaddr->sun_path));
+                cctx.aitop = ai;
+        } else {
+                memset(&hints, 0, sizeof(hints));
+                hints.ai_family = IPv4or6;
+                hints.ai_socktype = SOCK_STREAM;
+                snprintf(strport, sizeof strport, "%d", port);
+                if ((gaierr = getaddrinfo(name, strport, &hints, &cctx.aitop)) != 0) {
+                        error("connect_to %.100s: unknown host (%s)", name,
+                            ssh_gai_strerror(gaierr));
+                        return NULL;
+                }
         }
 
-        cctx.host = xstrdup(host);
+        cctx.host = xstrdup(name);
         cctx.port = port;
         cctx.ai = cctx.aitop;
 
         if ((sock = connect_next(&cctx)) == -1) {
                 error("connect to %.100s port %d failed: %s",
-                    host, port, strerror(errno));
+                    name, port, strerror(errno));
                 channel_connect_ctx_free(&cctx);
                 return NULL;
         }
@@ -3349,13 +3725,14 @@ connect_to(const char *host, u_short port, char *ctype, char *rname)
 }
 
 Channel *
-channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
+channel_connect_by_listen_address(const char *listen_host,
+    u_short listen_port, char *ctype, char *rname)
 {
         int i;
 
         for (i = 0; i < num_permitted_opens; i++) {
-                if (permitted_opens[i].host_to_connect != NULL &&
-                    port_match(permitted_opens[i].listen_port, listen_port)) {
+                if (open_listen_match_tcpip(&permitted_opens[i], listen_host,
+                    listen_port, 1)) {
                         return connect_to(
                             permitted_opens[i].host_to_connect,
                             permitted_opens[i].port_to_connect, ctype, rname);
@@ -3366,29 +3743,45 @@ channel_connect_by_listen_address(u_short listen_port, char *ctype, char *rname)
         return NULL;
 }
 
+Channel *
+channel_connect_by_listen_path(const char *path, char *ctype, char *rname)
+{
+        int i;
+
+        for (i = 0; i < num_permitted_opens; i++) {
+                if (open_listen_match_streamlocal(&permitted_opens[i], path)) {
+                        return connect_to(
+                            permitted_opens[i].host_to_connect,
+                            permitted_opens[i].port_to_connect, ctype, rname);
+                }
+        }
+        error("WARNING: Server requests forwarding for unknown path %.100s",
+            path);
+        return NULL;
+}
+
 /* Check if connecting to that port is permitted and connect. */
 Channel *
-channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
+channel_connect_to_port(const char *host, u_short port, char *ctype, char *rname)
 {
         int i, permit, permit_adm = 1;
 
         permit = all_opens_permitted;
         if (!permit) {
                 for (i = 0; i < num_permitted_opens; i++)
-                        if (permitted_opens[i].host_to_connect != NULL &&
-                            port_match(permitted_opens[i].port_to_connect, port) &&
-                            strcmp(permitted_opens[i].host_to_connect, host) == 0)
+                        if (open_match(&permitted_opens[i], host, port)) {
                                 permit = 1;
+                                break;
+                        }
         }
 
         if (num_adm_permitted_opens > 0) {
                 permit_adm = 0;
                 for (i = 0; i < num_adm_permitted_opens; i++)
-                        if (permitted_adm_opens[i].host_to_connect != NULL &&
-                            port_match(permitted_adm_opens[i].port_to_connect, port) &&
-                            strcmp(permitted_adm_opens[i].host_to_connect, host)
-                            == 0)
+                        if (open_match(&permitted_adm_opens[i], host, port)) {
                                 permit_adm = 1;
+                                break;
+                        }
         }
 
         if (!permit || !permit_adm) {
@@ -3399,6 +3792,38 @@ channel_connect_to(const char *host, u_short port, char *ctype, char *rname)
         return connect_to(host, port, ctype, rname);
 }
 
+/* Check if connecting to that path is permitted and connect. */
+Channel *
+channel_connect_to_path(const char *path, char *ctype, char *rname)
+{
+        int i, permit, permit_adm = 1;
+
+        permit = all_opens_permitted;
+        if (!permit) {
+                for (i = 0; i < num_permitted_opens; i++)
+                        if (open_match(&permitted_opens[i], path, PORT_STREAMLOCAL)) {
+                                permit = 1;
+                                break;
+                        }
+        }
+
+        if (num_adm_permitted_opens > 0) {
+                permit_adm = 0;
+                for (i = 0; i < num_adm_permitted_opens; i++)
+                        if (open_match(&permitted_adm_opens[i], path, PORT_STREAMLOCAL)) {
+                                permit_adm = 1;
+                                break;
+                        }
+        }
+
+        if (!permit || !permit_adm) {
+                logit("Received request to connect to path %.100s, "
+                    "but the request was denied.", path);
+                return NULL;
+        }
+        return connect_to(path, PORT_STREAMLOCAL, ctype, rname);
+}
+
 void
 channel_send_window_changes(void)
 {
diff --git a/channels.h b/channels.h
index 4fab9d7c4..a000c98e5 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.113 2013/06/07 15:37:52 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.115 2014/07/15 15:54:14 millert Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -56,7 +56,9 @@
 #define SSH_CHANNEL_MUX_LISTENER        15      /* Listener for mux conn. */
 #define SSH_CHANNEL_MUX_CLIENT          16      /* Conn. to mux slave */
 #define SSH_CHANNEL_ABANDONED           17      /* Abandoned session, eg mux */
-#define SSH_CHANNEL_MAX_TYPE            18
+#define SSH_CHANNEL_UNIX_LISTENER       18      /* Listening on a domain socket. */
+#define SSH_CHANNEL_RUNIX_LISTENER      19      /* Listening to a R-style domain socket. */
+#define SSH_CHANNEL_MAX_TYPE            20
 
 #define CHANNEL_CANCEL_PORT_STATIC      -1
 
@@ -254,6 +256,8 @@ char	*channel_open_message(void);
 int      channel_find_open(void);
 
 /* tcp forwarding */
+struct Forward;
+struct ForwardOptions;
 void     channel_set_af(int af);
 void     channel_permit_all_opens(void);
 void     channel_add_permitted_opens(char *, int);
@@ -263,18 +267,19 @@ void	 channel_update_permitted_opens(int, int);
 void     channel_clear_permitted_opens(void);
 void     channel_clear_adm_permitted_opens(void);
 void     channel_print_adm_permitted_opens(void);
-int      channel_input_port_forward_request(int, int);
-Channel *channel_connect_to(const char *, u_short, char *, char *);
+int      channel_input_port_forward_request(int, struct ForwardOptions *);
+Channel *channel_connect_to_port(const char *, u_short, char *, char *);
+Channel *channel_connect_to_path(const char *, char *, char *);
 Channel *channel_connect_stdio_fwd(const char*, u_short, int, int);
-Channel *channel_connect_by_listen_address(u_short, char *, char *);
-int      channel_request_remote_forwarding(const char *, u_short,
-             const char *, u_short);
-int      channel_setup_local_fwd_listener(const char *, u_short,
-             const char *, u_short, int);
-int      channel_request_rforward_cancel(const char *host, u_short port);
-int      channel_setup_remote_fwd_listener(const char *, u_short, int *, int);
-int      channel_cancel_rport_listener(const char *, u_short);
-int      channel_cancel_lport_listener(const char *, u_short, int, int);
+Channel *channel_connect_by_listen_address(const char *, u_short,
+             char *, char *);
+Channel *channel_connect_by_listen_path(const char *, char *, char *);
+int      channel_request_remote_forwarding(struct Forward *);
+int      channel_setup_local_fwd_listener(struct Forward *, struct ForwardOptions *);
+int      channel_request_rforward_cancel(struct Forward *);
+int      channel_setup_remote_fwd_listener(struct Forward *, int *, struct ForwardOptions *);
+int      channel_cancel_rport_listener(struct Forward *);
+int      channel_cancel_lport_listener(struct Forward *, int, struct ForwardOptions *);
 int      permitopen_port(const char *);
 
 /* x11 forwarding */
diff --git a/cipher-3des1.c b/cipher-3des1.c
index b2823592b..2753f9a0e 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher-3des1.c,v 1.10 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: cipher-3des1.c,v 1.11 2014/07/02 04:59:06 djm Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
  *
@@ -29,13 +29,11 @@
 
 #include <openssl/evp.h>
 
-#include <stdarg.h>
 #include <string.h>
 
 #include "xmalloc.h"
 #include "log.h"
-
-#include "openbsd-compat/openssl-compat.h"
+#include "ssherr.h"
 
 /*
  * This is used by SSH1:
@@ -57,7 +55,7 @@ struct ssh1_3des_ctx
 };
 
 const EVP_CIPHER * evp_ssh1_3des(void);
-void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
 
 static int
 ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
@@ -67,11 +65,12 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
         u_char *k1, *k2, *k3;
 
         if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                c = xcalloc(1, sizeof(*c));
+                if ((c = calloc(1, sizeof(*c))) == NULL)
+                        return 0;
                 EVP_CIPHER_CTX_set_app_data(ctx, c);
         }
         if (key == NULL)
-                return (1);
+                return 1;
         if (enc == -1)
                 enc = ctx->encrypt;
         k1 = k2 = k3 = (u_char *) key;
@@ -85,44 +84,29 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
         EVP_CIPHER_CTX_init(&c->k1);
         EVP_CIPHER_CTX_init(&c->k2);
         EVP_CIPHER_CTX_init(&c->k3);
-#ifdef SSH_OLD_EVP
-        EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc);
-        EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc);
-        EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc);
-#else
         if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
             EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
             EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
                 explicit_bzero(c, sizeof(*c));
                 free(c);
                 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-                return (0);
+                return 0;
         }
-#endif
-        return (1);
+        return 1;
 }
 
 static int
-ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    LIBCRYPTO_EVP_INL_TYPE len)
+ssh1_3des_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, size_t len)
 {
         struct ssh1_3des_ctx *c;
 
-        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-                error("ssh1_3des_cbc: no context");
-                return (0);
-        }
-#ifdef SSH_OLD_EVP
-        EVP_Cipher(&c->k1, dest, (u_char *)src, len);
-        EVP_Cipher(&c->k2, dest, dest, len);
-        EVP_Cipher(&c->k3, dest, dest, len);
-#else
+        if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
+                return 0;
         if (EVP_Cipher(&c->k1, dest, (u_char *)src, len) == 0 ||
             EVP_Cipher(&c->k2, dest, dest, len) == 0 ||
             EVP_Cipher(&c->k3, dest, dest, len) == 0)
-                return (0);
-#endif
-        return (1);
+                return 0;
+        return 1;
 }
 
 static int
@@ -138,29 +122,28 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
                 free(c);
                 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
         }
-        return (1);
+        return 1;
 }
 
-void
+int
 ssh1_3des_iv(EVP_CIPHER_CTX *evp, int doset, u_char *iv, int len)
 {
         struct ssh1_3des_ctx *c;
 
         if (len != 24)
-                fatal("%s: bad 3des iv length: %d", __func__, len);
+                return SSH_ERR_INVALID_ARGUMENT;
         if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-                fatal("%s: no 3des context", __func__);
+                return SSH_ERR_INTERNAL_ERROR;
         if (doset) {
-                debug3("%s: Installed 3DES IV", __func__);
                 memcpy(c->k1.iv, iv, 8);
                 memcpy(c->k2.iv, iv + 8, 8);
                 memcpy(c->k3.iv, iv + 16, 8);
         } else {
-                debug3("%s: Copying 3DES IV", __func__);
                 memcpy(iv, c->k1.iv, 8);
                 memcpy(iv + 8, c->k2.iv, 8);
                 memcpy(iv + 16, c->k3.iv, 8);
         }
+        return 0;
 }
 
 const EVP_CIPHER *
@@ -176,8 +159,6 @@ evp_ssh1_3des(void)
         ssh1_3des.init = ssh1_3des_init;
         ssh1_3des.cleanup = ssh1_3des_cleanup;
         ssh1_3des.do_cipher = ssh1_3des_cbc;
-#ifndef SSH_OLD_EVP
         ssh1_3des.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH;
-#endif
-        return (&ssh1_3des);
+        return &ssh1_3des;
 }
diff --git a/cipher-aesctr.c b/cipher-aesctr.c
new file mode 100644
index 000000000..a4cf61e41
--- /dev/null
+++ b/cipher-aesctr.c
@@ -0,0 +1,78 @@
+/* $OpenBSD: cipher-aesctr.c,v 1.1 2014/04/29 15:39:33 markus Exp $ */
+/*
+ * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <string.h>
+
+#include "cipher-aesctr.h"
+
+/*
+ * increment counter 'ctr',
+ * the counter is of size 'len' bytes and stored in network-byte-order.
+ * (LSB at ctr[len-1], MSB at ctr[0])
+ */
+static __inline__ void
+aesctr_inc(u8 *ctr, u32 len)
+{
+        ssize_t i;
+
+#ifndef CONSTANT_TIME_INCREMENT
+        for (i = len - 1; i >= 0; i--)
+                if (++ctr[i])   /* continue on overflow */
+                        return;
+#else
+        u8 x, add = 1;
+
+        for (i = len - 1; i >= 0; i--) {
+                ctr[i] += add;
+                /* constant time for: x = ctr[i] ? 1 : 0 */
+                x = ctr[i];
+                x = (x | (x >> 4)) & 0xf;
+                x = (x | (x >> 2)) & 0x3;
+                x = (x | (x >> 1)) & 0x1;
+                add *= (x^1);
+        }
+#endif
+}
+
+void
+aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits)
+{
+        x->rounds = rijndaelKeySetupEnc(x->ek, k, kbits);
+}
+
+void
+aesctr_ivsetup(aesctr_ctx *x,const u8 *iv)
+{
+        memcpy(x->ctr, iv, AES_BLOCK_SIZE);
+}
+
+void
+aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
+{
+        u32 n = 0;
+        u8 buf[AES_BLOCK_SIZE];
+
+        while ((bytes--) > 0) {
+                if (n == 0) {
+                        rijndaelEncrypt(x->ek, x->rounds, x->ctr, buf);
+                        aesctr_inc(x->ctr, AES_BLOCK_SIZE);
+                }
+                *(c++) = *(m++) ^ buf[n];
+                n = (n + 1) % AES_BLOCK_SIZE;
+        }
+}
diff --git a/cipher-aesctr.h b/cipher-aesctr.h
new file mode 100644
index 000000000..85d55bba2
--- /dev/null
+++ b/cipher-aesctr.h
@@ -0,0 +1,35 @@
+/* $OpenBSD: cipher-aesctr.h,v 1.1 2014/04/29 15:39:33 markus Exp $ */
+/*
+ * Copyright (c) 2014 Markus Friedl
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef OPENSSH_AESCTR_H
+#define OPENSSH_AESCTR_H
+
+#include "rijndael.h"
+
+#define AES_BLOCK_SIZE 16
+
+typedef struct aesctr_ctx {
+        int     rounds;                         /* keylen-dependent #rounds */
+        u32     ek[4*(AES_MAXROUNDS + 1)];      /* encrypt key schedule */
+        u8      ctr[AES_BLOCK_SIZE];            /* counter */
+} aesctr_ctx;
+
+void aesctr_keysetup(aesctr_ctx *x,const u8 *k,u32 kbits,u32 ivbits);
+void aesctr_ivsetup(aesctr_ctx *x,const u8 *iv);
+void aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes);
+
+#endif
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c
index 251b94ec8..8665b41a3 100644
--- a/cipher-chachapoly.c
+++ b/cipher-chachapoly.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: cipher-chachapoly.c,v 1.6 2014/07/03 12:42:16 jsing Exp $ */
 
 #include "includes.h"
 
@@ -24,16 +24,18 @@
 #include <stdio.h>  /* needed for misc.h */
 
 #include "log.h"
-#include "misc.h"
+#include "sshbuf.h"
+#include "ssherr.h"
 #include "cipher-chachapoly.h"
 
-void chachapoly_init(struct chachapoly_ctx *ctx,
+int chachapoly_init(struct chachapoly_ctx *ctx,
     const u_char *key, u_int keylen)
 {
         if (keylen != (32 + 32)) /* 2 x 256 bit keys */
-                fatal("%s: invalid keylen %u", __func__, keylen);
+                return SSH_ERR_INVALID_ARGUMENT;
         chacha_keysetup(&ctx->main_ctx, key, 256);
         chacha_keysetup(&ctx->header_ctx, key + 32, 256);
+        return 0;
 }
 
 /*
@@ -52,33 +54,37 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
         u_char seqbuf[8];
         const u_char one[8] = { 1, 0, 0, 0, 0, 0, 0, 0 }; /* NB little-endian */
         u_char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
-        int r = -1;
+        int r = SSH_ERR_INTERNAL_ERROR;
 
         /*
          * Run ChaCha20 once to generate the Poly1305 key. The IV is the
          * packet sequence number.
          */
         memset(poly_key, 0, sizeof(poly_key));
-        put_u64(seqbuf, seqnr);
+        POKE_U64(seqbuf, seqnr);
         chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
         chacha_encrypt_bytes(&ctx->main_ctx,
             poly_key, poly_key, sizeof(poly_key));
-        /* Set Chacha's block counter to 1 */
-        chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
 
         /* If decrypting, check tag before anything else */
         if (!do_encrypt) {
                 const u_char *tag = src + aadlen + len;
 
                 poly1305_auth(expected_tag, src, aadlen + len, poly_key);
-                if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0)
+                if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
+                        r = SSH_ERR_MAC_INVALID;
                         goto out;
+                }
         }
+
         /* Crypt additional data */
         if (aadlen) {
                 chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
                 chacha_encrypt_bytes(&ctx->header_ctx, src, dest, aadlen);
         }
+
+        /* Set Chacha's block counter to 1 */
+        chacha_ivsetup(&ctx->main_ctx, seqbuf, one);
         chacha_encrypt_bytes(&ctx->main_ctx, src + aadlen,
             dest + aadlen, len);
 
@@ -88,7 +94,6 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
                     poly_key);
         }
         r = 0;
-
  out:
         explicit_bzero(expected_tag, sizeof(expected_tag));
         explicit_bzero(seqbuf, sizeof(seqbuf));
@@ -104,11 +109,11 @@ chachapoly_get_length(struct chachapoly_ctx *ctx,
         u_char buf[4], seqbuf[8];
 
         if (len < 4)
-                return -1; /* Insufficient length */
-        put_u64(seqbuf, seqnr);
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        POKE_U64(seqbuf, seqnr);
         chacha_ivsetup(&ctx->header_ctx, seqbuf, NULL);
         chacha_encrypt_bytes(&ctx->header_ctx, cp, buf, 4);
-        *plenp = get_u32(buf);
+        *plenp = PEEK_U32(buf);
         return 0;
 }
 
diff --git a/cipher-chachapoly.h b/cipher-chachapoly.h
index 1628693b2..b7072be7d 100644
--- a/cipher-chachapoly.h
+++ b/cipher-chachapoly.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher-chachapoly.h,v 1.1 2013/11/21 00:45:44 djm Exp $ */
+/* $OpenBSD: cipher-chachapoly.h,v 1.4 2014/06/24 01:13:21 djm Exp $ */
 
 /*
  * Copyright (c) Damien Miller 2013 <djm@mindrot.org>
@@ -28,7 +28,7 @@ struct chachapoly_ctx {
         struct chacha_ctx main_ctx, header_ctx;
 };
 
-void    chachapoly_init(struct chachapoly_ctx *cpctx,
+int     chachapoly_init(struct chachapoly_ctx *cpctx,
     const u_char *key, u_int keylen)
     __attribute__((__bounded__(__buffer__, 2, 3)));
 int     chachapoly_crypt(struct chachapoly_ctx *cpctx, u_int seqnr,
diff --git a/cipher.c b/cipher.c
index 53d9b4fb7..638ca2d97 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.97 2014/02/07 06:55:54 djm Exp $ */
+/* $OpenBSD: cipher.c,v 1.99 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -43,21 +43,21 @@
 #include <stdarg.h>
 #include <stdio.h>
 
-#include "xmalloc.h"
-#include "log.h"
-#include "misc.h"
 #include "cipher.h"
-#include "buffer.h"
+#include "misc.h"
+#include "sshbuf.h"
+#include "ssherr.h"
 #include "digest.h"
 
-/* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
 
+#ifdef WITH_SSH1
 extern const EVP_CIPHER *evp_ssh1_bf(void);
 extern const EVP_CIPHER *evp_ssh1_3des(void);
-extern void ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+extern int ssh1_3des_iv(EVP_CIPHER_CTX *, int, u_char *, int);
+#endif
 
-struct Cipher {
+struct sshcipher {
         char    *name;
         int     number;         /* for ssh1 only */
         u_int   block_size;
@@ -68,15 +68,23 @@ struct Cipher {
         u_int   flags;
 #define CFLAG_CBC               (1<<0)
 #define CFLAG_CHACHAPOLY        (1<<1)
+#define CFLAG_AESCTR            (1<<2)
+#define CFLAG_NONE              (1<<3)
+#ifdef WITH_OPENSSL
         const EVP_CIPHER        *(*evptype)(void);
+#else
+        void    *ignored;
+#endif
 };
 
-static const struct Cipher ciphers[] = {
-        { "none",       SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+static const struct sshcipher ciphers[] = {
+#ifdef WITH_SSH1
         { "des",        SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
         { "3des",       SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
         { "blowfish",   SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, 0, 1, evp_ssh1_bf },
-
+#endif /* WITH_SSH1 */
+#ifdef WITH_OPENSSL
+        { "none",       SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
         { "3des-cbc",   SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
         { "blowfish-cbc",
                         SSH_CIPHER_SSH2, 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
@@ -93,26 +101,33 @@ static const struct Cipher ciphers[] = {
         { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
         { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
         { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
-#ifdef OPENSSL_HAVE_EVPGCM
+# ifdef OPENSSL_HAVE_EVPGCM
         { "aes128-gcm@openssh.com",
                         SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
         { "aes256-gcm@openssh.com",
                         SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
-#endif
+# endif /* OPENSSL_HAVE_EVPGCM */
+#else /* WITH_OPENSSL */
+        { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
+        { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
+        { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
+        { "none",       SSH_CIPHER_NONE, 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
+#endif /* WITH_OPENSSL */
         { "chacha20-poly1305@openssh.com",
                         SSH_CIPHER_SSH2, 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
+
         { NULL,         SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
 
 /*--*/
 
-/* Returns a list of supported ciphers separated by the specified char. */
+/* Returns a comma-separated list of supported ciphers. */
 char *
 cipher_alg_list(char sep, int auth_only)
 {
-        char *ret = NULL;
+        char *tmp, *ret = NULL;
         size_t nlen, rlen = 0;
-        const Cipher *c;
+        const struct sshcipher *c;
 
         for (c = ciphers; c->name != NULL; c++) {
                 if (c->number != SSH_CIPHER_SSH2)
@@ -122,7 +137,11 @@ cipher_alg_list(char sep, int auth_only)
                 if (ret != NULL)
                         ret[rlen++] = sep;
                 nlen = strlen(c->name);
-                ret = xrealloc(ret, 1, rlen + nlen + 2);
+                if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
+                        free(ret);
+                        return NULL;
+                }
+                ret = tmp;
                 memcpy(ret + rlen, c->name, nlen + 1);
                 rlen += nlen;
         }
@@ -130,19 +149,19 @@ cipher_alg_list(char sep, int auth_only)
 }
 
 u_int
-cipher_blocksize(const Cipher *c)
+cipher_blocksize(const struct sshcipher *c)
 {
         return (c->block_size);
 }
 
 u_int
-cipher_keylen(const Cipher *c)
+cipher_keylen(const struct sshcipher *c)
 {
         return (c->key_len);
 }
 
 u_int
-cipher_seclen(const Cipher *c)
+cipher_seclen(const struct sshcipher *c)
 {
         if (strcmp("3des-cbc", c->name) == 0)
                 return 14;
@@ -150,13 +169,13 @@ cipher_seclen(const Cipher *c)
 }
 
 u_int
-cipher_authlen(const Cipher *c)
+cipher_authlen(const struct sshcipher *c)
 {
         return (c->auth_len);
 }
 
 u_int
-cipher_ivlen(const Cipher *c)
+cipher_ivlen(const struct sshcipher *c)
 {
         /*
          * Default is cipher block size, except for chacha20+poly1305 that
@@ -167,13 +186,13 @@ cipher_ivlen(const Cipher *c)
 }
 
 u_int
-cipher_get_number(const Cipher *c)
+cipher_get_number(const struct sshcipher *c)
 {
         return (c->number);
 }
 
 u_int
-cipher_is_cbc(const Cipher *c)
+cipher_is_cbc(const struct sshcipher *c)
 {
         return (c->flags & CFLAG_CBC) != 0;
 }
@@ -190,20 +209,20 @@ cipher_mask_ssh1(int client)
         return mask;
 }
 
-const Cipher *
+const struct sshcipher *
 cipher_by_name(const char *name)
 {
-        const Cipher *c;
+        const struct sshcipher *c;
         for (c = ciphers; c->name != NULL; c++)
                 if (strcmp(c->name, name) == 0)
                         return c;
         return NULL;
 }
 
-const Cipher *
+const struct sshcipher *
 cipher_by_number(int id)
 {
-        const Cipher *c;
+        const struct sshcipher *c;
         for (c = ciphers; c->name != NULL; c++)
                 if (c->number == id)
                         return c;
@@ -214,23 +233,22 @@ cipher_by_number(int id)
 int
 ciphers_valid(const char *names)
 {
-        const Cipher *c;
+        const struct sshcipher *c;
         char *cipher_list, *cp;
         char *p;
 
         if (names == NULL || strcmp(names, "") == 0)
                 return 0;
-        cipher_list = cp = xstrdup(names);
+        if ((cipher_list = cp = strdup(names)) == NULL)
+                return 0;
         for ((p = strsep(&cp, CIPHER_SEP)); p && *p != '\0';
             (p = strsep(&cp, CIPHER_SEP))) {
                 c = cipher_by_name(p);
                 if (c == NULL || c->number != SSH_CIPHER_SSH2) {
-                        debug("bad cipher %s [%s]", p, names);
                         free(cipher_list);
                         return 0;
                 }
         }
-        debug3("ciphers ok: [%s]", names);
         free(cipher_list);
         return 1;
 }
@@ -243,7 +261,7 @@ ciphers_valid(const char *names)
 int
 cipher_number(const char *name)
 {
-        const Cipher *c;
+        const struct sshcipher *c;
         if (name == NULL)
                 return -1;
         for (c = ciphers; c->name != NULL; c++)
@@ -255,90 +273,104 @@ cipher_number(const char *name)
 char *
 cipher_name(int id)
 {
-        const Cipher *c = cipher_by_number(id);
+        const struct sshcipher *c = cipher_by_number(id);
         return (c==NULL) ? "<unknown>" : c->name;
 }
 
-void
-cipher_init(CipherContext *cc, const Cipher *cipher,
+const char *
+cipher_warning_message(const struct sshcipher_ctx *cc)
+{
+        if (cc == NULL || cc->cipher == NULL)
+                return NULL;
+        if (cc->cipher->number == SSH_CIPHER_DES)
+                return "use of DES is strongly discouraged due to "
+                    "cryptographic weaknesses";
+        return NULL;
+}
+
+int
+cipher_init(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
     const u_char *key, u_int keylen, const u_char *iv, u_int ivlen,
     int do_encrypt)
 {
-        static int dowarn = 1;
-#ifdef SSH_OLD_EVP
-        EVP_CIPHER *type;
-#else
+#ifdef WITH_OPENSSL
+        int ret = SSH_ERR_INTERNAL_ERROR;
         const EVP_CIPHER *type;
         int klen;
-#endif
         u_char *junk, *discard;
 
         if (cipher->number == SSH_CIPHER_DES) {
-                if (dowarn) {
-                        error("Warning: use of DES is strongly discouraged "
-                            "due to cryptographic weaknesses");
-                        dowarn = 0;
-                }
                 if (keylen > 8)
                         keylen = 8;
         }
+#endif
         cc->plaintext = (cipher->number == SSH_CIPHER_NONE);
         cc->encrypt = do_encrypt;
 
-        if (keylen < cipher->key_len)
-                fatal("cipher_init: key length %d is insufficient for %s.",
-                    keylen, cipher->name);
-        if (iv != NULL && ivlen < cipher_ivlen(cipher))
-                fatal("cipher_init: iv length %d is insufficient for %s.",
-                    ivlen, cipher->name);
-        cc->cipher = cipher;
+        if (keylen < cipher->key_len ||
+            (iv != NULL && ivlen < cipher_ivlen(cipher)))
+                return SSH_ERR_INVALID_ARGUMENT;
 
+        cc->cipher = cipher;
         if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
-                chachapoly_init(&cc->cp_ctx, key, keylen);
-                return;
+                return chachapoly_init(&cc->cp_ctx, key, keylen);
         }
-        type = (*cipher->evptype)();
-        EVP_CIPHER_CTX_init(&cc->evp);
-#ifdef SSH_OLD_EVP
-        if (type->key_len > 0 && type->key_len != keylen) {
-                debug("cipher_init: set keylen (%d -> %d)",
-                    type->key_len, keylen);
-                type->key_len = keylen;
+#ifndef WITH_OPENSSL
+        if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
+                aesctr_keysetup(&cc->ac_ctx, key, 8 * keylen, 8 * ivlen);
+                aesctr_ivsetup(&cc->ac_ctx, iv);
+                return 0;
         }
-        EVP_CipherInit(&cc->evp, type, (u_char *)key, (u_char *)iv,
-            (do_encrypt == CIPHER_ENCRYPT));
+        if ((cc->cipher->flags & CFLAG_NONE) != 0)
+                return 0;
+        return SSH_ERR_INVALID_ARGUMENT;
 #else
+        type = (*cipher->evptype)();
+        EVP_CIPHER_CTX_init(&cc->evp);
         if (EVP_CipherInit(&cc->evp, type, NULL, (u_char *)iv,
-            (do_encrypt == CIPHER_ENCRYPT)) == 0)
-                fatal("cipher_init: EVP_CipherInit failed for %s",
-                    cipher->name);
+            (do_encrypt == CIPHER_ENCRYPT)) == 0) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto bad;
+        }
         if (cipher_authlen(cipher) &&
             !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_IV_FIXED,
-            -1, (u_char *)iv))
-                fatal("cipher_init: EVP_CTRL_GCM_SET_IV_FIXED failed for %s",
-                    cipher->name);
+            -1, (u_char *)iv)) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto bad;
+        }
         klen = EVP_CIPHER_CTX_key_length(&cc->evp);
         if (klen > 0 && keylen != (u_int)klen) {
-                debug2("cipher_init: set keylen (%d -> %d)", klen, keylen);
-                if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0)
-                        fatal("cipher_init: set keylen failed (%d -> %d)",
-                            klen, keylen);
+                if (EVP_CIPHER_CTX_set_key_length(&cc->evp, keylen) == 0) {
+                        ret = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto bad;
+                }
+        }
+        if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto bad;
         }
-        if (EVP_CipherInit(&cc->evp, NULL, (u_char *)key, NULL, -1) == 0)
-                fatal("cipher_init: EVP_CipherInit: set key failed for %s",
-                    cipher->name);
-#endif
 
         if (cipher->discard_len > 0) {
-                junk = xmalloc(cipher->discard_len);
-                discard = xmalloc(cipher->discard_len);
-                if (EVP_Cipher(&cc->evp, discard, junk,
-                    cipher->discard_len) == 0)
-                        fatal("evp_crypt: EVP_Cipher failed during discard");
+                if ((junk = malloc(cipher->discard_len)) == NULL ||
+                    (discard = malloc(cipher->discard_len)) == NULL) {
+                        if (junk != NULL)
+                                free(junk);
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto bad;
+                }
+                ret = EVP_Cipher(&cc->evp, discard, junk, cipher->discard_len);
                 explicit_bzero(discard, cipher->discard_len);
                 free(junk);
                 free(discard);
+                if (ret != 1) {
+                        ret = SSH_ERR_LIBCRYPTO_ERROR;
+ bad:
+                        EVP_CIPHER_CTX_cleanup(&cc->evp);
+                        return ret;
+                }
         }
+#endif
+        return 0;
 }
 
 /*
@@ -350,204 +382,244 @@ cipher_init(CipherContext *cc, const Cipher *cipher,
  * Use 'authlen' bytes at offset 'len'+'aadlen' as the authentication tag.
  * This tag is written on encryption and verified on decryption.
  * Both 'aadlen' and 'authlen' can be set to 0.
- * cipher_crypt() returns 0 on success and -1 if the decryption integrity
- * check fails.
  */
 int
-cipher_crypt(CipherContext *cc, u_int seqnr, u_char *dest, const u_char *src,
-    u_int len, u_int aadlen, u_int authlen)
+cipher_crypt(struct sshcipher_ctx *cc, u_int seqnr, u_char *dest,
+   const u_char *src, u_int len, u_int aadlen, u_int authlen)
 {
-        if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-                return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src, len,
-                    aadlen, authlen, cc->encrypt);
+        if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
+                return chachapoly_crypt(&cc->cp_ctx, seqnr, dest, src,
+                    len, aadlen, authlen, cc->encrypt);
+        }
+#ifndef WITH_OPENSSL
+        if ((cc->cipher->flags & CFLAG_AESCTR) != 0) {
+                if (aadlen)
+                        memcpy(dest, src, aadlen);
+                aesctr_encrypt_bytes(&cc->ac_ctx, src + aadlen,
+                    dest + aadlen, len);
+                return 0;
+        }
+        if ((cc->cipher->flags & CFLAG_NONE) != 0) {
+                memcpy(dest, src, aadlen + len);
+                return 0;
+        }
+        return SSH_ERR_INVALID_ARGUMENT;
+#else
         if (authlen) {
                 u_char lastiv[1];
 
                 if (authlen != cipher_authlen(cc->cipher))
-                        fatal("%s: authlen mismatch %d", __func__, authlen);
+                        return SSH_ERR_INVALID_ARGUMENT;
                 /* increment IV */
                 if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
                     1, lastiv))
-                        fatal("%s: EVP_CTRL_GCM_IV_GEN", __func__);
+                        return SSH_ERR_LIBCRYPTO_ERROR;
                 /* set tag on decyption */
                 if (!cc->encrypt &&
                     !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_SET_TAG,
                     authlen, (u_char *)src + aadlen + len))
-                        fatal("%s: EVP_CTRL_GCM_SET_TAG", __func__);
+                        return SSH_ERR_LIBCRYPTO_ERROR;
         }
         if (aadlen) {
                 if (authlen &&
                     EVP_Cipher(&cc->evp, NULL, (u_char *)src, aadlen) < 0)
-                        fatal("%s: EVP_Cipher(aad) failed", __func__);
+                        return SSH_ERR_LIBCRYPTO_ERROR;
                 memcpy(dest, src, aadlen);
         }
         if (len % cc->cipher->block_size)
-                fatal("%s: bad plaintext length %d", __func__, len);
+                return SSH_ERR_INVALID_ARGUMENT;
         if (EVP_Cipher(&cc->evp, dest + aadlen, (u_char *)src + aadlen,
             len) < 0)
-                fatal("%s: EVP_Cipher failed", __func__);
+                return SSH_ERR_LIBCRYPTO_ERROR;
         if (authlen) {
                 /* compute tag (on encrypt) or verify tag (on decrypt) */
-                if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0) {
-                        if (cc->encrypt)
-                                fatal("%s: EVP_Cipher(final) failed", __func__);
-                        else
-                                return -1;
-                }
+                if (EVP_Cipher(&cc->evp, NULL, NULL, 0) < 0)
+                        return cc->encrypt ?
+                            SSH_ERR_LIBCRYPTO_ERROR : SSH_ERR_MAC_INVALID;
                 if (cc->encrypt &&
                     !EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_GET_TAG,
                     authlen, dest + aadlen + len))
-                        fatal("%s: EVP_CTRL_GCM_GET_TAG", __func__);
+                        return SSH_ERR_LIBCRYPTO_ERROR;
         }
         return 0;
+#endif
 }
 
 /* Extract the packet length, including any decryption necessary beforehand */
 int
-cipher_get_length(CipherContext *cc, u_int *plenp, u_int seqnr,
+cipher_get_length(struct sshcipher_ctx *cc, u_int *plenp, u_int seqnr,
     const u_char *cp, u_int len)
 {
         if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
                 return chachapoly_get_length(&cc->cp_ctx, plenp, seqnr,
                     cp, len);
         if (len < 4)
-                return -1;
+                return SSH_ERR_MESSAGE_INCOMPLETE;
         *plenp = get_u32(cp);
         return 0;
 }
 
-void
-cipher_cleanup(CipherContext *cc)
+int
+cipher_cleanup(struct sshcipher_ctx *cc)
 {
+        if (cc == NULL || cc->cipher == NULL)
+                return 0;
         if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
                 explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
+        else if ((cc->cipher->flags & CFLAG_AESCTR) != 0)
+                explicit_bzero(&cc->ac_ctx, sizeof(cc->ac_ctx));
+#ifdef WITH_OPENSSL
         else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
-                error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
+                return SSH_ERR_LIBCRYPTO_ERROR;
+#endif
+        return 0;
 }
 
 /*
  * Selects the cipher, and keys if by computing the MD5 checksum of the
  * passphrase and using the resulting 16 bytes as the key.
  */
-
-void
-cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
+int
+cipher_set_key_string(struct sshcipher_ctx *cc, const struct sshcipher *cipher,
     const char *passphrase, int do_encrypt)
 {
         u_char digest[16];
+        int r = SSH_ERR_INTERNAL_ERROR;
 
-        if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase),
-            digest, sizeof(digest)) < 0)
-                fatal("%s: md5 failed", __func__);
-
-        cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
+        if ((r = ssh_digest_memory(SSH_DIGEST_MD5,
+            passphrase, strlen(passphrase),
+            digest, sizeof(digest))) != 0)
+                goto out;
 
+        r = cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
+ out:
         explicit_bzero(digest, sizeof(digest));
+        return r;
 }
 
 /*
- * Exports an IV from the CipherContext required to export the key
+ * Exports an IV from the sshcipher_ctx required to export the key
  * state back from the unprivileged child to the privileged parent
  * process.
  */
-
 int
-cipher_get_keyiv_len(const CipherContext *cc)
+cipher_get_keyiv_len(const struct sshcipher_ctx *cc)
 {
-        const Cipher *c = cc->cipher;
-        int ivlen;
+        const struct sshcipher *c = cc->cipher;
+        int ivlen = 0;
 
         if (c->number == SSH_CIPHER_3DES)
                 ivlen = 24;
         else if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
                 ivlen = 0;
+#ifdef WITH_OPENSSL
         else
                 ivlen = EVP_CIPHER_CTX_iv_length(&cc->evp);
+#endif /* WITH_OPENSSL */
         return (ivlen);
 }
 
-void
-cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
+int
+cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, u_int len)
 {
-        const Cipher *c = cc->cipher;
-        int evplen;
+        const struct sshcipher *c = cc->cipher;
+#ifdef WITH_OPENSSL
+        int evplen;
+#endif
 
         if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0) {
                 if (len != 0)
-                        fatal("%s: wrong iv length %d != %d", __func__, len, 0);
-                return;
+                        return SSH_ERR_INVALID_ARGUMENT;
+                return 0;
         }
+        if ((cc->cipher->flags & CFLAG_NONE) != 0)
+                return 0;
 
         switch (c->number) {
+#ifdef WITH_OPENSSL
         case SSH_CIPHER_SSH2:
         case SSH_CIPHER_DES:
         case SSH_CIPHER_BLOWFISH:
                 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-                if (evplen <= 0)
-                        return;
+                if (evplen == 0)
+                        return 0;
+                else if (evplen < 0)
+                        return SSH_ERR_LIBCRYPTO_ERROR;
                 if ((u_int)evplen != len)
-                        fatal("%s: wrong iv length %d != %d", __func__,
-                            evplen, len);
-#ifdef USE_BUILTIN_RIJNDAEL
-                if (c->evptype == evp_rijndael)
-                        ssh_rijndael_iv(&cc->evp, 0, iv, len);
-                else
-#endif
+                        return SSH_ERR_INVALID_ARGUMENT;
 #ifndef OPENSSL_HAVE_EVPCTR
                 if (c->evptype == evp_aes_128_ctr)
                         ssh_aes_ctr_iv(&cc->evp, 0, iv, len);
                 else
 #endif
-                memcpy(iv, cc->evp.iv, len);
+                if (cipher_authlen(c)) {
+                        if (!EVP_CIPHER_CTX_ctrl(&cc->evp, EVP_CTRL_GCM_IV_GEN,
+                           len, iv))
+                               return SSH_ERR_LIBCRYPTO_ERROR;
+                } else
+                        memcpy(iv, cc->evp.iv, len);
                 break;
+#endif
+#ifdef WITH_SSH1
         case SSH_CIPHER_3DES:
-                ssh1_3des_iv(&cc->evp, 0, iv, 24);
-                break;
+                return ssh1_3des_iv(&cc->evp, 0, iv, 24);
+#endif
         default:
-                fatal("%s: bad cipher %d", __func__, c->number);
+                return SSH_ERR_INVALID_ARGUMENT;
         }
+        return 0;
 }
 
-void
-cipher_set_keyiv(CipherContext *cc, u_char *iv)
+int
+cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
 {
-        const Cipher *c = cc->cipher;
-        int evplen = 0;
+        const struct sshcipher *c = cc->cipher;
+#ifdef WITH_OPENSSL
+        int evplen = 0;
+#endif
 
         if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-                return;
+                return 0;
+        if ((cc->cipher->flags & CFLAG_NONE) != 0)
+                return 0;
 
         switch (c->number) {
+#ifdef WITH_OPENSSL
         case SSH_CIPHER_SSH2:
         case SSH_CIPHER_DES:
         case SSH_CIPHER_BLOWFISH:
                 evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
-                if (evplen == 0)
-                        return;
-#ifdef USE_BUILTIN_RIJNDAEL
-                if (c->evptype == evp_rijndael)
-                        ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
-                else
-#endif
-#ifndef OPENSSL_HAVE_EVPCTR
-                if (c->evptype == evp_aes_128_ctr)
-                        ssh_aes_ctr_iv(&cc->evp, 1, iv, evplen);
-                else
-#endif
-                memcpy(cc->evp.iv, iv, evplen);
+                if (evplen <= 0)
+                        return SSH_ERR_LIBCRYPTO_ERROR;
+                if (cipher_authlen(c)) {
+                        /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
+                        if (!EVP_CIPHER_CTX_ctrl(&cc->evp,
+                            EVP_CTRL_GCM_SET_IV_FIXED, -1, (void *)iv))
+                                return SSH_ERR_LIBCRYPTO_ERROR;
+                } else
+                        memcpy(cc->evp.iv, iv, evplen);
                 break;
+#endif
+#ifdef WITH_SSH1
         case SSH_CIPHER_3DES:
-                ssh1_3des_iv(&cc->evp, 1, iv, 24);
-                break;
+                return ssh1_3des_iv(&cc->evp, 1, (u_char *)iv, 24);
+#endif
         default:
-                fatal("%s: bad cipher %d", __func__, c->number);
+                return SSH_ERR_INVALID_ARGUMENT;
         }
+        return 0;
 }
 
+#ifdef WITH_OPENSSL
+#define EVP_X_STATE(evp)        (evp).cipher_data
+#define EVP_X_STATE_LEN(evp)    (evp).cipher->ctx_size
+#endif
+
 int
-cipher_get_keycontext(const CipherContext *cc, u_char *dat)
+cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
 {
-        const Cipher *c = cc->cipher;
+#ifdef WITH_OPENSSL
+        const struct sshcipher *c = cc->cipher;
         int plen = 0;
 
         if (c->evptype == EVP_rc4) {
@@ -557,16 +629,21 @@ cipher_get_keycontext(const CipherContext *cc, u_char *dat)
                 memcpy(dat, EVP_X_STATE(cc->evp), plen);
         }
         return (plen);
+#else
+        return 0;
+#endif
 }
 
 void
-cipher_set_keycontext(CipherContext *cc, u_char *dat)
+cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
 {
-        const Cipher *c = cc->cipher;
+#ifdef WITH_OPENSSL
+        const struct sshcipher *c = cc->cipher;
         int plen;
 
         if (c->evptype == EVP_rc4) {
                 plen = EVP_X_STATE_LEN(cc->evp);
                 memcpy(EVP_X_STATE(cc->evp), dat, plen);
         }
+#endif
 }
diff --git a/cipher.h b/cipher.h
index 133d2e73d..de74c1e3b 100644
--- a/cipher.h
+++ b/cipher.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.h,v 1.44 2014/01/25 10:12:50 dtucker Exp $ */
+/* $OpenBSD: cipher.h,v 1.46 2014/06/24 01:13:21 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -37,8 +37,10 @@
 #ifndef CIPHER_H
 #define CIPHER_H
 
+#include <sys/types.h>
 #include <openssl/evp.h>
 #include "cipher-chachapoly.h"
+#include "cipher-aesctr.h"
 
 /*
  * Cipher types for SSH-1.  New types can be added, but old types should not
@@ -60,44 +62,47 @@
 #define CIPHER_ENCRYPT          1
 #define CIPHER_DECRYPT          0
 
-typedef struct Cipher Cipher;
-typedef struct CipherContext CipherContext;
-
-struct Cipher;
-struct CipherContext {
+struct sshcipher;
+struct sshcipher_ctx {
         int     plaintext;
         int     encrypt;
         EVP_CIPHER_CTX evp;
         struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
-        const Cipher *cipher;
+        struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+        const struct sshcipher *cipher;
 };
 
+typedef struct sshcipher Cipher ;
+typedef struct sshcipher_ctx CipherContext ;
+
 u_int    cipher_mask_ssh1(int);
-const Cipher    *cipher_by_name(const char *);
-const Cipher    *cipher_by_number(int);
+const struct sshcipher *cipher_by_name(const char *);
+const struct sshcipher *cipher_by_number(int);
 int      cipher_number(const char *);
 char    *cipher_name(int);
 int      ciphers_valid(const char *);
 char    *cipher_alg_list(char, int);
-void     cipher_init(CipherContext *, const Cipher *, const u_char *, u_int,
-    const u_char *, u_int, int);
-int      cipher_crypt(CipherContext *, u_int, u_char *, const u_char *,
+int      cipher_init(struct sshcipher_ctx *, const struct sshcipher *,
+    const u_char *, u_int, const u_char *, u_int, int);
+const char* cipher_warning_message(const struct sshcipher_ctx *);
+int      cipher_crypt(struct sshcipher_ctx *, u_int, u_char *, const u_char *,
     u_int, u_int, u_int);
-int      cipher_get_length(CipherContext *, u_int *, u_int,
+int      cipher_get_length(struct sshcipher_ctx *, u_int *, u_int,
     const u_char *, u_int);
-void     cipher_cleanup(CipherContext *);
-void     cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
-u_int    cipher_blocksize(const Cipher *);
-u_int    cipher_keylen(const Cipher *);
-u_int    cipher_seclen(const Cipher *);
-u_int    cipher_authlen(const Cipher *);
-u_int    cipher_ivlen(const Cipher *);
-u_int    cipher_is_cbc(const Cipher *);
+int      cipher_cleanup(struct sshcipher_ctx *);
+int      cipher_set_key_string(struct sshcipher_ctx *, const struct sshcipher *,
+    const char *, int);
+u_int    cipher_blocksize(const struct sshcipher *);
+u_int    cipher_keylen(const struct sshcipher *);
+u_int    cipher_seclen(const struct sshcipher *);
+u_int    cipher_authlen(const struct sshcipher *);
+u_int    cipher_ivlen(const struct sshcipher *);
+u_int    cipher_is_cbc(const struct sshcipher *);
 
-u_int    cipher_get_number(const Cipher *);
-void     cipher_get_keyiv(CipherContext *, u_char *, u_int);
-void     cipher_set_keyiv(CipherContext *, u_char *);
-int      cipher_get_keyiv_len(const CipherContext *);
-int      cipher_get_keycontext(const CipherContext *, u_char *);
-void     cipher_set_keycontext(CipherContext *, u_char *);
+u_int    cipher_get_number(const struct sshcipher *);
+int      cipher_get_keyiv(struct sshcipher_ctx *, u_char *, u_int);
+int      cipher_set_keyiv(struct sshcipher_ctx *, const u_char *);
+int      cipher_get_keyiv_len(const struct sshcipher_ctx *);
+int      cipher_get_keycontext(const struct sshcipher_ctx *, u_char *);
+void     cipher_set_keycontext(struct sshcipher_ctx *, const u_char *);
 #endif                          /* CIPHER_H */
diff --git a/clientloop.c b/clientloop.c
index 59ad3a2c3..397c96532 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.258 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: clientloop.c,v 1.261 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -100,13 +100,13 @@
 #include "cipher.h"
 #include "kex.h"
 #include "log.h"
+#include "misc.h"
 #include "readconf.h"
 #include "clientloop.h"
 #include "sshconnect.h"
 #include "authfd.h"
 #include "atomicio.h"
 #include "sshpty.h"
-#include "misc.h"
 #include "match.h"
 #include "msg.h"
 #include "roaming.h"
@@ -871,13 +871,11 @@ static void
 process_cmdline(void)
 {
         void (*handler)(int);
-        char *s, *cmd, *cancel_host;
-        int delete = 0, local = 0, remote = 0, dynamic = 0;
-        int cancel_port, ok;
-        Forward fwd;
+        char *s, *cmd;
+        int ok, delete = 0, local = 0, remote = 0, dynamic = 0;
+        struct Forward fwd;
 
         memset(&fwd, 0, sizeof(fwd));
-        fwd.listen_host = fwd.connect_host = NULL;
 
         leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
         handler = signal(SIGINT, SIG_IGN);
@@ -943,29 +941,20 @@ process_cmdline(void)
 
         /* XXX update list of forwards in options */
         if (delete) {
-                cancel_port = 0;
-                cancel_host = hpdelim(&s);      /* may be NULL */
-                if (s != NULL) {
-                        cancel_port = a2port(s);
-                        cancel_host = cleanhostname(cancel_host);
-                } else {
-                        cancel_port = a2port(cancel_host);
-                        cancel_host = NULL;
-                }
-                if (cancel_port <= 0) {
-                        logit("Bad forwarding close port");
+                /* We pass 1 for dynamicfwd to restrict to 1 or 2 fields. */
+                if (!parse_forward(&fwd, s, 1, 0)) {
+                        logit("Bad forwarding close specification.");
                         goto out;
                 }
                 if (remote)
-                        ok = channel_request_rforward_cancel(cancel_host,
-                            cancel_port) == 0;
+                        ok = channel_request_rforward_cancel(&fwd) == 0;
                 else if (dynamic)
-                        ok = channel_cancel_lport_listener(cancel_host,
-                            cancel_port, 0, options.gateway_ports) > 0;
+                        ok = channel_cancel_lport_listener(&fwd,
+                            0, &options.fwd_opts) > 0;
                 else
-                        ok = channel_cancel_lport_listener(cancel_host,
-                            cancel_port, CHANNEL_CANCEL_PORT_STATIC,
-                            options.gateway_ports) > 0;
+                        ok = channel_cancel_lport_listener(&fwd,
+                            CHANNEL_CANCEL_PORT_STATIC,
+                            &options.fwd_opts) > 0;
                 if (!ok) {
                         logit("Unkown port forwarding.");
                         goto out;
@@ -977,16 +966,13 @@ process_cmdline(void)
                         goto out;
                 }
                 if (local || dynamic) {
-                        if (!channel_setup_local_fwd_listener(fwd.listen_host,
-                            fwd.listen_port, fwd.connect_host,
-                            fwd.connect_port, options.gateway_ports)) {
+                        if (!channel_setup_local_fwd_listener(&fwd,
+                            &options.fwd_opts)) {
                                 logit("Port forwarding failed.");
                                 goto out;
                         }
                 } else {
-                        if (channel_request_remote_forwarding(fwd.listen_host,
-                            fwd.listen_port, fwd.connect_host,
-                            fwd.connect_port) < 0) {
+                        if (channel_request_remote_forwarding(&fwd) < 0) {
                                 logit("Port forwarding failed.");
                                 goto out;
                         }
@@ -999,7 +985,9 @@ out:
         enter_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
         free(cmd);
         free(fwd.listen_host);
+        free(fwd.listen_path);
         free(fwd.connect_host);
+        free(fwd.connect_path);
 }
 
 /* reasons to suppress output of an escape command in help output */
@@ -1845,11 +1833,10 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
         originator_port = packet_get_int();
         packet_check_eom();
 
-        debug("client_request_forwarded_tcpip: listen %s port %d, "
-            "originator %s port %d", listen_address, listen_port,
-            originator_address, originator_port);
+        debug("%s: listen %s port %d, originator %s port %d", __func__,
+            listen_address, listen_port, originator_address, originator_port);
 
-        c = channel_connect_by_listen_address(listen_port,
+        c = channel_connect_by_listen_address(listen_address, listen_port,
             "forwarded-tcpip", originator_address);
 
         free(originator_address);
@@ -1858,6 +1845,27 @@ client_request_forwarded_tcpip(const char *request_type, int rchan)
 }
 
 static Channel *
+client_request_forwarded_streamlocal(const char *request_type, int rchan)
+{
+        Channel *c = NULL;
+        char *listen_path;
+
+        /* Get the remote path. */
+        listen_path = packet_get_string(NULL);
+        /* XXX: Skip reserved field for now. */
+        if (packet_get_string_ptr(NULL) == NULL)
+                fatal("%s: packet_get_string_ptr failed", __func__);
+        packet_check_eom();
+
+        debug("%s: %s", __func__, listen_path);
+
+        c = channel_connect_by_listen_path(listen_path,
+            "forwarded-streamlocal@openssh.com", "forwarded-streamlocal");
+        free(listen_path);
+        return c;
+}
+
+static Channel *
 client_request_x11(const char *request_type, int rchan)
 {
         Channel *c = NULL;
@@ -1984,6 +1992,8 @@ client_input_channel_open(int type, u_int32_t seq, void *ctxt)
 
         if (strcmp(ctype, "forwarded-tcpip") == 0) {
                 c = client_request_forwarded_tcpip(ctype, rchan);
+        } else if (strcmp(ctype, "forwarded-streamlocal@openssh.com") == 0) {
+                c = client_request_forwarded_streamlocal(ctype, rchan);
         } else if (strcmp(ctype, "x11") == 0) {
                 c = client_request_x11(ctype, rchan);
         } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
@@ -2054,7 +2064,7 @@ client_input_channel_req(int type, u_int32_t seq, void *ctxt)
                 }
                 packet_check_eom();
         }
-        if (reply && c != NULL) {
+        if (reply && c != NULL && !(c->flags & CHAN_CLOSE_SENT)) {
                 packet_start(success ?
                     SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
                 packet_put_int(c->remote_id);
diff --git a/compat.c b/compat.c
index 9d9fabef3..4d286e8e9 100644
--- a/compat.c
+++ b/compat.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.c,v 1.82 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: compat.c,v 1.85 2014/04/20 02:49:32 djm Exp $ */
 /*
  * Copyright (c) 1999, 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  *
@@ -95,6 +95,9 @@ compat_datafellows(const char *version)
                 { "Sun_SSH_1.0*",       SSH_BUG_NOREKEY|SSH_BUG_EXTEOF},
                 { "OpenSSH_4*",         0 },
                 { "OpenSSH_5*",         SSH_NEW_OPENSSH|SSH_BUG_DYNAMIC_RPORT},
+                { "OpenSSH_6.6.1*",     SSH_NEW_OPENSSH},
+                { "OpenSSH_6.5*,"
+                  "OpenSSH_6.6*",       SSH_NEW_OPENSSH|SSH_BUG_CURVE25519PAD},
                 { "OpenSSH*",           SSH_NEW_OPENSSH },
                 { "*MindTerm*",         0 },
                 { "2.1.0*",             SSH_BUG_SIGBLOB|SSH_BUG_HMAC|
@@ -251,7 +254,6 @@ compat_cipher_proposal(char *cipher_prop)
         return cipher_prop;
 }
 
-
 char *
 compat_pkalg_proposal(char *pkalg_prop)
 {
@@ -265,3 +267,16 @@ compat_pkalg_proposal(char *pkalg_prop)
         return pkalg_prop;
 }
 
+char *
+compat_kex_proposal(char *kex_prop)
+{
+        if (!(datafellows & SSH_BUG_CURVE25519PAD))
+                return kex_prop;
+        debug2("%s: original KEX proposal: %s", __func__, kex_prop);
+        kex_prop = filter_proposal(kex_prop, "curve25519-sha256@libssh.org");
+        debug2("%s: compat KEX proposal: %s", __func__, kex_prop);
+        if (*kex_prop == '\0')
+                fatal("No supported key exchange algorithms found");
+        return kex_prop;
+}
+
diff --git a/compat.h b/compat.h
index b174fa171..2e25d5ba9 100644
--- a/compat.h
+++ b/compat.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: compat.h,v 1.44 2013/12/30 23:52:27 djm Exp $ */
+/* $OpenBSD: compat.h,v 1.45 2014/04/18 23:52:25 djm Exp $ */
 
 /*
  * Copyright (c) 1999, 2000, 2001 Markus Friedl.  All rights reserved.
@@ -59,6 +59,7 @@
 #define SSH_BUG_RFWD_ADDR       0x02000000
 #define SSH_NEW_OPENSSH         0x04000000
 #define SSH_BUG_DYNAMIC_RPORT   0x08000000
+#define SSH_BUG_CURVE25519PAD   0x10000000
 
 void     enable_compat13(void);
 void     enable_compat20(void);
@@ -66,6 +67,7 @@ void     compat_datafellows(const char *);
 int      proto_spec(const char *);
 char    *compat_cipher_proposal(char *);
 char    *compat_pkalg_proposal(char *);
+char    *compat_kex_proposal(char *);
 
 extern int compat13;
 extern int compat20;
diff --git a/config.h.in b/config.h.in
index 0401ad181..16d620615 100644
--- a/config.h.in
+++ b/config.h.in
@@ -420,6 +420,9 @@
 /* Define to 1 if you have the `EVP_MD_CTX_init' function. */
 #undef HAVE_EVP_MD_CTX_INIT
 
+/* Define to 1 if you have the `EVP_ripemd160' function. */
+#undef HAVE_EVP_RIPEMD160
+
 /* Define to 1 if you have the `EVP_sha256' function. */
 #undef HAVE_EVP_SHA256
 
@@ -768,6 +771,9 @@
 /* Define to 1 if you have the <memory.h> header file. */
 #undef HAVE_MEMORY_H
 
+/* Define to 1 if you have the `memset_s' function. */
+#undef HAVE_MEMSET_S
+
 /* Define to 1 if you have the `mkdtemp' function. */
 #undef HAVE_MKDTEMP
 
@@ -1324,9 +1330,6 @@
 /* Define if va_copy exists */
 #undef HAVE_VA_COPY
 
-/* Define to 1 if you have the `vhangup' function. */
-#undef HAVE_VHANGUP
-
 /* Define to 1 if you have the <vis.h> header file. */
 #undef HAVE_VIS_H
 
@@ -1387,9 +1390,6 @@
 /* Define if pututxline updates lastlog too */
 #undef LASTLOG_WRITE_PUTUTXLINE
 
-/* Define if you want TCP Wrappers support */
-#undef LIBWRAP
-
 /* Define to whatever link() returns for "not supported" if it doesn't return
    EOPNOTSUPP. */
 #undef LINK_OPNOTSUPP_ERRNO
@@ -1662,9 +1662,15 @@
 /* Define if you want IRIX project management */
 #undef WITH_IRIX_PROJECT
 
+/* use libcrypto for cryptography */
+#undef WITH_OPENSSL
+
 /* Define if you want SELinux support. */
 #undef WITH_SELINUX
 
+/* include SSH protocol version 1 support */
+#undef WITH_SSH1
+
 /* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
    significant byte first (like Motorola and SPARC, unlike Intel). */
 #if defined AC_APPLE_UNIVERSAL_BUILD
diff --git a/configure b/configure
index d690393a3..6815388cc 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.571 .
+# From configure.ac Revision: 1.583 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.68 for OpenSSH Portable.
 #
@@ -725,7 +725,6 @@ with_osfsia
 with_zlib
 with_zlib_version_check
 with_skey
-with_tcp_wrappers
 with_ldns
 with_libedit
 with_audit
@@ -1417,7 +1416,6 @@ Optional Packages:
   --with-zlib=PATH        Use zlib in PATH
   --without-zlib-version-check Disable zlib version check
   --with-skey[=PATH]      Enable S/Key support (optionally in PATH)
-  --with-tcp-wrappers[=PATH] Enable tcpwrappers support (optionally in PATH)
   --with-ldns[=PATH]      Use ldns for DNSSEC support (optionally in PATH)
   --with-libedit[=PATH]   Enable libedit support for sftp
   --with-audit=module     Enable audit support (modules=debug,bsm,linux)
@@ -9706,84 +9704,6 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
 
-# Check whether user wants TCP wrappers support
-TCPW_MSG="no"
-
-# Check whether --with-tcp-wrappers was given.
-if test "${with_tcp_wrappers+set}" = set; then :
-  withval=$with_tcp_wrappers;
-                if test "x$withval" != "xno" ; then
-                        saved_LIBS="$LIBS"
-                        saved_LDFLAGS="$LDFLAGS"
-                        saved_CPPFLAGS="$CPPFLAGS"
-                        if test -n "${withval}" && \
-                            test "x${withval}" != "xyes"; then
-                                if test -d "${withval}/lib"; then
-                                        if test -n "${need_dash_r}"; then
-                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-                                        else
-                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-                                        fi
-                                else
-                                        if test -n "${need_dash_r}"; then
-                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-                                        else
-                                                LDFLAGS="-L${withval} ${LDFLAGS}"
-                                        fi
-                                fi
-                                if test -d "${withval}/include"; then
-                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-                                else
-                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
-                                fi
-                        fi
-                        LIBS="-lwrap $LIBS"
-                        { $as_echo "$as_me:${as_lineno-$LINENO}: checking for libwrap" >&5
-$as_echo_n "checking for libwrap... " >&6; }
-                        cat confdefs.h - <<_ACEOF >conftest.$ac_ext
-/* end confdefs.h.  */
-
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <tcpd.h>
-int deny_severity = 0, allow_severity = 0;
-
-int
-main ()
-{
-
-        hosts_access(0);
-
-  ;
-  return 0;
-}
-_ACEOF
-if ac_fn_c_try_link "$LINENO"; then :
-
-                                        { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5
-$as_echo "yes" >&6; }
-
-$as_echo "#define LIBWRAP 1" >>confdefs.h
-
-                                        SSHDLIBS="$SSHDLIBS -lwrap"
-                                        TCPW_MSG="yes"
-
-else
-
-                                        as_fn_error $? "*** libwrap missing" "$LINENO" 5
-
-
-fi
-rm -f core conftest.err conftest.$ac_objext \
-    conftest$ac_exeext conftest.$ac_ext
-                        LIBS="$saved_LIBS"
-                fi
-
-
-fi
-
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 
@@ -10348,10 +10268,6 @@ for ac_func in  \
         Blowfish_expandstate \
         Blowfish_expand0state \
         Blowfish_stream2word \
-        arc4random \
-        arc4random_buf \
-        arc4random_stir \
-        arc4random_uniform \
         asprintf \
         b64_ntop \
         __b64_ntop \
@@ -10395,6 +10311,7 @@ for ac_func in  \
         mblen \
         md5_crypt \
         memmove \
+        memset_s \
         mkdtemp \
         mmap \
         ngetaddrinfo \
@@ -10453,7 +10370,6 @@ for ac_func in  \
         user_from_uid \
         usleep \
         vasprintf \
-        vhangup \
         vsnprintf \
         waitpid \
 
@@ -11269,11 +11185,9 @@ fi
 
 fi
 
-# If we don't have a working asprintf, then we strongly depend on vsnprintf
-# returning the right thing on overflow: the number of characters it tried to
-# create (as per SUSv3)
-if test "x$ac_cv_func_asprintf" != "xyes" && \
-   test "x$ac_cv_func_vsnprintf" = "xyes" ; then
+# We depend on vsnprintf returning the right thing on overflow: the
+# number of characters it tried to create (as per SUSv3)
+if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
         { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether vsnprintf returns correct values on overflow" >&5
 $as_echo_n "checking whether vsnprintf returns correct values on overflow... " >&6; }
         if test "$cross_compiling" = yes; then :
@@ -11288,10 +11202,14 @@ else
 #include <stdio.h>
 #include <stdarg.h>
 
-int x_snprintf(char *str,size_t count,const char *fmt,...)
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
 {
-        size_t ret; va_list ap;
-        va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
+        size_t ret;
+        va_list ap;
+
+        va_start(ap, fmt);
+        ret = vsnprintf(str, count, fmt, ap);
+        va_end(ap);
         return ret;
 }
 
@@ -11299,8 +11217,12 @@ int
 main ()
 {
 
-        char x[1];
-        exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+char x[1];
+if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
+        return 1;
+if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
+        return 1;
+return 0;
 
   ;
   return 0;
@@ -11897,7 +11819,7 @@ main ()
         if(fd == NULL)
                 exit(1);
 
-        if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+        if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
                 exit(1);
 
         exit(0);
@@ -11954,7 +11876,8 @@ main ()
         if(fd == NULL)
                 exit(1);
 
-        if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+        if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
+            SSLeay_version(SSLEAY_VERSION))) <0)
                 exit(1);
 
         exit(0);
@@ -11966,6 +11889,13 @@ _ACEOF
 if ac_fn_c_try_run "$LINENO"; then :
 
                 ssl_library_ver=`cat conftest.ssllibver`
+                # Check version is supported.
+                case "$ssl_library_ver" in
+                        0090[0-7]*|009080[0-5]*)
+                                as_fn_error $? "OpenSSL >= 0.9.8f required" "$LINENO" 5
+                                ;;
+                        *) ;;
+                esac
                 { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ssl_library_ver" >&5
 $as_echo "$ssl_library_ver" >&6; }
 
@@ -11981,6 +11911,18 @@ rm -f core *.core core.conftest.* gmon.out bb.out conftest$ac_exeext \
 fi
 
 
+# XXX make --without-openssl work
+
+cat >>confdefs.h <<_ACEOF
+#define WITH_OPENSSL 1
+_ACEOF
+
+
+cat >>confdefs.h <<_ACEOF
+#define WITH_SSH1 1
+_ACEOF
+
+
 
 # Check whether --with-openssl-header-check was given.
 if test "${with_openssl_header_check+set}" = set; then :
@@ -12514,6 +12456,25 @@ else
 fi
 done
 
+# Search for RIPE-MD support in OpenSSL
+for ac_func in EVP_ripemd160
+do :
+  ac_fn_c_check_func "$LINENO" "EVP_ripemd160" "ac_cv_func_EVP_ripemd160"
+if test "x$ac_cv_func_EVP_ripemd160" = xyes; then :
+  cat >>confdefs.h <<_ACEOF
+#define HAVE_EVP_RIPEMD160 1
+_ACEOF
+
+else
+  unsupported_algorithms="$unsupported_algorithms \
+        hmac-ripemd160
+        hmac-ripemd160@openssh.com
+        hmac-ripemd160-etm@openssh.com"
+
+
+fi
+done
+
 
 # Check complete ECC support in OpenSSL
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether OpenSSL has NID_X9_62_prime256v1" >&5
@@ -12714,6 +12675,24 @@ fi
 
 
 
+for ac_func in  \
+        arc4random \
+        arc4random_buf \
+        arc4random_stir \
+        arc4random_uniform \
+
+do :
+  as_ac_var=`$as_echo "ac_cv_func_$ac_func" | $as_tr_sh`
+ac_fn_c_check_func "$LINENO" "$ac_func" "$as_ac_var"
+if eval test \"x\$"$as_ac_var"\" = x"yes"; then :
+  cat >>confdefs.h <<_ACEOF
+#define `$as_echo "HAVE_$ac_func" | $as_tr_cpp` 1
+_ACEOF
+
+fi
+done
+
+
 saved_LIBS="$LIBS"
 { $as_echo "$as_me:${as_lineno-$LINENO}: checking for ia_openinfo in -liaf" >&5
 $as_echo_n "checking for ia_openinfo in -liaf... " >&6; }
@@ -13123,7 +13102,14 @@ fi
 rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext
 fi
 
-SSH_PRIVSEP_USER=sshd
+case "$host" in
+*-*-cygwin*)
+        SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
+        ;;
+*)
+        SSH_PRIVSEP_USER=sshd
+        ;;
+esac
 
 # Check whether --with-privsep-user was given.
 if test "${with_privsep_user+set}" = set; then :
@@ -13136,11 +13122,19 @@ if test "${with_privsep_user+set}" = set; then :
 
 fi
 
+if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
+
+cat >>confdefs.h <<_ACEOF
+#define SSH_PRIVSEP_USER CYGWIN_SSH_PRIVSEP_USER
+_ACEOF
+
+else
 
 cat >>confdefs.h <<_ACEOF
 #define SSH_PRIVSEP_USER "$SSH_PRIVSEP_USER"
 _ACEOF
 
+fi
 
 
 if test "x$have_linux_no_new_privs" = "x1" ; then
@@ -19684,7 +19678,6 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
-echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/configure.ac b/configure.ac
index 7c6ce08d8..67c4486e7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.571 2014/02/21 17:09:34 tim Exp $
+# $Id: configure.ac,v 1.583 2014/08/26 20:32:01 djm Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.571 $)
+AC_REVISION($Revision: 1.583 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -1380,62 +1380,6 @@ AC_ARG_WITH([skey],
         ]
 )
 
-# Check whether user wants TCP wrappers support
-TCPW_MSG="no"
-AC_ARG_WITH([tcp-wrappers],
-        [  --with-tcp-wrappers[[=PATH]] Enable tcpwrappers support (optionally in PATH)],
-        [
-                if test "x$withval" != "xno" ; then
-                        saved_LIBS="$LIBS"
-                        saved_LDFLAGS="$LDFLAGS"
-                        saved_CPPFLAGS="$CPPFLAGS"
-                        if test -n "${withval}" && \
-                            test "x${withval}" != "xyes"; then
-                                if test -d "${withval}/lib"; then
-                                        if test -n "${need_dash_r}"; then
-                                                LDFLAGS="-L${withval}/lib -R${withval}/lib ${LDFLAGS}"
-                                        else
-                                                LDFLAGS="-L${withval}/lib ${LDFLAGS}"
-                                        fi
-                                else
-                                        if test -n "${need_dash_r}"; then
-                                                LDFLAGS="-L${withval} -R${withval} ${LDFLAGS}"
-                                        else
-                                                LDFLAGS="-L${withval} ${LDFLAGS}"
-                                        fi
-                                fi
-                                if test -d "${withval}/include"; then
-                                        CPPFLAGS="-I${withval}/include ${CPPFLAGS}"
-                                else
-                                        CPPFLAGS="-I${withval} ${CPPFLAGS}"
-                                fi
-                        fi
-                        LIBS="-lwrap $LIBS"
-                        AC_MSG_CHECKING([for libwrap])
-                        AC_LINK_IFELSE([AC_LANG_PROGRAM([[
-#include <sys/types.h>
-#include <sys/socket.h>
-#include <netinet/in.h>
-#include <tcpd.h>
-int deny_severity = 0, allow_severity = 0;
-                                ]], [[
-        hosts_access(0);
-                                ]])], [
-                                        AC_MSG_RESULT([yes])
-                                        AC_DEFINE([LIBWRAP], [1],
-                                                [Define if you want
-                                                TCP Wrappers support])
-                                        SSHDLIBS="$SSHDLIBS -lwrap"
-                                        TCPW_MSG="yes"
-                                ], [
-                                        AC_MSG_ERROR([*** libwrap missing])
-                                
-                        ])
-                        LIBS="$saved_LIBS"
-                fi
-        ]
-)
-
 # Check whether user wants to use ldns
 LDNS_MSG="no"
 AC_ARG_WITH(ldns,
@@ -1631,10 +1575,6 @@ AC_CHECK_FUNCS([ \
         Blowfish_expandstate \
         Blowfish_expand0state \
         Blowfish_stream2word \
-        arc4random \
-        arc4random_buf \
-        arc4random_stir \
-        arc4random_uniform \
         asprintf \
         b64_ntop \
         __b64_ntop \
@@ -1678,6 +1618,7 @@ AC_CHECK_FUNCS([ \
         mblen \
         md5_crypt \
         memmove \
+        memset_s \
         mkdtemp \
         mmap \
         ngetaddrinfo \
@@ -1736,7 +1677,6 @@ AC_CHECK_FUNCS([ \
         user_from_uid \
         usleep \
         vasprintf \
-        vhangup \
         vsnprintf \
         waitpid \
 ])
@@ -1948,11 +1888,9 @@ if test "x$ac_cv_func_snprintf" = "xyes" ; then
         )
 fi
 
-# If we don't have a working asprintf, then we strongly depend on vsnprintf
-# returning the right thing on overflow: the number of characters it tried to
-# create (as per SUSv3)
-if test "x$ac_cv_func_asprintf" != "xyes" && \
-   test "x$ac_cv_func_vsnprintf" = "xyes" ; then
+# We depend on vsnprintf returning the right thing on overflow: the
+# number of characters it tried to create (as per SUSv3)
+if test "x$ac_cv_func_vsnprintf" = "xyes" ; then
         AC_MSG_CHECKING([whether vsnprintf returns correct values on overflow])
         AC_RUN_IFELSE(
                 [AC_LANG_PROGRAM([[
@@ -1960,15 +1898,23 @@ if test "x$ac_cv_func_asprintf" != "xyes" && \
 #include <stdio.h>
 #include <stdarg.h>
 
-int x_snprintf(char *str,size_t count,const char *fmt,...)
+int x_snprintf(char *str, size_t count, const char *fmt, ...)
 {
-        size_t ret; va_list ap;
-        va_start(ap, fmt); ret = vsnprintf(str, count, fmt, ap); va_end(ap);
+        size_t ret;
+        va_list ap;
+
+        va_start(ap, fmt);
+        ret = vsnprintf(str, count, fmt, ap);
+        va_end(ap);
         return ret;
 }
                 ]], [[
-        char x[1];
-        exit(x_snprintf(x, 1, "%s %d", "hello", 12345) == 11 ? 0 : 1);
+char x[1];
+if (x_snprintf(x, 1, "%s %d", "hello", 12345) != 11)
+        return 1;
+if (x_snprintf(NULL, 0, "%s %d", "hello", 12345) != 11)
+        return 1;
+return 0;
                 ]])],
                 [AC_MSG_RESULT([yes])],
                 [
@@ -2304,7 +2250,7 @@ AC_RUN_IFELSE(
         if(fd == NULL)
                 exit(1);
 
-        if ((rc = fprintf(fd ,"%x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
+        if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
                 exit(1);
 
         exit(0);
@@ -2339,13 +2285,21 @@ AC_RUN_IFELSE(
         if(fd == NULL)
                 exit(1);
 
-        if ((rc = fprintf(fd ,"%x (%s)\n", SSLeay(), SSLeay_version(SSLEAY_VERSION))) <0)
+        if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
+            SSLeay_version(SSLEAY_VERSION))) <0)
                 exit(1);
 
         exit(0);
         ]])],
         [
                 ssl_library_ver=`cat conftest.ssllibver`
+                # Check version is supported.
+                case "$ssl_library_ver" in
+                        0090[[0-7]]*|009080[[0-5]]*)
+                                AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
+                                ;;
+                        *) ;;
+                esac
                 AC_MSG_RESULT([$ssl_library_ver])
         ],
         [
@@ -2357,6 +2311,10 @@ AC_RUN_IFELSE(
         ]
 )
 
+# XXX make --without-openssl work
+AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
+AC_DEFINE_UNQUOTED([WITH_SSH1], [1], [include SSH protocol version 1 support])
+
 AC_ARG_WITH([openssl-header-check],
         [  --without-openssl-header-check Disable OpenSSL version consistency check],
         [  if test "x$withval" = "xno" ; then
@@ -2565,6 +2523,14 @@ AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
         hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
      ]
 )
+# Search for RIPE-MD support in OpenSSL
+AC_CHECK_FUNCS([EVP_ripemd160], ,
+    [unsupported_algorithms="$unsupported_algorithms \
+        hmac-ripemd160
+        hmac-ripemd160@openssh.com
+        hmac-ripemd160-etm@openssh.com"
+     ]
+)
 
 # Check complete ECC support in OpenSSL
 AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
@@ -2685,6 +2651,13 @@ fi
 AC_SUBST([TEST_SSH_ECC])
 AC_SUBST([COMMENT_OUT_ECC])
 
+AC_CHECK_FUNCS([ \
+        arc4random \
+        arc4random_buf \
+        arc4random_stir \
+        arc4random_uniform \
+])
+
 saved_LIBS="$LIBS"
 AC_CHECK_LIB([iaf], [ia_openinfo], [
         LIBS="$LIBS -liaf"
@@ -2868,7 +2841,14 @@ if test "x$PAM_MSG" = "xyes" ; then
         ])
 fi
 
-SSH_PRIVSEP_USER=sshd
+case "$host" in
+*-*-cygwin*)
+        SSH_PRIVSEP_USER=CYGWIN_SSH_PRIVSEP_USER
+        ;;
+*)
+        SSH_PRIVSEP_USER=sshd
+        ;;
+esac
 AC_ARG_WITH([privsep-user],
         [  --with-privsep-user=user Specify non-privileged user for privilege separation],
         [
@@ -2878,8 +2858,13 @@ AC_ARG_WITH([privsep-user],
                 fi
         ]
 )
-AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
-        [non-privileged user for privilege separation])
+if test "x$SSH_PRIVSEP_USER" = "xCYGWIN_SSH_PRIVSEP_USER" ; then
+        AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], [CYGWIN_SSH_PRIVSEP_USER],
+                [Cygwin function to fetch non-privileged user for privilege separation])
+else
+        AC_DEFINE_UNQUOTED([SSH_PRIVSEP_USER], ["$SSH_PRIVSEP_USER"],
+                [non-privileged user for privilege separation])
+fi
 AC_SUBST([SSH_PRIVSEP_USER])
 
 if test "x$have_linux_no_new_privs" = "x1" ; then
@@ -4844,7 +4829,6 @@ echo "                 KerberosV support: $KRB5_MSG"
 echo "                   SELinux support: $SELINUX_MSG"
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
-echo "              TCP Wrappers support: $TCPW_MSG"
 echo "              MD5 password support: $MD5_MSG"
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 0061fe933..0011b4dea 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
-%define version         6.6p1
+%define version         6.7p1
 %if %{use_stable}
   %define cvs           %{nil}
   %define release       1
@@ -178,7 +178,6 @@ by Jim Knoble <jmknoble@pobox.com>.
 CFLAGS="$RPM_OPT_FLAGS" \
 %configure \
             --with-pam \
-            --with-tcp-wrappers \
             --with-privsep-path=%{_var}/empty/sshd \
             #leave this line for easy edits.
 
@@ -363,4 +362,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.83 2014/02/27 23:03:55 djm Exp $
+$Id: openssh.spec,v 1.85 2014/08/19 01:36:08 djm Exp $
diff --git a/contrib/cygwin/README b/contrib/cygwin/README
index 2562b6186..1396d99cd 100644
--- a/contrib/cygwin/README
+++ b/contrib/cygwin/README
@@ -69,7 +69,7 @@ Building OpenSSH
 Building from source is easy.  Just unpack the source archive, cd to that
 directory, and call cygport:
 
-        cygport openssh.cygport almostall
+        cygport openssh.cygport all
 
 You must have installed the following packages to be able to build OpenSSH
 with the aforementioned cygport script:
@@ -77,7 +77,6 @@ with the aforementioned cygport script:
   zlib
   crypt
   openssl-devel
-  libwrap-devel
   libedit-devel
   libkrb5-devel
 
diff --git a/contrib/cygwin/ssh-host-config b/contrib/cygwin/ssh-host-config
index 05efd3b3b..a7ea3e0d2 100644
--- a/contrib/cygwin/ssh-host-config
+++ b/contrib/cygwin/ssh-host-config
@@ -34,9 +34,9 @@ declare -a csih_required_commands=(
   /usr/bin/mv coreutils
   /usr/bin/rm coreutils
   /usr/bin/cygpath cygwin
+  /usr/bin/mkpasswd cygwin
   /usr/bin/mount cygwin
   /usr/bin/ps cygwin
-  /usr/bin/setfacl cygwin
   /usr/bin/umount cygwin
   /usr/bin/cmp diffutils
   /usr/bin/grep grep
@@ -59,8 +59,9 @@ PREFIX=/usr
 SYSCONFDIR=/etc
 LOCALSTATEDIR=/var
 
+sshd_config_configured=no
 port_number=22
-privsep_configured=no
+strictmodes=yes
 privsep_used=yes
 cygwin_value=""
 user_account=
@@ -89,28 +90,8 @@ update_services_file() {
   # Depends on the above mount
   _wservices=`cygpath -w "${_services}"`
 
-  # Remove sshd 22/port from services
-  if [ `/usr/bin/grep -q 'sshd[ \t][ \t]*22' "${_services}"; echo $?` -eq 0 ]
-  then
-    /usr/bin/grep -v 'sshd[ \t][ \t]*22' "${_services}" > "${_serv_tmp}"
-    if [ -f "${_serv_tmp}" ]
-    then
-      if /usr/bin/mv "${_serv_tmp}" "${_services}"
-      then
-        csih_inform "Removing sshd from ${_wservices}"
-      else
-        csih_warning "Removing sshd from ${_wservices} failed!"
-        let ++ret
-      fi
-      /usr/bin/rm -f "${_serv_tmp}"
-    else
-      csih_warning "Removing sshd from ${_wservices} failed!"
-      let ++ret
-    fi
-  fi
-
   # Add ssh 22/tcp  and ssh 22/udp to services
-  if [ `/usr/bin/grep -q 'ssh[ \t][ \t]*22' "${_services}"; echo $?` -ne 0 ]
+  if [ `/usr/bin/grep -q 'ssh[[:space:]][[:space:]]*22' "${_services}"; echo $?` -ne 0 ]
   then
     if /usr/bin/awk '{ if ( $2 ~ /^23\/tcp/ ) print "ssh                22/tcp'"${_spaces}"'SSH Remote Login Protocol\nssh                22/udp'"${_spaces}"'SSH Remote Login Protocol"; print $0; }' < "${_services}" > "${_serv_tmp}"
     then
@@ -132,17 +113,45 @@ update_services_file() {
 } # --- End of update_services_file --- #
 
 # ======================================================================
+# Routine: sshd_strictmodes
+#  MODIFIES: strictmodes
+# ======================================================================
+sshd_strictmodes() {
+  if [ "${sshd_config_configured}" != "yes" ]
+  then
+    echo
+    csih_inform "StrictModes is set to 'yes' by default."
+    csih_inform "This is the recommended setting, but it requires that the POSIX"
+    csih_inform "permissions of the user's home directory, the user's .ssh"
+    csih_inform "directory, and the user's ssh key files are tight so that"
+    csih_inform "only the user has write permissions."
+    csih_inform "On the other hand, StrictModes don't work well with default"
+    csih_inform "Windows permissions of a home directory mounted with the"
+    csih_inform "'noacl' option, and they don't work at all if the home"
+    csih_inform "directory is on a FAT or FAT32 partition."
+    if ! csih_request "Should StrictModes be used?"
+    then
+      strictmodes=no
+    fi
+  fi
+  return 0
+}
+
+# ======================================================================
 # Routine: sshd_privsep
-#  MODIFIES: privsep_configured  privsep_used
+#  MODIFIES: privsep_used
 # ======================================================================
 sshd_privsep() {
-  local sshdconfig_tmp
   local ret=0
 
-  if [ "${privsep_configured}" != "yes" ]
+  if [ "${sshd_config_configured}" != "yes" ]
   then
-    csih_inform "Privilege separation is set to yes by default since OpenSSH 3.3."
-    csih_inform "However, this requires a non-privileged account called 'sshd'."
+    echo
+    csih_inform "Privilege separation is set to 'sandbox' by default since"
+    csih_inform "OpenSSH 6.1.  This is unsupported by Cygwin and has to be set"
+    csih_inform "to 'yes' or 'no'."
+    csih_inform "However, using privilege separation requires a non-privileged account"
+    csih_inform "called 'sshd'."
     csih_inform "For more info on privilege separation read /usr/share/doc/openssh/README.privsep."
     if csih_request "Should privilege separation be used?"
     then
@@ -159,36 +168,53 @@ sshd_privsep() {
       privsep_used=no
     fi
   fi
+  return $ret
+} # --- End of sshd_privsep --- #
 
-  # Create default sshd_config from skeleton files in /etc/defaults/etc or
-  # modify to add the missing privsep configuration option
-  if /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
+# ======================================================================
+# Routine: sshd_config_tweak
+# ======================================================================
+sshd_config_tweak() {
+  local ret=0
+
+  # Modify sshd_config
+  csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
+  if [ "${port_number}" -ne 22 ]
   then
-    csih_inform "Updating ${SYSCONFDIR}/sshd_config file"
-    sshdconfig_tmp=${SYSCONFDIR}/sshd_config.$$
-    /usr/bin/sed -e "s/^#UsePrivilegeSeparation yes/UsePrivilegeSeparation ${privsep_used}/
-          s/^#Port 22/Port ${port_number}/
-          s/^#StrictModes yes/StrictModes no/" \
-        < ${SYSCONFDIR}/sshd_config \
-        > "${sshdconfig_tmp}"
-    if ! /usr/bin/mv "${sshdconfig_tmp}" ${SYSCONFDIR}/sshd_config
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*Port[[:space:]].*/Port ${port_number}/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
     then
-        csih_warning "Setting privilege separation to 'yes' failed!"
-        csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-        let ++ret
+      csih_warning "Setting listening port to ${port_number} failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
+    fi
+  fi
+  if [ "${strictmodes}" = "no" ]
+  then
+    /usr/bin/sed -i -e "s/^#\?[[:space:]]*StrictModes[[:space:]].*/StrictModes no/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
+    then
+      csih_warning "Setting StrictModes to 'no' failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
     fi
-  elif [ "${privsep_configured}" != "yes" ]
+  fi
+  if [ "${sshd_config_configured}" != "yes" ]
   then
-    echo >> ${SYSCONFDIR}/sshd_config
-    if ! echo "UsePrivilegeSeparation ${privsep_used}" >> ${SYSCONFDIR}/sshd_config
+    /usr/bin/sed -i -e "
+      s/^#\?UsePrivilegeSeparation .*/UsePrivilegeSeparation ${privsep_used}/" \
+      ${SYSCONFDIR}/sshd_config
+    if [ $? -ne 0 ]
     then
-        csih_warning "Setting privilege separation to 'yes' failed!"
-        csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
-        let ++ret
+      csih_warning "Setting privilege separation failed!"
+      csih_warning "Check your ${SYSCONFDIR}/sshd_config file!"
+      let ++ret
     fi
   fi
   return $ret
-} # --- End of sshd_privsep --- #
+} # --- End of sshd_config_tweak --- #
 
 # ======================================================================
 # Routine: update_inetd_conf
@@ -207,11 +233,11 @@ update_inetd_conf() {
     # we have inetutils-1.5 inetd.d support
     if [ -f "${_inetcnf}" ]
     then
-      /usr/bin/grep -q '^[ \t]*ssh' "${_inetcnf}" && _with_comment=0
+      /usr/bin/grep -q '^[[:space:]]*ssh' "${_inetcnf}" && _with_comment=0
 
       # check for sshd OR ssh in top-level inetd.conf file, and remove
       # will be replaced by a file in inetd.d/
-      if [ `/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?` -eq 0 ]
+      if [ $(/usr/bin/grep -q '^[# \t]*ssh' "${_inetcnf}"; echo $?) -eq 0 ]
       then
         /usr/bin/grep -v '^[# \t]*ssh' "${_inetcnf}" >> "${_inetcnf_tmp}"
         if [ -f "${_inetcnf_tmp}" ]
@@ -236,9 +262,9 @@ update_inetd_conf() {
     then
       if [ "${_with_comment}" -eq 0 ]
       then
-        /usr/bin/sed -e 's/@COMMENT@[ \t]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*//' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
       else
-        /usr/bin/sed -e 's/@COMMENT@[ \t]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
+        /usr/bin/sed -e 's/@COMMENT@[[:space:]]*/# /' < "${_sshd_inetd_conf}" > "${_sshd_inetd_conf_tmp}"
       fi
       if /usr/bin/mv "${_sshd_inetd_conf_tmp}" "${_sshd_inetd_conf}"
       then
@@ -251,13 +277,13 @@ update_inetd_conf() {
 
   elif [ -f "${_inetcnf}" ]
   then
-    /usr/bin/grep -q '^[ \t]*sshd' "${_inetcnf}" && _with_comment=0
+    /usr/bin/grep -q '^[[:space:]]*sshd' "${_inetcnf}" && _with_comment=0
 
     # check for sshd in top-level inetd.conf file, and remove
     # will be replaced by a file in inetd.d/
-    if [ `/usr/bin/grep -q '^[# \t]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
+    if [ `/usr/bin/grep -q '^#\?[[:space:]]*sshd' "${_inetcnf}"; echo $?` -eq 0 ]
     then
-      /usr/bin/grep -v '^[# \t]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
+      /usr/bin/grep -v '^#\?[[:space:]]*sshd' "${_inetcnf}" >> "${_inetcnf_tmp}"
       if [ -f "${_inetcnf_tmp}" ]
       then
         if /usr/bin/mv "${_inetcnf_tmp}" "${_inetcnf}"
@@ -305,17 +331,26 @@ check_service_files_ownership() {
 
   if [ -z "${run_service_as}" ]
   then
-    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd | /usr/bin/sed -ne 's/^Account *: *//gp')
+    accnt_name=$(/usr/bin/cygrunsrv -VQ sshd |
+                 /usr/bin/sed -ne 's/^Account *: *//gp')
     if [ "${accnt_name}" = "LocalSystem" ]
     then
       # Convert "LocalSystem" to "SYSTEM" as is the correct account name
-      accnt_name="SYSTEM:"
-    elif [[ "${accnt_name}" =~ ^\.\\ ]]
-    then
-      # Convert "." domain to local machine name
-      accnt_name="U-${COMPUTERNAME}${accnt_name#.},"
+      run_service_as="SYSTEM"
+    else
+      dom="${accnt_name%%\\*}"
+      accnt_name="${accnt_name#*\\}"
+      if [ "${dom}" = '.' ]
+      then
+        # Check local account
+        run_service_as=$(/usr/bin/mkpasswd -l -u "${accnt_name}" |
+                         /usr/bin/awk -F: '{print $1;}')
+      else
+        # Check domain
+        run_service_as=$(/usr/bin/mkpasswd -d "${dom}" -u "${accnt_name}" |
+                         /usr/bin/awk -F: '{print $1;}')
+      fi
     fi
-    run_service_as=$(/usr/bin/grep -Fi "${accnt_name}" /etc/passwd | /usr/bin/awk -F: '{print $1;}')
     if [ -z "${run_service_as}" ]
     then
       csih_warning "Couldn't determine name of user running sshd service from /etc/passwd!"
@@ -615,32 +650,6 @@ echo
 
 warning_cnt=0
 
-# Check for ${SYSCONFDIR} directory
-csih_make_dir "${SYSCONFDIR}" "Cannot create global configuration files."
-if ! /usr/bin/chmod 775 "${SYSCONFDIR}" >/dev/null 2>&1
-then
-  csih_warning "Can't set permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${SYSCONFDIR}" >/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on ${SYSCONFDIR}!"
-  let ++warning_cnt
-fi
-
-# Check for /var/log directory
-csih_make_dir "${LOCALSTATEDIR}/log" "Cannot create log directory."
-if ! /usr/bin/chmod 775 "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
-  csih_warning "Can't set permissions on ${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/log" >/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/log!"
-  let ++warning_cnt
-fi
-
 # Create /var/log/lastlog if not already exists
 if [ -e ${LOCALSTATEDIR}/log/lastlog -a ! -f ${LOCALSTATEDIR}/log/lastlog ]
 then
@@ -665,13 +674,9 @@ then
   csih_warning "Can't set permissions on ${LOCALSTATEDIR}/empty!"
   let ++warning_cnt
 fi
-if ! /usr/bin/setfacl -m u:system:rwx "${LOCALSTATEDIR}/empty" >/dev/null 2>&1
-then
-  csih_warning "Can't set extended permissions on ${LOCALSTATEDIR}/empty!"
-  let ++warning_cnt
-fi
 
 # generate missing host keys
+csih_inform "Generating missing SSH host keys"
 /usr/bin/ssh-keygen -A || let warning_cnt+=$?
 
 # handle ssh_config
@@ -690,10 +695,11 @@ fi
 csih_install_config "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults" || let ++warning_cnt
 if ! /usr/bin/cmp "${SYSCONFDIR}/sshd_config" "${SYSCONFDIR}/defaults/${SYSCONFDIR}/sshd_config" >/dev/null 2>&1
 then
-  /usr/bin/grep -q UsePrivilegeSeparation ${SYSCONFDIR}/sshd_config && privsep_configured=yes
+  sshd_config_configured=yes
 fi
+sshd_strictmodes || let warning_cnt+=$?
 sshd_privsep || let warning_cnt+=$?
-
+sshd_config_tweak || let warning_cnt+=$?
 update_services_file || let warning_cnt+=$?
 update_inetd_conf || let warning_cnt+=$?
 install_service || let warning_cnt+=$?
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index 96401c6ee..9bdce1e3c 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 6.6p1
+%define ver 6.7p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
@@ -86,7 +86,7 @@ PreReq: initscripts >= 5.00
 %else
 Requires: initscripts >= 5.20
 %endif
-BuildRequires: perl, openssl-devel, tcp_wrappers
+BuildRequires: perl, openssl-devel
 BuildRequires: /bin/login
 %if ! %{build6x}
 BuildPreReq: glibc-devel, pam
@@ -192,7 +192,6 @@ echo K5DIR=$K5DIR
         --sysconfdir=%{_sysconfdir}/ssh \
         --libexecdir=%{_libexecdir}/openssh \
         --datadir=%{_datadir}/openssh \
-        --with-tcp-wrappers \
         --with-rsh=%{_bindir}/rsh \
         --with-default-path=/usr/local/bin:/bin:/usr/bin \
         --with-superuser-path=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin \
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 0515d6d7c..f87674317 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        6.6p1
+Version:        6.7p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
@@ -28,11 +28,9 @@ Provides:	ssh
 # (Build[ing] Prereq[uisites] only work for RPM 2.95 and newer.)
 # building prerequisites -- stuff for
 #   OpenSSL (openssl-devel),
-#   TCP Wrappers (tcpd-devel),
 #   and Gnome (glibdev, gtkdev, and gnlibsd)
 #
 BuildPrereq:    openssl
-BuildPrereq:    tcpd-devel
 BuildPrereq:    zlib-devel
 #BuildPrereq:   glibdev
 #BuildPrereq:   gtkdev
@@ -140,7 +138,6 @@ CFLAGS="$RPM_OPT_FLAGS" \
                 --mandir=%{_mandir} \
                 --with-privsep-path=/var/lib/empty \
                 --with-pam \
-                --with-tcp-wrappers \
                 --libexecdir=%{_libdir}/ssh
 make
 
diff --git a/defines.h b/defines.h
index 354d5b614..3ac8be987 100644
--- a/defines.h
+++ b/defines.h
@@ -25,7 +25,7 @@
 #ifndef _DEFINES_H
 #define _DEFINES_H
 
-/* $Id: defines.h,v 1.176 2014/01/17 13:12:38 dtucker Exp $ */
+/* $Id: defines.h,v 1.183 2014/09/02 19:33:26 djm Exp $ */
 
 
 /* Constants */
@@ -405,7 +405,7 @@ struct winsize {
 
 /* user may have set a different path */
 #if defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY)
-# undef _PATH_MAILDIR MAILDIR
+# undef _PATH_MAILDIR
 #endif /* defined(_PATH_MAILDIR) && defined(MAIL_DIRECTORY) */
 
 #ifdef MAIL_DIRECTORY
@@ -603,10 +603,6 @@ struct winsize {
 # define memmove(s1, s2, n) bcopy((s2), (s1), (n))
 #endif /* !defined(HAVE_MEMMOVE) && defined(HAVE_BCOPY) */
 
-#if defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX)
-#  define USE_VHANGUP
-#endif /* defined(HAVE_VHANGUP) && !defined(HAVE_DEV_PTMX) */
-
 #ifndef GETPGRP_VOID
 # include <unistd.h>
 # define getpgrp() getpgrp(0)
@@ -826,4 +822,23 @@ struct winsize {
 # define arc4random_stir()
 #endif
 
+#ifndef HAVE_VA_COPY
+# ifdef HAVE___VA_COPY
+#  define va_copy(dest, src) __va_copy(dest, src)
+# else
+#  define va_copy(dest, src) (dest) = (src)
+# endif
+#endif
+
+#ifndef __predict_true
+# if defined(__GNUC__) && \
+     ((__GNUC__ > (2)) || (__GNUC__ == (2) && __GNUC_MINOR__ >= (96)))
+#  define __predict_true(exp)     __builtin_expect(((exp) != 0), 1)
+#  define __predict_false(exp)    __builtin_expect(((exp) != 0), 0)
+# else
+#  define __predict_true(exp)     ((exp) != 0)
+#  define __predict_false(exp)    ((exp) != 0)
+# endif /* gcc version */
+#endif /* __predict_true */
+
 #endif /* _DEFINES_H */
diff --git a/digest-libc.c b/digest-libc.c
index 1804b0698..1b4423a05 100644
--- a/digest-libc.c
+++ b/digest-libc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest-libc.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: digest-libc.c,v 1.3 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
  * Copyright (c) 2014 Markus Friedl.  All rights reserved.
@@ -28,7 +28,8 @@
 #include <sha1.h>
 #include <sha2.h>
 
-#include "buffer.h"
+#include "ssherr.h"
+#include "sshbuf.h"
 #include "digest.h"
 
 typedef void md_init_fn(void *mdctx);
@@ -164,7 +165,7 @@ ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
         const struct ssh_digest *digest = ssh_digest_by_alg(from->alg);
 
         if (digest == NULL || from->alg != to->alg)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         memcpy(to->mdctx, from->mdctx, digest->ctx_len);
         return 0;
 }
@@ -175,15 +176,15 @@ ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
         const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
 
         if (digest == NULL)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         digest->md_update(ctx->mdctx, m, mlen);
         return 0;
 }
 
 int
-ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
+ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const struct sshbuf *b)
 {
-        return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
+        return ssh_digest_update(ctx, sshbuf_ptr(b), sshbuf_len(b));
 }
 
 int
@@ -192,11 +193,11 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
         const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
 
         if (digest == NULL)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         if (dlen > UINT_MAX)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         if (dlen < digest->digest_len) /* No truncation allowed */
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         digest->md_final(d, ctx->mdctx);
         return 0;
 }
@@ -223,16 +224,16 @@ ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
         struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
 
         if (ctx == NULL)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         if (ssh_digest_update(ctx, m, mlen) != 0 ||
             ssh_digest_final(ctx, d, dlen) != 0)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         ssh_digest_free(ctx);
         return 0;
 }
 
 int
-ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
+ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
 {
-        return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
+        return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
 }
diff --git a/digest-openssl.c b/digest-openssl.c
index 863d37d03..02b170341 100644
--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest-openssl.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: digest-openssl.c,v 1.4 2014/07/03 03:26:43 djm Exp $ */
 /*
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
  *
@@ -26,8 +26,18 @@
 
 #include "openbsd-compat/openssl-compat.h"
 
-#include "buffer.h"
+#include "sshbuf.h"
 #include "digest.h"
+#include "ssherr.h"
+
+#ifndef HAVE_EVP_RIPEMD160
+# define EVP_ripemd160 NULL
+#endif /* HAVE_EVP_RIPEMD160 */
+#ifndef HAVE_EVP_SHA256
+# define EVP_sha256 NULL
+# define EVP_sha384 NULL
+# define EVP_sha512 NULL
+#endif /* HAVE_EVP_SHA256 */
 
 struct ssh_digest_ctx {
         int alg;
@@ -46,11 +56,9 @@ const struct ssh_digest digests[] = {
         { SSH_DIGEST_MD5,       "MD5",          16,     EVP_md5 },
         { SSH_DIGEST_RIPEMD160, "RIPEMD160",    20,     EVP_ripemd160 },
         { SSH_DIGEST_SHA1,      "SHA1",         20,     EVP_sha1 },
-#ifdef HAVE_EVP_SHA256 /* XXX replace with local if missing */
         { SSH_DIGEST_SHA256,    "SHA256",       32,     EVP_sha256 },
         { SSH_DIGEST_SHA384,    "SHA384",       48,     EVP_sha384 },
         { SSH_DIGEST_SHA512,    "SHA512",       64,     EVP_sha512 },
-#endif
         { -1,                   NULL,           0,      NULL },
 };
 
@@ -61,6 +69,8 @@ ssh_digest_by_alg(int alg)
                 return NULL;
         if (digests[alg].id != alg) /* sanity */
                 return NULL;
+        if (digests[alg].mdfunc == NULL)
+                return NULL;
         return &(digests[alg]);
 }
 
@@ -98,9 +108,11 @@ ssh_digest_start(int alg)
 int
 ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
 {
+        if (from->alg != to->alg)
+                return SSH_ERR_INVALID_ARGUMENT;
         /* we have bcopy-style order while openssl has memcpy-style */
         if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx))
-                return -1;
+                return SSH_ERR_LIBCRYPTO_ERROR;
         return 0;
 }
 
@@ -108,14 +120,14 @@ int
 ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
 {
         if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1)
-                return -1;
+                return SSH_ERR_LIBCRYPTO_ERROR;
         return 0;
 }
 
 int
-ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
+ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const struct sshbuf *b)
 {
-        return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
+        return ssh_digest_update(ctx, sshbuf_ptr(b), sshbuf_len(b));
 }
 
 int
@@ -125,13 +137,13 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
         u_int l = dlen;
 
         if (dlen > UINT_MAX)
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         if (dlen < digest->digest_len) /* No truncation allowed */
-                return -1;
+                return SSH_ERR_INVALID_ARGUMENT;
         if (EVP_DigestFinal_ex(&ctx->mdctx, d, &l) != 1)
-                return -1;
+                return SSH_ERR_LIBCRYPTO_ERROR;
         if (l != digest->digest_len) /* sanity */
-                return -1;
+                return SSH_ERR_INTERNAL_ERROR;
         return 0;
 }
 
@@ -148,19 +160,23 @@ ssh_digest_free(struct ssh_digest_ctx *ctx)
 int
 ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
 {
-        struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
-
-        if (ctx == NULL)
-                return -1;
-        if (ssh_digest_update(ctx, m, mlen) != 0 ||
-            ssh_digest_final(ctx, d, dlen) != 0)
-                return -1;
-        ssh_digest_free(ctx);
+        const struct ssh_digest *digest = ssh_digest_by_alg(alg);
+        u_int mdlen;
+
+        if (digest == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (dlen > UINT_MAX)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (dlen < digest->digest_len)
+                return SSH_ERR_INVALID_ARGUMENT;
+        mdlen = dlen;
+        if (!EVP_Digest(m, mlen, d, &mdlen, digest->mdfunc(), NULL))
+                return SSH_ERR_LIBCRYPTO_ERROR;
         return 0;
 }
 
 int
-ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
+ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
 {
-        return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
+        return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
 }
diff --git a/digest.h b/digest.h
index 0fb207fca..6afb197f0 100644
--- a/digest.h
+++ b/digest.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest.h,v 1.2 2014/01/27 18:58:14 markus Exp $ */
+/* $OpenBSD: digest.h,v 1.6 2014/07/03 04:36:45 djm Exp $ */
 /*
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
  *
@@ -30,6 +30,7 @@
 #define SSH_DIGEST_SHA512       5
 #define SSH_DIGEST_MAX          6
 
+struct sshbuf;
 struct ssh_digest_ctx;
 
 /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
@@ -47,14 +48,15 @@ int ssh_digest_memory(int alg, const void *m, size_t mlen,
     u_char *d, size_t dlen)
         __attribute__((__bounded__(__buffer__, 2, 3)))
         __attribute__((__bounded__(__buffer__, 4, 5)));
-int ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
+int ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
         __attribute__((__bounded__(__buffer__, 3, 4)));
 
 /* Update API */
 struct ssh_digest_ctx *ssh_digest_start(int alg);
 int ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
         __attribute__((__bounded__(__buffer__, 2, 3)));
-int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b);
+int ssh_digest_update_buffer(struct ssh_digest_ctx *ctx,
+    const struct sshbuf *b);
 int ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
         __attribute__((__bounded__(__buffer__, 2, 3)));
 void ssh_digest_free(struct ssh_digest_ctx *ctx);
diff --git a/dns.c b/dns.c
index 630b97ae8..c4d073cf5 100644
--- a/dns.c
+++ b/dns.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.c,v 1.29 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: dns.c,v 1.31 2014/06/24 01:13:21 djm Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -34,6 +34,8 @@
 #include <stdarg.h>
 #include <stdio.h>
 #include <string.h>
+#include <stdarg.h>
+#include <stdlib.h>
 
 #include "xmalloc.h"
 #include "key.h"
@@ -96,6 +98,11 @@ dns_read_key(u_int8_t *algorithm, u_int8_t *digest_type,
                 if (!*digest_type)
                         *digest_type = SSHFP_HASH_SHA256;
                 break;
+        case KEY_ED25519:
+                *algorithm = SSHFP_KEY_ED25519;
+                if (!*digest_type)
+                        *digest_type = SSHFP_HASH_SHA256;
+                break;
         default:
                 *algorithm = SSHFP_KEY_RESERVED; /* 0 */
                 *digest_type = SSHFP_HASH_RESERVED; /* 0 */
diff --git a/dns.h b/dns.h
index d5f428177..b9feae6be 100644
--- a/dns.h
+++ b/dns.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: dns.h,v 1.12 2012/05/23 03:28:28 djm Exp $ */
+/* $OpenBSD: dns.h,v 1.13 2014/04/20 09:24:26 logan Exp $ */
 
 /*
  * Copyright (c) 2003 Wesley Griffin. All rights reserved.
@@ -32,7 +32,8 @@ enum sshfp_types {
         SSHFP_KEY_RESERVED = 0,
         SSHFP_KEY_RSA = 1,
         SSHFP_KEY_DSA = 2,
-        SSHFP_KEY_ECDSA = 3
+        SSHFP_KEY_ECDSA = 3,
+        SSHFP_KEY_ED25519 = 4 
 };
 
 enum sshfp_hashes {
diff --git a/entropy.c b/entropy.c
index 2d483b391..1e9d52ac4 100644
--- a/entropy.c
+++ b/entropy.c
@@ -43,6 +43,8 @@
 #include <openssl/crypto.h>
 #include <openssl/err.h>
 
+#include "openbsd-compat/openssl-compat.h"
+
 #include "ssh.h"
 #include "misc.h"
 #include "xmalloc.h"
@@ -209,16 +211,7 @@ seed_rng(void)
 #ifndef OPENSSL_PRNG_ONLY
         unsigned char buf[RANDOM_SEED_SIZE];
 #endif
-        /*
-         * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
-         * We match major, minor, fix and status (not patch) for <1.0.0.
-         * After that, we acceptable compatible fix versions (so we
-         * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
-         * within a patch series.
-         */
-        u_long version_mask = SSLeay() >= 0x1000000f ?  ~0xffff0L : ~0xff0L;
-        if (((SSLeay() ^ OPENSSL_VERSION_NUMBER) & version_mask) ||
-            (SSLeay() >> 12) < (OPENSSL_VERSION_NUMBER >> 12))
+        if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER, SSLeay()))
                 fatal("OpenSSL version mismatch. Built against %lx, you "
                     "have %lx", (u_long)OPENSSL_VERSION_NUMBER, SSLeay());
 
diff --git a/gss-serv-krb5.c b/gss-serv-krb5.c
index 759fa104f..795992d9f 100644
--- a/gss-serv-krb5.c
+++ b/gss-serv-krb5.c
@@ -39,6 +39,7 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 
 #include "buffer.h"
diff --git a/gss-serv.c b/gss-serv.c
index e61b37bec..5c599247b 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.27 2014/07/03 03:34:09 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -97,13 +97,13 @@ static OM_uint32
 ssh_gssapi_acquire_cred(Gssctxt *ctx)
 {
         OM_uint32 status;
-        char lname[MAXHOSTNAMELEN];
+        char lname[NI_MAXHOST];
         gss_OID_set oidset;
 
         gss_create_empty_oid_set(&status, &oidset);
         gss_add_oid_set_member(&status, ctx->oid, &oidset);
 
-        if (gethostname(lname, MAXHOSTNAMELEN)) {
+        if (gethostname(lname, sizeof(lname))) {
                 gss_release_oid_set(&status, &oidset);
                 return (-1);
         }
diff --git a/hmac.h b/hmac.h
index 2374a6955..42b33d002 100644
--- a/hmac.h
+++ b/hmac.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.h,v 1.6 2014/01/27 18:58:14 markus Exp $ */
+/* $OpenBSD: hmac.h,v 1.9 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2014 Markus Friedl.  All rights reserved.
  *
@@ -21,6 +21,7 @@
 /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
 size_t ssh_hmac_bytes(int alg);
 
+struct sshbuf;
 struct ssh_hmac_ctx;
 struct ssh_hmac_ctx *ssh_hmac_start(int alg);
 
@@ -29,7 +30,7 @@ int ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen)
         __attribute__((__bounded__(__buffer__, 2, 3)));
 int ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen)
         __attribute__((__bounded__(__buffer__, 2, 3)));
-int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b);
+int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const struct sshbuf *b);
 int ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen)
         __attribute__((__bounded__(__buffer__, 2, 3)));
 void ssh_hmac_free(struct ssh_hmac_ctx *ctx);
diff --git a/hostfile.c b/hostfile.c
index 8bc9540b7..ee2daf45f 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.55 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: hostfile.c,v 1.57 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -47,6 +47,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdarg.h>
 
 #include "xmalloc.h"
 #include "match.h"
@@ -182,6 +183,7 @@ static int
 hostfile_check_key(int bits, const Key *key, const char *host,
     const char *filename, u_long linenum)
 {
+#ifdef WITH_SSH1
         if (key == NULL || key->type != KEY_RSA1 || key->rsa == NULL)
                 return 1;
         if (bits != BN_num_bits(key->rsa->n)) {
@@ -191,6 +193,7 @@ hostfile_check_key(int bits, const Key *key, const char *host,
                 logit("Warning: replace %d with %d in %s, line %lu.",
                     bits, BN_num_bits(key->rsa->n), filename, linenum);
         }
+#endif
         return 1;
 }
 
@@ -296,11 +299,15 @@ load_hostkeys(struct hostkeys *hostkeys, const char *host, const char *path)
                 key = key_new(KEY_UNSPEC);
                 if (!hostfile_read_key(&cp, &kbits, key)) {
                         key_free(key);
+#ifdef WITH_SSH1
                         key = key_new(KEY_RSA1);
                         if (!hostfile_read_key(&cp, &kbits, key)) {
                                 key_free(key);
                                 continue;
                         }
+#else
+                        continue;
+#endif
                 }
                 if (!hostfile_check_key(kbits, key, host, path, linenum))
                         continue;
diff --git a/kex.c b/kex.c
index 74e2b8682..a173e70e3 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.98 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: kex.c,v 1.99 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -33,7 +33,9 @@
 #include <stdlib.h>
 #include <string.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/crypto.h>
+#endif
 
 #include "xmalloc.h"
 #include "ssh2.h"
@@ -70,12 +72,13 @@ struct kexalg {
         int hash_alg;
 };
 static const struct kexalg kexalgs[] = {
+#ifdef WITH_OPENSSL
         { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
         { KEX_DH14, KEX_DH_GRP14_SHA1, 0, SSH_DIGEST_SHA1 },
         { KEX_DHGEX_SHA1, KEX_DH_GEX_SHA1, 0, SSH_DIGEST_SHA1 },
 #ifdef HAVE_EVP_SHA256
         { KEX_DHGEX_SHA256, KEX_DH_GEX_SHA256, 0, SSH_DIGEST_SHA256 },
-#endif
+#endif /* HAVE_EVP_SHA256 */
 #ifdef OPENSSL_HAS_ECC
         { KEX_ECDH_SHA2_NISTP256, KEX_ECDH_SHA2,
             NID_X9_62_prime256v1, SSH_DIGEST_SHA256 },
@@ -84,12 +87,13 @@ static const struct kexalg kexalgs[] = {
 # ifdef OPENSSL_HAS_NISTP521
         { KEX_ECDH_SHA2_NISTP521, KEX_ECDH_SHA2, NID_secp521r1,
             SSH_DIGEST_SHA512 },
-# endif
-#endif
+# endif /* OPENSSL_HAS_NISTP521 */
+#endif /* OPENSSL_HAS_ECC */
         { KEX_DH1, KEX_DH_GRP1_SHA1, 0, SSH_DIGEST_SHA1 },
+#endif /* WITH_OPENSSL */
 #ifdef HAVE_EVP_SHA256
         { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
-#endif
+#endif /* HAVE_EVP_SHA256 */
         { NULL, -1, -1, -1},
 };
 
@@ -615,6 +619,7 @@ kex_derive_keys(Kex *kex, u_char *hash, u_int hashlen,
         }
 }
 
+#ifdef WITH_OPENSSL
 void
 kex_derive_keys_bn(Kex *kex, u_char *hash, u_int hashlen, const BIGNUM *secret)
 {
@@ -626,6 +631,7 @@ kex_derive_keys_bn(Kex *kex, u_char *hash, u_int hashlen, const BIGNUM *secret)
             buffer_ptr(&shared_secret), buffer_len(&shared_secret));
         buffer_free(&shared_secret);
 }
+#endif
 
 Newkeys *
 kex_get_newkeys(int mode)
@@ -637,6 +643,7 @@ kex_get_newkeys(int mode)
         return ret;
 }
 
+#ifdef WITH_SSH1
 void
 derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
     u_int8_t cookie[8], u_int8_t id[16])
@@ -669,6 +676,7 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
         explicit_bzero(nbuf, sizeof(nbuf));
         explicit_bzero(obuf, sizeof(obuf));
 }
+#endif
 
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
 void
diff --git a/kex.h b/kex.h
index c85680eea..4c40ec851 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.62 2014/01/27 18:58:14 markus Exp $ */
+/* $OpenBSD: kex.h,v 1.64 2014/05/02 03:27:54 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
diff --git a/kexc25519.c b/kexc25519.c
index ee79b4327..e3afa0055 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519.c,v 1.5 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: kexc25519.c,v 1.7 2014/05/02 03:27:54 djm Exp $ */
 /*
  * Copyright (c) 2001, 2013 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
diff --git a/key.c b/key.c
index 168e1b7d7..206076159 100644
--- a/key.c
+++ b/key.c
@@ -1,2089 +1,242 @@
-/* $OpenBSD: key.c,v 1.116 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: key.c,v 1.122 2014/07/22 01:18:50 dtucker Exp $ */
 /*
- * read_bignum():
- * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
- *
- * As far as I am concerned, the code I have written for this software
- * can be used freely for any purpose.  Any derived versions of this
- * software must be clearly marked as such, and if the derived work is
- * incompatible with the protocol description in the RFC file, it must be
- * called by a name other than "ssh" or "Secure Shell".
- *
- *
- * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
- * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
- * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
- * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
- * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
- * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
- * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
- * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
- * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
- * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ * placed in the public domain
  */
 
 #include "includes.h"
 
 #include <sys/param.h>
 #include <sys/types.h>
-
-#include "crypto_api.h"
-
-#include <openssl/evp.h>
-#include <openbsd-compat/openssl-compat.h>
-
+#include <errno.h>
 #include <stdarg.h>
 #include <stdio.h>
-#include <string.h>
 
-#include "xmalloc.h"
+#define SSH_KEY_NO_DEFINE
 #include "key.h"
-#include "rsa.h"
-#include "uuencode.h"
-#include "buffer.h"
-#include "log.h"
-#include "misc.h"
-#include "ssh2.h"
-#include "digest.h"
-
-static int to_blob(const Key *, u_char **, u_int *, int);
-static Key *key_from_blob2(const u_char *, u_int, int);
-
-static struct KeyCert *
-cert_new(void)
-{
-        struct KeyCert *cert;
-
-        cert = xcalloc(1, sizeof(*cert));
-        buffer_init(&cert->certblob);
-        buffer_init(&cert->critical);
-        buffer_init(&cert->extensions);
-        cert->key_id = NULL;
-        cert->principals = NULL;
-        cert->signature_key = NULL;
-        return cert;
-}
-
-Key *
-key_new(int type)
-{
-        Key *k;
-        RSA *rsa;
-        DSA *dsa;
-        k = xcalloc(1, sizeof(*k));
-        k->type = type;
-        k->ecdsa = NULL;
-        k->ecdsa_nid = -1;
-        k->dsa = NULL;
-        k->rsa = NULL;
-        k->cert = NULL;
-        k->ed25519_sk = NULL;
-        k->ed25519_pk = NULL;
-        switch (k->type) {
-        case KEY_RSA1:
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                if ((rsa = RSA_new()) == NULL)
-                        fatal("key_new: RSA_new failed");
-                if ((rsa->n = BN_new()) == NULL)
-                        fatal("key_new: BN_new failed");
-                if ((rsa->e = BN_new()) == NULL)
-                        fatal("key_new: BN_new failed");
-                k->rsa = rsa;
-                break;
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                if ((dsa = DSA_new()) == NULL)
-                        fatal("key_new: DSA_new failed");
-                if ((dsa->p = BN_new()) == NULL)
-                        fatal("key_new: BN_new failed");
-                if ((dsa->q = BN_new()) == NULL)
-                        fatal("key_new: BN_new failed");
-                if ((dsa->g = BN_new()) == NULL)
-                        fatal("key_new: BN_new failed");
-                if ((dsa->pub_key = BN_new()) == NULL)
-                        fatal("key_new: BN_new failed");
-                k->dsa = dsa;
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-        case KEY_ECDSA_CERT:
-                /* Cannot do anything until we know the group */
-                break;
-#endif
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                /* no need to prealloc */
-                break;
-        case KEY_UNSPEC:
-                break;
-        default:
-                fatal("key_new: bad key type %d", k->type);
-                break;
-        }
 
-        if (key_is_cert(k))
-                k->cert = cert_new();
-
-        return k;
-}
+#include "compat.h"
+#include "sshkey.h"
+#include "ssherr.h"
+#include "log.h"
+#include "authfile.h"
 
 void
 key_add_private(Key *k)
 {
-        switch (k->type) {
-        case KEY_RSA1:
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                if ((k->rsa->d = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                if ((k->rsa->iqmp = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                if ((k->rsa->q = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                if ((k->rsa->p = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                if ((k->rsa->dmq1 = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                if ((k->rsa->dmp1 = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                break;
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                if ((k->dsa->priv_key = BN_new()) == NULL)
-                        fatal("key_new_private: BN_new failed");
-                break;
-        case KEY_ECDSA:
-        case KEY_ECDSA_CERT:
-                /* Cannot do anything until we know the group */
-                break;
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                /* no need to prealloc */
-                break;
-        case KEY_UNSPEC:
-                break;
-        default:
-                break;
-        }
+        int r;
+
+        if ((r = sshkey_add_private(k)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
 }
 
 Key *
 key_new_private(int type)
 {
-        Key *k = key_new(type);
-
-        key_add_private(k);
-        return k;
-}
-
-static void
-cert_free(struct KeyCert *cert)
-{
-        u_int i;
-
-        buffer_free(&cert->certblob);
-        buffer_free(&cert->critical);
-        buffer_free(&cert->extensions);
-        free(cert->key_id);
-        for (i = 0; i < cert->nprincipals; i++)
-                free(cert->principals[i]);
-        free(cert->principals);
-        if (cert->signature_key != NULL)
-                key_free(cert->signature_key);
-        free(cert);
-}
-
-void
-key_free(Key *k)
-{
-        if (k == NULL)
-                fatal("key_free: key is NULL");
-        switch (k->type) {
-        case KEY_RSA1:
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                if (k->rsa != NULL)
-                        RSA_free(k->rsa);
-                k->rsa = NULL;
-                break;
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                if (k->dsa != NULL)
-                        DSA_free(k->dsa);
-                k->dsa = NULL;
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-        case KEY_ECDSA_CERT:
-                if (k->ecdsa != NULL)
-                        EC_KEY_free(k->ecdsa);
-                k->ecdsa = NULL;
-                break;
-#endif
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                if (k->ed25519_pk) {
-                        explicit_bzero(k->ed25519_pk, ED25519_PK_SZ);
-                        free(k->ed25519_pk);
-                        k->ed25519_pk = NULL;
-                }
-                if (k->ed25519_sk) {
-                        explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);
-                        free(k->ed25519_sk);
-                        k->ed25519_sk = NULL;
-                }
-                break;
-        case KEY_UNSPEC:
-                break;
-        default:
-                fatal("key_free: bad key type %d", k->type);
-                break;
-        }
-        if (key_is_cert(k)) {
-                if (k->cert != NULL)
-                        cert_free(k->cert);
-                k->cert = NULL;
-        }
-
-        free(k);
-}
-
-static int
-cert_compare(struct KeyCert *a, struct KeyCert *b)
-{
-        if (a == NULL && b == NULL)
-                return 1;
-        if (a == NULL || b == NULL)
-                return 0;
-        if (buffer_len(&a->certblob) != buffer_len(&b->certblob))
-                return 0;
-        if (timingsafe_bcmp(buffer_ptr(&a->certblob), buffer_ptr(&b->certblob),
-            buffer_len(&a->certblob)) != 0)
-                return 0;
-        return 1;
-}
-
-/*
- * Compare public portions of key only, allowing comparisons between
- * certificates and plain keys too.
- */
-int
-key_equal_public(const Key *a, const Key *b)
-{
-#ifdef OPENSSL_HAS_ECC
-        BN_CTX *bnctx;
-#endif
+        Key *ret = NULL;
 
-        if (a == NULL || b == NULL ||
-            key_type_plain(a->type) != key_type_plain(b->type))
-                return 0;
-
-        switch (a->type) {
-        case KEY_RSA1:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-        case KEY_RSA:
-                return a->rsa != NULL && b->rsa != NULL &&
-                    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
-                    BN_cmp(a->rsa->n, b->rsa->n) == 0;
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-        case KEY_DSA:
-                return a->dsa != NULL && b->dsa != NULL &&
-                    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
-                    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
-                    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
-                    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA_CERT:
-        case KEY_ECDSA:
-                if (a->ecdsa == NULL || b->ecdsa == NULL ||
-                    EC_KEY_get0_public_key(a->ecdsa) == NULL ||
-                    EC_KEY_get0_public_key(b->ecdsa) == NULL)
-                        return 0;
-                if ((bnctx = BN_CTX_new()) == NULL)
-                        fatal("%s: BN_CTX_new failed", __func__);
-                if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
-                    EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
-                    EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
-                    EC_KEY_get0_public_key(a->ecdsa),
-                    EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
-                        BN_CTX_free(bnctx);
-                        return 0;
-                }
-                BN_CTX_free(bnctx);
-                return 1;
-#endif /* OPENSSL_HAS_ECC */
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
-                    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
-        default:
-                fatal("key_equal: bad key type %d", a->type);
-        }
-        /* NOTREACHED */
-}
-
-int
-key_equal(const Key *a, const Key *b)
-{
-        if (a == NULL || b == NULL || a->type != b->type)
-                return 0;
-        if (key_is_cert(a)) {
-                if (!cert_compare(a->cert, b->cert))
-                        return 0;
-        }
-        return key_equal_public(a, b);
+        if ((ret = sshkey_new_private(type)) == NULL)
+                fatal("%s: failed", __func__);
+        return ret;
 }
 
 u_char*
 key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
     u_int *dgst_raw_length)
 {
-        u_char *blob = NULL;
-        u_char *retval = NULL;
-        u_int len = 0;
-        int nlen, elen, hash_alg = -1;
-
-        *dgst_raw_length = 0;
-
-        /* XXX switch to DIGEST_* directly? */
-        switch (dgst_type) {
-        case SSH_FP_MD5:
-                hash_alg = SSH_DIGEST_MD5;
-                break;
-        case SSH_FP_SHA1:
-                hash_alg = SSH_DIGEST_SHA1;
-                break;
-        case SSH_FP_SHA256:
-                hash_alg = SSH_DIGEST_SHA256;
-                break;
-        default:
-                fatal("%s: bad digest type %d", __func__, dgst_type);
-        }
-        switch (k->type) {
-        case KEY_RSA1:
-                nlen = BN_num_bytes(k->rsa->n);
-                elen = BN_num_bytes(k->rsa->e);
-                len = nlen + elen;
-                blob = xmalloc(len);
-                BN_bn2bin(k->rsa->n, blob);
-                BN_bn2bin(k->rsa->e, blob + nlen);
-                break;
-        case KEY_DSA:
-        case KEY_ECDSA:
-        case KEY_RSA:
-        case KEY_ED25519:
-                key_to_blob(k, &blob, &len);
-                break;
-        case KEY_DSA_CERT_V00:
-        case KEY_RSA_CERT_V00:
-        case KEY_DSA_CERT:
-        case KEY_ECDSA_CERT:
-        case KEY_RSA_CERT:
-        case KEY_ED25519_CERT:
-                /* We want a fingerprint of the _key_ not of the cert */
-                to_blob(k, &blob, &len, 1);
-                break;
-        case KEY_UNSPEC:
-                return retval;
-        default:
-                fatal("%s: bad key type %d", __func__, k->type);
-                break;
-        }
-        if (blob != NULL) {
-                retval = xmalloc(SSH_DIGEST_MAX_LENGTH);
-                if ((ssh_digest_memory(hash_alg, blob, len,
-                    retval, SSH_DIGEST_MAX_LENGTH)) != 0)
-                        fatal("%s: digest_memory failed", __func__);
-                explicit_bzero(blob, len);
-                free(blob);
-                *dgst_raw_length = ssh_digest_bytes(hash_alg);
-        } else {
-                fatal("%s: blob is null", __func__);
-        }
-        return retval;
-}
-
-static char *
-key_fingerprint_hex(u_char *dgst_raw, u_int dgst_raw_len)
-{
-        char *retval;
-        u_int i;
-
-        retval = xcalloc(1, dgst_raw_len * 3 + 1);
-        for (i = 0; i < dgst_raw_len; i++) {
-                char hex[4];
-                snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
-                strlcat(retval, hex, dgst_raw_len * 3 + 1);
-        }
-
-        /* Remove the trailing ':' character */
-        retval[(dgst_raw_len * 3) - 1] = '\0';
-        return retval;
-}
-
-static char *
-key_fingerprint_bubblebabble(u_char *dgst_raw, u_int dgst_raw_len)
-{
-        char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
-        char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
-            'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
-        u_int i, j = 0, rounds, seed = 1;
-        char *retval;
-
-        rounds = (dgst_raw_len / 2) + 1;
-        retval = xcalloc((rounds * 6), sizeof(char));
-        retval[j++] = 'x';
-        for (i = 0; i < rounds; i++) {
-                u_int idx0, idx1, idx2, idx3, idx4;
-                if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
-                        idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
-                            seed) % 6;
-                        idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
-                        idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
-                            (seed / 6)) % 6;
-                        retval[j++] = vowels[idx0];
-                        retval[j++] = consonants[idx1];
-                        retval[j++] = vowels[idx2];
-                        if ((i + 1) < rounds) {
-                                idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
-                                idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
-                                retval[j++] = consonants[idx3];
-                                retval[j++] = '-';
-                                retval[j++] = consonants[idx4];
-                                seed = ((seed * 5) +
-                                    ((((u_int)(dgst_raw[2 * i])) * 7) +
-                                    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
-                        }
-                } else {
-                        idx0 = seed % 6;
-                        idx1 = 16;
-                        idx2 = seed / 6;
-                        retval[j++] = vowels[idx0];
-                        retval[j++] = consonants[idx1];
-                        retval[j++] = vowels[idx2];
-                }
-        }
-        retval[j++] = 'x';
-        retval[j++] = '\0';
-        return retval;
-}
-
-/*
- * Draw an ASCII-Art representing the fingerprint so human brain can
- * profit from its built-in pattern recognition ability.
- * This technique is called "random art" and can be found in some
- * scientific publications like this original paper:
- *
- * "Hash Visualization: a New Technique to improve Real-World Security",
- * Perrig A. and Song D., 1999, International Workshop on Cryptographic
- * Techniques and E-Commerce (CrypTEC '99)
- * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
- *
- * The subject came up in a talk by Dan Kaminsky, too.
- *
- * If you see the picture is different, the key is different.
- * If the picture looks the same, you still know nothing.
- *
- * The algorithm used here is a worm crawling over a discrete plane,
- * leaving a trace (augmenting the field) everywhere it goes.
- * Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
- * makes the respective movement vector be ignored for this turn.
- * Graphs are not unambiguous, because circles in graphs can be
- * walked in either direction.
- */
-
-/*
- * Field sizes for the random art.  Have to be odd, so the starting point
- * can be in the exact middle of the picture, and FLDBASE should be >=8 .
- * Else pictures would be too dense, and drawing the frame would
- * fail, too, because the key type would not fit in anymore.
- */
-#define FLDBASE         8
-#define FLDSIZE_Y       (FLDBASE + 1)
-#define FLDSIZE_X       (FLDBASE * 2 + 1)
-static char *
-key_fingerprint_randomart(u_char *dgst_raw, u_int dgst_raw_len, const Key *k)
-{
-        /*
-         * Chars to be used after each other every time the worm
-         * intersects with itself.  Matter of taste.
-         */
-        char    *augmentation_string = " .o+=*BOX@%&#/^SE";
-        char    *retval, *p;
-        u_char   field[FLDSIZE_X][FLDSIZE_Y];
-        u_int    i, b;
-        int      x, y;
-        size_t   len = strlen(augmentation_string) - 1;
-
-        retval = xcalloc(1, (FLDSIZE_X + 3) * (FLDSIZE_Y + 2));
-
-        /* initialize field */
-        memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
-        x = FLDSIZE_X / 2;
-        y = FLDSIZE_Y / 2;
-
-        /* process raw key */
-        for (i = 0; i < dgst_raw_len; i++) {
-                int input;
-                /* each byte conveys four 2-bit move commands */
-                input = dgst_raw[i];
-                for (b = 0; b < 4; b++) {
-                        /* evaluate 2 bit, rest is shifted later */
-                        x += (input & 0x1) ? 1 : -1;
-                        y += (input & 0x2) ? 1 : -1;
-
-                        /* assure we are still in bounds */
-                        x = MAX(x, 0);
-                        y = MAX(y, 0);
-                        x = MIN(x, FLDSIZE_X - 1);
-                        y = MIN(y, FLDSIZE_Y - 1);
-
-                        /* augment the field */
-                        if (field[x][y] < len - 2)
-                                field[x][y]++;
-                        input = input >> 2;
-                }
-        }
-
-        /* mark starting point and end point*/
-        field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
-        field[x][y] = len;
-
-        /* fill in retval */
-        snprintf(retval, FLDSIZE_X, "+--[%4s %4u]", key_type(k), key_size(k));
-        p = strchr(retval, '\0');
-
-        /* output upper border */
-        for (i = p - retval - 1; i < FLDSIZE_X; i++)
-                *p++ = '-';
-        *p++ = '+';
-        *p++ = '\n';
-
-        /* output content */
-        for (y = 0; y < FLDSIZE_Y; y++) {
-                *p++ = '|';
-                for (x = 0; x < FLDSIZE_X; x++)
-                        *p++ = augmentation_string[MIN(field[x][y], len)];
-                *p++ = '|';
-                *p++ = '\n';
-        }
-
-        /* output lower border */
-        *p++ = '+';
-        for (i = 0; i < FLDSIZE_X; i++)
-                *p++ = '-';
-        *p++ = '+';
-
-        return retval;
-}
-
-char *
-key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
-{
-        char *retval = NULL;
-        u_char *dgst_raw;
-        u_int dgst_raw_len;
-
-        dgst_raw = key_fingerprint_raw(k, dgst_type, &dgst_raw_len);
-        if (!dgst_raw)
-                fatal("key_fingerprint: null from key_fingerprint_raw()");
-        switch (dgst_rep) {
-        case SSH_FP_HEX:
-                retval = key_fingerprint_hex(dgst_raw, dgst_raw_len);
-                break;
-        case SSH_FP_BUBBLEBABBLE:
-                retval = key_fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
-                break;
-        case SSH_FP_RANDOMART:
-                retval = key_fingerprint_randomart(dgst_raw, dgst_raw_len, k);
-                break;
-        default:
-                fatal("key_fingerprint: bad digest representation %d",
-                    dgst_rep);
-                break;
-        }
-        explicit_bzero(dgst_raw, dgst_raw_len);
-        free(dgst_raw);
-        return retval;
-}
-
-/*
- * Reads a multiple-precision integer in decimal from the buffer, and advances
- * the pointer.  The integer must already be initialized.  This function is
- * permitted to modify the buffer.  This leaves *cpp to point just beyond the
- * last processed (and maybe modified) character.  Note that this may modify
- * the buffer containing the number.
- */
-static int
-read_bignum(char **cpp, BIGNUM * value)
-{
-        char *cp = *cpp;
-        int old;
-
-        /* Skip any leading whitespace. */
-        for (; *cp == ' ' || *cp == '\t'; cp++)
-                ;
-
-        /* Check that it begins with a decimal digit. */
-        if (*cp < '0' || *cp > '9')
-                return 0;
-
-        /* Save starting position. */
-        *cpp = cp;
-
-        /* Move forward until all decimal digits skipped. */
-        for (; *cp >= '0' && *cp <= '9'; cp++)
-                ;
-
-        /* Save the old terminating character, and replace it by \0. */
-        old = *cp;
-        *cp = 0;
-
-        /* Parse the number. */
-        if (BN_dec2bn(&value, *cpp) == 0)
-                return 0;
-
-        /* Restore old terminating character. */
-        *cp = old;
-
-        /* Move beyond the number and return success. */
-        *cpp = cp;
-        return 1;
-}
-
-static int
-write_bignum(FILE *f, BIGNUM *num)
-{
-        char *buf = BN_bn2dec(num);
-        if (buf == NULL) {
-                error("write_bignum: BN_bn2dec() failed");
-                return 0;
-        }
-        fprintf(f, " %s", buf);
-        OPENSSL_free(buf);
-        return 1;
+        u_char *ret = NULL;
+        size_t dlen;
+        int r;
+
+        if (dgst_raw_length != NULL)
+                *dgst_raw_length = 0;
+        if ((r = sshkey_fingerprint_raw(k, dgst_type, &ret, &dlen)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
+        if (dlen > INT_MAX)
+                fatal("%s: giant len %zu", __func__, dlen);
+        *dgst_raw_length = dlen;
+        return ret;
 }
 
-/* returns 1 ok, -1 error */
 int
 key_read(Key *ret, char **cpp)
 {
-        Key *k;
-        int success = -1;
-        char *cp, *space;
-        int len, n, type;
-        u_int bits;
-        u_char *blob;
-#ifdef OPENSSL_HAS_ECC
-        int curve_nid = -1;
-#endif
-
-        cp = *cpp;
-
-        switch (ret->type) {
-        case KEY_RSA1:
-                /* Get number of bits. */
-                if (*cp < '0' || *cp > '9')
-                        return -1;      /* Bad bit count... */
-                for (bits = 0; *cp >= '0' && *cp <= '9'; cp++)
-                        bits = 10 * bits + *cp - '0';
-                if (bits == 0)
-                        return -1;
-                *cpp = cp;
-                /* Get public exponent, public modulus. */
-                if (!read_bignum(cpp, ret->rsa->e))
-                        return -1;
-                if (!read_bignum(cpp, ret->rsa->n))
-                        return -1;
-                /* validate the claimed number of bits */
-                if ((u_int)BN_num_bits(ret->rsa->n) != bits) {
-                        verbose("key_read: claimed key size %d does not match "
-                           "actual %d", bits, BN_num_bits(ret->rsa->n));
-                        return -1;
-                }
-                success = 1;
-                break;
-        case KEY_UNSPEC:
-        case KEY_RSA:
-        case KEY_DSA:
-        case KEY_ECDSA:
-        case KEY_ED25519:
-        case KEY_DSA_CERT_V00:
-        case KEY_RSA_CERT_V00:
-        case KEY_DSA_CERT:
-        case KEY_ECDSA_CERT:
-        case KEY_RSA_CERT:
-        case KEY_ED25519_CERT:
-                space = strchr(cp, ' ');
-                if (space == NULL) {
-                        debug3("key_read: missing whitespace");
-                        return -1;
-                }
-                *space = '\0';
-                type = key_type_from_name(cp);
-#ifdef OPENSSL_HAS_ECC
-                if (key_type_plain(type) == KEY_ECDSA &&
-                    (curve_nid = key_ecdsa_nid_from_name(cp)) == -1) {
-                        debug("key_read: invalid curve");
-                        return -1;
-                }
-#endif
-                *space = ' ';
-                if (type == KEY_UNSPEC) {
-                        debug3("key_read: missing keytype");
-                        return -1;
-                }
-                cp = space+1;
-                if (*cp == '\0') {
-                        debug3("key_read: short string");
-                        return -1;
-                }
-                if (ret->type == KEY_UNSPEC) {
-                        ret->type = type;
-                } else if (ret->type != type) {
-                        /* is a key, but different type */
-                        debug3("key_read: type mismatch");
-                        return -1;
-                }
-                len = 2*strlen(cp);
-                blob = xmalloc(len);
-                n = uudecode(cp, blob, len);
-                if (n < 0) {
-                        error("key_read: uudecode %s failed", cp);
-                        free(blob);
-                        return -1;
-                }
-                k = key_from_blob(blob, (u_int)n);
-                free(blob);
-                if (k == NULL) {
-                        error("key_read: key_from_blob %s failed", cp);
-                        return -1;
-                }
-                if (k->type != type) {
-                        error("key_read: type mismatch: encoding error");
-                        key_free(k);
-                        return -1;
-                }
-#ifdef OPENSSL_HAS_ECC
-                if (key_type_plain(type) == KEY_ECDSA &&
-                    curve_nid != k->ecdsa_nid) {
-                        error("key_read: type mismatch: EC curve mismatch");
-                        key_free(k);
-                        return -1;
-                }
-#endif
-/*XXXX*/
-                if (key_is_cert(ret)) {
-                        if (!key_is_cert(k)) {
-                                error("key_read: loaded key is not a cert");
-                                key_free(k);
-                                return -1;
-                        }
-                        if (ret->cert != NULL)
-                                cert_free(ret->cert);
-                        ret->cert = k->cert;
-                        k->cert = NULL;
-                }
-                if (key_type_plain(ret->type) == KEY_RSA) {
-                        if (ret->rsa != NULL)
-                                RSA_free(ret->rsa);
-                        ret->rsa = k->rsa;
-                        k->rsa = NULL;
-#ifdef DEBUG_PK
-                        RSA_print_fp(stderr, ret->rsa, 8);
-#endif
-                }
-                if (key_type_plain(ret->type) == KEY_DSA) {
-                        if (ret->dsa != NULL)
-                                DSA_free(ret->dsa);
-                        ret->dsa = k->dsa;
-                        k->dsa = NULL;
-#ifdef DEBUG_PK
-                        DSA_print_fp(stderr, ret->dsa, 8);
-#endif
-                }
-#ifdef OPENSSL_HAS_ECC
-                if (key_type_plain(ret->type) == KEY_ECDSA) {
-                        if (ret->ecdsa != NULL)
-                                EC_KEY_free(ret->ecdsa);
-                        ret->ecdsa = k->ecdsa;
-                        ret->ecdsa_nid = k->ecdsa_nid;
-                        k->ecdsa = NULL;
-                        k->ecdsa_nid = -1;
-#ifdef DEBUG_PK
-                        key_dump_ec_key(ret->ecdsa);
-#endif
-                }
-#endif
-                if (key_type_plain(ret->type) == KEY_ED25519) {
-                        free(ret->ed25519_pk);
-                        ret->ed25519_pk = k->ed25519_pk;
-                        k->ed25519_pk = NULL;
-#ifdef DEBUG_PK
-                        /* XXX */
-#endif
-                }
-                success = 1;
-/*XXXX*/
-                key_free(k);
-                if (success != 1)
-                        break;
-                /* advance cp: skip whitespace and data */
-                while (*cp == ' ' || *cp == '\t')
-                        cp++;
-                while (*cp != '\0' && *cp != ' ' && *cp != '\t')
-                        cp++;
-                *cpp = cp;
-                break;
-        default:
-                fatal("key_read: bad key type: %d", ret->type);
-                break;
-        }
-        return success;
+        return sshkey_read(ret, cpp) == 0 ? 1 : -1;
 }
 
 int
 key_write(const Key *key, FILE *f)
 {
-        int n, success = 0;
-        u_int len, bits = 0;
-        u_char *blob;
-        char *uu;
-
-        if (key_is_cert(key)) {
-                if (key->cert == NULL) {
-                        error("%s: no cert data", __func__);
-                        return 0;
-                }
-                if (buffer_len(&key->cert->certblob) == 0) {
-                        error("%s: no signed certificate blob", __func__);
-                        return 0;
-                }
-        }
-
-        switch (key->type) {
-        case KEY_RSA1:
-                if (key->rsa == NULL)
-                        return 0;
-                /* size of modulus 'n' */
-                bits = BN_num_bits(key->rsa->n);
-                fprintf(f, "%u", bits);
-                if (write_bignum(f, key->rsa->e) &&
-                    write_bignum(f, key->rsa->n))
-                        return 1;
-                error("key_write: failed for RSA key");
-                return 0;
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                if (key->dsa == NULL)
-                        return 0;
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-        case KEY_ECDSA_CERT:
-                if (key->ecdsa == NULL)
-                        return 0;
-                break;
-#endif
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                if (key->ed25519_pk == NULL)
-                        return 0;
-                break;
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                if (key->rsa == NULL)
-                        return 0;
-                break;
-        default:
-                return 0;
-        }
-
-        key_to_blob(key, &blob, &len);
-        uu = xmalloc(2*len);
-        n = uuencode(blob, len, uu, 2*len);
-        if (n > 0) {
-                fprintf(f, "%s %s", key_ssh_name(key), uu);
-                success = 1;
-        }
-        free(blob);
-        free(uu);
-
-        return success;
-}
-
-const char *
-key_cert_type(const Key *k)
-{
-        switch (k->cert->type) {
-        case SSH2_CERT_TYPE_USER:
-                return "user";
-        case SSH2_CERT_TYPE_HOST:
-                return "host";
-        default:
-                return "unknown";
-        }
-}
-
-struct keytype {
-        char *name;
-        char *shortname;
-        int type;
-        int nid;
-        int cert;
-};
-static const struct keytype keytypes[] = {
-        { NULL, "RSA1", KEY_RSA1, 0, 0 },
-        { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
-        { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
-        { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
-#ifdef OPENSSL_HAS_ECC
-        { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
-        { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
-# ifdef OPENSSL_HAS_NISTP521
-        { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
-# endif
-#endif /* OPENSSL_HAS_ECC */
-        { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
-        { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
-#ifdef OPENSSL_HAS_ECC
-        { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
-            KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
-        { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
-            KEY_ECDSA_CERT, NID_secp384r1, 1 },
-# ifdef OPENSSL_HAS_NISTP521
-        { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
-            KEY_ECDSA_CERT, NID_secp521r1, 1 },
-# endif
-#endif /* OPENSSL_HAS_ECC */
-        { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
-            KEY_RSA_CERT_V00, 0, 1 },
-        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
-            KEY_DSA_CERT_V00, 0, 1 },
-        { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
-            KEY_ED25519_CERT, 0, 1 },
-        { NULL, NULL, -1, -1, 0 }
-};
-
-const char *
-key_type(const Key *k)
-{
-        const struct keytype *kt;
-
-        for (kt = keytypes; kt->type != -1; kt++) {
-                if (kt->type == k->type)
-                        return kt->shortname;
-        }
-        return "unknown";
-}
-
-static const char *
-key_ssh_name_from_type_nid(int type, int nid)
-{
-        const struct keytype *kt;
-
-        for (kt = keytypes; kt->type != -1; kt++) {
-                if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
-                        return kt->name;
-        }
-        return "ssh-unknown";
-}
-
-const char *
-key_ssh_name(const Key *k)
-{
-        return key_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
-}
-
-const char *
-key_ssh_name_plain(const Key *k)
-{
-        return key_ssh_name_from_type_nid(key_type_plain(k->type),
-            k->ecdsa_nid);
-}
-
-int
-key_type_from_name(char *name)
-{
-        const struct keytype *kt;
-
-        for (kt = keytypes; kt->type != -1; kt++) {
-                /* Only allow shortname matches for plain key types */
-                if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
-                    (!kt->cert && strcasecmp(kt->shortname, name) == 0))
-                        return kt->type;
-        }
-        debug2("key_type_from_name: unknown key type '%s'", name);
-        return KEY_UNSPEC;
-}
-
-int
-key_ecdsa_nid_from_name(const char *name)
-{
-        const struct keytype *kt;
-
-        for (kt = keytypes; kt->type != -1; kt++) {
-                if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
-                        continue;
-                if (kt->name != NULL && strcmp(name, kt->name) == 0)
-                        return kt->nid;
-        }
-        debug2("%s: unknown/non-ECDSA key type '%s'", __func__, name);
-        return -1;
-}
-
-char *
-key_alg_list(int certs_only, int plain_only)
-{
-        char *ret = NULL;
-        size_t nlen, rlen = 0;
-        const struct keytype *kt;
-
-        for (kt = keytypes; kt->type != -1; kt++) {
-                if (kt->name == NULL)
-                        continue;
-                if ((certs_only && !kt->cert) || (plain_only && kt->cert))
-                        continue;
-                if (ret != NULL)
-                        ret[rlen++] = '\n';
-                nlen = strlen(kt->name);
-                ret = xrealloc(ret, 1, rlen + nlen + 2);
-                memcpy(ret + rlen, kt->name, nlen + 1);
-                rlen += nlen;
-        }
-        return ret;
-}
-
-int
-key_type_is_cert(int type)
-{
-        const struct keytype *kt;
-
-        for (kt = keytypes; kt->type != -1; kt++) {
-                if (kt->type == type)
-                        return kt->cert;
-        }
-        return 0;
-}
-
-static int
-key_type_is_valid_ca(int type)
-{
-        switch (type) {
-        case KEY_RSA:
-        case KEY_DSA:
-        case KEY_ECDSA:
-        case KEY_ED25519:
-                return 1;
-        default:
-                return 0;
-        }
-}
-
-u_int
-key_size(const Key *k)
-{
-        switch (k->type) {
-        case KEY_RSA1:
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                return BN_num_bits(k->rsa->n);
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                return BN_num_bits(k->dsa->p);
-        case KEY_ED25519:
-                return 256;     /* XXX */
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-        case KEY_ECDSA_CERT:
-                return key_curve_nid_to_bits(k->ecdsa_nid);
-#endif
-        }
-        return 0;
-}
-
-static RSA *
-rsa_generate_private_key(u_int bits)
-{
-        RSA *private = RSA_new();
-        BIGNUM *f4 = BN_new();
-
-        if (private == NULL)
-                fatal("%s: RSA_new failed", __func__);
-        if (f4 == NULL)
-                fatal("%s: BN_new failed", __func__);
-        if (!BN_set_word(f4, RSA_F4))
-                fatal("%s: BN_new failed", __func__);
-        if (!RSA_generate_key_ex(private, bits, f4, NULL))
-                fatal("%s: key generation failed.", __func__);
-        BN_free(f4);
-        return private;
-}
-
-static DSA*
-dsa_generate_private_key(u_int bits)
-{
-        DSA *private = DSA_new();
-
-        if (private == NULL)
-                fatal("%s: DSA_new failed", __func__);
-        if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
-            NULL, NULL))
-                fatal("%s: DSA_generate_parameters failed", __func__);
-        if (!DSA_generate_key(private))
-                fatal("%s: DSA_generate_key failed.", __func__);
-        return private;
-}
-
-int
-key_ecdsa_bits_to_nid(int bits)
-{
-        switch (bits) {
-#ifdef OPENSSL_HAS_ECC
-        case 256:
-                return NID_X9_62_prime256v1;
-        case 384:
-                return NID_secp384r1;
-# ifdef OPENSSL_HAS_NISTP521
-        case 521:
-                return NID_secp521r1;
-# endif
-#endif
-        default:
-                return -1;
-        }
-}
-
-#ifdef OPENSSL_HAS_ECC
-int
-key_ecdsa_key_to_nid(EC_KEY *k)
-{
-        EC_GROUP *eg;
-        int nids[] = {
-                NID_X9_62_prime256v1,
-                NID_secp384r1,
-# ifdef OPENSSL_HAS_NISTP521
-                NID_secp521r1,
-# endif
-                -1
-        };
-        int nid;
-        u_int i;
-        BN_CTX *bnctx;
-        const EC_GROUP *g = EC_KEY_get0_group(k);
-
-        /*
-         * The group may be stored in a ASN.1 encoded private key in one of two
-         * ways: as a "named group", which is reconstituted by ASN.1 object ID
-         * or explicit group parameters encoded into the key blob. Only the
-         * "named group" case sets the group NID for us, but we can figure
-         * it out for the other case by comparing against all the groups that
-         * are supported.
-         */
-        if ((nid = EC_GROUP_get_curve_name(g)) > 0)
-                return nid;
-        if ((bnctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new() failed", __func__);
-        for (i = 0; nids[i] != -1; i++) {
-                if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL)
-                        fatal("%s: EC_GROUP_new_by_curve_name failed",
-                            __func__);
-                if (EC_GROUP_cmp(g, eg, bnctx) == 0)
-                        break;
-                EC_GROUP_free(eg);
-        }
-        BN_CTX_free(bnctx);
-        debug3("%s: nid = %d", __func__, nids[i]);
-        if (nids[i] != -1) {
-                /* Use the group with the NID attached */
-                EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
-                if (EC_KEY_set_group(k, eg) != 1)
-                        fatal("%s: EC_KEY_set_group", __func__);
-        }
-        return nids[i];
-}
-
-static EC_KEY*
-ecdsa_generate_private_key(u_int bits, int *nid)
-{
-        EC_KEY *private;
-
-        if ((*nid = key_ecdsa_bits_to_nid(bits)) == -1)
-                fatal("%s: invalid key length", __func__);
-        if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL)
-                fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
-        if (EC_KEY_generate_key(private) != 1)
-                fatal("%s: EC_KEY_generate_key failed", __func__);
-        EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
-        return private;
+        return sshkey_write(key, f) == 0 ? 1 : 0;
 }
-#endif /* OPENSSL_HAS_ECC */
 
 Key *
 key_generate(int type, u_int bits)
 {
-        Key *k = key_new(KEY_UNSPEC);
-        switch (type) {
-        case KEY_DSA:
-                k->dsa = dsa_generate_private_key(bits);
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-                k->ecdsa = ecdsa_generate_private_key(bits, &k->ecdsa_nid);
-                break;
-#endif
-        case KEY_RSA:
-        case KEY_RSA1:
-                k->rsa = rsa_generate_private_key(bits);
-                break;
-        case KEY_ED25519:
-                k->ed25519_pk = xmalloc(ED25519_PK_SZ);
-                k->ed25519_sk = xmalloc(ED25519_SK_SZ);
-                crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
-                break;
-        case KEY_RSA_CERT_V00:
-        case KEY_DSA_CERT_V00:
-        case KEY_RSA_CERT:
-        case KEY_DSA_CERT:
-                fatal("key_generate: cert keys cannot be generated directly");
-        default:
-                fatal("key_generate: unknown type %d", type);
-        }
-        k->type = type;
-        return k;
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_generate(type, bits, &ret)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
+        return ret;
 }
 
 void
-key_cert_copy(const Key *from_key, struct Key *to_key)
+key_cert_copy(const Key *from_key, Key *to_key)
 {
-        u_int i;
-        const struct KeyCert *from;
-        struct KeyCert *to;
-
-        if (to_key->cert != NULL) {
-                cert_free(to_key->cert);
-                to_key->cert = NULL;
-        }
+        int r;
 
-        if ((from = from_key->cert) == NULL)
-                return;
-
-        to = to_key->cert = cert_new();
-
-        buffer_append(&to->certblob, buffer_ptr(&from->certblob),
-            buffer_len(&from->certblob));
-
-        buffer_append(&to->critical,
-            buffer_ptr(&from->critical), buffer_len(&from->critical));
-        buffer_append(&to->extensions,
-            buffer_ptr(&from->extensions), buffer_len(&from->extensions));
-
-        to->serial = from->serial;
-        to->type = from->type;
-        to->key_id = from->key_id == NULL ? NULL : xstrdup(from->key_id);
-        to->valid_after = from->valid_after;
-        to->valid_before = from->valid_before;
-        to->signature_key = from->signature_key == NULL ?
-            NULL : key_from_private(from->signature_key);
-
-        to->nprincipals = from->nprincipals;
-        if (to->nprincipals > CERT_MAX_PRINCIPALS)
-                fatal("%s: nprincipals (%u) > CERT_MAX_PRINCIPALS (%u)",
-                    __func__, to->nprincipals, CERT_MAX_PRINCIPALS);
-        if (to->nprincipals > 0) {
-                to->principals = xcalloc(from->nprincipals,
-                    sizeof(*to->principals));
-                for (i = 0; i < to->nprincipals; i++)
-                        to->principals[i] = xstrdup(from->principals[i]);
-        }
+        if ((r = sshkey_cert_copy(from_key, to_key)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
 }
 
 Key *
 key_from_private(const Key *k)
 {
-        Key *n = NULL;
-        switch (k->type) {
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                n = key_new(k->type);
-                if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
-                    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
-                    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
-                    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
-                        fatal("key_from_private: BN_copy failed");
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-        case KEY_ECDSA_CERT:
-                n = key_new(k->type);
-                n->ecdsa_nid = k->ecdsa_nid;
-                if ((n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid)) == NULL)
-                        fatal("%s: EC_KEY_new_by_curve_name failed", __func__);
-                if (EC_KEY_set_public_key(n->ecdsa,
-                    EC_KEY_get0_public_key(k->ecdsa)) != 1)
-                        fatal("%s: EC_KEY_set_public_key failed", __func__);
-                break;
-#endif
-        case KEY_RSA:
-        case KEY_RSA1:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                n = key_new(k->type);
-                if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
-                    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
-                        fatal("key_from_private: BN_copy failed");
-                break;
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                n = key_new(k->type);
-                if (k->ed25519_pk != NULL) {
-                        n->ed25519_pk = xmalloc(ED25519_PK_SZ);
-                        memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
-                }
-                break;
-        default:
-                fatal("key_from_private: unknown type %d", k->type);
-                break;
-        }
-        if (key_is_cert(k))
-                key_cert_copy(k, n);
-        return n;
-}
-
-int
-key_names_valid2(const char *names)
-{
-        char *s, *cp, *p;
-
-        if (names == NULL || strcmp(names, "") == 0)
-                return 0;
-        s = cp = xstrdup(names);
-        for ((p = strsep(&cp, ",")); p && *p != '\0';
-            (p = strsep(&cp, ","))) {
-                switch (key_type_from_name(p)) {
-                case KEY_RSA1:
-                case KEY_UNSPEC:
-                        free(s);
-                        return 0;
-                }
-        }
-        debug3("key names ok: [%s]", names);
-        free(s);
-        return 1;
-}
-
-static int
-cert_parse(Buffer *b, Key *key, const u_char *blob, u_int blen)
-{
-        u_char *principals, *critical, *exts, *sig_key, *sig;
-        u_int signed_len, plen, clen, sklen, slen, kidlen, elen;
-        Buffer tmp;
-        char *principal;
-        int ret = -1;
-        int v00 = key->type == KEY_DSA_CERT_V00 ||
-            key->type == KEY_RSA_CERT_V00;
-
-        buffer_init(&tmp);
-
-        /* Copy the entire key blob for verification and later serialisation */
-        buffer_append(&key->cert->certblob, blob, blen);
-
-        elen = 0; /* Not touched for v00 certs */
-        principals = exts = critical = sig_key = sig = NULL;
-        if ((!v00 && buffer_get_int64_ret(&key->cert->serial, b) != 0) ||
-            buffer_get_int_ret(&key->cert->type, b) != 0 ||
-            (key->cert->key_id = buffer_get_cstring_ret(b, &kidlen)) == NULL ||
-            (principals = buffer_get_string_ret(b, &plen)) == NULL ||
-            buffer_get_int64_ret(&key->cert->valid_after, b) != 0 ||
-            buffer_get_int64_ret(&key->cert->valid_before, b) != 0 ||
-            (critical = buffer_get_string_ret(b, &clen)) == NULL ||
-            (!v00 && (exts = buffer_get_string_ret(b, &elen)) == NULL) ||
-            (v00 && buffer_get_string_ptr_ret(b, NULL) == NULL) || /* nonce */
-            buffer_get_string_ptr_ret(b, NULL) == NULL || /* reserved */
-            (sig_key = buffer_get_string_ret(b, &sklen)) == NULL) {
-                error("%s: parse error", __func__);
-                goto out;
-        }
-
-        /* Signature is left in the buffer so we can calculate this length */
-        signed_len = buffer_len(&key->cert->certblob) - buffer_len(b);
-
-        if ((sig = buffer_get_string_ret(b, &slen)) == NULL) {
-                error("%s: parse error", __func__);
-                goto out;
-        }
-
-        if (key->cert->type != SSH2_CERT_TYPE_USER &&
-            key->cert->type != SSH2_CERT_TYPE_HOST) {
-                error("Unknown certificate type %u", key->cert->type);
-                goto out;
-        }
+        int r;
+        Key *ret = NULL;
 
-        buffer_append(&tmp, principals, plen);
-        while (buffer_len(&tmp) > 0) {
-                if (key->cert->nprincipals >= CERT_MAX_PRINCIPALS) {
-                        error("%s: Too many principals", __func__);
-                        goto out;
-                }
-                if ((principal = buffer_get_cstring_ret(&tmp, &plen)) == NULL) {
-                        error("%s: Principals data invalid", __func__);
-                        goto out;
-                }
-                key->cert->principals = xrealloc(key->cert->principals,
-                    key->cert->nprincipals + 1, sizeof(*key->cert->principals));
-                key->cert->principals[key->cert->nprincipals++] = principal;
-        }
-
-        buffer_clear(&tmp);
-
-        buffer_append(&key->cert->critical, critical, clen);
-        buffer_append(&tmp, critical, clen);
-        /* validate structure */
-        while (buffer_len(&tmp) != 0) {
-                if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
-                    buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
-                        error("%s: critical option data invalid", __func__);
-                        goto out;
-                }
-        }
-        buffer_clear(&tmp);
-
-        buffer_append(&key->cert->extensions, exts, elen);
-        buffer_append(&tmp, exts, elen);
-        /* validate structure */
-        while (buffer_len(&tmp) != 0) {
-                if (buffer_get_string_ptr_ret(&tmp, NULL) == NULL ||
-                    buffer_get_string_ptr_ret(&tmp, NULL) == NULL) {
-                        error("%s: extension data invalid", __func__);
-                        goto out;
-                }
-        }
-        buffer_clear(&tmp);
-
-        if ((key->cert->signature_key = key_from_blob2(sig_key, sklen, 0))
-            == NULL) {
-                error("%s: Signature key invalid", __func__);
-                goto out;
-        }
-        if (!key_type_is_valid_ca(key->cert->signature_key->type)) {
-                error("%s: Invalid signature key type %s (%d)", __func__,
-                    key_type(key->cert->signature_key),
-                    key->cert->signature_key->type);
-                goto out;
-        }
-
-        switch (key_verify(key->cert->signature_key, sig, slen, 
-            buffer_ptr(&key->cert->certblob), signed_len)) {
-        case 1:
-                ret = 0;
-                break; /* Good signature */
-        case 0:
-                error("%s: Invalid signature on certificate", __func__);
-                goto out;
-        case -1:
-                error("%s: Certificate signature verification failed",
-                    __func__);
-                goto out;
-        }
-
- out:
-        buffer_free(&tmp);
-        free(principals);
-        free(critical);
-        free(exts);
-        free(sig_key);
-        free(sig);
+        if ((r = sshkey_from_private(k, &ret)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
         return ret;
 }
 
-static Key *
-key_from_blob2(const u_char *blob, u_int blen, int allow_cert)
+static void
+fatal_on_fatal_errors(int r, const char *func, int extra_fatal)
 {
-        Buffer b;
-        int rlen, type;
-        u_int len;
-        char *ktype = NULL, *curve = NULL;
-        u_char *pk = NULL;
-        Key *key = NULL;
-#ifdef OPENSSL_HAS_ECC
-        EC_POINT *q = NULL;
-        int nid = -1;
-#endif
-
-#ifdef DEBUG_PK
-        dump_base64(stderr, blob, blen);
-#endif
-        buffer_init(&b);
-        buffer_append(&b, blob, blen);
-        if ((ktype = buffer_get_cstring_ret(&b, NULL)) == NULL) {
-                error("key_from_blob: can't read key type");
-                goto out;
-        }
-
-        type = key_type_from_name(ktype);
-#ifdef OPENSSL_HAS_ECC
-        if (key_type_plain(type) == KEY_ECDSA)
-                nid = key_ecdsa_nid_from_name(ktype);
-#endif
-        if (!allow_cert && key_type_is_cert(type)) {
-                error("key_from_blob: certificate not allowed in this context");
-                goto out;
-        }
-        switch (type) {
-        case KEY_RSA_CERT:
-                (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
-                /* FALLTHROUGH */
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-                key = key_new(type);
-                if (buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
-                    buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
-                        error("key_from_blob: can't read rsa key");
- badkey:
-                        key_free(key);
-                        key = NULL;
-                        goto out;
-                }
-#ifdef DEBUG_PK
-                RSA_print_fp(stderr, key->rsa, 8);
-#endif
-                break;
-        case KEY_DSA_CERT:
-                (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
-                /* FALLTHROUGH */
-        case KEY_DSA:
-        case KEY_DSA_CERT_V00:
-                key = key_new(type);
-                if (buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
-                    buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
-                    buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
-                    buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
-                        error("key_from_blob: can't read dsa key");
-                        goto badkey;
-                }
-#ifdef DEBUG_PK
-                DSA_print_fp(stderr, key->dsa, 8);
-#endif
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA_CERT:
-                (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
-                /* FALLTHROUGH */
-        case KEY_ECDSA:
-                key = key_new(type);
-                key->ecdsa_nid = nid;
-                if ((curve = buffer_get_string_ret(&b, NULL)) == NULL) {
-                        error("key_from_blob: can't read ecdsa curve");
-                        goto badkey;
-                }
-                if (key->ecdsa_nid != key_curve_name_to_nid(curve)) {
-                        error("key_from_blob: ecdsa curve doesn't match type");
-                        goto badkey;
-                }
-                if (key->ecdsa != NULL)
-                        EC_KEY_free(key->ecdsa);
-                if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
-                    == NULL)
-                        fatal("key_from_blob: EC_KEY_new_by_curve_name failed");
-                if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL)
-                        fatal("key_from_blob: EC_POINT_new failed");
-                if (buffer_get_ecpoint_ret(&b, EC_KEY_get0_group(key->ecdsa),
-                    q) == -1) {
-                        error("key_from_blob: can't read ecdsa key point");
-                        goto badkey;
-                }
-                if (key_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
-                    q) != 0)
-                        goto badkey;
-                if (EC_KEY_set_public_key(key->ecdsa, q) != 1)
-                        fatal("key_from_blob: EC_KEY_set_public_key failed");
-#ifdef DEBUG_PK
-                key_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
-#endif
-                break;
-#endif /* OPENSSL_HAS_ECC */
-        case KEY_ED25519_CERT:
-                (void)buffer_get_string_ptr_ret(&b, NULL); /* Skip nonce */
-                /* FALLTHROUGH */
-        case KEY_ED25519:
-                if ((pk = buffer_get_string_ret(&b, &len)) == NULL) {
-                        error("key_from_blob: can't read ed25519 key");
-                        goto badkey;
-                }
-                if (len != ED25519_PK_SZ) {
-                        error("key_from_blob: ed25519 len %d != %d",
-                            len, ED25519_PK_SZ);
-                        goto badkey;
-                }
-                key = key_new(type);
-                key->ed25519_pk = pk;
-                pk = NULL;
-                break;
-        case KEY_UNSPEC:
-                key = key_new(type);
-                break;
-        default:
-                error("key_from_blob: cannot handle type %s", ktype);
-                goto out;
-        }
-        if (key_is_cert(key) && cert_parse(&b, key, blob, blen) == -1) {
-                error("key_from_blob: can't parse cert data");
-                goto badkey;
-        }
-        rlen = buffer_len(&b);
-        if (key != NULL && rlen != 0)
-                error("key_from_blob: remaining bytes in key blob %d", rlen);
- out:
-        free(ktype);
-        free(curve);
-        free(pk);
-#ifdef OPENSSL_HAS_ECC
-        if (q != NULL)
-                EC_POINT_free(q);
-#endif
-        buffer_free(&b);
-        return key;
+        if (r == SSH_ERR_INTERNAL_ERROR ||
+            r == SSH_ERR_ALLOC_FAIL ||
+            (extra_fatal != 0 && r == extra_fatal))
+                fatal("%s: %s", func, ssh_err(r));
 }
 
 Key *
 key_from_blob(const u_char *blob, u_int blen)
 {
-        return key_from_blob2(blob, blen, 1);
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_from_blob(blob, blen, &ret)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
+                return NULL;
+        }
+        return ret;
 }
 
-static int
-to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
+int
+key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
 {
-        Buffer b;
-        int len, type;
+        u_char *blob;
+        size_t blen;
+        int r;
 
         if (blobp != NULL)
                 *blobp = NULL;
         if (lenp != NULL)
                 *lenp = 0;
-        if (key == NULL) {
-                error("key_to_blob: key == NULL");
-                return 0;
-        }
-        buffer_init(&b);
-        type = force_plain ? key_type_plain(key->type) : key->type;
-        switch (type) {
-        case KEY_DSA_CERT_V00:
-        case KEY_RSA_CERT_V00:
-        case KEY_DSA_CERT:
-        case KEY_ECDSA_CERT:
-        case KEY_RSA_CERT:
-        case KEY_ED25519_CERT:
-                /* Use the existing blob */
-                buffer_append(&b, buffer_ptr(&key->cert->certblob),
-                    buffer_len(&key->cert->certblob));
-                break;
-        case KEY_DSA:
-                buffer_put_cstring(&b,
-                    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
-                buffer_put_bignum2(&b, key->dsa->p);
-                buffer_put_bignum2(&b, key->dsa->q);
-                buffer_put_bignum2(&b, key->dsa->g);
-                buffer_put_bignum2(&b, key->dsa->pub_key);
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-                buffer_put_cstring(&b,
-                    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
-                buffer_put_cstring(&b, key_curve_nid_to_name(key->ecdsa_nid));
-                buffer_put_ecpoint(&b, EC_KEY_get0_group(key->ecdsa),
-                    EC_KEY_get0_public_key(key->ecdsa));
-                break;
-#endif
-        case KEY_RSA:
-                buffer_put_cstring(&b,
-                    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
-                buffer_put_bignum2(&b, key->rsa->e);
-                buffer_put_bignum2(&b, key->rsa->n);
-                break;
-        case KEY_ED25519:
-                buffer_put_cstring(&b,
-                    key_ssh_name_from_type_nid(type, key->ecdsa_nid));
-                buffer_put_string(&b, key->ed25519_pk, ED25519_PK_SZ);
-                break;
-        default:
-                error("key_to_blob: unsupported key type %d", key->type);
-                buffer_free(&b);
+        if ((r = sshkey_to_blob(key, &blob, &blen)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
                 return 0;
         }
-        len = buffer_len(&b);
+        if (blen > INT_MAX)
+                fatal("%s: giant len %zu", __func__, blen);
+        if (blobp != NULL)
+                *blobp = blob;
         if (lenp != NULL)
-                *lenp = len;
-        if (blobp != NULL) {
-                *blobp = xmalloc(len);
-                memcpy(*blobp, buffer_ptr(&b), len);
-        }
-        explicit_bzero(buffer_ptr(&b), len);
-        buffer_free(&b);
-        return len;
-}
-
-int
-key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
-{
-        return to_blob(key, blobp, lenp, 0);
+                *lenp = blen;
+        return blen;
 }
 
 int
-key_sign(
-    const Key *key,
-    u_char **sigp, u_int *lenp,
+key_sign(const Key *key, u_char **sigp, u_int *lenp,
     const u_char *data, u_int datalen)
 {
-        switch (key->type) {
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-        case KEY_DSA:
-                return ssh_dss_sign(key, sigp, lenp, data, datalen);
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA_CERT:
-        case KEY_ECDSA:
-                return ssh_ecdsa_sign(key, sigp, lenp, data, datalen);
-#endif
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-        case KEY_RSA:
-                return ssh_rsa_sign(key, sigp, lenp, data, datalen);
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                return ssh_ed25519_sign(key, sigp, lenp, data, datalen);
-        default:
-                error("key_sign: invalid key type %d", key->type);
+        int r;
+        u_char *sig;
+        size_t siglen;
+
+        if (sigp != NULL)
+                *sigp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+        if ((r = sshkey_sign(key, &sig, &siglen,
+            data, datalen, datafellows)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
                 return -1;
         }
+        if (siglen > INT_MAX)
+                fatal("%s: giant len %zu", __func__, siglen);
+        if (sigp != NULL)
+                *sigp = sig;
+        if (lenp != NULL)
+                *lenp = siglen;
+        return 0;
 }
 
-/*
- * key_verify returns 1 for a correct signature, 0 for an incorrect signature
- * and -1 on error.
- */
 int
-key_verify(
-    const Key *key,
-    const u_char *signature, u_int signaturelen,
+key_verify(const Key *key, const u_char *signature, u_int signaturelen,
     const u_char *data, u_int datalen)
 {
-        if (signaturelen == 0)
-                return -1;
+        int r;
 
-        switch (key->type) {
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-        case KEY_DSA:
-                return ssh_dss_verify(key, signature, signaturelen, data, datalen);
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA_CERT:
-        case KEY_ECDSA:
-                return ssh_ecdsa_verify(key, signature, signaturelen, data, datalen);
-#endif
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-        case KEY_RSA:
-                return ssh_rsa_verify(key, signature, signaturelen, data, datalen);
-        case KEY_ED25519:
-        case KEY_ED25519_CERT:
-                return ssh_ed25519_verify(key, signature, signaturelen, data, datalen);
-        default:
-                error("key_verify: invalid key type %d", key->type);
-                return -1;
+        if ((r = sshkey_verify(key, signature, signaturelen,
+            data, datalen, datafellows)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
+                return r == SSH_ERR_SIGNATURE_INVALID ? 0 : -1;
         }
+        return 1;
 }
 
-/* Converts a private to a public key */
 Key *
 key_demote(const Key *k)
 {
-        Key *pk;
-
-        pk = xcalloc(1, sizeof(*pk));
-        pk->type = k->type;
-        pk->flags = k->flags;
-        pk->ecdsa_nid = k->ecdsa_nid;
-        pk->dsa = NULL;
-        pk->ecdsa = NULL;
-        pk->rsa = NULL;
-        pk->ed25519_pk = NULL;
-        pk->ed25519_sk = NULL;
-
-        switch (k->type) {
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                key_cert_copy(k, pk);
-                /* FALLTHROUGH */
-        case KEY_RSA1:
-        case KEY_RSA:
-                if ((pk->rsa = RSA_new()) == NULL)
-                        fatal("key_demote: RSA_new failed");
-                if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
-                        fatal("key_demote: BN_dup failed");
-                if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
-                        fatal("key_demote: BN_dup failed");
-                break;
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                key_cert_copy(k, pk);
-                /* FALLTHROUGH */
-        case KEY_DSA:
-                if ((pk->dsa = DSA_new()) == NULL)
-                        fatal("key_demote: DSA_new failed");
-                if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
-                        fatal("key_demote: BN_dup failed");
-                if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
-                        fatal("key_demote: BN_dup failed");
-                if ((pk->dsa->g = BN_dup(k->dsa->g)) == NULL)
-                        fatal("key_demote: BN_dup failed");
-                if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
-                        fatal("key_demote: BN_dup failed");
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA_CERT:
-                key_cert_copy(k, pk);
-                /* FALLTHROUGH */
-        case KEY_ECDSA:
-                if ((pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid)) == NULL)
-                        fatal("key_demote: EC_KEY_new_by_curve_name failed");
-                if (EC_KEY_set_public_key(pk->ecdsa,
-                    EC_KEY_get0_public_key(k->ecdsa)) != 1)
-                        fatal("key_demote: EC_KEY_set_public_key failed");
-                break;
-#endif
-        case KEY_ED25519_CERT:
-                key_cert_copy(k, pk);
-                /* FALLTHROUGH */
-        case KEY_ED25519:
-                if (k->ed25519_pk != NULL) {
-                        pk->ed25519_pk = xmalloc(ED25519_PK_SZ);
-                        memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
-                }
-                break;
-        default:
-                fatal("key_demote: bad key type %d", k->type);
-                break;
-        }
-
-        return (pk);
-}
+        int r;
+        Key *ret = NULL;
 
-int
-key_is_cert(const Key *k)
-{
-        if (k == NULL)
-                return 0;
-        return key_type_is_cert(k->type);
-}
-
-/* Return the cert-less equivalent to a certified key type */
-int
-key_type_plain(int type)
-{
-        switch (type) {
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                return KEY_RSA;
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                return KEY_DSA;
-        case KEY_ECDSA_CERT:
-                return KEY_ECDSA;
-        case KEY_ED25519_CERT:
-                return KEY_ED25519;
-        default:
-                return type;
-        }
+        if ((r = sshkey_demote(k, &ret)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
+        return ret;
 }
 
-/* Convert a plain key to their _CERT equivalent */
 int
 key_to_certified(Key *k, int legacy)
 {
-        switch (k->type) {
-        case KEY_RSA:
-                k->cert = cert_new();
-                k->type = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
-                return 0;
-        case KEY_DSA:
-                k->cert = cert_new();
-                k->type = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
-                return 0;
-        case KEY_ECDSA:
-                if (legacy)
-                        fatal("%s: legacy ECDSA certificates are not supported",
-                            __func__);
-                k->cert = cert_new();
-                k->type = KEY_ECDSA_CERT;
-                return 0;
-        case KEY_ED25519:
-                if (legacy)
-                        fatal("%s: legacy ED25519 certificates are not "
-                            "supported", __func__);
-                k->cert = cert_new();
-                k->type = KEY_ED25519_CERT;
-                return 0;
-        default:
-                error("%s: key has incorrect type %s", __func__, key_type(k));
+        int r;
+
+        if ((r = sshkey_to_certified(k, legacy)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
                 return -1;
         }
+        return 0;
 }
 
-/* Convert a certificate to its raw key equivalent */
 int
 key_drop_cert(Key *k)
 {
-        if (!key_type_is_cert(k->type)) {
-                error("%s: key has incorrect type %s", __func__, key_type(k));
+        int r;
+
+        if ((r = sshkey_drop_cert(k)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
                 return -1;
         }
-        cert_free(k->cert);
-        k->cert = NULL;
-        k->type = key_type_plain(k->type);
         return 0;
 }
 
-/* Sign a certified key, (re-)generating the signed certblob. */
 int
 key_certify(Key *k, Key *ca)
 {
-        Buffer principals;
-        u_char *ca_blob, *sig_blob, nonce[32];
-        u_int i, ca_len, sig_len;
-
-        if (k->cert == NULL) {
-                error("%s: key lacks cert info", __func__);
-                return -1;
-        }
-
-        if (!key_is_cert(k)) {
-                error("%s: certificate has unknown type %d", __func__,
-                    k->cert->type);
-                return -1;
-        }
-
-        if (!key_type_is_valid_ca(ca->type)) {
-                error("%s: CA key has unsupported type %s", __func__,
-                    key_type(ca));
-                return -1;
-        }
-
-        key_to_blob(ca, &ca_blob, &ca_len);
-
-        buffer_clear(&k->cert->certblob);
-        buffer_put_cstring(&k->cert->certblob, key_ssh_name(k));
-
-        /* -v01 certs put nonce first */
-        arc4random_buf(&nonce, sizeof(nonce));
-        if (!key_cert_is_legacy(k))
-                buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
-
-        /* XXX this substantially duplicates to_blob(); refactor */
-        switch (k->type) {
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                buffer_put_bignum2(&k->cert->certblob, k->dsa->p);
-                buffer_put_bignum2(&k->cert->certblob, k->dsa->q);
-                buffer_put_bignum2(&k->cert->certblob, k->dsa->g);
-                buffer_put_bignum2(&k->cert->certblob, k->dsa->pub_key);
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA_CERT:
-                buffer_put_cstring(&k->cert->certblob,
-                    key_curve_nid_to_name(k->ecdsa_nid));
-                buffer_put_ecpoint(&k->cert->certblob,
-                    EC_KEY_get0_group(k->ecdsa),
-                    EC_KEY_get0_public_key(k->ecdsa));
-                break;
-#endif
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                buffer_put_bignum2(&k->cert->certblob, k->rsa->e);
-                buffer_put_bignum2(&k->cert->certblob, k->rsa->n);
-                break;
-        case KEY_ED25519_CERT:
-                buffer_put_string(&k->cert->certblob,
-                    k->ed25519_pk, ED25519_PK_SZ);
-                break;
-        default:
-                error("%s: key has incorrect type %s", __func__, key_type(k));
-                buffer_clear(&k->cert->certblob);
-                free(ca_blob);
-                return -1;
-        }
-
-        /* -v01 certs have a serial number next */
-        if (!key_cert_is_legacy(k))
-                buffer_put_int64(&k->cert->certblob, k->cert->serial);
-
-        buffer_put_int(&k->cert->certblob, k->cert->type);
-        buffer_put_cstring(&k->cert->certblob, k->cert->key_id);
-
-        buffer_init(&principals);
-        for (i = 0; i < k->cert->nprincipals; i++)
-                buffer_put_cstring(&principals, k->cert->principals[i]);
-        buffer_put_string(&k->cert->certblob, buffer_ptr(&principals),
-            buffer_len(&principals));
-        buffer_free(&principals);
-
-        buffer_put_int64(&k->cert->certblob, k->cert->valid_after);
-        buffer_put_int64(&k->cert->certblob, k->cert->valid_before);
-        buffer_put_string(&k->cert->certblob,
-            buffer_ptr(&k->cert->critical), buffer_len(&k->cert->critical));
-
-        /* -v01 certs have non-critical options here */
-        if (!key_cert_is_legacy(k)) {
-                buffer_put_string(&k->cert->certblob,
-                    buffer_ptr(&k->cert->extensions),
-                    buffer_len(&k->cert->extensions));
-        }
-
-        /* -v00 certs put the nonce at the end */
-        if (key_cert_is_legacy(k))
-                buffer_put_string(&k->cert->certblob, nonce, sizeof(nonce));
-
-        buffer_put_string(&k->cert->certblob, NULL, 0); /* reserved */
-        buffer_put_string(&k->cert->certblob, ca_blob, ca_len);
-        free(ca_blob);
+        int r;
 
-        /* Sign the whole mess */
-        if (key_sign(ca, &sig_blob, &sig_len, buffer_ptr(&k->cert->certblob),
-            buffer_len(&k->cert->certblob)) != 0) {
-                error("%s: signature operation failed", __func__);
-                buffer_clear(&k->cert->certblob);
+        if ((r = sshkey_certify(k, ca)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
                 return -1;
         }
-        /* Append signature and we are done */
-        buffer_put_string(&k->cert->certblob, sig_blob, sig_len);
-        free(sig_blob);
-
         return 0;
 }
 
@@ -2091,535 +244,236 @@ int
 key_cert_check_authority(const Key *k, int want_host, int require_principal,
     const char *name, const char **reason)
 {
-        u_int i, principal_matches;
-        time_t now = time(NULL);
-
-        if (want_host) {
-                if (k->cert->type != SSH2_CERT_TYPE_HOST) {
-                        *reason = "Certificate invalid: not a host certificate";
-                        return -1;
-                }
-        } else {
-                if (k->cert->type != SSH2_CERT_TYPE_USER) {
-                        *reason = "Certificate invalid: not a user certificate";
-                        return -1;
-                }
-        }
-        if (now < 0) {
-                error("%s: system clock lies before epoch", __func__);
-                *reason = "Certificate invalid: not yet valid";
-                return -1;
-        }
-        if ((u_int64_t)now < k->cert->valid_after) {
-                *reason = "Certificate invalid: not yet valid";
-                return -1;
-        }
-        if ((u_int64_t)now >= k->cert->valid_before) {
-                *reason = "Certificate invalid: expired";
+        int r;
+
+        if ((r = sshkey_cert_check_authority(k, want_host, require_principal,
+            name, reason)) != 0) {
+                fatal_on_fatal_errors(r, __func__, 0);
+                error("%s: %s", __func__, ssh_err(r));
                 return -1;
         }
-        if (k->cert->nprincipals == 0) {
-                if (require_principal) {
-                        *reason = "Certificate lacks principal list";
-                        return -1;
-                }
-        } else if (name != NULL) {
-                principal_matches = 0;
-                for (i = 0; i < k->cert->nprincipals; i++) {
-                        if (strcmp(name, k->cert->principals[i]) == 0) {
-                                principal_matches = 1;
-                                break;
-                        }
-                }
-                if (!principal_matches) {
-                        *reason = "Certificate invalid: name is not a listed "
-                            "principal";
-                        return -1;
-                }
-        }
         return 0;
 }
 
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
 int
-key_cert_is_legacy(const Key *k)
+key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
 {
-        switch (k->type) {
-        case KEY_DSA_CERT_V00:
-        case KEY_RSA_CERT_V00:
-                return 1;
-        default:
-                return 0;
+        int r;
+
+        if ((r = sshkey_ec_validate_public(group, public)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                error("%s: %s", __func__, ssh_err(r));
+                return -1;
         }
+        return 0;
 }
 
-/* XXX: these are really begging for a table-driven approach */
 int
-key_curve_name_to_nid(const char *name)
+key_ec_validate_private(const EC_KEY *key)
 {
-#ifdef OPENSSL_HAS_ECC
-        if (strcmp(name, "nistp256") == 0)
-                return NID_X9_62_prime256v1;
-        else if (strcmp(name, "nistp384") == 0)
-                return NID_secp384r1;
-# ifdef OPENSSL_HAS_NISTP521
-        else if (strcmp(name, "nistp521") == 0)
-                return NID_secp521r1;
-# endif
-#endif
-
-        debug("%s: unsupported EC curve name \"%.100s\"", __func__, name);
-        return -1;
+        int r;
+
+        if ((r = sshkey_ec_validate_private(key)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                error("%s: %s", __func__, ssh_err(r));
+                return -1;
+        }
+        return 0;
 }
+#endif /* WITH_OPENSSL */
 
-u_int
-key_curve_nid_to_bits(int nid)
+void
+key_private_serialize(const Key *key, struct sshbuf *b)
 {
-        switch (nid) {
-#ifdef OPENSSL_HAS_ECC
-        case NID_X9_62_prime256v1:
-                return 256;
-        case NID_secp384r1:
-                return 384;
-# ifdef OPENSSL_HAS_NISTP521
-        case NID_secp521r1:
-                return 521;
-# endif
-#endif
-        default:
-                error("%s: unsupported EC curve nid %d", __func__, nid);
-                return 0;
-        }
+        int r;
+
+        if ((r = sshkey_private_serialize(key, b)) != 0)
+                fatal("%s: %s", __func__, ssh_err(r));
 }
 
-const char *
-key_curve_nid_to_name(int nid)
+Key *
+key_private_deserialize(struct sshbuf *blob)
 {
-#ifdef OPENSSL_HAS_ECC
-        if (nid == NID_X9_62_prime256v1)
-                return "nistp256";
-        else if (nid == NID_secp384r1)
-                return "nistp384";
-# ifdef OPENSSL_HAS_NISTP521
-        else if (nid == NID_secp521r1)
-                return "nistp521";
-# endif
-#endif
-        error("%s: unsupported EC curve nid %d", __func__, nid);
-        return NULL;
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_private_deserialize(blob, &ret)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                error("%s: %s", __func__, ssh_err(r));
+                return NULL;
+        }
+        return ret;
 }
 
-#ifdef OPENSSL_HAS_ECC
+/* authfile.c */
+
 int
-key_ec_nid_to_hash_alg(int nid)
+key_save_private(Key *key, const char *filename, const char *passphrase,
+    const char *comment, int force_new_format, const char *new_format_cipher,
+    int new_format_rounds)
 {
-        int kbits = key_curve_nid_to_bits(nid);
-
-        if (kbits == 0)
-                fatal("%s: invalid nid %d", __func__, nid);
-        /* RFC5656 section 6.2.1 */
-        if (kbits <= 256)
-                return SSH_DIGEST_SHA256;
-        else if (kbits <= 384)
-                return SSH_DIGEST_SHA384;
-        else
-                return SSH_DIGEST_SHA512;
+        int r;
+
+        if ((r = sshkey_save_private(key, filename, passphrase, comment,
+            force_new_format, new_format_cipher, new_format_rounds)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                error("%s: %s", __func__, ssh_err(r));
+                return 0;
+        }
+        return 1;
 }
 
 int
-key_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
+key_load_file(int fd, const char *filename, struct sshbuf *blob)
 {
-        BN_CTX *bnctx;
-        EC_POINT *nq = NULL;
-        BIGNUM *order, *x, *y, *tmp;
-        int ret = -1;
-
-        if ((bnctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new failed", __func__);
-        BN_CTX_start(bnctx);
-
-        /*
-         * We shouldn't ever hit this case because bignum_get_ecpoint()
-         * refuses to load GF2m points.
-         */
-        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
-            NID_X9_62_prime_field) {
-                error("%s: group is not a prime field", __func__);
-                goto out;
-        }
+        int r;
 
-        /* Q != infinity */
-        if (EC_POINT_is_at_infinity(group, public)) {
-                error("%s: received degenerate public key (infinity)",
-                    __func__);
-                goto out;
+        if ((r = sshkey_load_file(fd, filename, blob)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                error("%s: %s", __func__, ssh_err(r));
+                return 0;
         }
+        return 1;
+}
 
-        if ((x = BN_CTX_get(bnctx)) == NULL ||
-            (y = BN_CTX_get(bnctx)) == NULL ||
-            (order = BN_CTX_get(bnctx)) == NULL ||
-            (tmp = BN_CTX_get(bnctx)) == NULL)
-                fatal("%s: BN_CTX_get failed", __func__);
-
-        /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
-        if (EC_GROUP_get_order(group, order, bnctx) != 1)
-                fatal("%s: EC_GROUP_get_order failed", __func__);
-        if (EC_POINT_get_affine_coordinates_GFp(group, public,
-            x, y, bnctx) != 1)
-                fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
-        if (BN_num_bits(x) <= BN_num_bits(order) / 2) {
-                error("%s: public key x coordinate too small: "
-                    "bits(x) = %d, bits(order)/2 = %d", __func__,
-                    BN_num_bits(x), BN_num_bits(order) / 2);
-                goto out;
-        }
-        if (BN_num_bits(y) <= BN_num_bits(order) / 2) {
-                error("%s: public key y coordinate too small: "
-                    "bits(y) = %d, bits(order)/2 = %d", __func__,
-                    BN_num_bits(x), BN_num_bits(order) / 2);
-                goto out;
+Key *
+key_load_cert(const char *filename)
+{
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_load_cert(filename, &ret)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                /* Old authfile.c ignored all file errors. */
+                if (r == SSH_ERR_SYSTEM_ERROR)
+                        debug("%s: %s", __func__, ssh_err(r));
+                else
+                        error("%s: %s", __func__, ssh_err(r));
+                return NULL;
         }
+        return ret;
 
-        /* nQ == infinity (n == order of subgroup) */
-        if ((nq = EC_POINT_new(group)) == NULL)
-                fatal("%s: BN_CTX_tmp failed", __func__);
-        if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1)
-                fatal("%s: EC_GROUP_mul failed", __func__);
-        if (EC_POINT_is_at_infinity(group, nq) != 1) {
-                error("%s: received degenerate public key (nQ != infinity)",
-                    __func__);
-                goto out;
-        }
+}
 
-        /* x < order - 1, y < order - 1 */
-        if (!BN_sub(tmp, order, BN_value_one()))
-                fatal("%s: BN_sub failed", __func__);
-        if (BN_cmp(x, tmp) >= 0) {
-                error("%s: public key x coordinate >= group order - 1",
-                    __func__);
-                goto out;
-        }
-        if (BN_cmp(y, tmp) >= 0) {
-                error("%s: public key y coordinate >= group order - 1",
-                    __func__);
-                goto out;
+Key *
+key_load_public(const char *filename, char **commentp)
+{
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_load_public(filename, &ret, commentp)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                /* Old authfile.c ignored all file errors. */
+                if (r == SSH_ERR_SYSTEM_ERROR)
+                        debug("%s: %s", __func__, ssh_err(r));
+                else
+                        error("%s: %s", __func__, ssh_err(r));
+                return NULL;
         }
-        ret = 0;
- out:
-        BN_CTX_free(bnctx);
-        EC_POINT_free(nq);
         return ret;
 }
 
-int
-key_ec_validate_private(const EC_KEY *key)
-{
-        BN_CTX *bnctx;
-        BIGNUM *order, *tmp;
-        int ret = -1;
-
-        if ((bnctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new failed", __func__);
-        BN_CTX_start(bnctx);
-
-        if ((order = BN_CTX_get(bnctx)) == NULL ||
-            (tmp = BN_CTX_get(bnctx)) == NULL)
-                fatal("%s: BN_CTX_get failed", __func__);
-
-        /* log2(private) > log2(order)/2 */
-        if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1)
-                fatal("%s: EC_GROUP_get_order failed", __func__);
-        if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
-            BN_num_bits(order) / 2) {
-                error("%s: private key too small: "
-                    "bits(y) = %d, bits(order)/2 = %d", __func__,
-                    BN_num_bits(EC_KEY_get0_private_key(key)),
-                    BN_num_bits(order) / 2);
-                goto out;
+Key *
+key_load_private(const char *path, const char *passphrase,
+    char **commentp)
+{
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_load_private(path, passphrase, &ret, commentp)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                /* Old authfile.c ignored all file errors. */
+                if (r == SSH_ERR_SYSTEM_ERROR ||
+                    r == SSH_ERR_KEY_WRONG_PASSPHRASE)
+                        debug("%s: %s", __func__, ssh_err(r));
+                else
+                        error("%s: %s", __func__, ssh_err(r));
+                return NULL;
         }
+        return ret;
+}
 
-        /* private < order - 1 */
-        if (!BN_sub(tmp, order, BN_value_one()))
-                fatal("%s: BN_sub failed", __func__);
-        if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0) {
-                error("%s: private key >= group order - 1", __func__);
-                goto out;
+Key *
+key_load_private_cert(int type, const char *filename, const char *passphrase,
+    int *perm_ok)
+{
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_load_private_cert(type, filename, passphrase,
+            &ret, perm_ok)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                /* Old authfile.c ignored all file errors. */
+                if (r == SSH_ERR_SYSTEM_ERROR ||
+                    r == SSH_ERR_KEY_WRONG_PASSPHRASE)
+                        debug("%s: %s", __func__, ssh_err(r));
+                else
+                        error("%s: %s", __func__, ssh_err(r));
+                return NULL;
         }
-        ret = 0;
- out:
-        BN_CTX_free(bnctx);
         return ret;
 }
 
-#if defined(DEBUG_KEXECDH) || defined(DEBUG_PK)
-void
-key_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
-{
-        BIGNUM *x, *y;
-        BN_CTX *bnctx;
-
-        if (point == NULL) {
-                fputs("point=(NULL)\n", stderr);
-                return;
+Key *
+key_load_private_type(int type, const char *filename, const char *passphrase,
+    char **commentp, int *perm_ok)
+{
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_load_private_type(type, filename, passphrase,
+            &ret, commentp, perm_ok)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                /* Old authfile.c ignored all file errors. */
+                if (r == SSH_ERR_SYSTEM_ERROR ||
+                    (r == SSH_ERR_KEY_WRONG_PASSPHRASE))
+                        debug("%s: %s", __func__, ssh_err(r));
+                else
+                        error("%s: %s", __func__, ssh_err(r));
+                return NULL;
         }
-        if ((bnctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new failed", __func__);
-        BN_CTX_start(bnctx);
-        if ((x = BN_CTX_get(bnctx)) == NULL || (y = BN_CTX_get(bnctx)) == NULL)
-                fatal("%s: BN_CTX_get failed", __func__);
-        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
-            NID_X9_62_prime_field)
-                fatal("%s: group is not a prime field", __func__);
-        if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y, bnctx) != 1)
-                fatal("%s: EC_POINT_get_affine_coordinates_GFp", __func__);
-        fputs("x=", stderr);
-        BN_print_fp(stderr, x);
-        fputs("\ny=", stderr);
-        BN_print_fp(stderr, y);
-        fputs("\n", stderr);
-        BN_CTX_free(bnctx);
+        return ret;
 }
 
-void
-key_dump_ec_key(const EC_KEY *key)
-{
-        const BIGNUM *exponent;
-
-        key_dump_ec_point(EC_KEY_get0_group(key), EC_KEY_get0_public_key(key));
-        fputs("exponent=", stderr);
-        if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
-                fputs("(NULL)", stderr);
-        else
-                BN_print_fp(stderr, EC_KEY_get0_private_key(key));
-        fputs("\n", stderr);
+#ifdef WITH_OPENSSL
+Key *
+key_load_private_pem(int fd, int type, const char *passphrase,
+    char **commentp)
+{
+        int r;
+        Key *ret = NULL;
+
+        if ((r = sshkey_load_private_pem(fd, type, passphrase,
+             &ret, commentp)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                if (r == SSH_ERR_KEY_WRONG_PASSPHRASE)
+                        debug("%s: %s", __func__, ssh_err(r));
+                else
+                        error("%s: %s", __func__, ssh_err(r));
+                return NULL;
+        }
+        return ret;
 }
-#endif /* defined(DEBUG_KEXECDH) || defined(DEBUG_PK) */
-#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
 
-void
-key_private_serialize(const Key *key, Buffer *b)
+int
+key_perm_ok(int fd, const char *filename)
 {
-        buffer_put_cstring(b, key_ssh_name(key));
-        switch (key->type) {
-        case KEY_RSA:
-                buffer_put_bignum2(b, key->rsa->n);
-                buffer_put_bignum2(b, key->rsa->e);
-                buffer_put_bignum2(b, key->rsa->d);
-                buffer_put_bignum2(b, key->rsa->iqmp);
-                buffer_put_bignum2(b, key->rsa->p);
-                buffer_put_bignum2(b, key->rsa->q);
-                break;
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
-                        fatal("%s: no cert/certblob", __func__);
-                buffer_put_string(b, buffer_ptr(&key->cert->certblob),
-                    buffer_len(&key->cert->certblob));
-                buffer_put_bignum2(b, key->rsa->d);
-                buffer_put_bignum2(b, key->rsa->iqmp);
-                buffer_put_bignum2(b, key->rsa->p);
-                buffer_put_bignum2(b, key->rsa->q);
-                break;
-        case KEY_DSA:
-                buffer_put_bignum2(b, key->dsa->p);
-                buffer_put_bignum2(b, key->dsa->q);
-                buffer_put_bignum2(b, key->dsa->g);
-                buffer_put_bignum2(b, key->dsa->pub_key);
-                buffer_put_bignum2(b, key->dsa->priv_key);
-                break;
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
-                        fatal("%s: no cert/certblob", __func__);
-                buffer_put_string(b, buffer_ptr(&key->cert->certblob),
-                    buffer_len(&key->cert->certblob));
-                buffer_put_bignum2(b, key->dsa->priv_key);
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-                buffer_put_cstring(b, key_curve_nid_to_name(key->ecdsa_nid));
-                buffer_put_ecpoint(b, EC_KEY_get0_group(key->ecdsa),
-                    EC_KEY_get0_public_key(key->ecdsa));
-                buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
-                break;
-        case KEY_ECDSA_CERT:
-                if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
-                        fatal("%s: no cert/certblob", __func__);
-                buffer_put_string(b, buffer_ptr(&key->cert->certblob),
-                    buffer_len(&key->cert->certblob));
-                buffer_put_bignum2(b, EC_KEY_get0_private_key(key->ecdsa));
-                break;
-#endif /* OPENSSL_HAS_ECC */
-        case KEY_ED25519:
-                buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
-                buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
-                break;
-        case KEY_ED25519_CERT:
-                if (key->cert == NULL || buffer_len(&key->cert->certblob) == 0)
-                        fatal("%s: no cert/certblob", __func__);
-                buffer_put_string(b, buffer_ptr(&key->cert->certblob),
-                    buffer_len(&key->cert->certblob));
-                buffer_put_string(b, key->ed25519_pk, ED25519_PK_SZ);
-                buffer_put_string(b, key->ed25519_sk, ED25519_SK_SZ);
-                break;
-        }
+        return sshkey_perm_ok(fd, filename) == 0 ? 1 : 0;
 }
 
-Key *
-key_private_deserialize(Buffer *blob)
+int
+key_in_file(Key *key, const char *filename, int strict_type)
 {
-        char *type_name;
-        Key *k = NULL;
-        u_char *cert;
-        u_int len, pklen, sklen;
-        int type;
-#ifdef OPENSSL_HAS_ECC
-        char *curve;
-        BIGNUM *exponent;
-        EC_POINT *q;
-#endif
-
-        type_name = buffer_get_string(blob, NULL);
-        type = key_type_from_name(type_name);
-        switch (type) {
-        case KEY_DSA:
-                k = key_new_private(type);
-                buffer_get_bignum2(blob, k->dsa->p);
-                buffer_get_bignum2(blob, k->dsa->q);
-                buffer_get_bignum2(blob, k->dsa->g);
-                buffer_get_bignum2(blob, k->dsa->pub_key);
-                buffer_get_bignum2(blob, k->dsa->priv_key);
-                break;
-        case KEY_DSA_CERT_V00:
-        case KEY_DSA_CERT:
-                cert = buffer_get_string(blob, &len);
-                if ((k = key_from_blob(cert, len)) == NULL)
-                        fatal("Certificate parse failed");
-                free(cert);
-                key_add_private(k);
-                buffer_get_bignum2(blob, k->dsa->priv_key);
-                break;
-#ifdef OPENSSL_HAS_ECC
-        case KEY_ECDSA:
-                k = key_new_private(type);
-                k->ecdsa_nid = key_ecdsa_nid_from_name(type_name);
-                curve = buffer_get_string(blob, NULL);
-                if (k->ecdsa_nid != key_curve_name_to_nid(curve))
-                        fatal("%s: curve names mismatch", __func__);
-                free(curve);
-                k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
-                if (k->ecdsa == NULL)
-                        fatal("%s: EC_KEY_new_by_curve_name failed",
-                            __func__);
-                q = EC_POINT_new(EC_KEY_get0_group(k->ecdsa));
-                if (q == NULL)
-                        fatal("%s: BN_new failed", __func__);
-                if ((exponent = BN_new()) == NULL)
-                        fatal("%s: BN_new failed", __func__);
-                buffer_get_ecpoint(blob,
-                        EC_KEY_get0_group(k->ecdsa), q);
-                buffer_get_bignum2(blob, exponent);
-                if (EC_KEY_set_public_key(k->ecdsa, q) != 1)
-                        fatal("%s: EC_KEY_set_public_key failed",
-                            __func__);
-                if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
-                        fatal("%s: EC_KEY_set_private_key failed",
-                            __func__);
-                if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
-                    EC_KEY_get0_public_key(k->ecdsa)) != 0)
-                        fatal("%s: bad ECDSA public key", __func__);
-                if (key_ec_validate_private(k->ecdsa) != 0)
-                        fatal("%s: bad ECDSA private key", __func__);
-                BN_clear_free(exponent);
-                EC_POINT_free(q);
-                break;
-        case KEY_ECDSA_CERT:
-                cert = buffer_get_string(blob, &len);
-                if ((k = key_from_blob(cert, len)) == NULL)
-                        fatal("Certificate parse failed");
-                free(cert);
-                key_add_private(k);
-                if ((exponent = BN_new()) == NULL)
-                        fatal("%s: BN_new failed", __func__);
-                buffer_get_bignum2(blob, exponent);
-                if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1)
-                        fatal("%s: EC_KEY_set_private_key failed",
-                            __func__);
-                if (key_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
-                    EC_KEY_get0_public_key(k->ecdsa)) != 0 ||
-                    key_ec_validate_private(k->ecdsa) != 0)
-                        fatal("%s: bad ECDSA key", __func__);
-                BN_clear_free(exponent);
-                break;
-#endif
-        case KEY_RSA:
-                k = key_new_private(type);
-                buffer_get_bignum2(blob, k->rsa->n);
-                buffer_get_bignum2(blob, k->rsa->e);
-                buffer_get_bignum2(blob, k->rsa->d);
-                buffer_get_bignum2(blob, k->rsa->iqmp);
-                buffer_get_bignum2(blob, k->rsa->p);
-                buffer_get_bignum2(blob, k->rsa->q);
-
-                /* Generate additional parameters */
-                rsa_generate_additional_parameters(k->rsa);
-                break;
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-                cert = buffer_get_string(blob, &len);
-                if ((k = key_from_blob(cert, len)) == NULL)
-                        fatal("Certificate parse failed");
-                free(cert);
-                key_add_private(k);
-                buffer_get_bignum2(blob, k->rsa->d);
-                buffer_get_bignum2(blob, k->rsa->iqmp);
-                buffer_get_bignum2(blob, k->rsa->p);
-                buffer_get_bignum2(blob, k->rsa->q);
-                break;
-        case KEY_ED25519:
-                k = key_new_private(type);
-                k->ed25519_pk = buffer_get_string(blob, &pklen);
-                k->ed25519_sk = buffer_get_string(blob, &sklen);
-                if (pklen != ED25519_PK_SZ)
-                        fatal("%s: ed25519 pklen %d != %d",
-                            __func__, pklen, ED25519_PK_SZ);
-                if (sklen != ED25519_SK_SZ)
-                        fatal("%s: ed25519 sklen %d != %d",
-                            __func__, sklen, ED25519_SK_SZ);
-                break;
-        case KEY_ED25519_CERT:
-                cert = buffer_get_string(blob, &len);
-                if ((k = key_from_blob(cert, len)) == NULL)
-                        fatal("Certificate parse failed");
-                free(cert);
-                key_add_private(k);
-                k->ed25519_pk = buffer_get_string(blob, &pklen);
-                k->ed25519_sk = buffer_get_string(blob, &sklen);
-                if (pklen != ED25519_PK_SZ)
-                        fatal("%s: ed25519 pklen %d != %d",
-                            __func__, pklen, ED25519_PK_SZ);
-                if (sklen != ED25519_SK_SZ)
-                        fatal("%s: ed25519 sklen %d != %d",
-                            __func__, sklen, ED25519_SK_SZ);
-                break;
-        default:
-                free(type_name);
-                buffer_clear(blob);
-                return NULL;
-        }
-        free(type_name);
-
-        /* enable blinding */
-        switch (k->type) {
-        case KEY_RSA:
-        case KEY_RSA_CERT_V00:
-        case KEY_RSA_CERT:
-        case KEY_RSA1:
-                if (RSA_blinding_on(k->rsa, NULL) != 1) {
-                        error("%s: RSA_blinding_on failed", __func__);
-                        key_free(k);
-                        return NULL;
-                }
-                break;
+        int r;
+
+        if ((r = sshkey_in_file(key, filename, strict_type)) != 0) {
+                fatal_on_fatal_errors(r, __func__, SSH_ERR_LIBCRYPTO_ERROR);
+                if (r == SSH_ERR_SYSTEM_ERROR && errno == ENOENT)
+                        return 0;
+                error("%s: %s", __func__, ssh_err(r));
+                return r == SSH_ERR_KEY_NOT_FOUND ? 0 : -1;
         }
-        return k;
+        return 1;
 }
diff --git a/key.h b/key.h
index d8ad13d08..c6401a576 100644
--- a/key.h
+++ b/key.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.h,v 1.41 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: key.h,v 1.42 2014/06/24 01:13:21 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -26,141 +26,86 @@
 #ifndef KEY_H
 #define KEY_H
 
-#include "buffer.h"
-#include <openssl/rsa.h>
-#include <openssl/dsa.h>
-#ifdef OPENSSL_HAS_ECC
-#include <openssl/ec.h>
+#include "sshkey.h"
+
+typedef struct sshkey Key;
+
+#define types sshkey_types
+#define fp_type sshkey_fp_type
+#define fp_rep sshkey_fp_rep
+
+#ifndef SSH_KEY_NO_DEFINE
+#define key_new                 sshkey_new
+#define key_free                sshkey_free
+#define key_equal_public        sshkey_equal_public
+#define key_equal               sshkey_equal
+#define key_fingerprint         sshkey_fingerprint
+#define key_type                sshkey_type
+#define key_cert_type           sshkey_cert_type
+#define key_ssh_name            sshkey_ssh_name
+#define key_ssh_name_plain      sshkey_ssh_name_plain
+#define key_type_from_name      sshkey_type_from_name
+#define key_ecdsa_nid_from_name sshkey_ecdsa_nid_from_name
+#define key_type_is_cert        sshkey_type_is_cert
+#define key_size                sshkey_size
+#define key_ecdsa_bits_to_nid   sshkey_ecdsa_bits_to_nid
+#define key_ecdsa_key_to_nid    sshkey_ecdsa_key_to_nid
+#define key_names_valid2        sshkey_names_valid2
+#define key_is_cert             sshkey_is_cert
+#define key_type_plain          sshkey_type_plain
+#define key_cert_is_legacy      sshkey_cert_is_legacy
+#define key_curve_name_to_nid   sshkey_curve_name_to_nid
+#define key_curve_nid_to_bits   sshkey_curve_nid_to_bits
+#define key_curve_nid_to_name   sshkey_curve_nid_to_name
+#define key_ec_nid_to_hash_alg  sshkey_ec_nid_to_hash_alg
+#define key_dump_ec_point       sshkey_dump_ec_point
+#define key_dump_ec_key         sshkey_dump_ec_key
+#define key_fingerprint         sshkey_fingerprint
 #endif
 
-typedef struct Key Key;
-enum types {
-        KEY_RSA1,
-        KEY_RSA,
-        KEY_DSA,
-        KEY_ECDSA,
-        KEY_ED25519,
-        KEY_RSA_CERT,
-        KEY_DSA_CERT,
-        KEY_ECDSA_CERT,
-        KEY_ED25519_CERT,
-        KEY_RSA_CERT_V00,
-        KEY_DSA_CERT_V00,
-        KEY_UNSPEC
-};
-enum fp_type {
-        SSH_FP_SHA1,
-        SSH_FP_MD5,
-        SSH_FP_SHA256
-};
-enum fp_rep {
-        SSH_FP_HEX,
-        SSH_FP_BUBBLEBABBLE,
-        SSH_FP_RANDOMART
-};
-
-/* key is stored in external hardware */
-#define KEY_FLAG_EXT            0x0001
-
-#define CERT_MAX_PRINCIPALS     256
-struct KeyCert {
-        Buffer           certblob; /* Kept around for use on wire */
-        u_int            type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
-        u_int64_t        serial;
-        char            *key_id;
-        u_int            nprincipals;
-        char            **principals;
-        u_int64_t        valid_after, valid_before;
-        Buffer           critical;
-        Buffer           extensions;
-        Key             *signature_key;
-};
-
-struct Key {
-        int      type;
-        int      flags;
-        RSA     *rsa;
-        DSA     *dsa;
-        int      ecdsa_nid;     /* NID of curve */
-#ifdef OPENSSL_HAS_ECC
-        EC_KEY  *ecdsa;
-#else
-        void    *ecdsa;
-#endif
-        struct KeyCert *cert;
-        u_char  *ed25519_sk;
-        u_char  *ed25519_pk;
-};
-
-#define ED25519_SK_SZ   crypto_sign_ed25519_SECRETKEYBYTES
-#define ED25519_PK_SZ   crypto_sign_ed25519_PUBLICKEYBYTES
-
-Key             *key_new(int);
-void             key_add_private(Key *);
-Key             *key_new_private(int);
-void             key_free(Key *);
-Key             *key_demote(const Key *);
-int              key_equal_public(const Key *, const Key *);
-int              key_equal(const Key *, const Key *);
-char            *key_fingerprint(const Key *, enum fp_type, enum fp_rep);
-u_char          *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
-const char      *key_type(const Key *);
-const char      *key_cert_type(const Key *);
-int              key_write(const Key *, FILE *);
-int              key_read(Key *, char **);
-u_int            key_size(const Key *);
+void     key_add_private(Key *);
+Key     *key_new_private(int);
+void     key_free(Key *);
+Key     *key_demote(const Key *);
+u_char  *key_fingerprint_raw(const Key *, enum fp_type, u_int *);
+int      key_write(const Key *, FILE *);
+int      key_read(Key *, char **);
 
 Key     *key_generate(int, u_int);
 Key     *key_from_private(const Key *);
-int      key_type_from_name(char *);
-int      key_is_cert(const Key *);
-int      key_type_is_cert(int);
-int      key_type_plain(int);
 int      key_to_certified(Key *, int);
 int      key_drop_cert(Key *);
 int      key_certify(Key *, Key *);
-void     key_cert_copy(const Key *, struct Key *);
+void     key_cert_copy(const Key *, Key *);
 int      key_cert_check_authority(const Key *, int, int, const char *,
             const char **);
-int      key_cert_is_legacy(const Key *);
+char    *key_alg_list(int, int);
 
-int              key_ecdsa_nid_from_name(const char *);
-int              key_curve_name_to_nid(const char *);
-const char      *key_curve_nid_to_name(int);
-u_int            key_curve_nid_to_bits(int);
-int              key_ecdsa_bits_to_nid(int);
-#ifdef OPENSSL_HAS_ECC
-int              key_ecdsa_key_to_nid(EC_KEY *);
-int              key_ec_nid_to_hash_alg(int nid);
-int              key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
-int              key_ec_validate_private(const EC_KEY *);
-#endif
-char            *key_alg_list(int, int);
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+int      key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
+int      key_ec_validate_private(const EC_KEY *);
+#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
 
-Key             *key_from_blob(const u_char *, u_int);
-int              key_to_blob(const Key *, u_char **, u_int *);
-const char      *key_ssh_name(const Key *);
-const char      *key_ssh_name_plain(const Key *);
-int              key_names_valid2(const char *);
+Key     *key_from_blob(const u_char *, u_int);
+int      key_to_blob(const Key *, u_char **, u_int *);
 
 int      key_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
 int      key_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
 
-int      ssh_dss_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int      ssh_dss_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-int      ssh_ecdsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int      ssh_ecdsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-int      ssh_rsa_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int      ssh_rsa_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-int      ssh_ed25519_sign(const Key *, u_char **, u_int *, const u_char *, u_int);
-int      ssh_ed25519_verify(const Key *, const u_char *, u_int, const u_char *, u_int);
-
-#if defined(OPENSSL_HAS_ECC) && (defined(DEBUG_KEXECDH) || defined(DEBUG_PK))
-void    key_dump_ec_point(const EC_GROUP *, const EC_POINT *);
-void    key_dump_ec_key(const EC_KEY *);
-#endif
-
-void     key_private_serialize(const Key *, Buffer *);
-Key     *key_private_deserialize(Buffer *);
+void     key_private_serialize(const Key *, struct sshbuf *);
+Key     *key_private_deserialize(struct sshbuf *);
+
+/* authfile.c */
+int      key_save_private(Key *, const char *, const char *, const char *,
+    int, const char *, int);
+int      key_load_file(int, const char *, struct sshbuf *);
+Key     *key_load_cert(const char *);
+Key     *key_load_public(const char *, char **);
+Key     *key_load_private(const char *, const char *, char **);
+Key     *key_load_private_cert(int, const char *, const char *, int *);
+Key     *key_load_private_type(int, const char *, const char *, char **, int *);
+Key     *key_load_private_pem(int, int, const char *, char **);
+int      key_perm_ok(int, const char *);
+int      key_in_file(Key *, const char *, int);
 
 #endif
diff --git a/krl.c b/krl.c
index 3b4cded05..eb31df90f 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.14 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: krl.c,v 1.17 2014/06/24 01:13:21 djm Exp $ */
 
 #include "includes.h"
 
@@ -366,7 +366,7 @@ plain_key_blob(const Key *key, u_char **blob, u_int *blen)
         }
         r = key_to_blob(kcopy, blob, blen);
         free(kcopy);
-        return r == 0 ? -1 : 0;
+        return r;
 }
 
 /* Revoke a key blob. Ownership of blob is transferred to the tree */
@@ -394,7 +394,7 @@ ssh_krl_revoke_key_explicit(struct ssh_krl *krl, const Key *key)
         u_int len;
 
         debug3("%s: revoke type %s", __func__, key_type(key));
-        if (plain_key_blob(key, &blob, &len) != 0)
+        if (plain_key_blob(key, &blob, &len) < 0)
                 return -1;
         return revoke_blob(&krl->revoked_keys, blob, len);
 }
@@ -575,6 +575,7 @@ revoked_certs_generate(struct revoked_certs *rc, Buffer *buf)
                         buffer_put_char(buf, state);
                         buffer_put_string(buf,
                             buffer_ptr(&sect), buffer_len(&sect));
+                        buffer_clear(&sect);
                 }
 
                 /* If we are starting a new section then prepare it now */
@@ -753,7 +754,8 @@ static int
 parse_revoked_certs(Buffer *buf, struct ssh_krl *krl)
 {
         int ret = -1, nbits;
-        u_char type, *blob;
+        u_char type;
+        const u_char *blob;
         u_int blen;
         Buffer subsect;
         u_int64_t serial, serial_lo, serial_hi;
@@ -887,7 +889,8 @@ ssh_krl_from_blob(Buffer *buf, struct ssh_krl **krlp,
         char timestamp[64];
         int ret = -1, r, sig_seen;
         Key *key = NULL, **ca_used = NULL;
-        u_char type, *blob, *rdata = NULL;
+        u_char type, *rdata = NULL;
+        const u_char *blob;
         u_int i, j, sig_off, sects_off, rlen, blen, format_version, nca_used;
 
         nca_used = 0;
@@ -1127,7 +1130,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
 
         /* Next, explicit keys */
         memset(&rb, 0, sizeof(rb));
-        if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
+        if (plain_key_blob(key, &rb.blob, &rb.len) < 0)
                 return -1;
         erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
         free(rb.blob);
diff --git a/mac.c b/mac.c
index 097757213..402dc984c 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.28 2014/02/07 06:55:54 djm Exp $ */
+/* $OpenBSD: mac.c,v 1.30 2014/04/30 19:07:48 naddy Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -175,7 +175,8 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
                 u_char m[EVP_MAX_MD_SIZE];
                 u_int64_t for_align;
         } u;
-        u_char b[4], nonce[8];
+        u_char b[4];
+        u_char nonce[8];
 
         if (mac->mac_len > sizeof(u))
                 fatal("mac_compute: mac too long %u %zu",
diff --git a/misc.c b/misc.c
index e4c8c3238..94b05b08e 100644
--- a/misc.c
+++ b/misc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.c,v 1.92 2013/10/14 23:28:23 djm Exp $ */
+/* $OpenBSD: misc.c,v 1.94 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2005,2006 Damien Miller.  All rights reserved.
@@ -29,6 +29,7 @@
 #include <sys/types.h>
 #include <sys/ioctl.h>
 #include <sys/socket.h>
+#include <sys/un.h>
 #include <sys/param.h>
 
 #include <stdarg.h>
@@ -788,6 +789,20 @@ get_u32(const void *vp)
         return (v);
 }
 
+u_int32_t
+get_u32_le(const void *vp)
+{
+        const u_char *p = (const u_char *)vp;
+        u_int32_t v;
+
+        v  = (u_int32_t)p[0];
+        v |= (u_int32_t)p[1] << 8;
+        v |= (u_int32_t)p[2] << 16;
+        v |= (u_int32_t)p[3] << 24;
+
+        return (v);
+}
+
 u_int16_t
 get_u16(const void *vp)
 {
@@ -826,6 +841,16 @@ put_u32(void *vp, u_int32_t v)
         p[3] = (u_char)v & 0xff;
 }
 
+void
+put_u32_le(void *vp, u_int32_t v)
+{
+        u_char *p = (u_char *)vp;
+
+        p[0] = (u_char)v & 0xff;
+        p[1] = (u_char)(v >> 8) & 0xff;
+        p[2] = (u_char)(v >> 16) & 0xff;
+        p[3] = (u_char)(v >> 24) & 0xff;
+}
 
 void
 put_u16(void *vp, u_int16_t v)
@@ -858,17 +883,24 @@ ms_to_timeval(struct timeval *tv, int ms)
 time_t
 monotime(void)
 {
-#if defined(HAVE_CLOCK_GETTIME) && defined(CLOCK_MONOTONIC)
+#if defined(HAVE_CLOCK_GETTIME) && \
+    (defined(CLOCK_MONOTONIC) || defined(CLOCK_BOOTTIME))
         struct timespec ts;
         static int gettime_failed = 0;
 
         if (!gettime_failed) {
+#if defined(CLOCK_BOOTTIME)
+                if (clock_gettime(CLOCK_BOOTTIME, &ts) == 0)
+                        return (ts.tv_sec);
+#endif
+#if defined(CLOCK_MONOTONIC)
                 if (clock_gettime(CLOCK_MONOTONIC, &ts) == 0)
                         return (ts.tv_sec);
+#endif
                 debug3("clock_gettime: %s", strerror(errno));
                 gettime_failed = 1;
         }
-#endif
+#endif /* HAVE_CLOCK_GETTIME && (CLOCK_MONOTONIC || CLOCK_BOOTTIME */
 
         return time(NULL);
 }
@@ -1025,6 +1057,53 @@ lowercase(char *s)
         for (; *s; s++)
                 *s = tolower((u_char)*s);
 }
+
+int
+unix_listener(const char *path, int backlog, int unlink_first)
+{
+        struct sockaddr_un sunaddr;
+        int saved_errno, sock;
+
+        memset(&sunaddr, 0, sizeof(sunaddr));
+        sunaddr.sun_family = AF_UNIX;
+        if (strlcpy(sunaddr.sun_path, path, sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) {
+                error("%s: \"%s\" too long for Unix domain socket", __func__,
+                    path);
+                errno = ENAMETOOLONG;
+                return -1;
+        }
+
+        sock = socket(PF_UNIX, SOCK_STREAM, 0);
+        if (sock < 0) {
+                saved_errno = errno;
+                error("socket: %.100s", strerror(errno));
+                errno = saved_errno;
+                return -1;
+        }
+        if (unlink_first == 1) {
+                if (unlink(path) != 0 && errno != ENOENT)
+                        error("unlink(%s): %.100s", path, strerror(errno));
+        }
+        if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
+                saved_errno = errno;
+                error("bind: %.100s", strerror(errno));
+                close(sock);
+                error("%s: cannot bind to path: %s", __func__, path);
+                errno = saved_errno;
+                return -1;
+        }
+        if (listen(sock, backlog) < 0) {
+                saved_errno = errno;
+                error("listen: %.100s", strerror(errno));
+                close(sock);
+                unlink(path);
+                error("%s: cannot listen on path: %s", __func__, path);
+                errno = saved_errno;
+                return -1;
+        }
+        return sock;
+}
+
 void
 sock_set_v6only(int s)
 {
diff --git a/misc.h b/misc.h
index d4df619cd..374c33ce1 100644
--- a/misc.h
+++ b/misc.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: misc.h,v 1.50 2013/10/14 23:28:23 djm Exp $ */
+/* $OpenBSD: misc.h,v 1.54 2014/07/15 15:54:14 millert Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -15,6 +15,25 @@
 #ifndef _MISC_H
 #define _MISC_H
 
+/* Data structure for representing a forwarding request. */
+struct Forward {
+        char     *listen_host;          /* Host (address) to listen on. */
+        int       listen_port;          /* Port to forward. */
+        char     *listen_path;          /* Path to bind domain socket. */
+        char     *connect_host;         /* Host to connect. */
+        int       connect_port;         /* Port to connect on connect_host. */
+        char     *connect_path;         /* Path to connect domain socket. */
+        int       allocated_port;       /* Dynamically allocated listen port */
+        int       handle;               /* Handle for dynamic listen ports */
+};
+
+/* Common server and client forwarding options. */
+struct ForwardOptions {
+        int      gateway_ports; /* Allow remote connects to forwarded ports. */
+        mode_t   streamlocal_bind_mask; /* umask for streamlocal binds */
+        int      streamlocal_bind_unlink; /* unlink socket before bind */
+};
+
 /* misc.c */
 
 char    *chop(char *);
@@ -37,6 +56,7 @@ void	 ms_subtract_diff(struct timeval *, int *);
 void     ms_to_timeval(struct timeval *, int);
 time_t   monotime(void);
 void     lowercase(char *s);
+int      unix_listener(const char *, int, int);
 
 void     sock_set_v6only(int);
 
@@ -68,6 +88,9 @@ int	 tun_open(int, int);
 #define SSH_TUNID_ERR           (SSH_TUNID_ANY - 1)
 #define SSH_TUNID_MAX           (SSH_TUNID_ANY - 2)
 
+/* Fake port to indicate that host field is really a path. */
+#define PORT_STREAMLOCAL        -2
+
 /* Functions to extract or store big-endian words of various sizes */
 u_int64_t       get_u64(const void *)
     __attribute__((__bounded__( __minbytes__, 1, 8)));
@@ -82,6 +105,12 @@ void		put_u32(void *, u_int32_t)
 void            put_u16(void *, u_int16_t)
     __attribute__((__bounded__( __minbytes__, 1, 2)));
 
+/* Little-endian store/load, used by umac.c */
+u_int32_t       get_u32_le(const void *)
+    __attribute__((__bounded__(__minbytes__, 1, 4)));
+void            put_u32_le(void *, u_int32_t)
+    __attribute__((__bounded__(__minbytes__, 1, 4)));
+
 struct bwlimit {
         size_t buflen;
         u_int64_t rate, thresh, lamt;
diff --git a/moduli.0 b/moduli.0
index 7d678b459..d9aaadba9 100644
--- a/moduli.0
+++ b/moduli.0
@@ -1,4 +1,4 @@
-MODULI(5)                 OpenBSD Programmer's Manual                MODULI(5)
+MODULI(5)                     File Formats Manual                    MODULI(5)
 
 NAME
      moduli - Diffie-Hellman moduli
@@ -71,4 +71,4 @@ STANDARDS
      the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
      2006.
 
-OpenBSD 5.5                   September 26, 2012                   OpenBSD 5.5
+OpenBSD 5.6                   September 26, 2012                   OpenBSD 5.6
diff --git a/monitor.c b/monitor.c
index 531c4f9a8..dbe29f128 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: monitor.c,v 1.135 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -40,9 +40,10 @@
 #endif
 #include <pwd.h>
 #include <signal.h>
-#include <stdarg.h>
 #include <stdlib.h>
 #include <string.h>
+#include <stdarg.h>
+#include <stdio.h>
 #include <unistd.h>
 #ifdef HAVE_POLL_H
 #include <poll.h>
@@ -56,7 +57,9 @@
 #include <skey.h>
 #endif
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
+#endif
 
 #include "openbsd-compat/sys-queue.h"
 #include "atomicio.h"
@@ -84,6 +87,7 @@
 #include "sshlogin.h"
 #include "canohost.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "monitor.h"
 #include "monitor_mm.h"
@@ -92,7 +96,6 @@
 #endif
 #include "monitor_wrap.h"
 #include "monitor_fdpass.h"
-#include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
 #include "roaming.h"
@@ -185,7 +188,10 @@ int mm_answer_audit_command(int, Buffer *);
 static int monitor_read_log(struct monitor *);
 
 static Authctxt *authctxt;
+
+#ifdef WITH_SSH1
 static BIGNUM *ssh1_challenge = NULL;   /* used for ssh1 rsa auth */
+#endif
 
 /* local state for key verify */
 static u_char *key_blob = NULL;
@@ -215,7 +221,9 @@ struct mon_table {
 #define MON_PERMIT      0x1000  /* Request is permitted */
 
 struct mon_table mon_dispatch_proto20[] = {
+#ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, MON_ONCE, mm_answer_moduli},
+#endif
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -252,7 +260,9 @@ struct mon_table mon_dispatch_proto20[] = {
 };
 
 struct mon_table mon_dispatch_postauth20[] = {
+#ifdef WITH_OPENSSL
     {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
+#endif
     {MONITOR_REQ_SIGN, 0, mm_answer_sign},
     {MONITOR_REQ_PTY, 0, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, 0, mm_answer_pty_cleanup},
@@ -265,6 +275,7 @@ struct mon_table mon_dispatch_postauth20[] = {
 };
 
 struct mon_table mon_dispatch_proto15[] = {
+#ifdef WITH_SSH1
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_SESSKEY, MON_ONCE, mm_answer_sesskey},
     {MONITOR_REQ_SESSID, MON_ONCE, mm_answer_sessid},
@@ -292,10 +303,12 @@ struct mon_table mon_dispatch_proto15[] = {
 #ifdef SSH_AUDIT_EVENTS
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
 #endif
+#endif /* WITH_SSH1 */
     {0, 0, NULL}
 };
 
 struct mon_table mon_dispatch_postauth15[] = {
+#ifdef WITH_SSH1
     {MONITOR_REQ_PTY, MON_ONCE, mm_answer_pty},
     {MONITOR_REQ_PTYCLEANUP, MON_ONCE, mm_answer_pty_cleanup},
     {MONITOR_REQ_TERM, 0, mm_answer_term},
@@ -303,6 +316,7 @@ struct mon_table mon_dispatch_postauth15[] = {
     {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
     {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
 #endif
+#endif /* WITH_SSH1 */
     {0, 0, NULL}
 };
 
@@ -457,6 +471,9 @@ monitor_child_postauth(struct monitor *pmonitor)
         signal(SIGHUP, &monitor_child_handler);
         signal(SIGTERM, &monitor_child_handler);
         signal(SIGINT, &monitor_child_handler);
+#ifdef SIGXFSZ
+        signal(SIGXFSZ, SIG_IGN);
+#endif
 
         if (compat20) {
                 mon_dispatch = mon_dispatch_postauth20;
@@ -630,6 +647,7 @@ monitor_reset_key_state(void)
         hostbased_chost = NULL;
 }
 
+#ifdef WITH_OPENSSL
 int
 mm_answer_moduli(int sock, Buffer *m)
 {
@@ -664,6 +682,7 @@ mm_answer_moduli(int sock, Buffer *m)
         mm_request_send(sock, MONITOR_ANS_MODULI, m);
         return (0);
 }
+#endif
 
 extern AuthenticationConnection *auth_conn;
 
@@ -1166,6 +1185,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
                             cuser, chost);
                         auth_method = "hostbased";
                         break;
+#ifdef WITH_SSH1
                 case MM_RSAHOSTKEY:
                         key->type = KEY_RSA1; /* XXX */
                         allowed = options.rhosts_rsa_authentication &&
@@ -1175,6 +1195,7 @@ mm_answer_keyallowed(int sock, Buffer *m)
                                 auth_clear_options();
                         auth_method = "rsa";
                         break;
+#endif
                 default:
                         fatal("%s: unknown key type %d", __func__, type);
                         break;
@@ -1511,6 +1532,7 @@ mm_answer_pty_cleanup(int sock, Buffer *m)
         return (0);
 }
 
+#ifdef WITH_SSH1
 int
 mm_answer_sesskey(int sock, Buffer *m)
 {
@@ -1688,6 +1710,7 @@ mm_answer_rsa_response(int sock, Buffer *m)
 
         return (success);
 }
+#endif
 
 int
 mm_answer_term(int sock, Buffer *req)
@@ -1792,6 +1815,8 @@ monitor_apply_keystate(struct monitor *pmonitor)
         if (options.compression)
                 mm_init_compression(pmonitor->m_zlib);
 
+        packet_set_postauth();
+
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                     (time_t)options.rekey_interval);
@@ -1828,11 +1853,13 @@ mm_get_kex(Buffer *m)
             timingsafe_bcmp(kex->session_id, session_id2, session_id2_len) != 0)
                 fatal("mm_get_get: internal error: bad session id");
         kex->we_need = buffer_get_int(m);
+#ifdef WITH_OPENSSL
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
         kex->server = 1;
         kex->hostkey_type = buffer_get_int(m);
diff --git a/monitor_fdpass.c b/monitor_fdpass.c
index 7eb6f5c6e..100fa5660 100644
--- a/monitor_fdpass.c
+++ b/monitor_fdpass.c
@@ -34,12 +34,17 @@
 #endif
 
 #include <errno.h>
-#ifdef HAVE_POLL_H
-#include <poll.h>
-#endif
 #include <string.h>
 #include <stdarg.h>
 
+#ifdef HAVE_POLL_H
+# include <poll.h>
+#else
+# ifdef HAVE_SYS_POLL_H
+#  include <sys/poll.h>
+# endif
+#endif
+
 #include "log.h"
 #include "monitor_fdpass.h"
 
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 1a47e4174..45dc16951 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.79 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.80 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -38,14 +38,18 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/evp.h>
+#endif
 
 #include "openbsd-compat/sys-queue.h"
 #include "xmalloc.h"
 #include "ssh.h"
+#ifdef WITH_OPENSSL
 #include "dh.h"
+#endif
 #include "buffer.h"
 #include "key.h"
 #include "cipher.h"
@@ -174,6 +178,7 @@ mm_request_receive_expect(int sock, enum monitor_reqtype type, Buffer *m)
                     rtype, type);
 }
 
+#ifdef WITH_OPENSSL
 DH *
 mm_choose_dh(int min, int nbits, int max)
 {
@@ -207,6 +212,7 @@ mm_choose_dh(int min, int nbits, int max)
 
         return (dh_new_group(g, p));
 }
+#endif
 
 int
 mm_key_sign(Key *key, u_char **sigp, u_int *lenp, u_char *data, u_int datalen)
@@ -912,6 +918,7 @@ mm_terminate(void)
         buffer_free(&m);
 }
 
+#ifdef WITH_SSH1
 int
 mm_ssh1_session_key(BIGNUM *num)
 {
@@ -931,6 +938,7 @@ mm_ssh1_session_key(BIGNUM *num)
 
         return (rsafail);
 }
+#endif
 
 static void
 mm_chall_setup(char **name, char **infotxt, u_int *numprompts,
@@ -1078,6 +1086,7 @@ mm_ssh1_session_id(u_char session_id[16])
         buffer_free(&m);
 }
 
+#ifdef WITH_SSH1
 int
 mm_auth_rsa_key_allowed(struct passwd *pw, BIGNUM *client_n, Key **rkey)
 {
@@ -1173,6 +1182,7 @@ mm_auth_rsa_verify_response(Key *key, BIGNUM *p, u_char response[16])
 
         return (success);
 }
+#endif
 
 #ifdef SSH_AUDIT_EVENTS
 void
diff --git a/mux.c b/mux.c
index 882fa61b5..48f7a050f 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.44 2013/07/12 00:19:58 djm Exp $ */
+/* $OpenBSD: mux.c,v 1.48 2014/07/17 07:22:19 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
  *
@@ -105,6 +105,11 @@ struct mux_session_confirm_ctx {
         u_int rid;
 };
 
+/* Context for stdio fwd open confirmation callback */
+struct mux_stdio_confirm_ctx {
+        u_int rid;
+};
+
 /* Context for global channel callback */
 struct mux_channel_confirm_ctx {
         u_int cid;      /* channel id */
@@ -157,6 +162,7 @@ struct mux_master_state {
 #define MUX_FWD_DYNAMIC 3
 
 static void mux_session_confirm(int, int, void *);
+static void mux_stdio_confirm(int, int, void *);
 
 static int process_mux_master_hello(u_int, Channel *, Buffer *, Buffer *);
 static int process_mux_new_session(u_int, Channel *, Buffer *, Buffer *);
@@ -509,29 +515,33 @@ process_mux_terminate(u_int rid, Channel *c, Buffer *m, Buffer *r)
 }
 
 static char *
-format_forward(u_int ftype, Forward *fwd)
+format_forward(u_int ftype, struct Forward *fwd)
 {
         char *ret;
 
         switch (ftype) {
         case MUX_FWD_LOCAL:
                 xasprintf(&ret, "local forward %.200s:%d -> %.200s:%d",
+                    (fwd->listen_path != NULL) ? fwd->listen_path :
                     (fwd->listen_host == NULL) ?
-                    (options.gateway_ports ? "*" : "LOCALHOST") :
+                    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
                     fwd->listen_host, fwd->listen_port,
+                    (fwd->connect_path != NULL) ? fwd->connect_path :
                     fwd->connect_host, fwd->connect_port);
                 break;
         case MUX_FWD_DYNAMIC:
                 xasprintf(&ret, "dynamic forward %.200s:%d -> *",
                     (fwd->listen_host == NULL) ?
-                    (options.gateway_ports ? "*" : "LOCALHOST") :
+                    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
                      fwd->listen_host, fwd->listen_port);
                 break;
         case MUX_FWD_REMOTE:
                 xasprintf(&ret, "remote forward %.200s:%d -> %.200s:%d",
+                    (fwd->listen_path != NULL) ? fwd->listen_path :
                     (fwd->listen_host == NULL) ?
                     "LOCALHOST" : fwd->listen_host,
                     fwd->listen_port,
+                    (fwd->connect_path != NULL) ? fwd->connect_path :
                     fwd->connect_host, fwd->connect_port);
                 break;
         default:
@@ -551,14 +561,18 @@ compare_host(const char *a, const char *b)
 }
 
 static int
-compare_forward(Forward *a, Forward *b)
+compare_forward(struct Forward *a, struct Forward *b)
 {
         if (!compare_host(a->listen_host, b->listen_host))
                 return 0;
+        if (!compare_host(a->listen_path, b->listen_path))
+                return 0;
         if (a->listen_port != b->listen_port)
                 return 0;
         if (!compare_host(a->connect_host, b->connect_host))
                 return 0;
+        if (!compare_host(a->connect_path, b->connect_path))
+                return 0;
         if (a->connect_port != b->connect_port)
                 return 0;
 
@@ -570,7 +584,7 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
 {
         struct mux_channel_confirm_ctx *fctx = ctxt;
         char *failmsg = NULL;
-        Forward *rfwd;
+        struct Forward *rfwd;
         Channel *c;
         Buffer out;
 
@@ -587,7 +601,8 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
         rfwd = &options.remote_forwards[fctx->fid];
         debug("%s: %s for: listen %d, connect %s:%d", __func__,
             type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
-            rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
+            rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
+            rfwd->connect_host, rfwd->connect_port);
         if (type == SSH2_MSG_REQUEST_SUCCESS) {
                 if (rfwd->listen_port == 0) {
                         rfwd->allocated_port = packet_get_int();
@@ -607,8 +622,12 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
         } else {
                 if (rfwd->listen_port == 0)
                         channel_update_permitted_opens(rfwd->handle, -1);
-                xasprintf(&failmsg, "remote port forwarding failed for "
-                    "listen port %d", rfwd->listen_port);
+                if (rfwd->listen_path != NULL)
+                        xasprintf(&failmsg, "remote port forwarding failed for "
+                            "listen path %s", rfwd->listen_path);
+                else
+                        xasprintf(&failmsg, "remote port forwarding failed for "
+                            "listen port %d", rfwd->listen_port);
         }
  fail:
         error("%s: %s", __func__, failmsg);
@@ -627,34 +646,46 @@ mux_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
 static int
 process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
 {
-        Forward fwd;
+        struct Forward fwd;
         char *fwd_desc = NULL;
+        char *listen_addr, *connect_addr;
         u_int ftype;
         u_int lport, cport;
         int i, ret = 0, freefwd = 1;
 
-        fwd.listen_host = fwd.connect_host = NULL;
+        /* XXX - lport/cport check redundant */
         if (buffer_get_int_ret(&ftype, m) != 0 ||
-            (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
+            (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
             buffer_get_int_ret(&lport, m) != 0 ||
-            (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
+            (connect_addr = buffer_get_string_ret(m, NULL)) == NULL ||
             buffer_get_int_ret(&cport, m) != 0 ||
-            lport > 65535 || cport > 65535) {
+            (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
+            (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
                 error("%s: malformed message", __func__);
                 ret = -1;
                 goto out;
         }
-        fwd.listen_port = lport;
-        fwd.connect_port = cport;
-        if (*fwd.listen_host == '\0') {
-                free(fwd.listen_host);
-                fwd.listen_host = NULL;
+        if (*listen_addr == '\0') {
+                free(listen_addr);
+                listen_addr = NULL;
         }
-        if (*fwd.connect_host == '\0') {
-                free(fwd.connect_host);
-                fwd.connect_host = NULL;
+        if (*connect_addr == '\0') {
+                free(connect_addr);
+                connect_addr = NULL;
         }
 
+        memset(&fwd, 0, sizeof(fwd));
+        fwd.listen_port = lport;
+        if (fwd.listen_port == PORT_STREAMLOCAL)
+                fwd.listen_path = listen_addr;
+        else
+                fwd.listen_host = listen_addr;
+        fwd.connect_port = cport;
+        if (fwd.connect_port == PORT_STREAMLOCAL)
+                fwd.connect_path = connect_addr;
+        else
+                fwd.connect_host = connect_addr;
+
         debug2("%s: channel %d: request %s", __func__, c->self,
             (fwd_desc = format_forward(ftype, &fwd)));
 
@@ -662,25 +693,30 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
             ftype != MUX_FWD_DYNAMIC) {
                 logit("%s: invalid forwarding type %u", __func__, ftype);
  invalid:
-                free(fwd.listen_host);
-                free(fwd.connect_host);
+                free(listen_addr);
+                free(connect_addr);
                 buffer_put_int(r, MUX_S_FAILURE);
                 buffer_put_int(r, rid);
                 buffer_put_cstring(r, "Invalid forwarding request");
                 return 0;
         }
-        if (fwd.listen_port >= 65536) {
+        if (ftype == MUX_FWD_DYNAMIC && fwd.listen_path) {
+                logit("%s: streamlocal and dynamic forwards "
+                    "are mutually exclusive", __func__);
+                goto invalid;
+        }
+        if (fwd.listen_port != PORT_STREAMLOCAL && fwd.listen_port >= 65536) {
                 logit("%s: invalid listen port %u", __func__,
                     fwd.listen_port);
                 goto invalid;
         }
-        if (fwd.connect_port >= 65536 || (ftype != MUX_FWD_DYNAMIC &&
-            ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) {
+        if ((fwd.connect_port != PORT_STREAMLOCAL && fwd.connect_port >= 65536)
+            || (ftype != MUX_FWD_DYNAMIC && ftype != MUX_FWD_REMOTE && fwd.connect_port == 0)) {
                 logit("%s: invalid connect port %u", __func__,
                     fwd.connect_port);
                 goto invalid;
         }
-        if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL) {
+        if (ftype != MUX_FWD_DYNAMIC && fwd.connect_host == NULL && fwd.connect_path == NULL) {
                 logit("%s: missing connect host", __func__);
                 goto invalid;
         }
@@ -731,9 +767,8 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         }
 
         if (ftype == MUX_FWD_LOCAL || ftype == MUX_FWD_DYNAMIC) {
-                if (!channel_setup_local_fwd_listener(fwd.listen_host,
-                    fwd.listen_port, fwd.connect_host, fwd.connect_port,
-                    options.gateway_ports)) {
+                if (!channel_setup_local_fwd_listener(&fwd,
+                    &options.fwd_opts)) {
  fail:
                         logit("slave-requested %s failed", fwd_desc);
                         buffer_put_int(r, MUX_S_FAILURE);
@@ -746,8 +781,7 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         } else {
                 struct mux_channel_confirm_ctx *fctx;
 
-                fwd.handle = channel_request_remote_forwarding(fwd.listen_host,
-                    fwd.listen_port, fwd.connect_host, fwd.connect_port);
+                fwd.handle = channel_request_remote_forwarding(&fwd);
                 if (fwd.handle < 0)
                         goto fail;
                 add_remote_forward(&options, &fwd);
@@ -768,7 +802,9 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         free(fwd_desc);
         if (freefwd) {
                 free(fwd.listen_host);
+                free(fwd.listen_path);
                 free(fwd.connect_host);
+                free(fwd.connect_path);
         }
         return ret;
 }
@@ -776,36 +812,47 @@ process_mux_open_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
 static int
 process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
 {
-        Forward fwd, *found_fwd;
+        struct Forward fwd, *found_fwd;
         char *fwd_desc = NULL;
         const char *error_reason = NULL;
+        char *listen_addr = NULL, *connect_addr = NULL;
         u_int ftype;
-        int i, listen_port, ret = 0;
+        int i, ret = 0;
         u_int lport, cport;
 
-        fwd.listen_host = fwd.connect_host = NULL;
         if (buffer_get_int_ret(&ftype, m) != 0 ||
-            (fwd.listen_host = buffer_get_string_ret(m, NULL)) == NULL ||
+            (listen_addr = buffer_get_string_ret(m, NULL)) == NULL ||
             buffer_get_int_ret(&lport, m) != 0 ||
-            (fwd.connect_host = buffer_get_string_ret(m, NULL)) == NULL ||
+            (connect_addr = buffer_get_string_ret(m, NULL)) == NULL ||
             buffer_get_int_ret(&cport, m) != 0 ||
-            lport > 65535 || cport > 65535) {
+            (lport != (u_int)PORT_STREAMLOCAL && lport > 65535) ||
+            (cport != (u_int)PORT_STREAMLOCAL && cport > 65535)) {
                 error("%s: malformed message", __func__);
                 ret = -1;
                 goto out;
         }
-        fwd.listen_port = lport;
-        fwd.connect_port = cport;
 
-        if (*fwd.listen_host == '\0') {
-                free(fwd.listen_host);
-                fwd.listen_host = NULL;
+        if (*listen_addr == '\0') {
+                free(listen_addr);
+                listen_addr = NULL;
         }
-        if (*fwd.connect_host == '\0') {
-                free(fwd.connect_host);
-                fwd.connect_host = NULL;
+        if (*connect_addr == '\0') {
+                free(connect_addr);
+                connect_addr = NULL;
         }
 
+        memset(&fwd, 0, sizeof(fwd));
+        fwd.listen_port = lport;
+        if (fwd.listen_port == PORT_STREAMLOCAL)
+                fwd.listen_path = listen_addr;
+        else
+                fwd.listen_host = listen_addr;
+        fwd.connect_port = cport;
+        if (fwd.connect_port == PORT_STREAMLOCAL)
+                fwd.connect_path = connect_addr;
+        else
+                fwd.connect_host = connect_addr;
+
         debug2("%s: channel %d: request cancel %s", __func__, c->self,
             (fwd_desc = format_forward(ftype, &fwd)));
 
@@ -840,18 +887,14 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
                  * This shouldn't fail unless we confused the host/port
                  * between options.remote_forwards and permitted_opens.
                  * However, for dynamic allocated listen ports we need
-                 * to lookup the actual listen port.
+                 * to use the actual listen port.
                  */
-                listen_port = (fwd.listen_port == 0) ?
-                    found_fwd->allocated_port : fwd.listen_port;
-                if (channel_request_rforward_cancel(fwd.listen_host,
-                    listen_port) == -1)
+                if (channel_request_rforward_cancel(found_fwd) == -1)
                         error_reason = "port not in permitted opens";
         } else {        /* local and dynamic forwards */
                 /* Ditto */
-                if (channel_cancel_lport_listener(fwd.listen_host,
-                    fwd.listen_port, fwd.connect_port,
-                    options.gateway_ports) == -1)
+                if (channel_cancel_lport_listener(&fwd, fwd.connect_port,
+                    &options.fwd_opts) == -1)
                         error_reason = "port not found";
         }
 
@@ -860,8 +903,11 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
                 buffer_put_int(r, rid);
 
                 free(found_fwd->listen_host);
+                free(found_fwd->listen_path);
                 free(found_fwd->connect_host);
+                free(found_fwd->connect_path);
                 found_fwd->listen_host = found_fwd->connect_host = NULL;
+                found_fwd->listen_path = found_fwd->connect_path = NULL;
                 found_fwd->listen_port = found_fwd->connect_port = 0;
         } else {
                 buffer_put_int(r, MUX_S_FAILURE);
@@ -870,8 +916,8 @@ process_mux_close_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         }
  out:
         free(fwd_desc);
-        free(fwd.listen_host);
-        free(fwd.connect_host);
+        free(listen_addr);
+        free(connect_addr);
 
         return ret;
 }
@@ -883,6 +929,7 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
         char *reserved, *chost;
         u_int cport, i, j;
         int new_fd[2];
+        struct mux_stdio_confirm_ctx *cctx;
 
         chost = reserved = NULL;
         if ((reserved = buffer_get_string_ret(m, NULL)) == NULL ||
@@ -962,15 +1009,60 @@ process_mux_stdio_fwd(u_int rid, Channel *c, Buffer *m, Buffer *r)
 
         channel_register_cleanup(nc->self, mux_master_session_cleanup_cb, 1);
 
-        /* prepare reply */
-        /* XXX defer until channel confirmed */
-        buffer_put_int(r, MUX_S_SESSION_OPENED);
-        buffer_put_int(r, rid);
-        buffer_put_int(r, nc->self);
+        cctx = xcalloc(1, sizeof(*cctx));
+        cctx->rid = rid;
+        channel_register_open_confirm(nc->self, mux_stdio_confirm, cctx);
+        c->mux_pause = 1; /* stop handling messages until open_confirm done */
 
+        /* reply is deferred, sent by mux_session_confirm */
         return 0;
 }
 
+/* Callback on open confirmation in mux master for a mux stdio fwd session. */
+static void
+mux_stdio_confirm(int id, int success, void *arg)
+{
+        struct mux_stdio_confirm_ctx *cctx = arg;
+        Channel *c, *cc;
+        Buffer reply;
+
+        if (cctx == NULL)
+                fatal("%s: cctx == NULL", __func__);
+        if ((c = channel_by_id(id)) == NULL)
+                fatal("%s: no channel for id %d", __func__, id);
+        if ((cc = channel_by_id(c->ctl_chan)) == NULL)
+                fatal("%s: channel %d lacks control channel %d", __func__,
+                    id, c->ctl_chan);
+
+        if (!success) {
+                debug3("%s: sending failure reply", __func__);
+                /* prepare reply */
+                buffer_init(&reply);
+                buffer_put_int(&reply, MUX_S_FAILURE);
+                buffer_put_int(&reply, cctx->rid);
+                buffer_put_cstring(&reply, "Session open refused by peer");
+                goto done;
+        }
+
+        debug3("%s: sending success reply", __func__);
+        /* prepare reply */
+        buffer_init(&reply);
+        buffer_put_int(&reply, MUX_S_SESSION_OPENED);
+        buffer_put_int(&reply, cctx->rid);
+        buffer_put_int(&reply, c->self);
+
+ done:
+        /* Send reply */
+        buffer_put_string(&cc->output, buffer_ptr(&reply), buffer_len(&reply));
+        buffer_free(&reply);
+
+        if (cc->mux_pause <= 0)
+                fatal("%s: mux_pause %d", __func__, cc->mux_pause);
+        cc->mux_pause = 0; /* start processing messages again */
+        c->open_confirm_ctx = NULL;
+        free(cctx);
+}
+
 static int
 process_mux_stop_listening(u_int rid, Channel *c, Buffer *m, Buffer *r)
 {
@@ -1010,7 +1102,7 @@ mux_master_read_cb(Channel *c)
 {
         struct mux_master_state *state = (struct mux_master_state *)c->mux_ctx;
         Buffer in, out;
-        void *ptr;
+        const u_char *ptr;
         u_int type, rid, have, i;
         int ret = -1;
 
@@ -1133,12 +1225,11 @@ mux_tty_alloc_failed(Channel *c)
 void
 muxserver_listen(void)
 {
-        struct sockaddr_un addr;
-        socklen_t sun_len;
         mode_t old_umask;
         char *orig_control_path = options.control_path;
         char rbuf[16+1];
         u_int i, r;
+        int oerrno;
 
         if (options.control_path == NULL ||
             options.control_master == SSHCTL_MASTER_NO)
@@ -1163,24 +1254,12 @@ muxserver_listen(void)
         xasprintf(&options.control_path, "%s.%s", orig_control_path, rbuf);
         debug3("%s: temporary control path %s", __func__, options.control_path);
 
-        memset(&addr, '\0', sizeof(addr));
-        addr.sun_family = AF_UNIX;
-        sun_len = offsetof(struct sockaddr_un, sun_path) +
-            strlen(options.control_path) + 1;
-
-        if (strlcpy(addr.sun_path, options.control_path,
-            sizeof(addr.sun_path)) >= sizeof(addr.sun_path)) {
-                error("ControlPath \"%s\" too long for Unix domain socket",
-                    options.control_path);
-                goto disable_mux_master;
-        }
-
-        if ((muxserver_sock = socket(PF_UNIX, SOCK_STREAM, 0)) < 0)
-                fatal("%s socket(): %s", __func__, strerror(errno));
-
         old_umask = umask(0177);
-        if (bind(muxserver_sock, (struct sockaddr *)&addr, sun_len) == -1) {
-                if (errno == EINVAL || errno == EADDRINUSE) {
+        muxserver_sock = unix_listener(options.control_path, 64, 0);
+        oerrno = errno;
+        umask(old_umask);
+        if (muxserver_sock < 0) {
+                if (oerrno == EINVAL || oerrno == EADDRINUSE) {
                         error("ControlSocket %s already exists, "
                             "disabling multiplexing", options.control_path);
  disable_mux_master:
@@ -1193,13 +1272,11 @@ muxserver_listen(void)
                         options.control_path = NULL;
                         options.control_master = SSHCTL_MASTER_NO;
                         return;
-                } else
-                        fatal("%s bind(): %s", __func__, strerror(errno));
+                } else {
+                        /* unix_listener() logs the error */
+                        cleanup_exit(255);
+                }
         }
-        umask(old_umask);
-
-        if (listen(muxserver_sock, 64) == -1)
-                fatal("%s listen(): %s", __func__, strerror(errno));
 
         /* Now atomically "move" the mux socket into position */
         if (link(options.control_path, orig_control_path) != 0) {
@@ -1429,7 +1506,7 @@ mux_client_read_packet(int fd, Buffer *m)
 {
         Buffer queue;
         u_int need, have;
-        void *ptr;
+        const u_char *ptr;
         int oerrno;
 
         buffer_init(&queue);
@@ -1593,7 +1670,7 @@ mux_client_request_terminate(int fd)
 }
 
 static int
-mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
+mux_client_forward(int fd, int cancel_flag, u_int ftype, struct Forward *fwd)
 {
         Buffer m;
         char *e, *fwd_desc;
@@ -1608,11 +1685,19 @@ mux_client_forward(int fd, int cancel_flag, u_int ftype, Forward *fwd)
         buffer_put_int(&m, cancel_flag ? MUX_C_CLOSE_FWD : MUX_C_OPEN_FWD);
         buffer_put_int(&m, muxclient_request_id);
         buffer_put_int(&m, ftype);
-        buffer_put_cstring(&m,
-            fwd->listen_host == NULL ? "" : fwd->listen_host);
+        if (fwd->listen_path != NULL) {
+                buffer_put_cstring(&m, fwd->listen_path);
+        } else {
+                buffer_put_cstring(&m,
+                    fwd->listen_host == NULL ? "" : fwd->listen_host);
+        }
         buffer_put_int(&m, fwd->listen_port);
-        buffer_put_cstring(&m,
-            fwd->connect_host == NULL ? "" : fwd->connect_host);
+        if (fwd->connect_path != NULL) {
+                buffer_put_cstring(&m, fwd->connect_path);
+        } else {
+                buffer_put_cstring(&m,
+                    fwd->connect_host == NULL ? "" : fwd->connect_host);
+        }
         buffer_put_int(&m, fwd->connect_port);
 
         if (mux_client_write_packet(fd, &m) != 0)
@@ -1922,7 +2007,7 @@ mux_client_request_stdio_fwd(int fd)
         case MUX_S_FAILURE:
                 e = buffer_get_string(&m, NULL);
                 buffer_free(&m);
-                fatal("%s: stdio forwarding request failed: %s", __func__, e);
+                fatal("Stdio forwarding request failed: %s", e);
         default:
                 buffer_free(&m);
                 error("%s: unexpected response from master 0x%08x",
diff --git a/myproposal.h b/myproposal.h
index 3a0f5aeab..b35b2b8bd 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.35 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: myproposal.h,v 1.41 2014/07/11 13:54:34 tedu Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -69,23 +69,28 @@
 #ifdef HAVE_EVP_SHA256
 # define KEX_SHA256_METHODS \
         "diffie-hellman-group-exchange-sha256,"
-#define KEX_CURVE25519_METHODS \
-        "curve25519-sha256@libssh.org,"
 #define SHA2_HMAC_MODES \
         "hmac-sha2-256," \
         "hmac-sha2-512,"
 #else
 # define KEX_SHA256_METHODS
-# define KEX_CURVE25519_METHODS
 # define SHA2_HMAC_MODES
 #endif
 
-# define KEX_DEFAULT_KEX \
+#ifdef WITH_OPENSSL
+# ifdef HAVE_EVP_SHA256
+#  define KEX_CURVE25519_METHODS "curve25519-sha256@libssh.org,"
+# else
+#  define KEX_CURVE25519_METHODS ""
+# endif
+#define KEX_SERVER_KEX \
         KEX_CURVE25519_METHODS \
         KEX_ECDH_METHODS \
         KEX_SHA256_METHODS \
+        "diffie-hellman-group14-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
         "diffie-hellman-group-exchange-sha1," \
-        "diffie-hellman-group14-sha1," \
         "diffie-hellman-group1-sha1"
 
 #define KEX_DEFAULT_PK_ALG      \
@@ -102,47 +107,91 @@
 
 /* the actual algorithms */
 
-#define KEX_DEFAULT_ENCRYPT \
+#define KEX_SERVER_ENCRYPT \
         "aes128-ctr,aes192-ctr,aes256-ctr," \
-        "arcfour256,arcfour128," \
         AESGCM_CIPHER_MODES \
-        "chacha20-poly1305@openssh.com," \
+        "chacha20-poly1305@openssh.com"
+
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT "," \
+        "arcfour256,arcfour128," \
         "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
         "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
 
-#define KEX_DEFAULT_MAC \
-        "hmac-md5-etm@openssh.com," \
-        "hmac-sha1-etm@openssh.com," \
+#define KEX_SERVER_MAC \
         "umac-64-etm@openssh.com," \
         "umac-128-etm@openssh.com," \
         "hmac-sha2-256-etm@openssh.com," \
         "hmac-sha2-512-etm@openssh.com," \
+        "hmac-sha1-etm@openssh.com," \
+        "umac-64@openssh.com," \
+        "umac-128@openssh.com," \
+        "hmac-sha2-256," \
+        "hmac-sha2-512," \
+        "hmac-sha1"
+
+#define KEX_CLIENT_MAC KEX_SERVER_MAC "," \
+        "hmac-md5-etm@openssh.com," \
         "hmac-ripemd160-etm@openssh.com," \
         "hmac-sha1-96-etm@openssh.com," \
         "hmac-md5-96-etm@openssh.com," \
         "hmac-md5," \
-        "hmac-sha1," \
-        "umac-64@openssh.com," \
-        "umac-128@openssh.com," \
-        SHA2_HMAC_MODES \
         "hmac-ripemd160," \
         "hmac-ripemd160@openssh.com," \
         "hmac-sha1-96," \
         "hmac-md5-96"
 
+#else
+
+#define KEX_SERVER_KEX          \
+        "curve25519-sha256@libssh.org"
+#define KEX_DEFAULT_PK_ALG      \
+        "ssh-ed25519-cert-v01@openssh.com," \
+        "ssh-ed25519"
+#define KEX_SERVER_ENCRYPT \
+        "aes128-ctr,aes192-ctr,aes256-ctr," \
+        "chacha20-poly1305@openssh.com"
+#define KEX_SERVER_MAC \
+        "umac-64-etm@openssh.com," \
+        "umac-128-etm@openssh.com," \
+        "hmac-sha2-256-etm@openssh.com," \
+        "hmac-sha2-512-etm@openssh.com," \
+        "hmac-sha1-etm@openssh.com," \
+        "umac-64@openssh.com," \
+        "umac-128@openssh.com," \
+        "hmac-sha2-256," \
+        "hmac-sha2-512," \
+        "hmac-sha1"
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX
+#define KEX_CLIENT_ENCRYPT KEX_SERVER_ENCRYPT
+#define KEX_CLIENT_MAC KEX_SERVER_MAC
+
+#endif /* WITH_OPENSSL */
+
 #define KEX_DEFAULT_COMP        "none,zlib@openssh.com,zlib"
 #define KEX_DEFAULT_LANG        ""
 
+#define KEX_CLIENT \
+        KEX_CLIENT_KEX, \
+        KEX_DEFAULT_PK_ALG, \
+        KEX_CLIENT_ENCRYPT, \
+        KEX_CLIENT_ENCRYPT, \
+        KEX_CLIENT_MAC, \
+        KEX_CLIENT_MAC, \
+        KEX_DEFAULT_COMP, \
+        KEX_DEFAULT_COMP, \
+        KEX_DEFAULT_LANG, \
+        KEX_DEFAULT_LANG
 
-static char *myproposal[PROPOSAL_MAX] = {
-        KEX_DEFAULT_KEX,
-        KEX_DEFAULT_PK_ALG,
-        KEX_DEFAULT_ENCRYPT,
-        KEX_DEFAULT_ENCRYPT,
-        KEX_DEFAULT_MAC,
-        KEX_DEFAULT_MAC,
-        KEX_DEFAULT_COMP,
-        KEX_DEFAULT_COMP,
-        KEX_DEFAULT_LANG,
+#define KEX_SERVER \
+        KEX_SERVER_KEX, \
+        KEX_DEFAULT_PK_ALG, \
+        KEX_SERVER_ENCRYPT, \
+        KEX_SERVER_ENCRYPT, \
+        KEX_SERVER_MAC, \
+        KEX_SERVER_MAC, \
+        KEX_DEFAULT_COMP, \
+        KEX_DEFAULT_COMP, \
+        KEX_DEFAULT_LANG, \
         KEX_DEFAULT_LANG
-};
+
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 6ecfb93d5..ab1a3e315 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $
+# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
 
-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
 
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index eac073cc0..09dbfda16 100644
--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -87,7 +87,7 @@ _rs_stir(void)
                 _rs_init(rnd, sizeof(rnd));
         } else
                 _rs_rekey(rnd, sizeof(rnd));
-        memset(rnd, 0, sizeof(rnd));
+        explicit_bzero(rnd, sizeof(rnd));
 
         /* invalidate rs_buf */
         rs_have = 0;
@@ -229,7 +229,7 @@ arc4random_buf(void *_buf, size_t n)
                 buf[i] = r & 0xff;
                 r >>= 8;
         }
-        i = r = 0;
+        explicit_bzero(&r, sizeof(r));
 }
 #endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
 
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 267e77a11..a2d82126d 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -57,6 +57,22 @@ check_ntsec(const char *filename)
         return (pathconf(filename, _PC_POSIX_PERMISSIONS));
 }
 
+const char *
+cygwin_ssh_privsep_user()
+{
+  static char cyg_privsep_user[DNLEN + UNLEN + 2];
+
+  if (!cyg_privsep_user[0])
+    {
+#ifdef CW_CYGNAME_FROM_WINNAME
+      if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user,
+                           sizeof cyg_privsep_user) != 0)
+#endif
+        strcpy (cyg_privsep_user, "sshd");
+    }
+  return cyg_privsep_user;
+}
+
 #define NL(x) x, (sizeof (x) - 1)
 #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
 
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 1177366f1..79cb2a197 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
@@ -39,6 +39,8 @@
 /* Avoid including windows headers. */
 typedef void *HANDLE;
 #define INVALID_HANDLE_VALUE ((HANDLE) -1)
+#define DNLEN 16
+#define UNLEN 256
 
 /* Cygwin functions for which declarations are only available when including
    windows headers, so we have to define them here explicitely. */
@@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_token (const HANDLE);
 #include <sys/cygwin.h>
 #include <io.h>
 
+#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user())
+const char *cygwin_ssh_privsep_user();
 
 int binary_open(const char *, int , ...);
 int check_ntsec(const char *);
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index 975991e7f..23a635989 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -538,7 +538,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
         }
         while (*value && (cnt < max)) {
                 DOPR_OUTCH(buffer, *currlen, maxlen, *value);
-                *value++;
+                value++;
                 ++cnt;
         }
         while ((padlen < 0) && (cnt < max)) {
@@ -553,7 +553,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 
 static int
 fmtint(char *buffer, size_t *currlen, size_t maxlen,
-                    LLONG value, int base, int min, int max, int flags)
+    intmax_t value, int base, int min, int max, int flags)
 {
         int signvalue = 0;
         unsigned LLONG uvalue;
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
index b106741e5..3c85a4843 100644
--- a/openbsd-compat/explicit_bzero.c
+++ b/openbsd-compat/explicit_bzero.c
@@ -7,14 +7,34 @@
 
 #include "includes.h"
 
+/*
+ * explicit_bzero - don't let the compiler optimize away bzero
+ */
+
 #ifndef HAVE_EXPLICIT_BZERO
 
+#ifdef HAVE_MEMSET_S
+
+void
+explicit_bzero(void *p, size_t n)
+{
+        (void)memset_s(p, n, 0, n);
+}
+
+#else /* HAVE_MEMSET_S */
+
 /*
- * explicit_bzero - don't let the compiler optimize away bzero
+ * Indirect bzero through a volatile pointer to hopefully avoid
+ * dead-store optimisation eliminating the call.
  */
+static void (* volatile ssh_bzero)(void *, size_t) = bzero;
+
 void
 explicit_bzero(void *p, size_t n)
 {
-        bzero(p, n);
+        ssh_bzero(p, n);
 }
-#endif
+
+#endif /* HAVE_MEMSET_S */
+
+#endif /* HAVE_EXPLICIT_BZERO */
diff --git a/openbsd-compat/kludge-fd_set.c b/openbsd-compat/kludge-fd_set.c
new file mode 100644
index 000000000..6c2ffb64b
--- /dev/null
+++ b/openbsd-compat/kludge-fd_set.c
@@ -0,0 +1,28 @@
+/* Placed in the public domain.  */
+
+/*
+ * _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b)
+ * where n > FD_SETSIZE. This breaks OpenSSH and other programs that
+ * explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a
+ * function compiled without _FORTIFY_SOURCE.
+ */
+
+#include "config.h"
+
+#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
+# include <features.h>
+# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
+#  if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
+#   undef _FORTIFY_SOURCE
+#   undef __USE_FORTIFY_LEVEL
+#   include <sys/socket.h>
+void kludge_FD_SET(int n, fd_set *set) {
+        FD_SET(n, set);
+}
+int kludge_FD_ISSET(int n, fd_set *set) {
+        return FD_ISSET(n, set);
+}
+#  endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
+# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
+#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
+
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index bc9888e31..ce6abae82 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.62 2014/09/30 23:43:08 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw);
 #include "port-tun.h"
 #include "port-uw.h"
 
+/* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */
+#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
+# include <features.h>
+# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
+#  if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
+#   include <sys/socket.h>  /* Ensure include guard is defined */
+#   undef FD_SET
+#   undef FD_ISSET
+#   define FD_SET(n, set)       kludge_FD_SET(n, set)
+#   define FD_ISSET(n, set)     kludge_FD_ISSET(n, set)
+void kludge_FD_SET(int, fd_set *);
+int kludge_FD_ISSET(int, fd_set *);
+#  endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
+# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
+#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
+
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 885c121f2..36570e4ad 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */
+/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,6 +16,7 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "includes.h"
 
 #include <stdarg.h>
@@ -26,147 +27,44 @@
 # include <openssl/conf.h>
 #endif
 
-#ifndef HAVE_RSA_GET_DEFAULT_METHOD
-# include <openssl/rsa.h>
-#endif
-
 #include "log.h"
 
-#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "openssl-compat.h"
 
-#ifdef SSH_OLD_EVP
-int
-ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
-    unsigned char *key, unsigned char *iv, int enc)
-{
-        EVP_CipherInit(evp, type, key, iv, enc);
-        return 1;
-}
-
-int
-ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
-{
-        EVP_Cipher(evp, dst, src, len);
-        return 1;
-}
-
-int
-ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
-{
-        EVP_CIPHER_CTX_cleanup(evp);
-        return 1;
-}
-#endif
-
-#ifndef HAVE_EVP_DIGESTINIT_EX
-int
-EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
-{
-        if (engine != NULL)
-                fatal("%s: ENGINE is not supported", __func__);
-# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-        EVP_DigestInit(ctx, md);
-        return 1;
-# else
-        return EVP_DigestInit(ctx, md);
-# endif
-}
-#endif
-
-#ifndef HAVE_EVP_DIGESTFINAL_EX
-int
-EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s)
-{
-# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-        EVP_DigestFinal(ctx, md, s);
-        return 1;
-# else
-        return EVP_DigestFinal(ctx, md, s);
-# endif
-}
-#endif
-
-#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-int
-ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
-{
-        EVP_DigestUpdate(ctx, d, cnt);
-        return 1;
-}
-#endif
-
-#ifndef HAVE_EVP_MD_CTX_COPY_EX
-int
-EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
-{
-        return EVP_MD_CTX_copy(out, in);
-}
-#endif
-
-#ifndef HAVE_BN_IS_PRIME_EX
-int
-BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb)
-{
-        if (cb != NULL)
-                fatal("%s: callback args not supported", __func__);
-        return BN_is_prime(p, nchecks, NULL, ctx, NULL);
-}
-#endif
-
-#ifndef HAVE_RSA_GENERATE_KEY_EX
-int
-RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb)
-{
-        RSA *new_rsa, tmp_rsa;
-        unsigned long e;
-
-        if (cb != NULL)
-                fatal("%s: callback args not supported", __func__);
-        e = BN_get_word(bn_e);
-        if (e == 0xffffffffL)
-                fatal("%s: value of e too large", __func__);
-        new_rsa = RSA_generate_key(bits, e, NULL, NULL);
-        if (new_rsa == NULL)
-                return 0;
-        /* swap rsa/new_rsa then free new_rsa */
-        tmp_rsa = *rsa;
-        *rsa = *new_rsa;
-        *new_rsa = tmp_rsa;
-        RSA_free(new_rsa);
-        return 1;
-}
-#endif
+/*
+ * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+ * We match major, minor, fix and status (not patch) for <1.0.0.
+ * After that, we acceptable compatible fix versions (so we
+ * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+ * within a patch series.
+ */
 
-#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
 int
-DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed,
-    int seed_len, int *counter_ret, unsigned long *h_ret, void *cb)
+ssh_compatible_openssl(long headerver, long libver)
 {
-        DSA *new_dsa, tmp_dsa;
-
-        if (cb != NULL)
-                fatal("%s: callback args not supported", __func__);
-        new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len,
-            counter_ret, h_ret, NULL, NULL);
-        if (new_dsa == NULL)
-                return 0;
-        /* swap dsa/new_dsa then free new_dsa */
-        tmp_dsa = *dsa;
-        *dsa = *new_dsa;
-        *new_dsa = tmp_dsa;
-        DSA_free(new_dsa);
-        return 1;
-}
-#endif
-
-#ifndef HAVE_RSA_GET_DEFAULT_METHOD
-RSA_METHOD *
-RSA_get_default_method(void)
-{
-        return RSA_PKCS1_SSLeay();
+        long mask, hfix, lfix;
+
+        /* exact match is always OK */
+        if (headerver == libver)
+                return 1;
+
+        /* for versions < 1.0.0, major,minor,fix,status must match */
+        if (headerver < 0x1000000f) {
+                mask = 0xfffff00fL; /* major,minor,fix,status */
+                return (headerver & mask) == (libver & mask);
+        }
+        
+        /*
+         * For versions >= 1.0.0, major,minor,status must match and library
+         * fix version must be equal to or newer than the header.
+         */
+        mask = 0xfff0000fL; /* major,minor,status */
+        hfix = (headerver & 0x000ff000) >> 12;
+        lfix = (libver & 0x000ff000) >> 12;
+        if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+                return 1;
+        return 0;
 }
-#endif
 
 #ifdef  USE_OPENSSL_ENGINE
 void
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 276b9706d..3695d412b 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.31 2014/08/29 18:18:29 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,28 +16,19 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#ifndef _OPENSSL_COMPAT_H
+#define _OPENSSL_COMPAT_H
+
 #include "includes.h"
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
 
-/* Only in 0.9.8 */
-#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
-# define OPENSSL_DSA_MAX_MODULUS_BITS        10000
-#endif
-#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-# define OPENSSL_RSA_MAX_MODULUS_BITS        16384
-#endif
-
-/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
-# define OPENSSL_free(x) Free(x)
-#endif
+int ssh_compatible_openssl(long, long);
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-# define SSH_OLD_EVP
-# define EVP_CIPHER_CTX_get_app_data(e)         ((e)->app_data)
+#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL)
+# error OpenSSL 0.9.8f or greater is required
 #endif
 
 #if OPENSSL_VERSION_NUMBER < 0x10000001L
@@ -46,27 +37,17 @@
 # define LIBCRYPTO_EVP_INL_TYPE size_t
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
-# define USE_BUILTIN_RIJNDAEL
+#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
+# define OPENSSL_RSA_MAX_MODULUS_BITS   16384
 #endif
-
-#ifdef USE_BUILTIN_RIJNDAEL
-# include "rijndael.h"
-# define AES_KEY rijndael_ctx
-# define AES_BLOCK_SIZE 16
-# define AES_encrypt(a, b, c)           rijndael_encrypt(c, a, b)
-# define AES_set_encrypt_key(a, b, c)   rijndael_set_key(c, (char *)a, b, 1)
-# define EVP_aes_128_cbc evp_rijndael
-# define EVP_aes_192_cbc evp_rijndael
-# define EVP_aes_256_cbc evp_rijndael
-const EVP_CIPHER *evp_rijndael(void);
-void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
+# define OPENSSL_DSA_MAX_MODULUS_BITS   10000
 #endif
 
 #ifndef OPENSSL_HAVE_EVPCTR
-#define EVP_aes_128_ctr evp_aes_128_ctr
-#define EVP_aes_192_ctr evp_aes_128_ctr
-#define EVP_aes_256_ctr evp_aes_128_ctr
+# define EVP_aes_128_ctr evp_aes_128_ctr
+# define EVP_aes_192_ctr evp_aes_128_ctr
+# define EVP_aes_256_ctr evp_aes_128_ctr
 const EVP_CIPHER *evp_aes_128_ctr(void);
 void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 #endif
@@ -88,26 +69,9 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 # endif
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#define EVP_X_STATE(evp)        &(evp).c
-#define EVP_X_STATE_LEN(evp)    sizeof((evp).c)
-#else
-#define EVP_X_STATE(evp)        (evp).cipher_data
-#define EVP_X_STATE_LEN(evp)    (evp).cipher->ctx_size
-#endif
-
-/* OpenSSL 0.9.8e returns cipher key len not context key len */
-#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
-# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
-#endif
-
-#ifndef HAVE_RSA_GET_DEFAULT_METHOD
-RSA_METHOD *RSA_get_default_method(void);
-#endif
-
 /*
  * We overload some of the OpenSSL crypto functions with ssh_* equivalents
- * which cater for older and/or less featureful OpenSSL version.
+ * to automatically handle OpenSSL engine initialisation.
  *
  * In order for the compat library to call the real functions, it must
  * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
@@ -115,19 +79,6 @@ RSA_METHOD *RSA_get_default_method(void);
  */
 #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 
-# ifdef SSH_OLD_EVP
-#  ifdef EVP_Cipher
-#   undef EVP_Cipher
-#  endif
-#  define EVP_CipherInit(a,b,c,d,e)     ssh_EVP_CipherInit((a),(b),(c),(d),(e))
-#  define EVP_Cipher(a,b,c,d)           ssh_EVP_Cipher((a),(b),(c),(d))
-#  define EVP_CIPHER_CTX_cleanup(a)     ssh_EVP_CIPHER_CTX_cleanup((a))
-# endif /* SSH_OLD_EVP */
-
-# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-#  define EVP_DigestUpdate(a,b,c)       ssh_EVP_DigestUpdate((a),(b),(c))
-#  endif
-
 # ifdef USE_OPENSSL_ENGINE
 #  ifdef OpenSSL_add_all_algorithms
 #   undef OpenSSL_add_all_algorithms
@@ -135,48 +86,8 @@ RSA_METHOD *RSA_get_default_method(void);
 #  define OpenSSL_add_all_algorithms()  ssh_OpenSSL_add_all_algorithms()
 # endif
 
-# ifndef HAVE_BN_IS_PRIME_EX
-int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *);
-# endif
-
-# ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
-int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *,
-    unsigned long *, void *);
-# endif
-
-# ifndef HAVE_RSA_GENERATE_KEY_EX
-int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *);
-# endif
-
-# ifndef HAVE_EVP_DIGESTINIT_EX
-int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *);
-# endif
-
-# ifndef HAVE_EVP_DISESTFINAL_EX
-int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
-# endif
-
-# ifndef EVP_MD_CTX_COPY_EX
-int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
-# endif
-
-int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
-    unsigned char *, int);
-int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
-int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
 void ssh_OpenSSL_add_all_algorithms(void);
 
-# ifndef HAVE_HMAC_CTX_INIT
-#  define HMAC_CTX_init(a)
-# endif
-
-# ifndef HAVE_EVP_MD_CTX_INIT
-#  define EVP_MD_CTX_init(a)
-# endif
-
-# ifndef HAVE_EVP_MD_CTX_CLEANUP
-#  define EVP_MD_CTX_cleanup(a)
-# endif
-
 #endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
 
+#endif /* _OPENSSL_COMPAT_H */
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index b1fbfa208..db24dbb94 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -42,6 +42,7 @@
 #include "key.h"
 #include "auth-options.h"
 #include "log.h"
+#include "misc.h"       /* servconf.h needs misc.h for struct ForwardOptions */
 #include "servconf.h"
 #include "hostfile.h"
 #include "auth.h"
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
index bcf214bd0..dabdb0912 100644
--- a/openbsd-compat/regress/Makefile.in
+++ b/openbsd-compat/regress/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
+# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,11 +16,11 @@ LIBS=@LIBS@
 LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
 
 TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
-        strtonumtest$(EXEEXT)
+        strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
 
 all:    t-exec ${OTHERTESTS}
 
-%$(EXEEXT):     %.c
+%$(EXEEXT):     %.c $(LIBCOMPAT)
         $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
 
 t-exec: $(TESTPROGS)
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
new file mode 100644
index 000000000..5d019b598
--- /dev/null
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2014 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int ssh_compatible_openssl(long, long);
+
+struct version_test {
+        long headerver;
+        long libver;
+        int result;
+} version_tests[] = {
+        /* built with 0.9.8b release headers */
+        { 0x0090802fL, 0x0090802fL, 1}, /* exact match */
+        { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
+        { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
+        { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
+        { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
+        { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
+        { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
+
+        /* built with 1.0.1b release headers */
+        { 0x1000101fL, 0x1000101fL, 1},/* exact match */
+        { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
+        { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
+        { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
+        { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
+        { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
+        { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
+        { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
+};
+
+void
+fail(long hver, long lver, int result)
+{
+        fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result);
+        exit(1);
+}
+
+int
+main(void)
+{
+        unsigned int i;
+        int res;
+        long hver, lver;
+
+        for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) {
+                hver = version_tests[i].headerver;
+                lver = version_tests[i].libver;
+                res = version_tests[i].result;
+                if (ssh_compatible_openssl(hver, lver) != res)
+                        fail(hver, lver, res);
+        }
+        exit(0);
+}
diff --git a/opensshd.init.in b/opensshd.init.in
index 0db60caa7..517345bfb 100755
--- a/opensshd.init.in
+++ b/opensshd.init.in
@@ -21,6 +21,7 @@ HOST_KEY_RSA1=$sysconfdir/ssh_host_key
 HOST_KEY_DSA=$sysconfdir/ssh_host_dsa_key
 HOST_KEY_RSA=$sysconfdir/ssh_host_rsa_key
 @COMMENT_OUT_ECC@HOST_KEY_ECDSA=$sysconfdir/ssh_host_ecdsa_key
+HOST_KEY_ED25519=$sysconfdir/ssh_host_ed25519_key
 
 
 checkkeys() {
@@ -36,6 +37,9 @@ checkkeys() {
 @COMMENT_OUT_ECC@    if [ ! -f $HOST_KEY_ECDSA ]; then
 @COMMENT_OUT_ECC@       ${SSH_KEYGEN} -t ecdsa -f ${HOST_KEY_ECDSA} -N ""
 @COMMENT_OUT_ECC@    fi
+    if [ ! -f $HOST_KEY_ED25519 ]; then
+        ${SSH_KEYGEN} -t ed25519 -f ${HOST_KEY_ED25519} -N ""
+    fi
 }
 
 stop_service() {
diff --git a/packet.c b/packet.c
index 54c0558f9..6e7b87757 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.192 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: packet.c,v 1.198 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -66,7 +66,6 @@
 #include "crc32.h"
 #include "compress.h"
 #include "deattack.h"
-#include "channels.h"
 #include "compat.h"
 #include "ssh1.h"
 #include "ssh2.h"
@@ -77,7 +76,9 @@
 #include "log.h"
 #include "canohost.h"
 #include "misc.h"
+#include "channels.h"
 #include "ssh.h"
+#include "ssherr.h"
 #include "roaming.h"
 
 #ifdef PACKET_DEBUG
@@ -222,6 +223,7 @@ void
 packet_set_connection(int fd_in, int fd_out)
 {
         const Cipher *none = cipher_by_name("none");
+        int r;
 
         if (none == NULL)
                 fatal("packet_set_connection: cannot load cipher 'none'");
@@ -229,10 +231,11 @@ packet_set_connection(int fd_in, int fd_out)
                 active_state = alloc_session_state();
         active_state->connection_in = fd_in;
         active_state->connection_out = fd_out;
-        cipher_init(&active_state->send_context, none, (const u_char *)"",
-            0, NULL, 0, CIPHER_ENCRYPT);
-        cipher_init(&active_state->receive_context, none, (const u_char *)"",
-            0, NULL, 0, CIPHER_DECRYPT);
+        if ((r = cipher_init(&active_state->send_context, none,
+            (const u_char *)"", 0, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
+            (r = cipher_init(&active_state->receive_context, none,
+            (const u_char *)"", 0, NULL, 0, CIPHER_DECRYPT)) != 0)
+                fatal("%s: cipher_init: %s", __func__, ssh_err(r));
         active_state->newkeys[MODE_IN] = active_state->newkeys[MODE_OUT] = NULL;
         if (!active_state->initialized) {
                 active_state->initialized = 1;
@@ -329,13 +332,15 @@ void
 packet_get_keyiv(int mode, u_char *iv, u_int len)
 {
         CipherContext *cc;
+        int r;
 
         if (mode == MODE_OUT)
                 cc = &active_state->send_context;
         else
                 cc = &active_state->receive_context;
 
-        cipher_get_keyiv(cc, iv, len);
+        if ((r = cipher_get_keyiv(cc, iv, len)) != 0)
+                fatal("%s: cipher_get_keyiv: %s", __func__, ssh_err(r));
 }
 
 int
@@ -381,13 +386,15 @@ void
 packet_set_iv(int mode, u_char *dat)
 {
         CipherContext *cc;
+        int r;
 
         if (mode == MODE_OUT)
                 cc = &active_state->send_context;
         else
                 cc = &active_state->receive_context;
 
-        cipher_set_keyiv(cc, dat);
+        if ((r = cipher_set_keyiv(cc, dat)) != 0)
+                fatal("%s: cipher_set_keyiv: %s", __func__, ssh_err(r));
 }
 
 int
@@ -552,6 +559,7 @@ void
 packet_set_encryption_key(const u_char *key, u_int keylen, int number)
 {
         const Cipher *cipher = cipher_by_number(number);
+        int r;
 
         if (cipher == NULL)
                 fatal("packet_set_encryption_key: unknown cipher number %d", number);
@@ -561,10 +569,11 @@ packet_set_encryption_key(const u_char *key, u_int keylen, int number)
                 fatal("packet_set_encryption_key: keylen too big: %d", keylen);
         memcpy(active_state->ssh1_key, key, keylen);
         active_state->ssh1_keylen = keylen;
-        cipher_init(&active_state->send_context, cipher, key, keylen, NULL,
-            0, CIPHER_ENCRYPT);
-        cipher_init(&active_state->receive_context, cipher, key, keylen, NULL,
-            0, CIPHER_DECRYPT);
+        if ((r = cipher_init(&active_state->send_context, cipher,
+            key, keylen, NULL, 0, CIPHER_ENCRYPT)) != 0 ||
+            (r = cipher_init(&active_state->receive_context, cipher,
+            key, keylen, NULL, 0, CIPHER_DECRYPT)) != 0)
+                fatal("%s: cipher_init: %s", __func__, ssh_err(r));
 }
 
 u_int
@@ -630,6 +639,7 @@ packet_put_raw(const void *buf, u_int len)
         buffer_append(&active_state->outgoing_packet, buf, len);
 }
 
+#ifdef WITH_OPENSSL
 void
 packet_put_bignum(BIGNUM * value)
 {
@@ -641,6 +651,7 @@ packet_put_bignum2(BIGNUM * value)
 {
         buffer_put_bignum2(&active_state->outgoing_packet, value);
 }
+#endif
 
 #ifdef OPENSSL_HAS_ECC
 void
@@ -742,7 +753,7 @@ set_newkeys(int mode)
         Comp *comp;
         CipherContext *cc;
         u_int64_t *max_blocks;
-        int crypt_type;
+        int r, crypt_type;
 
         debug2("set_newkeys: mode %d", mode);
 
@@ -784,8 +795,9 @@ set_newkeys(int mode)
         if (cipher_authlen(enc->cipher) == 0 && mac_init(mac) == 0)
                 mac->enabled = 1;
         DBG(debug("cipher_init_context: %d", mode));
-        cipher_init(cc, enc->cipher, enc->key, enc->key_len,
-            enc->iv, enc->iv_len, crypt_type);
+        if ((r = cipher_init(cc, enc->cipher, enc->key, enc->key_len,
+            enc->iv, enc->iv_len, crypt_type)) != 0)
+                fatal("%s: cipher_init: %s", __func__, ssh_err(r));
         /* Deleting the keys does not gain extra security */
         /* explicit_bzero(enc->iv,  enc->block_size);
            explicit_bzero(enc->key, enc->key_len);
@@ -912,8 +924,8 @@ packet_send2_wrapped(void)
                     roundup(active_state->extra_pad, block_size);
                 pad = active_state->extra_pad -
                     ((len + padlen) % active_state->extra_pad);
-                debug3("packet_send2: adding %d (len %d padlen %d extra_pad %d)",
-                    pad, len, padlen, active_state->extra_pad);
+                DBG(debug3("%s: adding %d (len %d padlen %d extra_pad %d)",
+                    __func__, pad, len, padlen, active_state->extra_pad));
                 padlen += pad;
                 active_state->extra_pad = 0;
         }
@@ -1569,6 +1581,7 @@ packet_get_int64(void)
  * must have been initialized before this call.
  */
 
+#ifdef WITH_OPENSSL
 void
 packet_get_bignum(BIGNUM * value)
 {
@@ -1598,6 +1611,7 @@ packet_get_raw(u_int *length_ptr)
                 *length_ptr = bytes;
         return buffer_ptr(&active_state->incoming_packet);
 }
+#endif
 
 int
 packet_remaining(void)
@@ -1618,7 +1632,7 @@ packet_get_string(u_int *length_ptr)
         return buffer_get_string(&active_state->incoming_packet, length_ptr);
 }
 
-void *
+const void *
 packet_get_string_ptr(u_int *length_ptr)
 {
         return buffer_get_string_ptr(&active_state->incoming_packet, length_ptr);
@@ -2055,3 +2069,23 @@ packet_restore_state(void)
                 add_recv_bytes(len);
         }
 }
+
+/* Reset after_authentication and reset compression in post-auth privsep */
+void
+packet_set_postauth(void)
+{
+        Comp *comp;
+        int mode;
+
+        debug("%s: called", __func__);
+        /* This was set in net child, but is not visible in user child */
+        active_state->after_authentication = 1;
+        active_state->rekeying = 0;
+        for (mode = 0; mode < MODE_MAX; mode++) {
+                if (active_state->newkeys[mode] == NULL)
+                        continue;
+                comp = &active_state->newkeys[mode]->comp;
+                if (comp && comp->enabled)
+                        packet_init_compression();
+        }
+}
diff --git a/packet.h b/packet.h
index f8edf851c..e7b5fcba9 100644
--- a/packet.h
+++ b/packet.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.h,v 1.59 2013/07/12 00:19:59 djm Exp $ */
+/* $OpenBSD: packet.h,v 1.61 2014/05/03 17:20:34 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -70,7 +70,7 @@ void	 packet_get_ecpoint(const EC_GROUP *, EC_POINT *);
 void    *packet_get_raw(u_int *length_ptr);
 void    *packet_get_string(u_int *length_ptr);
 char    *packet_get_cstring(u_int *length_ptr);
-void    *packet_get_string_ptr(u_int *length_ptr);
+const void      *packet_get_string_ptr(u_int *length_ptr);
 void     packet_disconnect(const char *fmt,...) __attribute__((noreturn)) __attribute__((format(printf, 1, 2)));
 void     packet_send_debug(const char *fmt,...) __attribute__((format(printf, 1, 2)));
 
@@ -120,6 +120,7 @@ time_t	 packet_get_rekey_timeout(void);
 
 void     packet_backup_state(void);
 void     packet_restore_state(void);
+void     packet_set_postauth(void);
 
 void    *packet_get_input(void);
 void    *packet_get_output(void);
diff --git a/platform.c b/platform.c
index 30fc60909..ee313da55 100644
--- a/platform.c
+++ b/platform.c
@@ -1,4 +1,4 @@
-/* $Id: platform.c,v 1.21 2014/01/21 01:59:29 tim Exp $ */
+/* $Id: platform.c,v 1.22 2014/07/18 04:11:26 djm Exp $ */
 
 /*
  * Copyright (c) 2006 Darren Tucker.  All rights reserved.
@@ -25,6 +25,7 @@
 
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "key.h"
 #include "hostfile.h"
diff --git a/poly1305.h b/poly1305.h
index 221efc462..f7db5f8d7 100644
--- a/poly1305.h
+++ b/poly1305.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: poly1305.h,v 1.2 2013/12/19 22:57:13 djm Exp $ */
+/* $OpenBSD: poly1305.h,v 1.4 2014/05/02 03:27:54 djm Exp $ */
 
 /* 
  * Public Domain poly1305 from Andrew Moon
diff --git a/readconf.c b/readconf.c
index dc884c9b1..7948ce1cd 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.218 2014/02/23 20:11:36 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.220 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -18,6 +18,7 @@
 #include <sys/stat.h>
 #include <sys/socket.h>
 #include <sys/wait.h>
+#include <sys/un.h>
 
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
@@ -48,9 +49,9 @@
 #include "pathnames.h"
 #include "log.h"
 #include "key.h"
+#include "misc.h"
 #include "readconf.h"
 #include "match.h"
-#include "misc.h"
 #include "buffer.h"
 #include "kex.h"
 #include "mac.h"
@@ -149,6 +150,7 @@ typedef enum {
         oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
         oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
         oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
+        oStreamLocalBindMask, oStreamLocalBindUnlink,
         oIgnoredUnknownOption, oDeprecated, oUnsupported
 } OpCodes;
 
@@ -261,6 +263,8 @@ static struct {
         { "canonicalizehostname", oCanonicalizeHostname },
         { "canonicalizemaxdots", oCanonicalizeMaxDots },
         { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
+        { "streamlocalbindmask", oStreamLocalBindMask },
+        { "streamlocalbindunlink", oStreamLocalBindUnlink },
         { "ignoreunknown", oIgnoreUnknown },
 
         { NULL, oBadOption }
@@ -272,12 +276,13 @@ static struct {
  */
 
 void
-add_local_forward(Options *options, const Forward *newfwd)
+add_local_forward(Options *options, const struct Forward *newfwd)
 {
-        Forward *fwd;
+        struct Forward *fwd;
 #ifndef NO_IPPORT_RESERVED_CONCEPT
         extern uid_t original_real_uid;
-        if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0)
+        if (newfwd->listen_port < IPPORT_RESERVED && original_real_uid != 0 &&
+            newfwd->listen_path == NULL)
                 fatal("Privileged ports can only be forwarded by root.");
 #endif
         options->local_forwards = xrealloc(options->local_forwards,
@@ -287,8 +292,10 @@ add_local_forward(Options *options, const Forward *newfwd)
 
         fwd->listen_host = newfwd->listen_host;
         fwd->listen_port = newfwd->listen_port;
+        fwd->listen_path = newfwd->listen_path;
         fwd->connect_host = newfwd->connect_host;
         fwd->connect_port = newfwd->connect_port;
+        fwd->connect_path = newfwd->connect_path;
 }
 
 /*
@@ -297,9 +304,9 @@ add_local_forward(Options *options, const Forward *newfwd)
  */
 
 void
-add_remote_forward(Options *options, const Forward *newfwd)
+add_remote_forward(Options *options, const struct Forward *newfwd)
 {
-        Forward *fwd;
+        struct Forward *fwd;
 
         options->remote_forwards = xrealloc(options->remote_forwards,
             options->num_remote_forwards + 1,
@@ -308,8 +315,10 @@ add_remote_forward(Options *options, const Forward *newfwd)
 
         fwd->listen_host = newfwd->listen_host;
         fwd->listen_port = newfwd->listen_port;
+        fwd->listen_path = newfwd->listen_path;
         fwd->connect_host = newfwd->connect_host;
         fwd->connect_port = newfwd->connect_port;
+        fwd->connect_path = newfwd->connect_path;
         fwd->handle = newfwd->handle;
         fwd->allocated_port = 0;
 }
@@ -321,7 +330,9 @@ clear_forwardings(Options *options)
 
         for (i = 0; i < options->num_local_forwards; i++) {
                 free(options->local_forwards[i].listen_host);
+                free(options->local_forwards[i].listen_path);
                 free(options->local_forwards[i].connect_host);
+                free(options->local_forwards[i].connect_path);
         }
         if (options->num_local_forwards > 0) {
                 free(options->local_forwards);
@@ -330,7 +341,9 @@ clear_forwardings(Options *options)
         options->num_local_forwards = 0;
         for (i = 0; i < options->num_remote_forwards; i++) {
                 free(options->remote_forwards[i].listen_host);
+                free(options->remote_forwards[i].listen_path);
                 free(options->remote_forwards[i].connect_host);
+                free(options->remote_forwards[i].connect_path);
         }
         if (options->num_remote_forwards > 0) {
                 free(options->remote_forwards);
@@ -345,6 +358,7 @@ add_identity_file(Options *options, const char *dir, const char *filename,
     int userprovided)
 {
         char *path;
+        int i;
 
         if (options->num_identity_files >= SSH_MAX_IDENTITY_FILES)
                 fatal("Too many identity files specified (max %d)",
@@ -355,6 +369,16 @@ add_identity_file(Options *options, const char *dir, const char *filename,
         else
                 (void)xasprintf(&path, "%.100s%.100s", dir, filename);
 
+        /* Avoid registering duplicates */
+        for (i = 0; i < options->num_identity_files; i++) {
+                if (options->identity_file_userprovided[i] == userprovided &&
+                    strcmp(options->identity_files[i], path) == 0) {
+                        debug2("%s: ignoring duplicate key %s", __func__, path);
+                        free(path);
+                        return;
+                }
+        }
+
         options->identity_file_userprovided[options->num_identity_files] =
             userprovided;
         options->identity_files[options->num_identity_files++] = path;
@@ -704,7 +728,7 @@ process_config_line(Options *options, struct passwd *pw, const char *host,
         LogLevel *log_level_ptr;
         long long val64;
         size_t len;
-        Forward fwd;
+        struct Forward fwd;
         const struct multistate *multistate_ptr;
         struct allowed_cname *cname;
 
@@ -794,7 +818,7 @@ parse_time:
                 goto parse_time;
 
         case oGatewayPorts:
-                intptr = &options->gateway_ports;
+                intptr = &options->fwd_opts.gateway_ports;
                 goto parse_flag;
 
         case oExitOnForwardFailure:
@@ -1394,6 +1418,21 @@ parse_int:
                 intptr = &options->canonicalize_fallback_local;
                 goto parse_flag;
 
+        case oStreamLocalBindMask:
+                arg = strdelim(&s);
+                if (!arg || *arg == '\0')
+                        fatal("%.200s line %d: Missing StreamLocalBindMask argument.", filename, linenum);
+                /* Parse mode in octal format */
+                value = strtol(arg, &endofnumber, 8);
+                if (arg == endofnumber || value < 0 || value > 0777)
+                        fatal("%.200s line %d: Bad mask.", filename, linenum);
+                options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
+                break;
+
+        case oStreamLocalBindUnlink:
+                intptr = &options->fwd_opts.streamlocal_bind_unlink;
+                goto parse_flag;
+
         case oDeprecated:
                 debug("%s line %d: Deprecated option \"%s\"",
                     filename, linenum, keyword);
@@ -1491,7 +1530,9 @@ initialize_options(Options * options)
         options->forward_x11_timeout = -1;
         options->exit_on_forward_failure = -1;
         options->xauth_location = NULL;
-        options->gateway_ports = -1;
+        options->fwd_opts.gateway_ports = -1;
+        options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+        options->fwd_opts.streamlocal_bind_unlink = -1;
         options->use_privileged_port = -1;
         options->rsa_authentication = -1;
         options->pubkey_authentication = -1;
@@ -1604,8 +1645,12 @@ fill_default_options(Options * options)
                 options->exit_on_forward_failure = 0;
         if (options->xauth_location == NULL)
                 options->xauth_location = _PATH_XAUTH;
-        if (options->gateway_ports == -1)
-                options->gateway_ports = 0;
+        if (options->fwd_opts.gateway_ports == -1)
+                options->fwd_opts.gateway_ports = 0;
+        if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+                options->fwd_opts.streamlocal_bind_mask = 0177;
+        if (options->fwd_opts.streamlocal_bind_unlink == -1)
+                options->fwd_opts.streamlocal_bind_unlink = 0;
         if (options->use_privileged_port == -1)
                 options->use_privileged_port = 0;
         if (options->rsa_authentication == -1)
@@ -1757,22 +1802,92 @@ fill_default_options(Options * options)
         /* options->preferred_authentications will be set in ssh */
 }
 
+struct fwdarg {
+        char *arg;
+        int ispath;
+};
+
+/*
+ * parse_fwd_field
+ * parses the next field in a port forwarding specification.
+ * sets fwd to the parsed field and advances p past the colon
+ * or sets it to NULL at end of string.
+ * returns 0 on success, else non-zero.
+ */
+static int
+parse_fwd_field(char **p, struct fwdarg *fwd)
+{
+        char *ep, *cp = *p;
+        int ispath = 0;
+
+        if (*cp == '\0') {
+                *p = NULL;
+                return -1;      /* end of string */
+        }
+
+        /*
+         * A field escaped with square brackets is used literally.
+         * XXX - allow ']' to be escaped via backslash?
+         */
+        if (*cp == '[') {
+                /* find matching ']' */
+                for (ep = cp + 1; *ep != ']' && *ep != '\0'; ep++) {
+                        if (*ep == '/')
+                                ispath = 1;
+                }
+                /* no matching ']' or not at end of field. */
+                if (ep[0] != ']' || (ep[1] != ':' && ep[1] != '\0'))
+                        return -1;
+                /* NUL terminate the field and advance p past the colon */
+                *ep++ = '\0';
+                if (*ep != '\0')
+                        *ep++ = '\0';
+                fwd->arg = cp + 1;
+                fwd->ispath = ispath;
+                *p = ep;
+                return 0;
+        }
+
+        for (cp = *p; *cp != '\0'; cp++) {
+                switch (*cp) {
+                case '\\':
+                        memmove(cp, cp + 1, strlen(cp + 1) + 1);
+                        cp++;
+                        break;
+                case '/':
+                        ispath = 1;
+                        break;
+                case ':':
+                        *cp++ = '\0';
+                        goto done;
+                }
+        }
+done:
+        fwd->arg = *p;
+        fwd->ispath = ispath;
+        *p = cp;
+        return 0;
+}
+
 /*
  * parse_forward
  * parses a string containing a port forwarding specification of the form:
  *   dynamicfwd == 0
- *      [listenhost:]listenport:connecthost:connectport
+ *      [listenhost:]listenport|listenpath:connecthost:connectport|connectpath
+ *      listenpath:connectpath
  *   dynamicfwd == 1
  *      [listenhost:]listenport
  * returns number of arguments parsed or zero on error
  */
 int
-parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
+parse_forward(struct Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
 {
+        struct fwdarg fwdargs[4];
+        char *p, *cp;
         int i;
-        char *p, *cp, *fwdarg[4];
 
-        memset(fwd, '\0', sizeof(*fwd));
+        memset(fwd, 0, sizeof(*fwd));
+        memset(fwdargs, 0, sizeof(fwdargs));
 
         cp = p = xstrdup(fwdspec);
 
@@ -1780,39 +1895,70 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
         while (isspace((u_char)*cp))
                 cp++;
 
-        for (i = 0; i < 4; ++i)
-                if ((fwdarg[i] = hpdelim(&cp)) == NULL)
+        for (i = 0; i < 4; ++i) {
+                if (parse_fwd_field(&cp, &fwdargs[i]) != 0)
                         break;
+        }
 
         /* Check for trailing garbage */
-        if (cp != NULL)
+        if (cp != NULL && *cp != '\0') {
                 i = 0;  /* failure */
+        }
 
         switch (i) {
         case 1:
-                fwd->listen_host = NULL;
-                fwd->listen_port = a2port(fwdarg[0]);
+                if (fwdargs[0].ispath) {
+                        fwd->listen_path = xstrdup(fwdargs[0].arg);
+                        fwd->listen_port = PORT_STREAMLOCAL;
+                } else {
+                        fwd->listen_host = NULL;
+                        fwd->listen_port = a2port(fwdargs[0].arg);
+                }
                 fwd->connect_host = xstrdup("socks");
                 break;
 
         case 2:
-                fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
-                fwd->listen_port = a2port(fwdarg[1]);
-                fwd->connect_host = xstrdup("socks");
+                if (fwdargs[0].ispath && fwdargs[1].ispath) {
+                        fwd->listen_path = xstrdup(fwdargs[0].arg);
+                        fwd->listen_port = PORT_STREAMLOCAL;
+                        fwd->connect_path = xstrdup(fwdargs[1].arg);
+                        fwd->connect_port = PORT_STREAMLOCAL;
+                } else if (fwdargs[1].ispath) {
+                        fwd->listen_host = NULL;
+                        fwd->listen_port = a2port(fwdargs[0].arg);
+                        fwd->connect_path = xstrdup(fwdargs[1].arg);
+                        fwd->connect_port = PORT_STREAMLOCAL;
+                } else {
+                        fwd->listen_host = xstrdup(fwdargs[0].arg);
+                        fwd->listen_port = a2port(fwdargs[1].arg);
+                        fwd->connect_host = xstrdup("socks");
+                }
                 break;
 
         case 3:
-                fwd->listen_host = NULL;
-                fwd->listen_port = a2port(fwdarg[0]);
-                fwd->connect_host = xstrdup(cleanhostname(fwdarg[1]));
-                fwd->connect_port = a2port(fwdarg[2]);
+                if (fwdargs[0].ispath) {
+                        fwd->listen_path = xstrdup(fwdargs[0].arg);
+                        fwd->listen_port = PORT_STREAMLOCAL;
+                        fwd->connect_host = xstrdup(fwdargs[1].arg);
+                        fwd->connect_port = a2port(fwdargs[2].arg);
+                } else if (fwdargs[2].ispath) {
+                        fwd->listen_host = xstrdup(fwdargs[0].arg);
+                        fwd->listen_port = a2port(fwdargs[1].arg);
+                        fwd->connect_path = xstrdup(fwdargs[2].arg);
+                        fwd->connect_port = PORT_STREAMLOCAL;
+                } else {
+                        fwd->listen_host = NULL;
+                        fwd->listen_port = a2port(fwdargs[0].arg);
+                        fwd->connect_host = xstrdup(fwdargs[1].arg);
+                        fwd->connect_port = a2port(fwdargs[2].arg);
+                }
                 break;
 
         case 4:
-                fwd->listen_host = xstrdup(cleanhostname(fwdarg[0]));
-                fwd->listen_port = a2port(fwdarg[1]);
-                fwd->connect_host = xstrdup(cleanhostname(fwdarg[2]));
-                fwd->connect_port = a2port(fwdarg[3]);
+                fwd->listen_host = xstrdup(fwdargs[0].arg);
+                fwd->listen_port = a2port(fwdargs[1].arg);
+                fwd->connect_host = xstrdup(fwdargs[2].arg);
+                fwd->connect_port = a2port(fwdargs[3].arg);
                 break;
         default:
                 i = 0; /* failure */
@@ -1824,29 +1970,42 @@ parse_forward(Forward *fwd, const char *fwdspec, int dynamicfwd, int remotefwd)
                 if (!(i == 1 || i == 2))
                         goto fail_free;
         } else {
-                if (!(i == 3 || i == 4))
-                        goto fail_free;
-                if (fwd->connect_port <= 0)
+                if (!(i == 3 || i == 4)) {
+                        if (fwd->connect_path == NULL &&
+                            fwd->listen_path == NULL)
+                                goto fail_free;
+                }
+                if (fwd->connect_port <= 0 && fwd->connect_path == NULL)
                         goto fail_free;
         }
 
-        if (fwd->listen_port < 0 || (!remotefwd && fwd->listen_port == 0))
+        if ((fwd->listen_port < 0 && fwd->listen_path == NULL) ||
+            (!remotefwd && fwd->listen_port == 0))
                 goto fail_free;
-
         if (fwd->connect_host != NULL &&
             strlen(fwd->connect_host) >= NI_MAXHOST)
                 goto fail_free;
+        /* XXX - if connecting to a remote socket, max sun len may not match this host */
+        if (fwd->connect_path != NULL &&
+            strlen(fwd->connect_path) >= PATH_MAX_SUN)
+                goto fail_free;
         if (fwd->listen_host != NULL &&
             strlen(fwd->listen_host) >= NI_MAXHOST)
                 goto fail_free;
-
+        if (fwd->listen_path != NULL &&
+            strlen(fwd->listen_path) >= PATH_MAX_SUN)
+                goto fail_free;
 
         return (i);
 
  fail_free:
         free(fwd->connect_host);
         fwd->connect_host = NULL;
+        free(fwd->connect_path);
+        fwd->connect_path = NULL;
         free(fwd->listen_host);
         fwd->listen_host = NULL;
+        free(fwd->listen_path);
+        fwd->listen_path = NULL;
         return (0);
 }
diff --git a/readconf.h b/readconf.h
index 75e3f8f7a..0b9cb777a 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.101 2014/02/23 20:11:36 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.102 2014/07/15 15:54:14 millert Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -16,21 +16,12 @@
 #ifndef READCONF_H
 #define READCONF_H
 
-/* Data structure for representing a forwarding request. */
-
-typedef struct {
-        char     *listen_host;          /* Host (address) to listen on. */
-        int       listen_port;          /* Port to forward. */
-        char     *connect_host;         /* Host to connect. */
-        int       connect_port;         /* Port to connect on connect_host. */
-        int       allocated_port;       /* Dynamically allocated listen port */
-        int       handle;               /* Handle for dynamic listen ports */
-}       Forward;
 /* Data structure for representing option data. */
 
 #define MAX_SEND_ENV            256
 #define SSH_MAX_HOSTS_FILES     32
 #define MAX_CANON_DOMAINS       32
+#define PATH_MAX_SUN            (sizeof((struct sockaddr_un *)0)->sun_path)
 
 struct allowed_cname {
         char *source_list;
@@ -44,7 +35,7 @@ typedef struct {
         int     forward_x11_trusted;    /* Trust Forward X11 display. */
         int     exit_on_forward_failure;        /* Exit if bind(2) fails for -L/-R */
         char   *xauth_location; /* Location for xauth program */
-        int     gateway_ports;  /* Allow remote connects to forwarded ports. */
+        struct ForwardOptions fwd_opts; /* forwarding options */
         int     use_privileged_port;    /* Don't use privileged port if false. */
         int     rhosts_rsa_authentication;      /* Try rhosts with RSA
                                                  * authentication. */
@@ -106,11 +97,11 @@ typedef struct {
 
         /* Local TCP/IP forward requests. */
         int     num_local_forwards;
-        Forward *local_forwards;
+        struct Forward *local_forwards;
 
         /* Remote TCP/IP forward requests. */
         int     num_remote_forwards;
-        Forward *remote_forwards;
+        struct Forward *remote_forwards;
         int     clear_forwardings;
 
         int     enable_ssh_keysign;
@@ -181,12 +172,12 @@ int	 process_config_line(Options *, struct passwd *, const char *, char *,
     const char *, int, int *, int);
 int      read_config_file(const char *, struct passwd *, const char *,
     Options *, int);
-int      parse_forward(Forward *, const char *, int, int);
+int      parse_forward(struct Forward *, const char *, int, int);
 int      default_ssh_port(void);
 int      option_clear_or_none(const char *);
 
-void     add_local_forward(Options *, const Forward *);
-void     add_remote_forward(Options *, const Forward *);
+void     add_local_forward(Options *, const struct Forward *);
+void     add_remote_forward(Options *, const struct Forward *);
 void     add_identity_file(Options *, const char *, const char *, int);
 
 #endif                          /* READCONF_H */
diff --git a/regress/Makefile b/regress/Makefile
index 6e3b8d634..3feb7a997 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,6 +1,6 @@
-#       $OpenBSD: Makefile,v 1.68 2014/01/25 04:35:32 dtucker Exp $
+#       $OpenBSD: Makefile,v 1.70 2014/06/24 01:14:17 djm Exp $
 
-REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
+REGRESS_TARGETS=        unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
 tests:          $(REGRESS_TARGETS)
 
 # Interop tests are not run by default
@@ -180,3 +180,11 @@ t-exec-interop:	${INTEROP_TESTS:=.sh}
 
 # Not run by default
 interop: ${INTEROP_TARGETS}
+
+# Unit tests, built by top-level Makefile
+unit:
+        set -e ; if test -z "${SKIP_UNIT}" ; then \
+                ${.OBJDIR}/unittests/sshbuf/test_sshbuf ; \
+                ${.OBJDIR}/unittests/sshkey/test_sshkey \
+                        -d  ${.CURDIR}//unittests/sshkey/testdata ; \
+        fi
diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh
index 94cc64acf..41cb7af69 100644
--- a/regress/connect-privsep.sh
+++ b/regress/connect-privsep.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: connect-privsep.sh,v 1.4 2012/07/02 14:37:06 dtucker Exp $
+#       $OpenBSD: connect-privsep.sh,v 1.5 2014/05/04 10:40:59 logan Exp $
 #       Placed in the Public Domain.
 
 tid="proxy connect with privsep"
@@ -26,7 +26,7 @@ done
 
 # Because sandbox is sensitive to changes in libc, especially malloc, retest
 # with every malloc.conf option (and none).
-for m in '' A F G H J P R S X Z '<' '>'; do
+for m in '' A F G H J P R S X '<' '>'; do
     for p in 1 2; do
         env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
         if [ $? -ne 0 ]; then
diff --git a/regress/dhgex.sh b/regress/dhgex.sh
index 4c1a3d83c..57fca4a32 100644
--- a/regress/dhgex.sh
+++ b/regress/dhgex.sh
@@ -1,10 +1,11 @@
-#       $OpenBSD: dhgex.sh,v 1.1 2014/01/25 04:35:32 dtucker Exp $
+#       $OpenBSD: dhgex.sh,v 1.2 2014/04/21 22:15:37 djm Exp $
 #       Placed in the Public Domain.
 
 tid="dhgex"
 
 LOG=${TEST_SSH_LOGFILE}
 rm -f ${LOG}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange`
 
@@ -14,6 +15,9 @@ ssh_test_dhgex()
         cipher="$1"; shift
         kex="$1"; shift
 
+        cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+        echo "KexAlgorithms=$kex" >> $OBJ/sshd_proxy
+        echo "Ciphers=$cipher" >> $OBJ/sshd_proxy
         rm -f ${LOG}
         opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
         groupsz="1024<$bits<8192"
diff --git a/regress/forwarding.sh b/regress/forwarding.sh
index 94873f22c..f799d4951 100644
--- a/regress/forwarding.sh
+++ b/regress/forwarding.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: forwarding.sh,v 1.11 2013/06/10 21:56:43 dtucker Exp $
+#       $OpenBSD: forwarding.sh,v 1.12 2014/07/15 15:54:15 millert Exp $
 #       Placed in the Public Domain.
 
 tid="local and remote forwarding"
@@ -28,7 +28,7 @@ for p in 1 2; do
         trace "transfer over forwarded channels and check result"
         ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \
                 somehost cat ${DATA} > ${COPY}
-        test -f ${COPY}         || fail "failed copy of ${DATA}"
+        test -s ${COPY}         || fail "failed copy of ${DATA}"
         cmp ${DATA} ${COPY}     || fail "corrupted copy of ${DATA}"
 
         sleep 10
@@ -114,8 +114,24 @@ for p in 1 2; do
         trace "config file: transfer over forwarded channels and check result"
         ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \
                 somehost cat ${DATA} > ${COPY}
-        test -f ${COPY}         || fail "failed copy of ${DATA}"
+        test -s ${COPY}         || fail "failed copy of ${DATA}"
         cmp ${DATA} ${COPY}     || fail "corrupted copy of ${DATA}"
 
         wait
 done
+
+for p in 2; do
+        trace "transfer over chained unix domain socket forwards and check result"
+        rm -f $OBJ/unix-[123].fwd
+        ${SSH} -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10
+        ${SSH} -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10
+        ${SSH} -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10
+        ${SSH} -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10
+        ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \
+                somehost cat ${DATA} > ${COPY}
+        test -s ${COPY}                 || fail "failed copy ${DATA}"
+        cmp ${DATA} ${COPY}             || fail "corrupted copy of ${DATA}"
+
+        #wait
+        sleep 10
+done
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 852d82690..d3a489ff7 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,7 +1,8 @@
-#       $OpenBSD: integrity.sh,v 1.12 2013/11/21 03:18:51 djm Exp $
+#       $OpenBSD: integrity.sh,v 1.14 2014/05/21 07:04:21 djm Exp $
 #       Placed in the Public Domain.
 
 tid="integrity"
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 # start at byte 2900 (i.e. after kex) and corrupt at different offsets
 # XXX the test hangs if we modify the low bytes of the packet length
@@ -34,11 +35,15 @@ for m in $macs; do
                         # avoid modifying the high bytes of the length
                         continue
                 fi
+                cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
                 # modify output from sshd at offset $off
                 pxy="proxycommand=$cmd | $OBJ/modpipe -wm xor:$off:1"
                 if ssh -Q cipher-auth | grep "^${m}\$" >/dev/null 2>&1 ; then
+                        echo "Ciphers=$m" >> $OBJ/sshd_proxy
                         macopt="-c $m"
                 else
+                        echo "Ciphers=aes128-ctr" >> $OBJ/sshd_proxy
+                        echo "MACs=$m" >> $OBJ/sshd_proxy
                         macopt="-m $m -c aes128-ctr"
                 fi
                 verbose "test $tid: $m @$off"
@@ -49,14 +54,14 @@ for m in $macs; do
                         fail "ssh -m $m succeeds with bit-flip at $off"
                 fi
                 ecnt=`expr $ecnt + 1`
-                output=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
+                out=$(tail -2 $TEST_SSH_LOGFILE | egrep -v "^debug" | \
                      tr -s '\r\n' '.')
-                case "$output" in
+                case "$out" in
                 Bad?packet*)    elen=`expr $elen + 1`; skip=3;;
                 Corrupted?MAC* | Decryption?integrity?check?failed*)
                                 emac=`expr $emac + 1`; skip=0;;
                 padding*)       epad=`expr $epad + 1`; skip=0;;
-                *)              fail "unexpected error mac $m at $off";;
+                *)              fail "unexpected error mac $m at $off: $out";;
                 esac
         done
         verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
diff --git a/regress/kextype.sh b/regress/kextype.sh
index 8c2ac09d6..6f952f4e4 100644
--- a/regress/kextype.sh
+++ b/regress/kextype.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: kextype.sh,v 1.4 2013/11/07 04:26:56 dtucker Exp $
+#       $OpenBSD: kextype.sh,v 1.5 2014/04/21 22:15:37 djm Exp $
 #       Placed in the Public Domain.
 
 tid="login with different key exchange algorithms"
@@ -7,6 +7,11 @@ TIME=/usr/bin/time
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
+# Make server accept all key exchanges.
+ALLKEX=`ssh -Q kex`
+KEXOPT=`echo $ALLKEX | tr ' ' ,`
+echo "KexAlgorithms=$KEXOPT" >> $OBJ/sshd_proxy
+
 tries="1 2 3 4"
 for k in `${SSH} -Q kex`; do
         verbose "kex $k"
diff --git a/regress/krl.sh b/regress/krl.sh
index 09246371c..287384b4a 100644
--- a/regress/krl.sh
+++ b/regress/krl.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: krl.sh,v 1.2 2013/11/21 03:15:46 djm Exp $
+#       $OpenBSD: krl.sh,v 1.3 2014/06/24 01:04:43 djm Exp $
 #       Placed in the Public Domain.
 
 tid="key revocation lists"
@@ -37,6 +37,9 @@ serial: 700-797
 serial: 798
 serial: 799
 serial: 599-701
+# Some multiple consecutive serial number ranges
+serial: 10000-20000
+serial: 30000-40000
 EOF
 
 # A specification that revokes some certificated by key ID.
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index d9b48f391..eb76f554b 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: login-timeout.sh,v 1.6 2014/02/27 20:04:16 djm Exp $
+#       $OpenBSD: login-timeout.sh,v 1.7 2014/03/13 20:44:49 djm Exp $
 #       Placed in the Public Domain.
 
 tid="connect after login grace timeout"
@@ -22,6 +22,7 @@ $SUDO kill `$SUDO cat $PIDFILE`
 trace "test login grace without privsep"
 echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config
 start_sshd
+sleep 1
 
 (echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & 
 sleep 15
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 3e697e691..8ee140be6 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,10 +1,26 @@
-#       $OpenBSD: multiplex.sh,v 1.21 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: multiplex.sh,v 1.25 2014/07/22 01:32:12 djm Exp $
 #       Placed in the Public Domain.
 
 CTL=/tmp/openssh.regress.ctl-sock.$$
 
 tid="connection multiplexing"
 
+if have_prog nc ; then
+        if nc -h 2>&1 | grep -- -N >/dev/null; then
+                NC="nc -N";
+        elif nc -h 2>&1 | grep -- "-U.*Use UNIX" >/dev/null ; then
+                NC="nc"
+        else
+                echo "nc is incompatible"
+        fi
+fi
+
+if test -z "$NC" ; then
+        echo "skipped (no compatible nc found)"
+        exit 0
+fi
+
+trace "will use ProxyCommand $proxycmd"
 if config_defined DISABLE_FD_PASSING ; then
         echo "skipped (not supported on this platform)"
         exit 0
@@ -29,7 +45,8 @@ start_mux_master()
         trace "start master, fork to background"
         ${SSH} -Nn2 -MS$CTL -F $OBJ/ssh_config -oSendEnv="_XXX_TEST" somehost \
             -E $TEST_REGRESS_LOGFILE 2>&1 &
-        MASTER_PID=$!
+        # NB. $SSH_PID will be killed by test-exec.sh:cleanup on fatal errors.
+        SSH_PID=$!
         wait_for_mux_master_ready
 }
 
@@ -71,6 +88,25 @@ test -f ${COPY}			|| fail "scp: failed copy ${DATA}"
 cmp ${DATA} ${COPY}             || fail "scp: corrupted copy of ${DATA}"
 
 rm -f ${COPY}
+verbose "test $tid: forward"
+trace "forward over TCP/IP and check result"
+$NC -l 127.0.0.1 $((${PORT} + 1)) < ${DATA} &
+netcat_pid=$!
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L127.0.0.1:$((${PORT} + 2)):127.0.0.1:$((${PORT} + 1)) otherhost >>$TEST_SSH_LOGFILE 2>&1
+$NC -d 127.0.0.1 $((${PORT} + 2)) > ${COPY} < /dev/null
+cmp ${DATA} ${COPY}             || fail "ssh: corrupted copy of ${DATA}"
+kill $netcat_pid 2>/dev/null
+rm -f ${COPY} $OBJ/unix-[123].fwd
+
+trace "forward over UNIX and check result"
+$NC -Ul $OBJ/unix-1.fwd < ${DATA} &
+netcat_pid=$!
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L$OBJ/unix-2.fwd:$OBJ/unix-1.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R$OBJ/unix-3.fwd:$OBJ/unix-2.fwd otherhost >>$TEST_SSH_LOGFILE 2>&1
+$NC -d -U $OBJ/unix-3.fwd > ${COPY} </dev/null
+cmp ${DATA} ${COPY}             || fail "ssh: corrupted copy of ${DATA}"
+kill $netcat_pid 2>/dev/null
+rm -f ${COPY} $OBJ/unix-[123].fwd
 
 for s in 0 1 4 5 44; do
         trace "exit status $s over multiplexed connection"
@@ -95,7 +131,7 @@ verbose "test $tid: cmd check"
 ${SSH} -F $OBJ/ssh_config -S $CTL -Ocheck otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
     || fail "check command failed" 
 
-verbose "test $tid: cmd forward local"
+verbose "test $tid: cmd forward local (TCP)"
 ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $P:localhost:$PORT otherhost \
      || fail "request local forward failed"
 ${SSH} -F $OBJ/ssh_config -p$P otherhost true \
@@ -105,7 +141,7 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $P:localhost:$PORT otherhost \
 ${SSH} -F $OBJ/ssh_config -p$P otherhost true \
      && fail "local forward port still listening"
 
-verbose "test $tid: cmd forward remote"
+verbose "test $tid: cmd forward remote (TCP)"
 ${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $P:localhost:$PORT otherhost \
      || fail "request remote forward failed"
 ${SSH} -F $OBJ/ssh_config -p$P otherhost true \
@@ -115,13 +151,35 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $P:localhost:$PORT otherhost \
 ${SSH} -F $OBJ/ssh_config -p$P otherhost true \
      && fail "remote forward port still listening"
 
+verbose "test $tid: cmd forward local (UNIX)"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \
+     || fail "request local forward failed"
+echo "" | $NC -U $OBJ/unix-1.fwd | grep "Protocol mismatch" >/dev/null 2>&1 \
+     || fail "connect to local forward path failed"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -L $OBJ/unix-1.fwd:localhost:$PORT otherhost \
+     || fail "cancel local forward failed"
+N=$(echo "xyzzy" | $NC -U $OBJ/unix-1.fwd 2>&1 | grep "xyzzy" | wc -l)
+test ${N} -eq 0 || fail "local forward path still listening"
+rm -f $OBJ/unix-1.fwd
+
+verbose "test $tid: cmd forward remote (UNIX)"
+${SSH} -F $OBJ/ssh_config -S $CTL -Oforward -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \
+     || fail "request remote forward failed"
+echo "" | $NC -U $OBJ/unix-1.fwd | grep "Protocol mismatch" >/dev/null 2>&1 \
+     || fail "connect to remote forwarded path failed"
+${SSH} -F $OBJ/ssh_config -S $CTL -Ocancel -R $OBJ/unix-1.fwd:localhost:$PORT otherhost \
+     || fail "cancel remote forward failed"
+N=$(echo "xyzzy" | $NC -U $OBJ/unix-1.fwd 2>&1 | grep "xyzzy" | wc -l)
+test ${N} -eq 0 || fail "remote forward path still listening"
+rm -f $OBJ/unix-1.fwd
+
 verbose "test $tid: cmd exit"
 ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_REGRESS_LOGFILE 2>&1 \
     || fail "send exit command failed" 
 
 # Wait for master to exit
-wait $MASTER_PID
-kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
+wait $SSH_PID
+kill -0 $SSH_PID >/dev/null 2>&1 && fail "exit command failed"
 
 # Restart master and test -O stop command with master using -N
 verbose "test $tid: cmd stop"
@@ -138,6 +196,8 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Ostop otherhost >>$TEST_REGRESS_LOGFILE 2>&1
 # wait until both long-running command and master have exited.
 wait $SLEEP_PID
 [ $! != 0 ] || fail "waiting for concurrent command"
-wait $MASTER_PID
+wait $SSH_PID
 [ $! != 0 ] || fail "waiting for master stop"
-kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"
+kill -0 $SSH_PID >/dev/null 2>&1 && fatal "stop command failed"
+SSH_PID="" # Already gone, so don't kill in cleanup
+
diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh
index 76e602dd6..023ba7367 100644
--- a/regress/proxy-connect.sh
+++ b/regress/proxy-connect.sh
@@ -1,26 +1,31 @@
-#       $OpenBSD: proxy-connect.sh,v 1.6 2013/03/07 00:20:34 djm Exp $
+#       $OpenBSD: proxy-connect.sh,v 1.7 2014/05/03 18:46:14 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="proxy connect"
 
-verbose "plain username"
-for p in 1 2; do
-        ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true
-        if [ $? -ne 0 ]; then
-                fail "ssh proxyconnect protocol $p failed"
-        fi
-        SSH_CONNECTION=`${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 'echo $SSH_CONNECTION'`
+mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig
+
+for ps in no yes; do
+  cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy
+  echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy
+
+  for p in 1 2; do
+    for c in no yes; do
+        verbose "plain username protocol $p privsep=$ps comp=$c"
+        opts="-$p -oCompression=$c -F $OBJ/ssh_proxy"
+        SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'`
         if [ $? -ne 0 ]; then
-                fail "ssh proxyconnect protocol $p failed"
+                fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed"
         fi
         if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then
-                fail "bad SSH_CONNECTION"
+                fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c"
         fi
+    done
+  done
 done
 
-verbose "username with style"
 for p in 1 2; do
+        verbose "username with style protocol $p"
         ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \
                 fail "ssh proxyconnect protocol $p failed"
 done
-
diff --git a/regress/rekey.sh b/regress/rekey.sh
index cf9401ea0..fd452b034 100644
--- a/regress/rekey.sh
+++ b/regress/rekey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: rekey.sh,v 1.14 2013/11/21 03:18:51 djm Exp $
+#       $OpenBSD: rekey.sh,v 1.15 2014/04/21 22:15:37 djm Exp $
 #       Placed in the Public Domain.
 
 tid="rekey"
@@ -6,14 +6,22 @@ tid="rekey"
 LOG=${TEST_SSH_LOGFILE}
 
 rm -f ${LOG}
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 
 # Test rekeying based on data volume only.
 # Arguments will be passed to ssh.
 ssh_data_rekeying()
 {
+        _kexopt=$1 ; shift
+        _opts="$@"
+        if ! test -z "$_kexopts" ; then
+                cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+                echo "$_kexopt" >> $OBJ/sshd_proxy
+                _opts="$_opts -o$_kexopt"
+        fi
         rm -f ${COPY} ${LOG}
-        ${SSH} <${DATA} -oCompression=no $@ -v -F $OBJ/ssh_proxy somehost \
-                "cat > ${COPY}"
+        _opts="$_opts -oCompression=no"
+        ${SSH} <${DATA} $_opts -v -F $OBJ/ssh_proxy somehost "cat > ${COPY}"
         if [ $? -ne 0 ]; then
                 fail "ssh failed ($@)"
         fi
@@ -41,7 +49,7 @@ done
 
 for opt in $opts; do
         verbose "client rekey $opt"
-        ssh_data_rekeying -oRekeyLimit=256k -o$opt
+        ssh_data_rekeying "$opt" -oRekeyLimit=256k
 done
 
 # AEAD ciphers are magical so test with all KexAlgorithms
@@ -49,14 +57,14 @@ if ${SSH} -Q cipher-auth | grep '^.*$' >/dev/null 2>&1 ; then
   for c in `${SSH} -Q cipher-auth`; do
     for kex in `${SSH} -Q kex`; do
         verbose "client rekey $c $kex"
-        ssh_data_rekeying -oRekeyLimit=256k -oCiphers=$c -oKexAlgorithms=$kex
+        ssh_data_rekeying "KexAlgorithms=$kex" -oRekeyLimit=256k -oCiphers=$c
     done
   done
 fi
 
 for s in 16 1k 128k 256k; do
         verbose "client rekeylimit ${s}"
-        ssh_data_rekeying -oCompression=no -oRekeyLimit=$s
+        ssh_data_rekeying "" -oCompression=no -oRekeyLimit=$s
 done
 
 for s in 5 10; do
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index aac8aa5c2..a1bab832f 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: test-exec.sh,v 1.47 2013/11/09 05:41:34 dtucker Exp $
+#       $OpenBSD: test-exec.sh,v 1.48 2014/07/06 07:42:03 djm Exp $
 #       Placed in the Public Domain.
 
 #SUDO=sudo
@@ -240,13 +240,20 @@ md5 () {
 # helper
 cleanup ()
 {
+        if [ "x$SSH_PID" != "x" ]; then
+                if [ $SSH_PID -lt 2 ]; then
+                        echo bad pid for ssh: $SSH_PID
+                else
+                        kill $SSH_PID
+                fi
+        fi
         if [ -f $PIDFILE ]; then
                 pid=`$SUDO cat $PIDFILE`
                 if [ "X$pid" = "X" ]; then
                         echo no sshd running
                 else
                         if [ $pid -lt 2 ]; then
-                                echo bad pid for ssh: $pid
+                                echo bad pid for sshd: $pid
                         else
                                 $SUDO kill $pid
                                 trace "wait for sshd to exit"
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index ac34cedbf..2881ce16c 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,13 +1,18 @@
-#       $OpenBSD: try-ciphers.sh,v 1.22 2013/11/21 03:18:51 djm Exp $
+#       $OpenBSD: try-ciphers.sh,v 1.23 2014/04/21 22:15:37 djm Exp $
 #       Placed in the Public Domain.
 
 tid="try ciphers"
 
+cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
+
 for c in `${SSH} -Q cipher`; do
         n=0
         for m in `${SSH} -Q mac`; do
                 trace "proto 2 cipher $c mac $m"
                 verbose "test $tid: proto 2 cipher $c mac $m"
+                cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy
+                echo "Ciphers=$c" >> $OBJ/sshd_proxy
+                echo "MACs=$m" >> $OBJ/sshd_proxy
                 ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true
                 if [ $? -ne 0 ]; then
                         fail "ssh -2 failed with mac $m cipher $c"
diff --git a/regress/unittests/Makefile b/regress/unittests/Makefile
new file mode 100644
index 000000000..bdb4574e2
--- /dev/null
+++ b/regress/unittests/Makefile
@@ -0,0 +1,5 @@
+#       $OpenBSD: Makefile,v 1.1 2014/04/30 05:32:00 djm Exp $
+
+SUBDIR= test_helper sshbuf sshkey
+
+.include <bsd.subdir.mk>
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
new file mode 100644
index 000000000..4c3363749
--- /dev/null
+++ b/regress/unittests/Makefile.inc
@@ -0,0 +1,59 @@
+#       $OpenBSD: Makefile.inc,v 1.1 2014/04/30 05:32:00 djm Exp $
+
+.include <bsd.own.mk>
+.include <bsd.obj.mk>
+
+# enable warnings
+WARNINGS=Yes
+
+DEBUG=-g
+CFLAGS+=        -fstack-protector-all
+CDIAGFLAGS=     -Wall
+CDIAGFLAGS+=    -Wextra
+CDIAGFLAGS+=    -Werror
+CDIAGFLAGS+=    -Wchar-subscripts
+CDIAGFLAGS+=    -Wcomment
+CDIAGFLAGS+=    -Wformat
+CDIAGFLAGS+=    -Wformat-security
+CDIAGFLAGS+=    -Wimplicit
+CDIAGFLAGS+=    -Winline
+CDIAGFLAGS+=    -Wmissing-declarations
+CDIAGFLAGS+=    -Wmissing-prototypes
+CDIAGFLAGS+=    -Wparentheses
+CDIAGFLAGS+=    -Wpointer-arith
+CDIAGFLAGS+=    -Wpointer-sign
+CDIAGFLAGS+=    -Wreturn-type
+CDIAGFLAGS+=    -Wshadow
+CDIAGFLAGS+=    -Wsign-compare
+CDIAGFLAGS+=    -Wstrict-aliasing
+CDIAGFLAGS+=    -Wstrict-prototypes
+CDIAGFLAGS+=    -Wswitch
+CDIAGFLAGS+=    -Wtrigraphs
+CDIAGFLAGS+=    -Wuninitialized
+CDIAGFLAGS+=    -Wunused
+.if ${COMPILER_VERSION} == "gcc4"
+CDIAGFLAGS+=    -Wold-style-definition
+.endif
+
+SSHREL=../../../../../usr.bin/ssh
+
+CFLAGS+=-I${.CURDIR}/../test_helper -I${.CURDIR}/${SSHREL}
+
+.if exists(${.CURDIR}/../test_helper/${__objdir})
+LDADD+=-L${.CURDIR}/../test_helper/${__objdir} -ltest_helper
+DPADD+=${.CURDIR}/../test_helper/${__objdir}/libtest_helper.a
+.else
+LDADD+=-L${.CURDIR}/../test_helper -ltest_helper
+DPADD+=${.CURDIR}/../test_helper/libtest_helper.a
+.endif
+
+.if exists(${.CURDIR}/${SSHREL}/lib/${__objdir})
+LDADD+=-L${.CURDIR}/${SSHREL}/lib/${__objdir} -lssh
+DPADD+=${.CURDIR}/${SSHREL}/lib/${__objdir}/libssh.a
+.else
+LDADD+=-L${.CURDIR}/${SSHREL}/lib -lssh
+DPADD+=${.CURDIR}/${SSHREL}/lib/libssh.a
+.endif
+
+LDADD+= -lcrypto
+DPADD+= ${LIBCRYPTO}
diff --git a/regress/unittests/sshbuf/Makefile b/regress/unittests/sshbuf/Makefile
new file mode 100644
index 000000000..85f99ac38
--- /dev/null
+++ b/regress/unittests/sshbuf/Makefile
@@ -0,0 +1,14 @@
+#       $OpenBSD: Makefile,v 1.1 2014/04/30 05:32:00 djm Exp $
+
+PROG=test_sshbuf
+SRCS=tests.c
+SRCS+=test_sshbuf.c
+SRCS+=test_sshbuf_getput_basic.c
+SRCS+=test_sshbuf_getput_crypto.c
+SRCS+=test_sshbuf_misc.c
+SRCS+=test_sshbuf_fuzz.c
+SRCS+=test_sshbuf_getput_fuzz.c
+SRCS+=test_sshbuf_fixed.c
+
+.include <bsd.regress.mk>
+
diff --git a/regress/unittests/sshbuf/test_sshbuf.c b/regress/unittests/sshbuf/test_sshbuf.c
new file mode 100644
index 000000000..ee77d6934
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf.c
@@ -0,0 +1,240 @@
+/*      $OpenBSD: test_sshbuf.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#define SSHBUF_INTERNAL 1       /* access internals for testing */
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "sshbuf.h"
+
+void sshbuf_tests(void);
+
+void
+sshbuf_tests(void)
+{
+        struct sshbuf *p1;
+        const u_char *cdp;
+        u_char *dp;
+        size_t sz;
+        int r;
+
+        TEST_START("allocate sshbuf");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        TEST_DONE();
+
+        TEST_START("max size on fresh buffer");
+        ASSERT_SIZE_T_GT(sshbuf_max_size(p1), 0);
+        TEST_DONE();
+
+        TEST_START("available on fresh buffer");
+        ASSERT_SIZE_T_GT(sshbuf_avail(p1), 0);
+        TEST_DONE();
+
+        TEST_START("len = 0 on empty buffer");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        TEST_DONE();
+
+        TEST_START("set valid max size");
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 65536), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), 65536);
+        TEST_DONE();
+
+        TEST_START("available on limited buffer");
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 65536);
+        TEST_DONE();
+
+        TEST_START("free");
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("consume on empty buffer");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_consume(p1, 0), 0);
+        ASSERT_INT_EQ(sshbuf_consume(p1, 1), SSH_ERR_MESSAGE_INCOMPLETE);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("consume_end on empty buffer");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_consume_end(p1, 0), 0);
+        ASSERT_INT_EQ(sshbuf_consume_end(p1, 1), SSH_ERR_MESSAGE_INCOMPLETE);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("reserve space");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        r = sshbuf_reserve(p1, 1, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        *dp = 0x11;
+        r = sshbuf_reserve(p1, 3, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        *dp++ = 0x22;
+        *dp++ = 0x33;
+        *dp++ = 0x44;
+        TEST_DONE();
+
+        TEST_START("sshbuf_len on filled buffer");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        TEST_DONE();
+
+        TEST_START("sshbuf_ptr on filled buffer");
+        cdp = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(cdp, NULL);
+        ASSERT_U8_EQ(cdp[0], 0x11);
+        ASSERT_U8_EQ(cdp[1], 0x22);
+        ASSERT_U8_EQ(cdp[2], 0x33);
+        ASSERT_U8_EQ(cdp[3], 0x44);
+        TEST_DONE();
+
+        TEST_START("consume on filled buffer");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        ASSERT_INT_EQ(sshbuf_consume(p1, 0), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        r = sshbuf_consume(p1, 64);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        ASSERT_INT_EQ(sshbuf_consume(p1, 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 3);
+        cdp = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_U8_EQ(cdp[0], 0x22);
+        ASSERT_INT_EQ(sshbuf_consume(p1, 2), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        cdp = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_U8_EQ(cdp[0], 0x44);
+        r = sshbuf_consume(p1, 2);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        ASSERT_INT_EQ(sshbuf_consume(p1, 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        r = sshbuf_consume(p1, 1);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("consume_end on filled buffer");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        r = sshbuf_reserve(p1, 4, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        *dp++ = 0x11;
+        *dp++ = 0x22;
+        *dp++ = 0x33;
+        *dp++ = 0x44;
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        r = sshbuf_consume_end(p1, 5);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        ASSERT_INT_EQ(sshbuf_consume_end(p1, 3), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        cdp = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(cdp, NULL);
+        ASSERT_U8_EQ(*cdp, 0x11);
+        r = sshbuf_consume_end(p1, 2);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_INT_EQ(sshbuf_consume_end(p1, 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("fill limited buffer");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 1223), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), 1223);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 1223);
+        r = sshbuf_reserve(p1, 1223, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        memset(dp, 0xd7, 1223);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1223);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 0);
+        r = sshbuf_reserve(p1, 1, &dp);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_PTR_EQ(dp, NULL);
+        TEST_DONE();
+
+        TEST_START("consume and force compaction");
+        ASSERT_INT_EQ(sshbuf_consume(p1, 223), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1000);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 223);
+        r = sshbuf_reserve(p1, 224, &dp);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_PTR_EQ(dp, NULL);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1000);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 223);
+        r = sshbuf_reserve(p1, 223, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        memset(dp, 0x7d, 223);
+        cdp = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(cdp, NULL);
+        ASSERT_MEM_FILLED_EQ(cdp, 0xd7, 1000);
+        ASSERT_MEM_FILLED_EQ(cdp + 1000, 0x7d, 223);
+        TEST_DONE();
+
+        TEST_START("resize full buffer");
+        r = sshbuf_set_max_size(p1, 1000);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        sz = roundup(1223 + SSHBUF_SIZE_INC * 3, SSHBUF_SIZE_INC);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sz), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), sz);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz - 1223);
+        ASSERT_INT_EQ(sshbuf_len(p1), 1223);
+        TEST_DONE();
+
+        /* NB. uses sshbuf internals */
+        TEST_START("alloc chunking");
+        r = sshbuf_reserve(p1, 1, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        *dp = 0xff;
+        cdp = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(cdp, NULL);
+        ASSERT_MEM_FILLED_EQ(cdp, 0xd7, 1000);
+        ASSERT_MEM_FILLED_EQ(cdp + 1000, 0x7d, 223);
+        ASSERT_MEM_FILLED_EQ(cdp + 1223, 0xff, 1);
+        ASSERT_SIZE_T_EQ(sshbuf_alloc(p1) % SSHBUF_SIZE_INC, 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("reset buffer");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 1223), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), 1223);
+        r = sshbuf_reserve(p1, 1223, &dp);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_PTR_NE(dp, NULL);
+        memset(dp, 0xd7, 1223);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1223);
+        sshbuf_reset(p1);
+        ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), 1223);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 1223);
+        sshbuf_free(p1);
+        TEST_DONE();
+}
diff --git a/regress/unittests/sshbuf/test_sshbuf_fixed.c b/regress/unittests/sshbuf/test_sshbuf_fixed.c
new file mode 100644
index 000000000..df4925f7c
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_fixed.c
@@ -0,0 +1,126 @@
+/*      $OpenBSD: test_sshbuf_fixed.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#define SSHBUF_INTERNAL 1  /* access internals for testing */
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include "../test_helper/test_helper.h"
+
+#include "sshbuf.h"
+#include "ssherr.h"
+
+void sshbuf_fixed(void);
+
+const u_char test_buf[] = "\x01\x12\x34\x56\x78\x00\x00\x00\x05hello";
+
+void
+sshbuf_fixed(void)
+{
+        struct sshbuf *p1, *p2, *p3;
+        u_char c;
+        char *s;
+        u_int i;
+        size_t l;
+
+        TEST_START("sshbuf_from");
+        p1 = sshbuf_from(test_buf, sizeof(test_buf));
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_PTR_EQ(sshbuf_mutable_ptr(p1), NULL);
+        ASSERT_INT_EQ(sshbuf_check_reserve(p1, 1), SSH_ERR_BUFFER_READ_ONLY);
+        ASSERT_INT_EQ(sshbuf_reserve(p1, 1, NULL), SSH_ERR_BUFFER_READ_ONLY);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 200), SSH_ERR_BUFFER_READ_ONLY);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x12345678), SSH_ERR_BUFFER_READ_ONLY);
+        ASSERT_SIZE_T_EQ(sshbuf_avail(p1), 0);
+        ASSERT_PTR_EQ(sshbuf_ptr(p1), test_buf);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_from data");
+        p1 = sshbuf_from(test_buf, sizeof(test_buf) - 1);
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_PTR_EQ(sshbuf_ptr(p1), test_buf);
+        ASSERT_INT_EQ(sshbuf_get_u8(p1, &c), 0);
+        ASSERT_PTR_EQ(sshbuf_ptr(p1), test_buf + 1);
+        ASSERT_U8_EQ(c, 1);
+        ASSERT_INT_EQ(sshbuf_get_u32(p1, &i), 0);
+        ASSERT_PTR_EQ(sshbuf_ptr(p1), test_buf + 5);
+        ASSERT_U32_EQ(i, 0x12345678);
+        ASSERT_INT_EQ(sshbuf_get_cstring(p1, &s, &l), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        ASSERT_STRING_EQ(s, "hello");
+        ASSERT_SIZE_T_EQ(l, 5);
+        sshbuf_free(p1);
+        free(s);
+        TEST_DONE();
+
+        TEST_START("sshbuf_fromb ");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_U_INT_EQ(sshbuf_refcount(p1), 1);
+        ASSERT_PTR_EQ(sshbuf_parent(p1), NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, test_buf, sizeof(test_buf) - 1), 0);
+        p2 = sshbuf_fromb(p1);
+        ASSERT_PTR_NE(p2, NULL);
+        ASSERT_U_INT_EQ(sshbuf_refcount(p1), 2);
+        ASSERT_PTR_EQ(sshbuf_parent(p1), NULL);
+        ASSERT_PTR_EQ(sshbuf_parent(p2), p1);
+        ASSERT_PTR_EQ(sshbuf_ptr(p2), sshbuf_ptr(p1));
+        ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
+        ASSERT_PTR_NE(sshbuf_ptr(p2), NULL);
+        ASSERT_PTR_EQ(sshbuf_mutable_ptr(p1), NULL);
+        ASSERT_PTR_EQ(sshbuf_mutable_ptr(p2), NULL);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sshbuf_len(p2));
+        ASSERT_INT_EQ(sshbuf_get_u8(p2, &c), 0);
+        ASSERT_PTR_EQ(sshbuf_ptr(p2), sshbuf_ptr(p1) + 1);
+        ASSERT_U8_EQ(c, 1);
+        ASSERT_INT_EQ(sshbuf_get_u32(p2, &i), 0);
+        ASSERT_PTR_EQ(sshbuf_ptr(p2), sshbuf_ptr(p1) + 5);
+        ASSERT_U32_EQ(i, 0x12345678);
+        ASSERT_INT_EQ(sshbuf_get_cstring(p2, &s, &l), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p2), 0);
+        ASSERT_STRING_EQ(s, "hello");
+        ASSERT_SIZE_T_EQ(l, 5);
+        sshbuf_free(p1);
+        ASSERT_U_INT_EQ(sshbuf_refcount(p1), 1);
+        sshbuf_free(p2);
+        free(s);
+        TEST_DONE();
+
+        TEST_START("sshbuf_froms");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x01), 0);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x12345678), 0);
+        ASSERT_INT_EQ(sshbuf_put_cstring(p1, "hello"), 0);
+        p2 = sshbuf_new();
+        ASSERT_PTR_NE(p2, NULL);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(test_buf) - 1);
+        ASSERT_INT_EQ(sshbuf_put_stringb(p2, p1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p2), sizeof(test_buf) + 4 - 1);
+        ASSERT_INT_EQ(sshbuf_froms(p2, &p3), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p2), 0);
+        ASSERT_PTR_NE(p3, NULL);
+        ASSERT_PTR_NE(sshbuf_ptr(p3), NULL);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p3), sizeof(test_buf) - 1);
+        ASSERT_MEM_EQ(sshbuf_ptr(p3), test_buf, sizeof(test_buf) - 1);
+        sshbuf_free(p3);
+        ASSERT_INT_EQ(sshbuf_put_stringb(p2, p1), 0);
+        ASSERT_INT_EQ(sshbuf_consume_end(p2, 1), 0);
+        ASSERT_INT_EQ(sshbuf_froms(p2, &p3), SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_PTR_EQ(p3, NULL);
+        sshbuf_free(p2);
+        sshbuf_free(p1);
+}
diff --git a/regress/unittests/sshbuf/test_sshbuf_fuzz.c b/regress/unittests/sshbuf/test_sshbuf_fuzz.c
new file mode 100644
index 000000000..c52376b53
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_fuzz.c
@@ -0,0 +1,127 @@
+/*      $OpenBSD: test_sshbuf_fuzz.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "sshbuf.h"
+
+#define NUM_FUZZ_TESTS (1 << 18)
+
+void sshbuf_fuzz_tests(void);
+
+void
+sshbuf_fuzz_tests(void)
+{
+        struct sshbuf *p1;
+        u_char *dp;
+        size_t sz, sz2, i;
+        u_int32_t r;
+        int ret;
+
+        /* NB. uses sshbuf internals */
+        TEST_START("fuzz alloc/dealloc");
+        p1 = sshbuf_new();
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 16 * 1024), 0);
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
+        ASSERT_MEM_ZERO_NE(sshbuf_ptr(p1), sshbuf_len(p1));
+        for (i = 0; i < NUM_FUZZ_TESTS; i++) {
+                r = arc4random_uniform(10);
+                if (r == 0) {
+                        /* 10% chance: small reserve */
+                        r = arc4random_uniform(10);
+ fuzz_reserve:
+                        sz = sshbuf_avail(p1);
+                        sz2 = sshbuf_len(p1);
+                        ret = sshbuf_reserve(p1, r, &dp);
+                        if (ret < 0) {
+                                ASSERT_PTR_EQ(dp, NULL);
+                                ASSERT_SIZE_T_LT(sz, r);
+                                ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz);
+                                ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2);
+                        } else {
+                                ASSERT_PTR_NE(dp, NULL);
+                                ASSERT_SIZE_T_GE(sz, r);
+                                ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz - r);
+                                ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2 + r);
+                                memset(dp, arc4random_uniform(255) + 1, r);
+                        }
+                } else if (r < 3) {
+                        /* 20% chance: big reserve */
+                        r = arc4random_uniform(8 * 1024);
+                        goto fuzz_reserve;
+                } else if (r == 3) {
+                        /* 10% chance: small consume */
+                        r = arc4random_uniform(10);
+ fuzz_consume:
+                        sz = sshbuf_avail(p1);
+                        sz2 = sshbuf_len(p1);
+                        /* 50% change consume from end, otherwise start */
+                        ret = ((arc4random() & 1) ?
+                            sshbuf_consume : sshbuf_consume_end)(p1, r);
+                        if (ret < 0) {
+                                ASSERT_SIZE_T_LT(sz2, r);
+                                ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz);
+                                ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2);
+                        } else {
+                                ASSERT_SIZE_T_GE(sz2, r);
+                                ASSERT_SIZE_T_EQ(sshbuf_avail(p1), sz + r);
+                                ASSERT_SIZE_T_EQ(sshbuf_len(p1), sz2 - r);
+                        }
+                } else if (r < 8) {
+                        /* 40% chance: big consume */
+                        r = arc4random_uniform(2 * 1024);
+                        goto fuzz_consume;
+                } else if (r == 8) {
+                        /* 10% chance: reset max size */
+                        r = arc4random_uniform(16 * 1024);
+                        sz = sshbuf_max_size(p1);
+                        if (sshbuf_set_max_size(p1, r) < 0)
+                                ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), sz);
+                        else
+                                ASSERT_SIZE_T_EQ(sshbuf_max_size(p1), r);
+                } else {
+                        if (arc4random_uniform(8192) == 0) {
+                                /* tiny chance: new buffer */
+                                ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
+                                ASSERT_MEM_ZERO_NE(sshbuf_ptr(p1), sshbuf_len(p1));
+                                sshbuf_free(p1);
+                                p1 = sshbuf_new();
+                                ASSERT_PTR_NE(p1, NULL);
+                                ASSERT_INT_EQ(sshbuf_set_max_size(p1,
+                                    16 * 1024), 0);
+                        } else {
+                                /* Almost 10%: giant reserve */
+                                /* use arc4random_buf for r > 2^32 on 64 bit */
+                                arc4random_buf(&r, sizeof(r));
+                                while (r < SSHBUF_SIZE_MAX / 2) {
+                                        r <<= 1;
+                                        r |= arc4random() & 1;
+                                }
+                                goto fuzz_reserve;
+                        }
+                }
+                ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
+                ASSERT_SIZE_T_LE(sshbuf_max_size(p1), 16 * 1024);
+        }
+        ASSERT_PTR_NE(sshbuf_ptr(p1), NULL);
+        ASSERT_MEM_ZERO_NE(sshbuf_ptr(p1), sshbuf_len(p1));
+        sshbuf_free(p1);
+        TEST_DONE();
+}
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_basic.c b/regress/unittests/sshbuf/test_sshbuf_getput_basic.c
new file mode 100644
index 000000000..966e8432b
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_basic.c
@@ -0,0 +1,484 @@
+/*      $OpenBSD: test_sshbuf_getput_basic.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include "../test_helper/test_helper.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+
+void sshbuf_getput_basic_tests(void);
+
+void
+sshbuf_getput_basic_tests(void)
+{
+        struct sshbuf *p1, *p2;
+        const u_char *cd;
+        u_char *d, d2[32], x[] = {
+                0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88, 0x00, 0x99
+        };
+        u_int64_t v64;
+        u_int32_t v32;
+        u_int16_t v16;
+        u_char v8;
+        size_t s;
+        char *s2;
+        int r;
+        u_char bn1[] = { 0x00, 0x00, 0x00 };
+        u_char bn2[] = { 0x00, 0x00, 0x01, 0x02 };
+        u_char bn3[] = { 0x00, 0x80, 0x09 };
+        u_char bn_exp1[] = { 0x00, 0x00, 0x00, 0x00 };
+        u_char bn_exp2[] = { 0x00, 0x00, 0x00, 0x02, 0x01, 0x02 };
+        u_char bn_exp3[] = { 0x00, 0x00, 0x00, 0x03, 0x00, 0x80, 0x09 };
+
+        TEST_START("PEEK_U64");
+        ASSERT_U64_EQ(PEEK_U64(x), 0x1122334455667788ULL);
+        TEST_DONE();
+
+        TEST_START("PEEK_U32");
+        ASSERT_U32_EQ(PEEK_U32(x), 0x11223344);
+        TEST_DONE();
+
+        TEST_START("PEEK_U16");
+        ASSERT_U16_EQ(PEEK_U16(x), 0x1122);
+        TEST_DONE();
+
+        TEST_START("POKE_U64");
+        bzero(d2, sizeof(d2));
+        POKE_U64(d2, 0x1122334455667788ULL);
+        ASSERT_MEM_EQ(d2, x, 8);
+        TEST_DONE();
+        
+        TEST_START("POKE_U32");
+        bzero(d2, sizeof(d2));
+        POKE_U32(d2, 0x11223344);
+        ASSERT_MEM_EQ(d2, x, 4);
+        TEST_DONE();
+        
+        TEST_START("POKE_U16");
+        bzero(d2, sizeof(d2));
+        POKE_U16(d2, 0x1122);
+        ASSERT_MEM_EQ(d2, x, 2);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, 5), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 5);
+        cd = sshbuf_ptr(p1);
+        ASSERT_PTR_NE(cd, NULL);
+        ASSERT_U8_EQ(cd[0], 0x11);
+        ASSERT_U8_EQ(cd[1], 0x22);
+        ASSERT_U8_EQ(cd[2], 0x33);
+        ASSERT_U8_EQ(cd[3], 0x44);
+        ASSERT_U8_EQ(cd[4], 0x55);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get");
+        ASSERT_INT_EQ(sshbuf_get(p1, d2, 4), 0);
+        ASSERT_MEM_EQ(d2, x, 4);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        ASSERT_U8_EQ(*(sshbuf_ptr(p1)), 0x55);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get truncated");
+        r = sshbuf_get(p1, d2, 4);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        ASSERT_U8_EQ(*(sshbuf_ptr(p1)), 0x55);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put truncated");
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 4), 0);
+        r = sshbuf_put(p1, x, 5);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u64");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, 10), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 10);
+        ASSERT_INT_EQ(sshbuf_get_u64(p1, &v64), 0);
+        ASSERT_U64_EQ(v64, 0x1122334455667788ULL);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u64 truncated");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        r = sshbuf_get_u64(p1, &v64);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u32");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, 10), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 10);
+        ASSERT_INT_EQ(sshbuf_get_u32(p1, &v32), 0);
+        ASSERT_U32_EQ(v32, 0x11223344);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 6);
+        ASSERT_INT_EQ(sshbuf_get_u32(p1, &v32), 0);
+        ASSERT_U32_EQ(v32, 0x55667788);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u32 truncated");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        r = sshbuf_get_u32(p1, &v32);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u16");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, 9), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 9);
+        ASSERT_INT_EQ(sshbuf_get_u16(p1, &v16), 0);
+        ASSERT_U16_EQ(v16, 0x1122);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 7);
+        ASSERT_INT_EQ(sshbuf_get_u16(p1, &v16), 0);
+        ASSERT_U16_EQ(v16, 0x3344);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 5);
+        ASSERT_INT_EQ(sshbuf_get_u16(p1, &v16), 0);
+        ASSERT_U16_EQ(v16, 0x5566);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 3);
+        ASSERT_INT_EQ(sshbuf_get_u16(p1, &v16), 0);
+        ASSERT_U16_EQ(v16, 0x7788);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u16 truncated");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        r = sshbuf_get_u16(p1, &v16);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u8");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, 2), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        ASSERT_INT_EQ(sshbuf_get_u8(p1, &v8), 0);
+        ASSERT_U8_EQ(v8, 0x11);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        ASSERT_INT_EQ(sshbuf_get_u8(p1, &v8), 0);
+        ASSERT_U8_EQ(v8, 0x22);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_u8 truncated");
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        r = sshbuf_get_u8(p1, &v8);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u64");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u64(p1, 0x1122334455667788ULL), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 8);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), x, 8);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u64 exact");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 8), 0);
+        ASSERT_INT_EQ(sshbuf_put_u64(p1, 0x1122334455667788ULL), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 8);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), x, 8);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u64 limited");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 7), 0);
+        r = sshbuf_put_u64(p1, 0x1122334455667788ULL);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+        
+        TEST_START("sshbuf_put_u32");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x11223344), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), x, 4);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u32 exact");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 4), 0);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x11223344), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), x, 4);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u32 limited");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 3), 0);
+        r = sshbuf_put_u32(p1, 0x11223344);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+        
+        TEST_START("sshbuf_put_u16");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0x1122), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), x, 2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u16");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 2), 0);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0x1122), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), x, 2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_u16 limited");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, 1), 0);
+        r = sshbuf_put_u16(p1, 0x1122);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_string");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, sizeof(x)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4 + 4);
+        ASSERT_INT_EQ(sshbuf_get_string(p1, &d, &s), 0);
+        ASSERT_SIZE_T_EQ(s, sizeof(x));
+        ASSERT_MEM_EQ(d, x, sizeof(x));
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        free(d);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_string exact");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(x) + 4), 0);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, sizeof(x)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        ASSERT_INT_EQ(sshbuf_get_string(p1, &d, &s), 0);
+        ASSERT_SIZE_T_EQ(s, sizeof(x));
+        ASSERT_MEM_EQ(d, x, sizeof(x));
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        free(d);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_string truncated");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, sizeof(x)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        ASSERT_INT_EQ(sshbuf_consume_end(p1, 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 3);
+        r = sshbuf_get_string(p1, &d, &s);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 3);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_string giant");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0xffffffff), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        r = sshbuf_get_string(p1, &d, &s);
+        ASSERT_INT_EQ(r, SSH_ERR_STRING_TOO_LARGE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_cstring giant");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0xffffffff), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        r = sshbuf_get_cstring(p1, &s2, &s);
+        ASSERT_INT_EQ(r, SSH_ERR_STRING_TOO_LARGE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_cstring embedded \\0");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, sizeof(x)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        r = sshbuf_get_cstring(p1, &s2, NULL);
+        ASSERT_INT_EQ(r, SSH_ERR_INVALID_FORMAT);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_cstring trailing \\0");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, sizeof(x) - 1), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, x, sizeof(x) - 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4 - 1);
+        ASSERT_INT_EQ(sshbuf_get_cstring(p1, &s2, &s), 0);
+        ASSERT_SIZE_T_EQ(s, sizeof(x) - 1);
+        ASSERT_MEM_EQ(s2, x, s);
+        free(s2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_string");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_string(p1, x, sizeof(x)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(x) + 4);
+        ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), sizeof(x));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1) + 4, x, sizeof(x));
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_string limited");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(x) + 4 - 1), 0);
+        r = sshbuf_put_string(p1, x, sizeof(x));
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_string giant");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        r = sshbuf_put_string(p1, (void *)0x01, 0xfffffffc);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_putf");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        r = sshbuf_putf(p1, "%s %d %x", "hello", 23, 0x5f);
+        ASSERT_INT_EQ(r, 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 11);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), "hello 23 5f", 11);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_putb");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        p2 = sshbuf_new();
+        ASSERT_PTR_NE(p2, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, "blahblahblah", 12), 0);
+        ASSERT_INT_EQ(sshbuf_putb(p2, p1), 0);
+        sshbuf_free(p1);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p2), 12);
+        ASSERT_MEM_EQ(sshbuf_ptr(p2), "blahblahblah", 12);
+        sshbuf_free(p2);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2_bytes empty buf");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2_bytes(p1, NULL, 0), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(bn_exp1));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp1, sizeof(bn_exp1));
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2_bytes all zeroes");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2_bytes(p1, bn1, sizeof(bn1)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(bn_exp1));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp1, sizeof(bn_exp1));
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2_bytes simple");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2_bytes(p1, bn2+2, sizeof(bn2)-2), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(bn_exp2));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp2, sizeof(bn_exp2));
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2_bytes leading zero");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2_bytes(p1, bn2, sizeof(bn2)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(bn_exp2));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp2, sizeof(bn_exp2));
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2_bytes neg");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2_bytes(p1, bn3+1, sizeof(bn3)-1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(bn_exp3));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp3, sizeof(bn_exp3));
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2_bytes neg and leading zero");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2_bytes(p1, bn3, sizeof(bn3)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(bn_exp3));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1), bn_exp3, sizeof(bn_exp3));
+        sshbuf_free(p1);
+        TEST_DONE();
+}
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c b/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
new file mode 100644
index 000000000..0c4c71ecd
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_crypto.c
@@ -0,0 +1,409 @@
+/*      $OpenBSD: test_sshbuf_getput_crypto.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+
+void sshbuf_getput_crypto_tests(void);
+
+void
+sshbuf_getput_crypto_tests(void)
+{
+        struct sshbuf *p1;
+        const u_char *d;
+        size_t s;
+        BIGNUM *bn, *bn2;
+        /* This one has num_bits != num_bytes * 8 to test bignum1 encoding */
+        const char *hexbn1 = "0102030405060708090a0b0c0d0e0f10";
+        /* This one has MSB set to test bignum2 encoding negative-avoidance */
+        const char *hexbn2 = "f0e0d0c0b0a0908070605040302010007fff11";
+        u_char expbn1[] = {
+                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+        };
+        u_char expbn2[] = {
+                0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
+                0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
+                0x7f, 0xff, 0x11
+        };
+#ifdef OPENSSL_HAS_NISTP256
+        BIGNUM *bn_x, *bn_y;
+        int ec256_nid = NID_X9_62_prime256v1;
+        char *ec256_x = "0C828004839D0106AA59575216191357"
+                        "34B451459DADB586677EF9DF55784999";
+        char *ec256_y = "4D196B50F0B4E94B3C73E3A9D4CD9DF2"
+                        "C8F9A35E42BDD047550F69D80EC23CD4";
+        u_char expec256[] = {
+                0x04,
+                0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
+                0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
+                0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
+                0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
+                0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
+                0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
+                0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
+                0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4
+        };
+        EC_KEY *eck;
+        EC_POINT *ecp;
+#endif
+        int r;
+
+#define MKBN(b, bnn) \
+        do { \
+                bnn = NULL; \
+                ASSERT_INT_GT(BN_hex2bn(&bnn, b), 0); \
+        } while (0)
+
+        TEST_START("sshbuf_put_bignum1");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 2);
+        ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn1, sizeof(expbn1));
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum1 limited");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0);
+        r = sshbuf_put_bignum1(p1, bn);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum1 bn2");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum1(p1, bn), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 2);
+        ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), (u_int16_t)BN_num_bits(bn));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1) + 2, expbn2, sizeof(expbn2));
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum1 bn2 limited");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 1), 0);
+        r = sshbuf_put_bignum1(p1, bn);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2(p1, bn), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 4);
+        ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), (u_int32_t)BN_num_bytes(bn));
+        ASSERT_MEM_EQ(sshbuf_ptr(p1) + 4, expbn1, sizeof(expbn1));
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2 limited");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn1) + 3), 0);
+        r = sshbuf_put_bignum2(p1, bn);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2 bn2");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_bignum2(p1, bn), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4 + 1); /* MSB */
+        ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), (u_int32_t)BN_num_bytes(bn) + 1);
+        ASSERT_U8_EQ(*(sshbuf_ptr(p1) + 4), 0x00);
+        ASSERT_MEM_EQ(sshbuf_ptr(p1) + 5, expbn2, sizeof(expbn2));
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_put_bignum2 bn2 limited");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_set_max_size(p1, sizeof(expbn2) + 3), 0);
+        r = sshbuf_put_bignum2(p1, bn);
+        ASSERT_INT_EQ(r, SSH_ERR_NO_BUFFER_SPACE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 0);
+        BN_free(bn);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum1");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1));
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
+        bn2 = BN_new();
+        ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0);
+        ASSERT_BIGNUM_EQ(bn, bn2);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum1 truncated");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1);
+        bn2 = BN_new();
+        r = sshbuf_get_bignum1(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn1) - 1);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum1 giant");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xffff), 0);
+        ASSERT_INT_EQ(sshbuf_reserve(p1, (0xffff + 7) / 8, NULL), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8));
+        bn2 = BN_new();
+        r = sshbuf_get_bignum1(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + ((0xffff + 7) / 8));
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum1 bn2");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2));
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
+        bn2 = BN_new();
+        ASSERT_INT_EQ(sshbuf_get_bignum1(p1, bn2), 0);
+        ASSERT_BIGNUM_EQ(bn, bn2);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum1 bn2 truncated");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, BN_num_bits(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1);
+        bn2 = BN_new();
+        r = sshbuf_get_bignum1(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2 + sizeof(expbn2) - 1);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum2");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + sizeof(expbn1));
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
+        bn2 = BN_new();
+        ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0);
+        ASSERT_BIGNUM_EQ(bn, bn2);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum2 truncated");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn1, sizeof(expbn1) - 1), 0);
+        bn2 = BN_new();
+        r = sshbuf_get_bignum2(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn1) + 3);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum2 giant");
+        MKBN(hexbn1, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 65536), 0);
+        ASSERT_INT_EQ(sshbuf_reserve(p1, 65536, NULL), 0);
+        bn2 = BN_new();
+        r = sshbuf_get_bignum2(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_TOO_LARGE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 65536 + 4);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum2 bn2");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0); /* MSB */
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4 + 1 + sizeof(expbn2));
+        ASSERT_INT_EQ(sshbuf_put_u16(p1, 0xd00f), 0);
+        bn2 = BN_new();
+        ASSERT_INT_EQ(sshbuf_get_bignum2(p1, bn2), 0);
+        ASSERT_BIGNUM_EQ(bn, bn2);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum2 bn2 truncated");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn) + 1), 0);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2) - 1), 0);
+        bn2 = BN_new();
+        r = sshbuf_get_bignum2(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_MESSAGE_INCOMPLETE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 1 + 4 - 1);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_bignum2 bn2 negative");
+        MKBN(hexbn2, bn);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, BN_num_bytes(bn)), 0);
+        ASSERT_INT_EQ(sshbuf_put(p1, expbn2, sizeof(expbn2)), 0);
+        bn2 = BN_new();
+        r = sshbuf_get_bignum2(p1, bn2);
+        ASSERT_INT_EQ(r, SSH_ERR_BIGNUM_IS_NEGATIVE);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expbn2) + 4);
+        BN_free(bn);
+        BN_free(bn2);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+#ifdef OPENSSL_HAS_NISTP256
+        TEST_START("sshbuf_put_ec");
+        eck = EC_KEY_new_by_curve_name(ec256_nid);
+        ASSERT_PTR_NE(eck, NULL);
+        ecp = EC_POINT_new(EC_KEY_get0_group(eck));
+        ASSERT_PTR_NE(ecp, NULL);
+        MKBN(ec256_x, bn_x);
+        MKBN(ec256_y, bn_y);
+        ASSERT_INT_EQ(EC_POINT_set_affine_coordinates_GFp(
+            EC_KEY_get0_group(eck), ecp, bn_x, bn_y, NULL), 1);
+        ASSERT_INT_EQ(EC_KEY_set_public_key(eck, ecp), 1);
+        BN_free(bn_x);
+        BN_free(bn_y);
+        EC_POINT_free(ecp);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_eckey(p1, eck), 0);
+        ASSERT_INT_EQ(sshbuf_get_string_direct(p1, &d, &s), 0);
+        ASSERT_SIZE_T_EQ(s, sizeof(expec256));
+        ASSERT_MEM_EQ(d, expec256, sizeof(expec256));
+        sshbuf_free(p1);
+        EC_KEY_free(eck);
+        TEST_DONE();
+
+        TEST_START("sshbuf_get_ec");
+        eck = EC_KEY_new_by_curve_name(ec256_nid);
+        ASSERT_PTR_NE(eck, NULL);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_string(p1, expec256, sizeof(expec256)), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), sizeof(expec256) + 4);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x00), 0);
+        ASSERT_INT_EQ(sshbuf_get_eckey(p1, eck), 0);
+        bn_x = BN_new();
+        bn_y = BN_new();
+        ASSERT_PTR_NE(bn_x, NULL);
+        ASSERT_PTR_NE(bn_y, NULL);
+        ASSERT_INT_EQ(EC_POINT_get_affine_coordinates_GFp(
+            EC_KEY_get0_group(eck), EC_KEY_get0_public_key(eck),
+            bn_x, bn_y, NULL), 1);
+        MKBN(ec256_x, bn);
+        MKBN(ec256_y, bn2);
+        ASSERT_INT_EQ(BN_cmp(bn_x, bn), 0);
+        ASSERT_INT_EQ(BN_cmp(bn_y, bn2), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        sshbuf_free(p1);
+        EC_KEY_free(eck);
+        BN_free(bn_x);
+        BN_free(bn_y);
+        BN_free(bn);
+        BN_free(bn2);
+        TEST_DONE();
+#endif
+}
+
diff --git a/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
new file mode 100644
index 000000000..8c3269b13
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_getput_fuzz.c
@@ -0,0 +1,130 @@
+/*      $OpenBSD: test_sshbuf_getput_fuzz.c,v 1.2 2014/05/02 02:54:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+#include "ssherr.h"
+#include "sshbuf.h"
+
+void sshbuf_getput_fuzz_tests(void);
+
+static void
+attempt_parse_blob(u_char *blob, size_t len)
+{
+        struct sshbuf *p1;
+        BIGNUM *bn;
+#ifdef OPENSSL_HAS_NISTP256
+        EC_KEY *eck;
+#endif
+        u_char *s;
+        size_t l;
+        u_int8_t u8;
+        u_int16_t u16;
+        u_int32_t u32;
+        u_int64_t u64;
+
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put(p1, blob, len), 0);
+        sshbuf_get_u8(p1, &u8);
+        sshbuf_get_u16(p1, &u16);
+        sshbuf_get_u32(p1, &u32);
+        sshbuf_get_u64(p1, &u64);
+        if (sshbuf_get_string(p1, &s, &l) == 0) {
+                bzero(s, l);
+                free(s);
+        }
+        bn = BN_new();
+        sshbuf_get_bignum1(p1, bn);
+        BN_clear_free(bn);
+        bn = BN_new();
+        sshbuf_get_bignum2(p1, bn);
+        BN_clear_free(bn);
+#ifdef OPENSSL_HAS_NISTP256
+        eck = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
+        ASSERT_PTR_NE(eck, NULL);
+        sshbuf_get_eckey(p1, eck);
+        EC_KEY_free(eck);
+#endif
+        sshbuf_free(p1);
+}
+
+
+static void
+onerror(void *fuzz)
+{
+        fprintf(stderr, "Failed during fuzz:\n");
+        fuzz_dump((struct fuzz *)fuzz);
+}
+
+void
+sshbuf_getput_fuzz_tests(void)
+{
+        u_char blob[] = {
+                /* u8 */
+                0xd0,
+                /* u16 */
+                0xc0, 0xde,
+                /* u32 */
+                0xfa, 0xce, 0xde, 0xad,
+                /* u64 */
+                0xfe, 0xed, 0xac, 0x1d, 0x1f, 0x1c, 0xbe, 0xef,
+                /* string */
+                0x00, 0x00, 0x00, 0x09,
+                'O', ' ', 'G', 'o', 'r', 'g', 'o', 'n', '!',
+                /* bignum1 */
+                0x79,
+                0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
+                0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
+                /* bignum2 */
+                0x00, 0x00, 0x00, 0x14,
+                0x00,
+                0xf0, 0xe0, 0xd0, 0xc0, 0xb0, 0xa0, 0x90, 0x80,
+                0x70, 0x60, 0x50, 0x40, 0x30, 0x20, 0x10, 0x00,
+                0x7f, 0xff, 0x11,
+                /* EC point (NIST-256 curve) */
+                0x00, 0x00, 0x00, 0x41,
+                0x04,
+                0x0c, 0x82, 0x80, 0x04, 0x83, 0x9d, 0x01, 0x06,
+                0xaa, 0x59, 0x57, 0x52, 0x16, 0x19, 0x13, 0x57,
+                0x34, 0xb4, 0x51, 0x45, 0x9d, 0xad, 0xb5, 0x86,
+                0x67, 0x7e, 0xf9, 0xdf, 0x55, 0x78, 0x49, 0x99,
+                0x4d, 0x19, 0x6b, 0x50, 0xf0, 0xb4, 0xe9, 0x4b,
+                0x3c, 0x73, 0xe3, 0xa9, 0xd4, 0xcd, 0x9d, 0xf2,
+                0xc8, 0xf9, 0xa3, 0x5e, 0x42, 0xbd, 0xd0, 0x47,
+                0x55, 0x0f, 0x69, 0xd8, 0x0e, 0xc2, 0x3c, 0xd4,
+        };
+        struct fuzz *fuzz;
+
+        TEST_START("fuzz blob parsing");
+        fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_2_BIT_FLIP |
+            FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
+            FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, blob, sizeof(blob));
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz))
+                attempt_parse_blob(blob, sizeof(blob));
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+        TEST_ONERROR(NULL, NULL);
+}
+
diff --git a/regress/unittests/sshbuf/test_sshbuf_misc.c b/regress/unittests/sshbuf/test_sshbuf_misc.c
new file mode 100644
index 000000000..f155491a0
--- /dev/null
+++ b/regress/unittests/sshbuf/test_sshbuf_misc.c
@@ -0,0 +1,138 @@
+/*      $OpenBSD: test_sshbuf_misc.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include "../test_helper/test_helper.h"
+
+#include "sshbuf.h"
+
+void sshbuf_misc_tests(void);
+
+void
+sshbuf_misc_tests(void)
+{
+        struct sshbuf *p1;
+        char tmp[512], *p;
+        FILE *out;
+        size_t sz;
+
+        TEST_START("sshbuf_dump");
+        out = tmpfile();
+        ASSERT_PTR_NE(out, NULL);
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x12345678), 0);
+        sshbuf_dump(p1, out);
+        fflush(out);
+        rewind(out);
+        sz = fread(tmp, 1, sizeof(tmp), out);
+        ASSERT_INT_EQ(ferror(out), 0);
+        ASSERT_INT_NE(feof(out), 0);
+        ASSERT_SIZE_T_GT(sz, 0);
+        tmp[sz] = '\0';
+        ASSERT_PTR_NE(strstr(tmp, "12 34 56 78"), NULL);
+        fclose(out);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_dtob16");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u32(p1, 0x12345678), 0);
+        p = sshbuf_dtob16(p1);
+        ASSERT_PTR_NE(p, NULL);
+        ASSERT_STRING_EQ(p, "12345678");
+        free(p);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_dtob64 len 1");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
+        p = sshbuf_dtob64(p1);
+        ASSERT_PTR_NE(p, NULL);
+        ASSERT_STRING_EQ(p, "EQ==");
+        free(p);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_dtob64 len 2");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0);
+        p = sshbuf_dtob64(p1);
+        ASSERT_PTR_NE(p, NULL);
+        ASSERT_STRING_EQ(p, "ESI=");
+        free(p);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_dtob64 len 3");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x11), 0);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x22), 0);
+        ASSERT_INT_EQ(sshbuf_put_u8(p1, 0x33), 0);
+        p = sshbuf_dtob64(p1);
+        ASSERT_PTR_NE(p, NULL);
+        ASSERT_STRING_EQ(p, "ESIz");
+        free(p);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_dtob64 len 8191");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_reserve(p1, 8192, NULL), 0);
+        bzero(sshbuf_mutable_ptr(p1), 8192);
+        p = sshbuf_dtob64(p1);
+        ASSERT_PTR_NE(p, NULL);
+        ASSERT_SIZE_T_EQ(strlen(p), ((8191 + 2) / 3) * 4);
+        free(p);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_b64tod len 1");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_b64tod(p1, "0A=="), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 1);
+        ASSERT_U8_EQ(*sshbuf_ptr(p1), 0xd0);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_b64tod len 2");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_b64tod(p1, "0A8="), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 2);
+        ASSERT_U16_EQ(PEEK_U16(sshbuf_ptr(p1)), 0xd00f);
+        sshbuf_free(p1);
+        TEST_DONE();
+
+        TEST_START("sshbuf_b64tod len 4");
+        p1 = sshbuf_new();
+        ASSERT_PTR_NE(p1, NULL);
+        ASSERT_INT_EQ(sshbuf_b64tod(p1, "0A/QDw=="), 0);
+        ASSERT_SIZE_T_EQ(sshbuf_len(p1), 4);
+        ASSERT_U32_EQ(PEEK_U32(sshbuf_ptr(p1)), 0xd00fd00f);
+        sshbuf_free(p1);
+        TEST_DONE();
+}
+
diff --git a/regress/unittests/sshbuf/tests.c b/regress/unittests/sshbuf/tests.c
new file mode 100644
index 000000000..1557e4342
--- /dev/null
+++ b/regress/unittests/sshbuf/tests.c
@@ -0,0 +1,28 @@
+/*      $OpenBSD: tests.c,v 1.1 2014/04/30 05:32:00 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "../test_helper/test_helper.h"
+
+void sshbuf_tests(void);
+void sshbuf_getput_basic_tests(void);
+void sshbuf_getput_crypto_tests(void);
+void sshbuf_misc_tests(void);
+void sshbuf_fuzz_tests(void);
+void sshbuf_getput_fuzz_tests(void);
+void sshbuf_fixed(void);
+
+void
+tests(void)
+{
+        sshbuf_tests();
+        sshbuf_getput_basic_tests();
+        sshbuf_getput_crypto_tests();
+        sshbuf_misc_tests();
+        sshbuf_fuzz_tests();
+        sshbuf_getput_fuzz_tests();
+        sshbuf_fixed();
+}
diff --git a/regress/unittests/sshkey/Makefile b/regress/unittests/sshkey/Makefile
new file mode 100644
index 000000000..1bcd26676
--- /dev/null
+++ b/regress/unittests/sshkey/Makefile
@@ -0,0 +1,13 @@
+#       $OpenBSD: Makefile,v 1.1 2014/06/24 01:14:18 djm Exp $
+
+TEST_ENV=      "MALLOC_OPTIONS=AFGJPRX"
+
+PROG=test_sshkey
+SRCS=tests.c test_sshkey.c test_file.c test_fuzz.c common.c
+REGRESS_TARGETS=run-regress-${PROG}
+
+run-regress-${PROG}: ${PROG}
+        env ${TEST_ENV} ./${PROG} -d ${.CURDIR}/testdata
+
+.include <bsd.regress.mk>
+
diff --git a/regress/unittests/sshkey/common.c b/regress/unittests/sshkey/common.c
new file mode 100644
index 000000000..0a4b3a90c
--- /dev/null
+++ b/regress/unittests/sshkey/common.c
@@ -0,0 +1,84 @@
+/*      $OpenBSD: common.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Helpers for key API tests
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "authfile.h"
+#include "sshkey.h"
+#include "sshbuf.h"
+
+#include "common.h"
+
+struct sshbuf *
+load_file(const char *name)
+{
+        int fd;
+        struct sshbuf *ret;
+
+        ASSERT_PTR_NE(ret = sshbuf_new(), NULL);
+        ASSERT_INT_NE(fd = open(test_data_file(name), O_RDONLY), -1);
+        ASSERT_INT_EQ(sshkey_load_file(fd, name, ret), 0);
+        close(fd);
+        return ret;
+}
+
+struct sshbuf *
+load_text_file(const char *name)
+{
+        struct sshbuf *ret = load_file(name);
+        const u_char *p;
+
+        /* Trim whitespace at EOL */
+        for (p = sshbuf_ptr(ret); sshbuf_len(ret) > 0;) {
+                if (p[sshbuf_len(ret) - 1] == '\r' ||
+                    p[sshbuf_len(ret) - 1] == '\t' ||
+                    p[sshbuf_len(ret) - 1] == ' ' ||
+                    p[sshbuf_len(ret) - 1] == '\n')
+                        ASSERT_INT_EQ(sshbuf_consume_end(ret, 1), 0);
+                else
+                        break;
+        }
+        /* \0 terminate */
+        ASSERT_INT_EQ(sshbuf_put_u8(ret, 0), 0);
+        return ret;
+}
+
+BIGNUM *
+load_bignum(const char *name)
+{
+        BIGNUM *ret = NULL;
+        struct sshbuf *buf;
+
+        buf = load_text_file(name);
+        ASSERT_INT_NE(BN_hex2bn(&ret, (const char *)sshbuf_ptr(buf)), 0);
+        sshbuf_free(buf);
+        return ret;
+}
+
diff --git a/regress/unittests/sshkey/common.h b/regress/unittests/sshkey/common.h
new file mode 100644
index 000000000..bf7d19dce
--- /dev/null
+++ b/regress/unittests/sshkey/common.h
@@ -0,0 +1,16 @@
+/*      $OpenBSD: common.h,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Helpers for key API tests
+ *
+ * Placed in the public domain
+ */
+
+/* Load a binary file into a buffer */
+struct sshbuf *load_file(const char *name);
+
+/* Load a text file into a buffer */
+struct sshbuf *load_text_file(const char *name);
+
+/* Load a bignum from a file */
+BIGNUM *load_bignum(const char *name);
+
diff --git a/regress/unittests/sshkey/mktestdata.sh b/regress/unittests/sshkey/mktestdata.sh
new file mode 100755
index 000000000..ee1fe3962
--- /dev/null
+++ b/regress/unittests/sshkey/mktestdata.sh
@@ -0,0 +1,190 @@
+#!/bin/sh
+# $OpenBSD: mktestdata.sh,v 1.3 2014/07/22 23:57:40 dtucker Exp $
+
+PW=mekmitasdigoat
+
+rsa1_params() {
+        _in="$1"
+        _outbase="$2"
+        set -e
+        ssh-keygen -f $_in -e -m pkcs8 | \
+            openssl rsa -noout -text -pubin | \
+            awk '/^Modulus:$/,/^Exponent:/' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.n
+        # XXX need conversion support in ssh-keygen for the other params
+        for x in n ; do
+                echo "" >> ${_outbase}.$x
+                echo ============ ${_outbase}.$x
+                cat ${_outbase}.$x
+                echo ============
+        done
+}
+
+rsa_params() {
+        _in="$1"
+        _outbase="$2"
+        set -e
+        openssl rsa -noout -text -in $_in | \
+            awk '/^modulus:$/,/^publicExponent:/' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.n
+        openssl rsa -noout -text -in $_in | \
+            awk '/^prime1:$/,/^prime2:/' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.p
+        openssl rsa -noout -text -in $_in | \
+            awk '/^prime2:$/,/^exponent1:/' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.q
+        for x in n p q ; do
+                echo "" >> ${_outbase}.$x
+                echo ============ ${_outbase}.$x
+                cat ${_outbase}.$x
+                echo ============
+        done
+}
+
+dsa_params() {
+        _in="$1"
+        _outbase="$2"
+        set -e
+        openssl dsa -noout -text -in $_in | \
+            awk '/^priv:$/,/^pub:/' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.priv
+        openssl dsa -noout -text -in $_in | \
+            awk '/^pub:/,/^P:/' | #\
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.pub
+        openssl dsa -noout -text -in $_in | \
+            awk '/^G:/,0' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.g
+        for x in priv pub g ; do
+                echo "" >> ${_outbase}.$x
+                echo ============ ${_outbase}.$x
+                cat ${_outbase}.$x
+                echo ============
+        done
+}
+
+ecdsa_params() {
+        _in="$1"
+        _outbase="$2"
+        set -e
+        openssl ec -noout -text -in $_in | \
+            awk '/^priv:$/,/^pub:/' | \
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.priv
+        openssl ec -noout -text -in $_in | \
+            awk '/^pub:/,/^ASN1 OID:/' | #\
+            grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.pub
+        openssl ec -noout -text -in $_in | \
+            grep "ASN1 OID:" | tr -d '\n' | \
+            sed 's/.*: //;s/ *$//' > ${_outbase}.curve
+        for x in priv pub curve ; do
+                echo "" >> ${_outbase}.$x
+                echo ============ ${_outbase}.$x
+                cat ${_outbase}.$x
+                echo ============
+        done
+}
+
+set -ex
+
+cd testdata
+
+rm -f rsa1_1 rsa_1 dsa_1 ecdsa_1 ed25519_1
+rm -f rsa1_2 rsa_2 dsa_2 ecdsa_2 ed25519_2
+rm -f rsa_n dsa_n ecdsa_n # new-format keys
+rm -f rsa1_1_pw rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
+rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw
+rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb
+
+ssh-keygen -t rsa1 -b 768 -C "RSA1 test key #1" -N "" -f rsa1_1
+ssh-keygen -t rsa -b 768 -C "RSA test key #1" -N "" -f rsa_1
+ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1
+ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1
+ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1
+
+ssh-keygen -t rsa1 -b 2048 -C "RSA1 test key #2" -N "" -f rsa1_2
+ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2
+ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2
+ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2
+ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_2
+
+cp rsa_1 rsa_n
+cp dsa_1 dsa_n
+cp ecdsa_1 ecdsa_n
+
+cp rsa1_1 rsa1_1_pw
+cp rsa_1 rsa_1_pw
+cp dsa_1 dsa_1_pw
+cp ecdsa_1 ecdsa_1_pw
+cp ed25519_1 ed25519_1_pw
+cp rsa_1 rsa_n_pw
+cp dsa_1 dsa_n_pw
+cp ecdsa_1 ecdsa_n_pw
+
+ssh-keygen -pf rsa1_1_pw -N "$PW"
+ssh-keygen -pf rsa_1_pw -N "$PW"
+ssh-keygen -pf dsa_1_pw -N "$PW"
+ssh-keygen -pf ecdsa_1_pw -N "$PW"
+ssh-keygen -pf ed25519_1_pw -N "$PW"
+ssh-keygen -opf rsa_n_pw -N "$PW"
+ssh-keygen -opf dsa_n_pw -N "$PW"
+ssh-keygen -opf ecdsa_n_pw -N "$PW"
+
+rsa1_params rsa1_1 rsa1_1.param
+rsa1_params rsa1_2 rsa1_2.param
+rsa_params rsa_1 rsa_1.param
+rsa_params rsa_2 rsa_2.param
+dsa_params dsa_1 dsa_1.param
+dsa_params dsa_1 dsa_1.param
+ecdsa_params ecdsa_1 ecdsa_1.param
+ecdsa_params ecdsa_2 ecdsa_2.param
+# XXX ed25519 params
+
+ssh-keygen -s rsa_2 -I hugo -n user1,user2 \
+    -Oforce-command=/bin/ls -Ono-port-forwarding -Osource-address=10.0.0.0/8 \
+    -V 19990101:20110101 -z 1 rsa_1.pub
+ssh-keygen -s rsa_2 -I hugo -n user1,user2 \
+    -Oforce-command=/bin/ls -Ono-port-forwarding -Osource-address=10.0.0.0/8 \
+    -V 19990101:20110101 -z 2 dsa_1.pub
+ssh-keygen -s rsa_2 -I hugo -n user1,user2 \
+    -Oforce-command=/bin/ls -Ono-port-forwarding -Osource-address=10.0.0.0/8 \
+    -V 19990101:20110101 -z 3 ecdsa_1.pub
+ssh-keygen -s rsa_2 -I hugo -n user1,user2 \
+    -Oforce-command=/bin/ls -Ono-port-forwarding -Osource-address=10.0.0.0/8 \
+    -V 19990101:20110101 -z 4 ed25519_1.pub
+
+ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \
+    -V 19990101:20110101 -z 5 rsa_1.pub
+ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \
+    -V 19990101:20110101 -z 6 dsa_1.pub
+ssh-keygen -s ecdsa_1 -I julius -n host1,host2 -h \
+    -V 19990101:20110101 -z 7 ecdsa_1.pub
+ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \
+    -V 19990101:20110101 -z 8 ed25519_1.pub
+
+ssh-keygen -lf rsa1_1 | awk '{print $2}' > rsa1_1.fp
+ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp
+ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp
+ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp
+ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp
+ssh-keygen -lf rsa1_2 | awk '{print $2}' > rsa1_2.fp
+ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp
+ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp
+ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp
+ssh-keygen -lf ed25519_2 | awk '{print $2}' > ed25519_2.fp
+
+ssh-keygen -lf dsa_1-cert.pub  | awk '{print $2}' > dsa_1-cert.fp
+ssh-keygen -lf ecdsa_1-cert.pub  | awk '{print $2}' > ecdsa_1-cert.fp
+ssh-keygen -lf ed25519_1-cert.pub  | awk '{print $2}' > ed25519_1-cert.fp
+ssh-keygen -lf rsa_1-cert.pub  | awk '{print $2}' > rsa_1-cert.fp
+
+ssh-keygen -Bf rsa1_1 | awk '{print $2}' > rsa1_1.fp.bb
+ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb
+ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb
+ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb
+ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb
+ssh-keygen -Bf rsa1_2 | awk '{print $2}' > rsa1_2.fp.bb
+ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb
+ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb
+ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb
+ssh-keygen -Bf ed25519_2 | awk '{print $2}' > ed25519_2.fp.bb
+
+echo "$PW" > pw
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
new file mode 100644
index 000000000..764f7fb76
--- /dev/null
+++ b/regress/unittests/sshkey/test_file.c
@@ -0,0 +1,457 @@
+/*      $OpenBSD: test_file.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Regress test for sshkey.h key management API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "authfile.h"
+#include "sshkey.h"
+#include "sshbuf.h"
+
+#include "common.h"
+
+void sshkey_file_tests(void);
+
+void
+sshkey_file_tests(void)
+{
+        struct sshkey *k1, *k2;
+        struct sshbuf *buf, *pw;
+        BIGNUM *a, *b, *c;
+        char *cp;
+
+        TEST_START("load passphrase");
+        pw = load_text_file("pw");
+        TEST_DONE();
+
+        TEST_START("parse RSA1 from private");
+        buf = load_file("rsa1_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa1_1",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k1, NULL);
+        a = load_bignum("rsa1_1.param.n");
+        ASSERT_BIGNUM_EQ(k1->rsa->n, a);
+        BN_free(a);
+        TEST_DONE();
+
+        TEST_START("parse RSA1 from private w/ passphrase");
+        buf = load_file("rsa1_1_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "rsa1_1_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load RSA1 from public");
+        ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,
+            NULL), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("RSA1 key hex fingerprint");
+        buf = load_text_file("rsa1_1.fp");
+        cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        TEST_START("RSA1 key bubblebabble fingerprint");
+        buf = load_text_file("rsa1_1.fp.bb");
+        cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        sshkey_free(k1);
+
+        TEST_START("parse RSA from private");
+        buf = load_file("rsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "rsa_1",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k1, NULL);
+        a = load_bignum("rsa_1.param.n");
+        b = load_bignum("rsa_1.param.p");
+        c = load_bignum("rsa_1.param.q");
+        ASSERT_BIGNUM_EQ(k1->rsa->n, a);
+        ASSERT_BIGNUM_EQ(k1->rsa->p, b);
+        ASSERT_BIGNUM_EQ(k1->rsa->q, c);
+        BN_free(a);
+        BN_free(b);
+        BN_free(c);
+        TEST_DONE();
+
+        TEST_START("parse RSA from private w/ passphrase");
+        buf = load_file("rsa_1_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "rsa_1_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("parse RSA from new-format");
+        buf = load_file("rsa_n");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            "", "rsa_n", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("parse RSA from new-format w/ passphrase");
+        buf = load_file("rsa_n_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "rsa_n_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load RSA from public");
+        ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
+            NULL), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load RSA cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k2), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(k2->type, KEY_RSA_CERT);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
+        ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
+        TEST_DONE();
+
+        TEST_START("RSA key hex fingerprint");
+        buf = load_text_file("rsa_1.fp");
+        cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        TEST_START("RSA cert hex fingerprint");
+        buf = load_text_file("rsa_1-cert.fp");
+        cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("RSA key bubblebabble fingerprint");
+        buf = load_text_file("rsa_1.fp.bb");
+        cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        sshkey_free(k1);
+
+        TEST_START("parse DSA from private");
+        buf = load_file("dsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "dsa_1",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k1, NULL);
+        a = load_bignum("dsa_1.param.g");
+        b = load_bignum("dsa_1.param.priv");
+        c = load_bignum("dsa_1.param.pub");
+        ASSERT_BIGNUM_EQ(k1->dsa->g, a);
+        ASSERT_BIGNUM_EQ(k1->dsa->priv_key, b);
+        ASSERT_BIGNUM_EQ(k1->dsa->pub_key, c);
+        BN_free(a);
+        BN_free(b);
+        BN_free(c);
+        TEST_DONE();
+
+        TEST_START("parse DSA from private w/ passphrase");
+        buf = load_file("dsa_1_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "dsa_1_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("parse DSA from new-format");
+        buf = load_file("dsa_n");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            "", "dsa_n", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("parse DSA from new-format w/ passphrase");
+        buf = load_file("dsa_n_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "dsa_n_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load DSA from public");
+        ASSERT_INT_EQ(sshkey_load_public(test_data_file("dsa_1.pub"), &k2,
+            NULL), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load DSA cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("dsa_1"), &k2), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(k2->type, KEY_DSA_CERT);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
+        ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
+        TEST_DONE();
+
+        TEST_START("DSA key hex fingerprint");
+        buf = load_text_file("dsa_1.fp");
+        cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        TEST_START("DSA cert hex fingerprint");
+        buf = load_text_file("dsa_1-cert.fp");
+        cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("DSA key bubblebabble fingerprint");
+        buf = load_text_file("dsa_1.fp.bb");
+        cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        sshkey_free(k1);
+
+#ifdef OPENSSL_HAS_ECC
+        TEST_START("parse ECDSA from private");
+        buf = load_file("ecdsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ecdsa_1",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k1, NULL);
+        buf = load_text_file("ecdsa_1.param.curve");
+        ASSERT_STRING_EQ((const char *)sshbuf_ptr(buf),
+            OBJ_nid2sn(k1->ecdsa_nid));
+        sshbuf_free(buf);
+        a = load_bignum("ecdsa_1.param.priv");
+        b = load_bignum("ecdsa_1.param.pub");
+        c = EC_POINT_point2bn(EC_KEY_get0_group(k1->ecdsa),
+            EC_KEY_get0_public_key(k1->ecdsa), POINT_CONVERSION_UNCOMPRESSED,
+            NULL, NULL);
+        ASSERT_PTR_NE(c, NULL);
+        ASSERT_BIGNUM_EQ(EC_KEY_get0_private_key(k1->ecdsa), a);
+        ASSERT_BIGNUM_EQ(b, c);
+        BN_free(a);
+        BN_free(b);
+        BN_free(c);
+        TEST_DONE();
+
+        TEST_START("parse ECDSA from private w/ passphrase");
+        buf = load_file("ecdsa_1_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "ecdsa_1_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("parse ECDSA from new-format");
+        buf = load_file("ecdsa_n");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            "", "ecdsa_n", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("parse ECDSA from new-format w/ passphrase");
+        buf = load_file("ecdsa_n_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "ecdsa_n_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load ECDSA from public");
+        ASSERT_INT_EQ(sshkey_load_public(test_data_file("ecdsa_1.pub"), &k2,
+            NULL), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load ECDSA cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ecdsa_1"), &k2), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(k2->type, KEY_ECDSA_CERT);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
+        ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
+        TEST_DONE();
+
+        TEST_START("ECDSA key hex fingerprint");
+        buf = load_text_file("ecdsa_1.fp");
+        cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        TEST_START("ECDSA cert hex fingerprint");
+        buf = load_text_file("ecdsa_1-cert.fp");
+        cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("ECDSA key bubblebabble fingerprint");
+        buf = load_text_file("ecdsa_1.fp.bb");
+        cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        sshkey_free(k1);
+#endif /* OPENSSL_HAS_ECC */
+
+        TEST_START("parse Ed25519 from private");
+        buf = load_file("ed25519_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "ed25519_1",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_INT_EQ(k1->type, KEY_ED25519);
+        /* XXX check key contents */
+        TEST_DONE();
+
+        TEST_START("parse Ed25519 from private w/ passphrase");
+        buf = load_file("ed25519_1_pw");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
+            (const char *)sshbuf_ptr(pw), "ed25519_1_pw", &k2, NULL), 0);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load Ed25519 from public");
+        ASSERT_INT_EQ(sshkey_load_public(test_data_file("ed25519_1.pub"), &k2,
+            NULL), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("load Ed25519 cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ed25519_1"), &k2), 0);
+        ASSERT_PTR_NE(k2, NULL);
+        ASSERT_INT_EQ(k2->type, KEY_ED25519_CERT);
+        ASSERT_INT_EQ(sshkey_equal(k1, k2), 0);
+        ASSERT_INT_EQ(sshkey_equal_public(k1, k2), 1);
+        TEST_DONE();
+
+        TEST_START("Ed25519 key hex fingerprint");
+        buf = load_text_file("ed25519_1.fp");
+        cp = sshkey_fingerprint(k1, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        TEST_START("Ed25519 cert hex fingerprint");
+        buf = load_text_file("ed25519_1-cert.fp");
+        cp = sshkey_fingerprint(k2, SSH_FP_MD5, SSH_FP_HEX);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        sshkey_free(k2);
+        TEST_DONE();
+
+        TEST_START("Ed25519 key bubblebabble fingerprint");
+        buf = load_text_file("ed25519_1.fp.bb");
+        cp = sshkey_fingerprint(k1, SSH_FP_SHA1, SSH_FP_BUBBLEBABBLE);
+        ASSERT_PTR_NE(cp, NULL);
+        ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
+        sshbuf_free(buf);
+        free(cp);
+        TEST_DONE();
+
+        sshkey_free(k1);
+
+        sshbuf_free(pw);
+
+}
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
new file mode 100644
index 000000000..a3f61a6df
--- /dev/null
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -0,0 +1,406 @@
+/*      $OpenBSD: test_fuzz.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Fuzz tests for key parsing
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/objects.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "authfile.h"
+#include "sshkey.h"
+#include "sshbuf.h"
+
+#include "common.h"
+
+void sshkey_fuzz_tests(void);
+
+static void
+onerror(void *fuzz)
+{
+        fprintf(stderr, "Failed during fuzz:\n");
+        fuzz_dump((struct fuzz *)fuzz);
+}
+
+static void
+public_fuzz(struct sshkey *k)
+{
+        struct sshkey *k1;
+        struct sshbuf *buf;
+        struct fuzz *fuzz;
+
+        ASSERT_PTR_NE(buf = sshbuf_new(), NULL);
+        ASSERT_INT_EQ(sshkey_to_blob_buf(k, buf), 0);
+        /* XXX need a way to run the tests in "slow, but complete" mode */
+        fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* XXX too slow FUZZ_2_BIT_FLIP | */
+            FUZZ_1_BYTE_FLIP | /* XXX too slow FUZZ_2_BYTE_FLIP | */
+            FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
+            sshbuf_mutable_ptr(buf), sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(buf), sshbuf_len(buf),
+            &k1), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                if (sshkey_from_blob(fuzz_ptr(fuzz), fuzz_len(fuzz), &k1) == 0)
+                        sshkey_free(k1);
+        }
+        fuzz_cleanup(fuzz);
+}
+
+static void
+sig_fuzz(struct sshkey *k)
+{
+        struct fuzz *fuzz;
+        u_char *sig, c[] = "some junk to be signed";
+        size_t l;
+
+        ASSERT_INT_EQ(sshkey_sign(k, &sig, &l, c, sizeof(c), 0), 0);
+        ASSERT_SIZE_T_GT(l, 0);
+        fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | /* too slow FUZZ_2_BIT_FLIP | */
+            FUZZ_1_BYTE_FLIP | FUZZ_2_BYTE_FLIP |
+            FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END, sig, l);
+        ASSERT_INT_EQ(sshkey_verify(k, sig, l, c, sizeof(c), 0), 0);
+        free(sig);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                sshkey_verify(k, fuzz_ptr(fuzz), fuzz_len(fuzz),
+                    c, sizeof(c), 0);
+        }
+        fuzz_cleanup(fuzz);
+}
+
+void
+sshkey_fuzz_tests(void)
+{
+        struct sshkey *k1;
+        struct sshbuf *buf, *fuzzed;
+        struct fuzz *fuzz;
+        int r;
+
+        TEST_START("fuzz RSA1 private");
+        buf = load_file("rsa1_1");
+        fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
+            FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
+            sshbuf_mutable_ptr(buf), sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz RSA1 public");
+        buf = load_file("rsa1_1_pw");
+        fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
+            FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
+            sshbuf_mutable_ptr(buf), sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz RSA private");
+        buf = load_file("rsa_1");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz RSA new-format private");
+        buf = load_file("rsa_n");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz DSA private");
+        buf = load_file("dsa_1");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz DSA new-format private");
+        buf = load_file("dsa_n");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+        TEST_START("fuzz ECDSA private");
+        buf = load_file("ecdsa_1");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz ECDSA new-format private");
+        buf = load_file("ecdsa_n");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+#endif
+
+        TEST_START("fuzz Ed25519 private");
+        buf = load_file("ed25519_1");
+        fuzz = fuzz_begin(FUZZ_BASE64, sshbuf_mutable_ptr(buf),
+            sshbuf_len(buf));
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshkey_free(k1);
+        sshbuf_free(buf);
+        ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
+        TEST_ONERROR(onerror, fuzz);
+        for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
+                r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
+                ASSERT_INT_EQ(r, 0);
+                if (sshkey_parse_private_fileblob(fuzzed, "", "key",
+                    &k1, NULL) == 0)
+                        sshkey_free(k1);
+                sshbuf_reset(fuzzed);
+        }
+        sshbuf_free(fuzzed);
+        fuzz_cleanup(fuzz);
+        TEST_DONE();
+
+        TEST_START("fuzz RSA public");
+        buf = load_file("rsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz RSA cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz DSA public");
+        buf = load_file("dsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz DSA cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("dsa_1"), &k1), 0);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+        TEST_START("fuzz ECDSA public");
+        buf = load_file("ecdsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz ECDSA cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ecdsa_1"), &k1), 0);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+#endif
+
+        TEST_START("fuzz Ed25519 public");
+        buf = load_file("ed25519_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz Ed25519 cert");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("ed25519_1"), &k1), 0);
+        public_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz RSA sig");
+        buf = load_file("rsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        sig_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("fuzz DSA sig");
+        buf = load_file("dsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        sig_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+        TEST_START("fuzz ECDSA sig");
+        buf = load_file("ecdsa_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        sig_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+#endif
+
+        TEST_START("fuzz Ed25519 sig");
+        buf = load_file("ed25519_1");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", "key",
+            &k1, NULL), 0);
+        sshbuf_free(buf);
+        sig_fuzz(k1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+/* XXX fuzz decoded new-format blobs too */
+
+}
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
new file mode 100644
index 000000000..ef0c67956
--- /dev/null
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -0,0 +1,357 @@
+/*      $OpenBSD: test_sshkey.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Regress test for sshkey.h key management API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+#include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#ifdef OPENSSL_HAS_NISTP256
+# include <openssl/ec.h>
+#endif
+
+#include "../test_helper/test_helper.h"
+
+#include "ssherr.h"
+#include "sshbuf.h"
+#define SSHBUF_INTERNAL 1       /* access internals for testing */
+#include "sshkey.h"
+
+#include "authfile.h"
+#include "common.h"
+#include "ssh2.h"
+
+void sshkey_tests(void);
+
+static void
+build_cert(struct sshbuf *b, const struct sshkey *k, const char *type,
+    const struct sshkey *sign_key, const struct sshkey *ca_key)
+{
+        struct sshbuf *ca_buf, *pk, *principals, *critopts, *exts;
+        u_char *sigblob;
+        size_t siglen;
+
+        ca_buf = sshbuf_new();
+        ASSERT_INT_EQ(sshkey_to_blob_buf(ca_key, ca_buf), 0);
+
+        /*
+         * Get the public key serialisation by rendering the key and skipping
+         * the type string. This is a bit of a hack :/
+         */
+        pk = sshbuf_new();
+        ASSERT_INT_EQ(sshkey_plain_to_blob_buf(k, pk), 0);
+        ASSERT_INT_EQ(sshbuf_skip_string(pk), 0);
+
+        principals = sshbuf_new();
+        ASSERT_INT_EQ(sshbuf_put_cstring(principals, "gsamsa"), 0);
+        ASSERT_INT_EQ(sshbuf_put_cstring(principals, "gregor"), 0);
+
+        critopts = sshbuf_new();
+        /* XXX fill this in */
+
+        exts = sshbuf_new();
+        /* XXX fill this in */
+
+        ASSERT_INT_EQ(sshbuf_put_cstring(b, type), 0);
+        ASSERT_INT_EQ(sshbuf_put_cstring(b, "noncenoncenonce!"), 0); /* nonce */
+        ASSERT_INT_EQ(sshbuf_putb(b, pk), 0); /* public key serialisation */
+        ASSERT_INT_EQ(sshbuf_put_u64(b, 1234), 0); /* serial */
+        ASSERT_INT_EQ(sshbuf_put_u32(b, SSH2_CERT_TYPE_USER), 0); /* type */
+        ASSERT_INT_EQ(sshbuf_put_cstring(b, "gregor"), 0); /* key ID */
+        ASSERT_INT_EQ(sshbuf_put_stringb(b, principals), 0); /* principals */
+        ASSERT_INT_EQ(sshbuf_put_u64(b, 0), 0); /* start */
+        ASSERT_INT_EQ(sshbuf_put_u64(b, 0xffffffffffffffffULL), 0); /* end */
+        ASSERT_INT_EQ(sshbuf_put_stringb(b, critopts), 0); /* options */
+        ASSERT_INT_EQ(sshbuf_put_stringb(b, exts), 0); /* extensions */
+        ASSERT_INT_EQ(sshbuf_put_string(b, NULL, 0), 0); /* reserved */
+        ASSERT_INT_EQ(sshbuf_put_stringb(b, ca_buf), 0); /* signature key */
+        ASSERT_INT_EQ(sshkey_sign(sign_key, &sigblob, &siglen,
+            sshbuf_ptr(b), sshbuf_len(b), 0), 0);
+        ASSERT_INT_EQ(sshbuf_put_string(b, sigblob, siglen), 0); /* signature */
+
+        free(sigblob);
+        sshbuf_free(ca_buf);
+        sshbuf_free(exts);
+        sshbuf_free(critopts);
+        sshbuf_free(principals);
+        sshbuf_free(pk);
+}
+
+void
+sshkey_tests(void)
+{
+        struct sshkey *k1, *k2, *k3, *k4, *kr, *kd, *ke, *kf;
+        struct sshbuf *b;
+
+        TEST_START("new invalid");
+        k1 = sshkey_new(-42);
+        ASSERT_PTR_EQ(k1, NULL);
+        TEST_DONE();
+
+        TEST_START("new/free KEY_UNSPEC");
+        k1 = sshkey_new(KEY_UNSPEC);
+        ASSERT_PTR_NE(k1, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new/free KEY_RSA1");
+        k1 = sshkey_new(KEY_RSA1);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(k1->rsa, NULL);
+        ASSERT_PTR_NE(k1->rsa->n, NULL);
+        ASSERT_PTR_NE(k1->rsa->e, NULL);
+        ASSERT_PTR_EQ(k1->rsa->p, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new/free KEY_RSA");
+        k1 = sshkey_new(KEY_RSA);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(k1->rsa, NULL);
+        ASSERT_PTR_NE(k1->rsa->n, NULL);
+        ASSERT_PTR_NE(k1->rsa->e, NULL);
+        ASSERT_PTR_EQ(k1->rsa->p, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new/free KEY_DSA");
+        k1 = sshkey_new(KEY_DSA);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(k1->dsa, NULL);
+        ASSERT_PTR_NE(k1->dsa->g, NULL);
+        ASSERT_PTR_EQ(k1->dsa->priv_key, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new/free KEY_ECDSA");
+        k1 = sshkey_new(KEY_ECDSA);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_EQ(k1->ecdsa, NULL);  /* Can't allocate without NID */
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new/free KEY_ED25519");
+        k1 = sshkey_new(KEY_ED25519);
+        ASSERT_PTR_NE(k1, NULL);
+        /* These should be blank until key loaded or generated */
+        ASSERT_PTR_EQ(k1->ed25519_sk, NULL);
+        ASSERT_PTR_EQ(k1->ed25519_pk, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new_private KEY_RSA");
+        k1 = sshkey_new_private(KEY_RSA);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(k1->rsa, NULL);
+        ASSERT_PTR_NE(k1->rsa->n, NULL);
+        ASSERT_PTR_NE(k1->rsa->e, NULL);
+        ASSERT_PTR_NE(k1->rsa->p, NULL);
+        ASSERT_INT_EQ(sshkey_add_private(k1), 0);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("new_private KEY_DSA");
+        k1 = sshkey_new_private(KEY_DSA);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(k1->dsa, NULL);
+        ASSERT_PTR_NE(k1->dsa->g, NULL);
+        ASSERT_PTR_NE(k1->dsa->priv_key, NULL);
+        ASSERT_INT_EQ(sshkey_add_private(k1), 0);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("generate KEY_RSA too small modulus");
+        ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1),
+            SSH_ERR_INVALID_ARGUMENT);
+        ASSERT_PTR_EQ(k1, NULL);
+        TEST_DONE();
+
+        TEST_START("generate KEY_RSA too large modulus");
+        ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1),
+            SSH_ERR_INVALID_ARGUMENT);
+        ASSERT_PTR_EQ(k1, NULL);
+        TEST_DONE();
+
+        TEST_START("generate KEY_DSA wrong bits");
+        ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1),
+            SSH_ERR_INVALID_ARGUMENT);
+        ASSERT_PTR_EQ(k1, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("generate KEY_ECDSA wrong bits");
+        ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1),
+            SSH_ERR_INVALID_ARGUMENT);
+        ASSERT_PTR_EQ(k1, NULL);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("generate KEY_RSA");
+        ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 768, &kr), 0);
+        ASSERT_PTR_NE(kr, NULL);
+        ASSERT_PTR_NE(kr->rsa, NULL);
+        ASSERT_PTR_NE(kr->rsa->n, NULL);
+        ASSERT_PTR_NE(kr->rsa->e, NULL);
+        ASSERT_PTR_NE(kr->rsa->p, NULL);
+        ASSERT_INT_EQ(BN_num_bits(kr->rsa->n), 768);
+        TEST_DONE();
+
+        TEST_START("generate KEY_DSA");
+        ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &kd), 0);
+        ASSERT_PTR_NE(kd, NULL);
+        ASSERT_PTR_NE(kd->dsa, NULL);
+        ASSERT_PTR_NE(kd->dsa->g, NULL);
+        ASSERT_PTR_NE(kd->dsa->priv_key, NULL);
+        TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+        TEST_START("generate KEY_ECDSA");
+        ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &ke), 0);
+        ASSERT_PTR_NE(ke, NULL);
+        ASSERT_PTR_NE(ke->ecdsa, NULL);
+        ASSERT_PTR_NE(EC_KEY_get0_public_key(ke->ecdsa), NULL);
+        ASSERT_PTR_NE(EC_KEY_get0_private_key(ke->ecdsa), NULL);
+        TEST_DONE();
+#endif
+
+        TEST_START("generate KEY_ED25519");
+        ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &kf), 0);
+        ASSERT_PTR_NE(kf, NULL);
+        ASSERT_INT_EQ(kf->type, KEY_ED25519);
+        ASSERT_PTR_NE(kf->ed25519_pk, NULL);
+        ASSERT_PTR_NE(kf->ed25519_sk, NULL);
+        TEST_DONE();
+
+        TEST_START("demote KEY_RSA");
+        ASSERT_INT_EQ(sshkey_demote(kr, &k1), 0);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(kr, k1);
+        ASSERT_INT_EQ(k1->type, KEY_RSA);
+        ASSERT_PTR_NE(k1->rsa, NULL);
+        ASSERT_PTR_NE(k1->rsa->n, NULL);
+        ASSERT_PTR_NE(k1->rsa->e, NULL);
+        ASSERT_PTR_EQ(k1->rsa->p, NULL);
+        TEST_DONE();
+
+        TEST_START("equal KEY_RSA/demoted KEY_RSA");
+        ASSERT_INT_EQ(sshkey_equal(kr, k1), 1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("demote KEY_DSA");
+        ASSERT_INT_EQ(sshkey_demote(kd, &k1), 0);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(kd, k1);
+        ASSERT_INT_EQ(k1->type, KEY_DSA);
+        ASSERT_PTR_NE(k1->dsa, NULL);
+        ASSERT_PTR_NE(k1->dsa->g, NULL);
+        ASSERT_PTR_EQ(k1->dsa->priv_key, NULL);
+        TEST_DONE();
+
+        TEST_START("equal KEY_DSA/demoted KEY_DSA");
+        ASSERT_INT_EQ(sshkey_equal(kd, k1), 1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+#ifdef OPENSSL_HAS_ECC
+        TEST_START("demote KEY_ECDSA");
+        ASSERT_INT_EQ(sshkey_demote(ke, &k1), 0);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(ke, k1);
+        ASSERT_INT_EQ(k1->type, KEY_ECDSA);
+        ASSERT_PTR_NE(k1->ecdsa, NULL);
+        ASSERT_INT_EQ(k1->ecdsa_nid, ke->ecdsa_nid);
+        ASSERT_PTR_NE(EC_KEY_get0_public_key(ke->ecdsa), NULL);
+        ASSERT_PTR_EQ(EC_KEY_get0_private_key(k1->ecdsa), NULL);
+        TEST_DONE();
+
+        TEST_START("equal KEY_ECDSA/demoted KEY_ECDSA");
+        ASSERT_INT_EQ(sshkey_equal(ke, k1), 1);
+        sshkey_free(k1);
+        TEST_DONE();
+#endif
+
+        TEST_START("demote KEY_ED25519");
+        ASSERT_INT_EQ(sshkey_demote(kf, &k1), 0);
+        ASSERT_PTR_NE(k1, NULL);
+        ASSERT_PTR_NE(kf, k1);
+        ASSERT_INT_EQ(k1->type, KEY_ED25519);
+        ASSERT_PTR_NE(k1->ed25519_pk, NULL);
+        ASSERT_PTR_EQ(k1->ed25519_sk, NULL);
+        TEST_DONE();
+
+        TEST_START("equal KEY_ED25519/demoted KEY_ED25519");
+        ASSERT_INT_EQ(sshkey_equal(kf, k1), 1);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        TEST_START("equal mismatched key types");
+        ASSERT_INT_EQ(sshkey_equal(kd, kr), 0);
+#ifdef OPENSSL_HAS_ECC
+        ASSERT_INT_EQ(sshkey_equal(kd, ke), 0);
+        ASSERT_INT_EQ(sshkey_equal(kr, ke), 0);
+        ASSERT_INT_EQ(sshkey_equal(ke, kf), 0);
+#endif
+        ASSERT_INT_EQ(sshkey_equal(kd, kf), 0);
+        TEST_DONE();
+
+        TEST_START("equal different keys");
+        ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 768, &k1), 0);
+        ASSERT_INT_EQ(sshkey_equal(kr, k1), 0);
+        sshkey_free(k1);
+        ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 1024, &k1), 0);
+        ASSERT_INT_EQ(sshkey_equal(kd, k1), 0);
+        sshkey_free(k1);
+#ifdef OPENSSL_HAS_ECC
+        ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 256, &k1), 0);
+        ASSERT_INT_EQ(sshkey_equal(ke, k1), 0);
+        sshkey_free(k1);
+#endif
+        ASSERT_INT_EQ(sshkey_generate(KEY_ED25519, 256, &k1), 0);
+        ASSERT_INT_EQ(sshkey_equal(kf, k1), 0);
+        sshkey_free(k1);
+        TEST_DONE();
+
+        sshkey_free(kr);
+        sshkey_free(kd);
+#ifdef OPENSSL_HAS_ECC
+        sshkey_free(ke);
+#endif
+        sshkey_free(kf);
+
+/* XXX certify test */
+/* XXX sign test */
+/* XXX verify test */
+
+        TEST_START("nested certificate");
+        ASSERT_INT_EQ(sshkey_load_cert(test_data_file("rsa_1"), &k1), 0);
+        ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa_1.pub"), &k2,
+            NULL), 0);
+        b = load_file("rsa_2");
+        ASSERT_INT_EQ(sshkey_parse_private_fileblob(b, "", "rsa_1",
+            &k3, NULL), 0);
+        sshbuf_reset(b);
+        build_cert(b, k2, "ssh-rsa-cert-v01@openssh.com", k3, k1);
+        ASSERT_INT_EQ(sshkey_from_blob(sshbuf_ptr(b), sshbuf_len(b), &k4),
+            SSH_ERR_KEY_CERT_INVALID_SIGN_KEY);
+        ASSERT_PTR_EQ(k4, NULL);
+        sshbuf_free(b);
+        sshkey_free(k1);
+        sshkey_free(k2);
+        sshkey_free(k3);
+        TEST_DONE();
+
+}
diff --git a/regress/unittests/sshkey/testdata/dsa_1 b/regress/unittests/sshkey/testdata/dsa_1
new file mode 100644
index 000000000..34346869f
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQCxBNwH8TmLXqiZa0b9pxC6W+zS4Voqp8S+QwecYpNPTmhjaUYI
+E/aJWAzFVtdbysLM89ukvw/z8qBkbMSefdypKmjUtgv51ZD4nfV4Wxb+G+1QExHr
+M+kowOOL3XbcsdbPLUt8vxDJbBlQRch4zyai7CWjQR3JFXpR8sevUFJxSQIVAIdE
+oncp2DEY2U/ZZnIyGCwApCzfAoGARW+eewZTv1Eosxv3ANKx372pf5+fQKwnWizI
+j5z/GY3w3xobRCP9FiL4K3Nip2FvHLTGpRrlfm19RWYAg77VsNgztC4V9C8QrKWc
+WJdkUkoQpZ3VoO25rO13hmIelkal3omKCF4ZE/edeF3d2B8DlzYs0aBcjTCMDrub
+/CJILcYCgYEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j
+4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1
+/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gCFBl7Lc6V
+hmTiTuhLXjoRdCZS/p/m
+-----END DSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.fp b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
new file mode 100644
index 000000000..56ee1f89b
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1-cert.fp
@@ -0,0 +1 @@
+5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
diff --git a/regress/unittests/sshkey/testdata/dsa_1-cert.pub b/regress/unittests/sshkey/testdata/dsa_1-cert.pub
new file mode 100644
index 000000000..023edf136
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1-cert.pub
@@ -0,0 +1 @@
+ssh-dss-cert-v01@openssh.com AAAAHHNzaC1kc3MtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgj8zueN51MSQ7jW3fFwqyJWA3DycAAavQ8WgMHqcUG7YAAACBALEE3AfxOYteqJlrRv2nELpb7NLhWiqnxL5DB5xik09OaGNpRggT9olYDMVW11vKwszz26S/D/PyoGRsxJ593KkqaNS2C/nVkPid9XhbFv4b7VATEesz6SjA44vddtyx1s8tS3y/EMlsGVBFyHjPJqLsJaNBHckVelHyx69QUnFJAAAAFQCHRKJ3KdgxGNlP2WZyMhgsAKQs3wAAAIBFb557BlO/USizG/cA0rHfval/n59ArCdaLMiPnP8ZjfDfGhtEI/0WIvgrc2KnYW8ctMalGuV+bX1FZgCDvtWw2DO0LhX0LxCspZxYl2RSShClndWg7bms7XeGYh6WRqXeiYoIXhkT9514Xd3YHwOXNizRoFyNMIwOu5v8IkgtxgAAAIEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gAAAAAAAAABgAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2i4NgAAAAAE0d4eAAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQAAAAUwAAAAtzc2gtZWQyNTUxOQAAAEA6qftqozw0ah9PG9obAg8iOPwQv6AsT9t/1G69eArSd9Am85OKIhAvYguI1Xtr9rw78X/Xk+6HtyAOF3QemaQD dsa_1.pub
diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp b/regress/unittests/sshkey/testdata/dsa_1.fp
new file mode 100644
index 000000000..56ee1f89b
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1.fp
@@ -0,0 +1 @@
+5a:4a:41:8c:4e:fa:4c:52:19:f9:39:49:31:fb:fd:74
diff --git a/regress/unittests/sshkey/testdata/dsa_1.fp.bb b/regress/unittests/sshkey/testdata/dsa_1.fp.bb
new file mode 100644
index 000000000..07dd9b418
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1.fp.bb
@@ -0,0 +1 @@
+xosat-baneh-gocad-relek-kepur-mibip-motog-bykyb-hisug-mysus-tuxix
diff --git a/regress/unittests/sshkey/testdata/dsa_1.param.g b/regress/unittests/sshkey/testdata/dsa_1.param.g
new file mode 100644
index 000000000..4b09f6d18
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1.param.g
@@ -0,0 +1 @@
+456f9e7b0653bf5128b31bf700d2b1dfbda97f9f9f40ac275a2cc88f9cff198df0df1a1b4423fd1622f82b7362a7616f1cb4c6a51ae57e6d7d45660083bed5b0d833b42e15f42f10aca59c589764524a10a59dd5a0edb9aced7786621e9646a5de898a085e1913f79d785dddd81f0397362cd1a05c8d308c0ebb9bfc22482dc6
diff --git a/regress/unittests/sshkey/testdata/dsa_1.param.priv b/regress/unittests/sshkey/testdata/dsa_1.param.priv
new file mode 100644
index 000000000..2dd737cbe
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1.param.priv
@@ -0,0 +1 @@
+197b2dce958664e24ee84b5e3a11742652fe9fe6
diff --git a/regress/unittests/sshkey/testdata/dsa_1.param.pub b/regress/unittests/sshkey/testdata/dsa_1.param.pub
new file mode 100644
index 000000000..b23d7207f
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1.param.pub
@@ -0,0 +1 @@
+00809b7d8de7c6422e1297917c8778d8a39d8bca013cb0d632bab12530a566ca1152289d487e2f63e21369da3673bbb8e96568589dd5283da1ba81b441edf2f7a79927951a373f60f39ddeaee8d01d86b003596f895fd9f5fc430a52fd21f2b44523fddbf516351d55730501fb577b0d27a89e907f09a8ecb596208c68cca5c388
diff --git a/regress/unittests/sshkey/testdata/dsa_1.pub b/regress/unittests/sshkey/testdata/dsa_1.pub
new file mode 100644
index 000000000..89681970c
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1.pub
@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBALEE3AfxOYteqJlrRv2nELpb7NLhWiqnxL5DB5xik09OaGNpRggT9olYDMVW11vKwszz26S/D/PyoGRsxJ593KkqaNS2C/nVkPid9XhbFv4b7VATEesz6SjA44vddtyx1s8tS3y/EMlsGVBFyHjPJqLsJaNBHckVelHyx69QUnFJAAAAFQCHRKJ3KdgxGNlP2WZyMhgsAKQs3wAAAIBFb557BlO/USizG/cA0rHfval/n59ArCdaLMiPnP8ZjfDfGhtEI/0WIvgrc2KnYW8ctMalGuV+bX1FZgCDvtWw2DO0LhX0LxCspZxYl2RSShClndWg7bms7XeGYh6WRqXeiYoIXhkT9514Xd3YHwOXNizRoFyNMIwOu5v8IkgtxgAAAIEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4g= DSA test key #1
diff --git a/regress/unittests/sshkey/testdata/dsa_1_pw b/regress/unittests/sshkey/testdata/dsa_1_pw
new file mode 100644
index 000000000..1402153a0
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_1_pw
@@ -0,0 +1,15 @@
+-----BEGIN DSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,9E668E24E7B9D658E3E7D0446B32B376
+
+hDjDLbfCAQutblxLuyNzSLxISSgXTgyzq8St9GE0lUtEc7i0xGNWwoWpFSbtD9y1
+yTG5UkhATQt56SY1ABfXZ21wieYuEEQeSJi0gwUQNNt2SwwITx4EdzDedWiHjikt
+jbzH3v33agp/odw2X9wY6zu75y9CeW9o7SszRl286DliWIHJmhMlbb8r7jRqu62H
+s5YYxD0xS1ipWauxklmIXMWNZHcARo8ZiJOuNdLshrSrl8DUW9P6F89FvxclQzKr
+44u3OBm7KbgPvPURDFLgNP6uCGBjzHvhHTpzVBxmQzCl3aGgsTKXiwJ1eupNjntB
+ji0EnbznvoxR6qhXxw/WQ+MnWlWqTXka/2qaB6m3oJv+Zn7cPCJ5kvHnhr2JmNMl
+igTh4Ov4LZLyNgO0Lbec4KyxW9QInRV5CY4Pu5lhqHteiPmOIGMWFtuh8Bb8Kg2q
+VvXnPo5I3FjqV7UhDduO1Wn558sBZWQPqRbHVPN6wXJuM3HGkBl+aNjn0qddv9tr
+VFJd/xdly2Ne81g3CB8jysE+3WEOrV9kdybocp/EhSOzP4i6pjWlyWdR5+CgbvRm
+TUIeIaQbmPIB5251o5YK+Q==
+-----END DSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/dsa_2 b/regress/unittests/sshkey/testdata/dsa_2
new file mode 100644
index 000000000..b189dc821
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_2
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQDoMxCTyBnLPSO7CRU3RyfJLANLKBZ3/LdcsyNaARctaRA5gzRb
+XdTFFU+rWKfxv+otm0KyCOepLtWy8tjKRYb7Ni46USlGwtM0Adx/3vR4iWNfipDP
+K2V4O97JyMe3wsbF7siC01U4b8Ki+J44iFG9nuRnOTHqUWI615mraQRwlQIVAMsX
+nsPGH8QrU11F1ScAIfZC165dAoGACCXyOHFkxABpJDtJs6AE7Hl3XjI4dnlim/XH
+Y60W6gcO7gHSE2r2ljCubJqoUXmxd5mLKgnu91jIG/4URwDM4V7pb2k99sXpAi8I
+L52eQl88C0bRD9+lEJfR4PMT39EccDRPB4+E055RoYQZ/McIyad8sF3Qwt084Eq+
+IkUt2coCgYEAxZRpCY82sM9Mu4B0EcH6O8seRqIRScmelljhUtKxuvf2PChwIWkR
+HK9lORHBE3iKyurC5Muf3abuHKwMFjrOjHKOTqXBRrDZ7RgLQA0aUAQD3lWc9OTP
+NShjphpq5xr0HZB31eJg3/Mo6KxYlRpzMXbTyenZP0XLICSSAywvTDoCFG5whl2k
+Y2FLGfi9V6ylUVH6jKgE
+-----END DSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp b/regress/unittests/sshkey/testdata/dsa_2.fp
new file mode 100644
index 000000000..ba9de82a8
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_2.fp
@@ -0,0 +1 @@
+72:5f:50:6b:e5:64:c5:62:21:92:3f:8b:10:9b:9f:1a
diff --git a/regress/unittests/sshkey/testdata/dsa_2.fp.bb b/regress/unittests/sshkey/testdata/dsa_2.fp.bb
new file mode 100644
index 000000000..37a5221a7
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_2.fp.bb
@@ -0,0 +1 @@
+xesoh-mebaf-feced-lenuz-sicam-pevok-bosak-nogaz-ligen-fekef-fixex
diff --git a/regress/unittests/sshkey/testdata/dsa_2.pub b/regress/unittests/sshkey/testdata/dsa_2.pub
new file mode 100644
index 000000000..6ed2736b1
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_2.pub
@@ -0,0 +1 @@
+ssh-dss AAAAB3NzaC1kc3MAAACBAOgzEJPIGcs9I7sJFTdHJ8ksA0soFnf8t1yzI1oBFy1pEDmDNFtd1MUVT6tYp/G/6i2bQrII56ku1bLy2MpFhvs2LjpRKUbC0zQB3H/e9HiJY1+KkM8rZXg73snIx7fCxsXuyILTVThvwqL4njiIUb2e5Gc5MepRYjrXmatpBHCVAAAAFQDLF57Dxh/EK1NdRdUnACH2QteuXQAAAIAIJfI4cWTEAGkkO0mzoATseXdeMjh2eWKb9cdjrRbqBw7uAdITavaWMK5smqhRebF3mYsqCe73WMgb/hRHAMzhXulvaT32xekCLwgvnZ5CXzwLRtEP36UQl9Hg8xPf0RxwNE8Hj4TTnlGhhBn8xwjJp3ywXdDC3TzgSr4iRS3ZygAAAIEAxZRpCY82sM9Mu4B0EcH6O8seRqIRScmelljhUtKxuvf2PChwIWkRHK9lORHBE3iKyurC5Muf3abuHKwMFjrOjHKOTqXBRrDZ7RgLQA0aUAQD3lWc9OTPNShjphpq5xr0HZB31eJg3/Mo6KxYlRpzMXbTyenZP0XLICSSAywvTDo= DSA test key #2
diff --git a/regress/unittests/sshkey/testdata/dsa_n b/regress/unittests/sshkey/testdata/dsa_n
new file mode 100644
index 000000000..34346869f
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_n
@@ -0,0 +1,12 @@
+-----BEGIN DSA PRIVATE KEY-----
+MIIBuwIBAAKBgQCxBNwH8TmLXqiZa0b9pxC6W+zS4Voqp8S+QwecYpNPTmhjaUYI
+E/aJWAzFVtdbysLM89ukvw/z8qBkbMSefdypKmjUtgv51ZD4nfV4Wxb+G+1QExHr
+M+kowOOL3XbcsdbPLUt8vxDJbBlQRch4zyai7CWjQR3JFXpR8sevUFJxSQIVAIdE
+oncp2DEY2U/ZZnIyGCwApCzfAoGARW+eewZTv1Eosxv3ANKx372pf5+fQKwnWizI
+j5z/GY3w3xobRCP9FiL4K3Nip2FvHLTGpRrlfm19RWYAg77VsNgztC4V9C8QrKWc
+WJdkUkoQpZ3VoO25rO13hmIelkal3omKCF4ZE/edeF3d2B8DlzYs0aBcjTCMDrub
+/CJILcYCgYEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j
+4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1
+/EMKUv0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gCFBl7Lc6V
+hmTiTuhLXjoRdCZS/p/m
+-----END DSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/dsa_n_pw b/regress/unittests/sshkey/testdata/dsa_n_pw
new file mode 100644
index 000000000..42f70dd23
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/dsa_n_pw
@@ -0,0 +1,22 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABD5nB+Nkw
+LNoPtAG7C3IdXmAAAAEAAAAAEAAAGyAAAAB3NzaC1kc3MAAACBALEE3AfxOYteqJlrRv2n
+ELpb7NLhWiqnxL5DB5xik09OaGNpRggT9olYDMVW11vKwszz26S/D/PyoGRsxJ593KkqaN
+S2C/nVkPid9XhbFv4b7VATEesz6SjA44vddtyx1s8tS3y/EMlsGVBFyHjPJqLsJaNBHckV
+elHyx69QUnFJAAAAFQCHRKJ3KdgxGNlP2WZyMhgsAKQs3wAAAIBFb557BlO/USizG/cA0r
+Hfval/n59ArCdaLMiPnP8ZjfDfGhtEI/0WIvgrc2KnYW8ctMalGuV+bX1FZgCDvtWw2DO0
+LhX0LxCspZxYl2RSShClndWg7bms7XeGYh6WRqXeiYoIXhkT9514Xd3YHwOXNizRoFyNMI
+wOu5v8IkgtxgAAAIEAgJt9jefGQi4Sl5F8h3jYo52LygE8sNYyurElMKVmyhFSKJ1Ifi9j
+4hNp2jZzu7jpZWhYndUoPaG6gbRB7fL3p5knlRo3P2Dznd6u6NAdhrADWW+JX9n1/EMKUv
+0h8rRFI/3b9RY1HVVzBQH7V3sNJ6iekH8JqOy1liCMaMylw4gAAAHw8P1DtkBulOGv85qf
+P+md2+LL+NKufVzHl9k2UKQFjeqY6uqs4HSDqvhXe7oiXd5mz6I7orxjtKU9hGjNF4ABUD
+OawVGe/GCRUQ4WgpAgDnqQLeFcdIwtMSIrRZU6xjs314EI7TM7IIiG26JEuXDfZI1e7C3y
+Cc38ZsP3zmg/UjgcCQar5c4n++vhOmeO36+fcUyZ1QlR05SaEtFYJA+otP3RmKTiDwob8Q
+zRMr8Y57i2NTTtFjkmnnnQCibP62yz7N22Dve7RTOH8jiaW7p02Vn/6WmCarevN1rxtLLR
+lkuWtPoKY8z/Ktcev8YE9f2+9H2TfXDRKYqIEfxgZLCJ4yP2gxDe6zurabS0hAO1CP+ej5
+htdJM3/rTqHAIevXX5uhIDmMvRHnLGldaIX1xux8TIJvSfMkYNIwscIP4kx7BGMk04vXtW
+5DLm6IZhzw9T3hjr8R0kBugmT6/h9vD5iN1D+wiHIhHYzQKMU9nOeFNsMBFWgJjU0l8VlF
+gEjEMgAEfwynnmIoKB1iA/0em1tdU3naS59DBK+buE0trxUpTAAB5z8yPhAm6DdqrPE8cA
+N3HlMoWrbCuak2A0uyOlEJjPg4UJUnv12ve2c9pAMsAu/4CAszCEM0prR+qd/RA4nn4M5u
+Xrny2wNtt/DybCkA==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1 b/regress/unittests/sshkey/testdata/ecdsa_1
new file mode 100644
index 000000000..aec73dd61
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFghsFR1K95tz8qOl3+tX6fv8a/O6AfNbxOSFZX3ihxooAoGCCqGSM49
+AwEHoUQDQgAEalpgP0BOePHtTw0Pus4tdhTb8P9yWUZluvLf1D8vrHImT+G4vr/W
+xo5iXGKQVEifuUVyLkAW2kDrq8J/szeRiQ==
+-----END EC PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
new file mode 100644
index 000000000..a56dbc8d0
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.fp
@@ -0,0 +1 @@
+f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub b/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub
new file mode 100644
index 000000000..29b06a4dd
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1-cert.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256-cert-v01@openssh.com AAAAKGVjZHNhLXNoYTItbmlzdHAyNTYtY2VydC12MDFAb3BlbnNzaC5jb20AAAAgjpoHehzmM54xz776HOiTOLPhkOwSWyXOMYeqDhDEcLgAAAAIbmlzdHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYlxikFRIn7lFci5AFtpA66vCf7M3kYkAAAAAAAAABwAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2i4NgAAAAAE0d4eAAAAAAAAAAAAAAAAAAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYlxikFRIn7lFci5AFtpA66vCf7M3kYkAAABjAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAABIAAAAIFZM1PXlXf0a3VuGs7MVdWSealDXprT1nN5hQTg+m+EYAAAAIGN1yNXWEY5V315NhOD3mBuh/xCpfDn5rZjF4YntA7du ecdsa_1.pub
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp b/regress/unittests/sshkey/testdata/ecdsa_1.fp
new file mode 100644
index 000000000..a56dbc8d0
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp
@@ -0,0 +1 @@
+f7:be:4c:02:65:ed:4c:11:af:ab:a8:dd:0a:92:e7:44
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb b/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb
new file mode 100644
index 000000000..f01a5dd44
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.fp.bb
@@ -0,0 +1 @@
+xotah-hecal-zibyb-nadug-romuc-hator-venum-hobip-ruluh-ripus-naxix
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.param.curve b/regress/unittests/sshkey/testdata/ecdsa_1.param.curve
new file mode 100644
index 000000000..fa0400467
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.param.curve
@@ -0,0 +1 @@
+prime256v1
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.param.priv b/regress/unittests/sshkey/testdata/ecdsa_1.param.priv
new file mode 100644
index 000000000..3475f1fe9
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.param.priv
@@ -0,0 +1 @@
+5821b054752bde6dcfca8e977fad5fa7eff1afcee807cd6f13921595f78a1c68
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.param.pub b/regress/unittests/sshkey/testdata/ecdsa_1.param.pub
new file mode 100644
index 000000000..11847a394
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.param.pub
@@ -0,0 +1 @@
+046a5a603f404e78f1ed4f0d0fbace2d7614dbf0ff72594665baf2dfd43f2fac72264fe1b8bebfd6c68e625c629054489fb945722e4016da40ebabc27fb3379189
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1.pub b/regress/unittests/sshkey/testdata/ecdsa_1.pub
new file mode 100644
index 000000000..eca1620bc
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYlxikFRIn7lFci5AFtpA66vCf7M3kYk= ECDSA test key #1
diff --git a/regress/unittests/sshkey/testdata/ecdsa_1_pw b/regress/unittests/sshkey/testdata/ecdsa_1_pw
new file mode 100644
index 000000000..071154ab2
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_1_pw
@@ -0,0 +1,8 @@
+-----BEGIN EC PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,74C8AEA5BFAFCC2B1C8B13DE671F5610
+
+vUsgOvCqezxPmcZcFqrSy9Y1MMlVguY0h9cfSPFC7gUrRr+45uCOYX5bOwEXecKn
+/9uCXZtlBwwqDS9iK5IPoUrjEHvzI5rVbHWUxDrEOVbsfiDuCxrQM19It6QIqC1v
+OSQEdXuBWR5WmhKNc3dqLbWsU8u2s60YwKQmZrj9nM4=
+-----END EC PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2 b/regress/unittests/sshkey/testdata/ecdsa_2
new file mode 100644
index 000000000..76ae07ad4
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2
@@ -0,0 +1,7 @@
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBg4kVxUfoo/RE/78/QBRqG6PZuHZ82eLnhmZVzBa7XREUiYI/Jw7r
+Qwp4FTBVfXL76Pt5AyBMf+52aVeOUlLRERSgBwYFK4EEACOhgYkDgYYABACNTJ5O
+uNo5dNgIQRLHzKU91m7immKFiutJ6BlDbkRkKr+Envj13J6HOgYvOTm0n7SPlKHS
+STZ4/T36d/rzQOAbIwEnbbwD9HMj6IzE4WH9lJzH7Zy7Tcyu6dOM8L7nOxCp3DUk
+F3aAnPSFJhD7NN0jBWOFsD6uy1OmaTklPfRAnCt1MQ==
+-----END EC PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp b/regress/unittests/sshkey/testdata/ecdsa_2.fp
new file mode 100644
index 000000000..eb4bbdf03
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp
@@ -0,0 +1 @@
+51:bd:ff:2b:6d:26:9b:90:f9:e1:4a:ca:a0:29:8e:70
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb b/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb
new file mode 100644
index 000000000..267bc63fd
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.fp.bb
@@ -0,0 +1 @@
+xuzaz-zuzuk-virop-vypah-zumel-gylak-selih-fevad-varag-zynif-haxox
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.param.curve b/regress/unittests/sshkey/testdata/ecdsa_2.param.curve
new file mode 100644
index 000000000..617ea2fb8
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.param.curve
@@ -0,0 +1 @@
+secp521r1
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.param.priv b/regress/unittests/sshkey/testdata/ecdsa_2.param.priv
new file mode 100644
index 000000000..537cdaac3
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.param.priv
@@ -0,0 +1 @@
+01838915c547e8a3f444ffbf3f40146a1ba3d9b8767cd9e2e7866655cc16bb5d111489823f270eeb430a781530557d72fbe8fb7903204c7fee7669578e5252d11114
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.param.pub b/regress/unittests/sshkey/testdata/ecdsa_2.param.pub
new file mode 100644
index 000000000..3352ac769
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.param.pub
@@ -0,0 +1 @@
+04008d4c9e4eb8da3974d8084112c7cca53dd66ee29a62858aeb49e819436e44642abf849ef8f5dc9e873a062f3939b49fb48f94a1d2493678fd3dfa77faf340e01b2301276dbc03f47323e88cc4e161fd949cc7ed9cbb4dccaee9d38cf0bee73b10a9dc35241776809cf4852610fb34dd23056385b03eaecb53a66939253df4409c2b7531
diff --git a/regress/unittests/sshkey/testdata/ecdsa_2.pub b/regress/unittests/sshkey/testdata/ecdsa_2.pub
new file mode 100644
index 000000000..34e1881dd
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_2.pub
@@ -0,0 +1 @@
+ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBACNTJ5OuNo5dNgIQRLHzKU91m7immKFiutJ6BlDbkRkKr+Envj13J6HOgYvOTm0n7SPlKHSSTZ4/T36d/rzQOAbIwEnbbwD9HMj6IzE4WH9lJzH7Zy7Tcyu6dOM8L7nOxCp3DUkF3aAnPSFJhD7NN0jBWOFsD6uy1OmaTklPfRAnCt1MQ== ECDSA test key #2
diff --git a/regress/unittests/sshkey/testdata/ecdsa_n b/regress/unittests/sshkey/testdata/ecdsa_n
new file mode 100644
index 000000000..aec73dd61
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_n
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIFghsFR1K95tz8qOl3+tX6fv8a/O6AfNbxOSFZX3ihxooAoGCCqGSM49
+AwEHoUQDQgAEalpgP0BOePHtTw0Pus4tdhTb8P9yWUZluvLf1D8vrHImT+G4vr/W
+xo5iXGKQVEifuUVyLkAW2kDrq8J/szeRiQ==
+-----END EC PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ecdsa_n_pw b/regress/unittests/sshkey/testdata/ecdsa_n_pw
new file mode 100644
index 000000000..75d585908
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ecdsa_n_pw
@@ -0,0 +1,9 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABBXqI6Z6o
+uRM+jAwdhnDoIMAAAAEAAAAAEAAABoAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlz
+dHAyNTYAAABBBGpaYD9ATnjx7U8ND7rOLXYU2/D/cllGZbry39Q/L6xyJk/huL6/1saOYl
+xikFRIn7lFci5AFtpA66vCf7M3kYkAAACwYMnoCTqvUTG0ktSSMNsOZLCdal5J4avEpM1L
+sV9SL/RVcwo3ChprhwsnQsaAtMiJCRcHerKgD9qy1MNNaE5VNfVJ0Ih/7ut04cbFKed8p6
+0V+w8WP7WvFffBPoHn+GGbQd1FDGzHhXUB61pH8Qzd1bI/sld/XEtMk7iYjNGQe9Rt0RaK
+Wi8trwaA0Fb2w/EFnrdsFFxrIhQEqYBdEQJo782IqAsMG9OwUaM0vy+8bcI=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ed25519_1 b/regress/unittests/sshkey/testdata/ed25519_1
new file mode 100644
index 000000000..a537ae13d
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACC5PeVeSdyylcfG3C0geNO90e3dGgL0fICaz751dA9zEAAAAJglsAcYJbAH
+GAAAAAtzc2gtZWQyNTUxOQAAACC5PeVeSdyylcfG3C0geNO90e3dGgL0fICaz751dA9zEA
+AAAED6HJ8Bh8tdQvhMd5o8IxtIwBv8/FV48FpBFWAbYdsIsLk95V5J3LKVx8bcLSB4073R
+7d0aAvR8gJrPvnV0D3MQAAAAE0VEMjU1MTkgdGVzdCBrZXkgIzEBAg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.fp b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
new file mode 100644
index 000000000..e6d23d0b8
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.fp
@@ -0,0 +1 @@
+19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
diff --git a/regress/unittests/sshkey/testdata/ed25519_1-cert.pub b/regress/unittests/sshkey/testdata/ed25519_1-cert.pub
new file mode 100644
index 000000000..ad0b9a888
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1-cert.pub
@@ -0,0 +1 @@
+ssh-ed25519-cert-v01@openssh.com AAAAIHNzaC1lZDI1NTE5LWNlcnQtdjAxQG9wZW5zc2guY29tAAAAIHmdL66MkkOvncpc0W4MdvlJZMfQthHiOUv+XKm7gvzOAAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQAAAAAAAAAAgAAAACAAAABmp1bGl1cwAAABIAAAAFaG9zdDEAAAAFaG9zdDIAAAAANouDYAAAAABNHeHgAAAAAAAAAAAAAAAAAAAAMwAAAAtzc2gtZWQyNTUxOQAAACC5PeVeSdyylcfG3C0geNO90e3dGgL0fICaz751dA9zEAAAAFMAAAALc3NoLWVkMjU1MTkAAABAsUStKm1z3Rtvwy3eXE1DrgVp6kix2iEQXfB66IHX2UpAj5yl0eQGXWTSEDIxHDIb0SJvUH43OWX0PrEeAs0mAA== ed25519_1.pub
diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp b/regress/unittests/sshkey/testdata/ed25519_1.fp
new file mode 100644
index 000000000..e6d23d0b8
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1.fp
@@ -0,0 +1 @@
+19:08:8e:7e:4d:e5:de:86:2a:09:47:65:eb:0a:51:2f
diff --git a/regress/unittests/sshkey/testdata/ed25519_1.fp.bb b/regress/unittests/sshkey/testdata/ed25519_1.fp.bb
new file mode 100644
index 000000000..591a711b4
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1.fp.bb
@@ -0,0 +1 @@
+xofip-nuhoh-botam-cypeg-panig-tunef-bimav-numeb-nikic-gocyf-paxax
diff --git a/regress/unittests/sshkey/testdata/ed25519_1.pub b/regress/unittests/sshkey/testdata/ed25519_1.pub
new file mode 100644
index 000000000..633e05077
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQ ED25519 test key #1
diff --git a/regress/unittests/sshkey/testdata/ed25519_1_pw b/regress/unittests/sshkey/testdata/ed25519_1_pw
new file mode 100644
index 000000000..9fc635208
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_1_pw
@@ -0,0 +1,8 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABAlT1eewp
+9gl0gue+sSrBWKAAAAEAAAAAEAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bc
+LSB4073R7d0aAvR8gJrPvnV0D3MQAAAAoMrL9ixIQHoJ86DcKMGt26+bCeaoyGjW5hha2Y
+IxAZ+rRvNjUuv3MGvbUxtUpPZkTP/vk2fVSCuCD9St5Lbt/LKdIk2MfWIFbjZ6iEfdzxz0
+DHmsSDMps8dbePqqIPULR8av447jEzQEkUc8GSR6WqFSJOjJ8OvrJat1KcEK7V2tjZnLS1
+GoLMqVAtCVhuXwUkeJiRQE/JRl172hxB+LAVw=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ed25519_2 b/regress/unittests/sshkey/testdata/ed25519_2
new file mode 100644
index 000000000..a6e5f0040
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_2
@@ -0,0 +1,7 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW
+QyNTUxOQAAACBXUfO5Kid+jhRnyVt+1r9wj2FN/mZ6RfgGdySeYoq4WAAAAJjGeKsZxnir
+GQAAAAtzc2gtZWQyNTUxOQAAACBXUfO5Kid+jhRnyVt+1r9wj2FN/mZ6RfgGdySeYoq4WA
+AAAEB+gn4gGClQl2WMeOkikY+w0A0kSw1KH4Oyami7hlypsFdR87kqJ36OFGfJW37Wv3CP
+YU3+ZnpF+AZ3JJ5iirhYAAAAE0VEMjU1MTkgdGVzdCBrZXkgIzEBAg==
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp b/regress/unittests/sshkey/testdata/ed25519_2.fp
new file mode 100644
index 000000000..02c684f36
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_2.fp
@@ -0,0 +1 @@
+5c:c9:ae:a3:0c:aa:28:29:b8:fc:7c:64:ba:6e:e9:c9
diff --git a/regress/unittests/sshkey/testdata/ed25519_2.fp.bb b/regress/unittests/sshkey/testdata/ed25519_2.fp.bb
new file mode 100644
index 000000000..ebe782e2c
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_2.fp.bb
@@ -0,0 +1 @@
+xenoz-tovup-zecyt-hohar-motam-sugid-fecyz-tutyk-gosom-ginar-kixux
diff --git a/regress/unittests/sshkey/testdata/ed25519_2.pub b/regress/unittests/sshkey/testdata/ed25519_2.pub
new file mode 100644
index 000000000..37b93352a
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/ed25519_2.pub
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdR87kqJ36OFGfJW37Wv3CPYU3+ZnpF+AZ3JJ5iirhY ED25519 test key #1
diff --git a/regress/unittests/sshkey/testdata/pw b/regress/unittests/sshkey/testdata/pw
new file mode 100644
index 000000000..8a1dff98a
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/pw
@@ -0,0 +1 @@
+mekmitasdigoat
diff --git a/regress/unittests/sshkey/testdata/rsa1_1 b/regress/unittests/sshkey/testdata/rsa1_1
new file mode 100644
index 000000000..d22014e88
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_1
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp b/regress/unittests/sshkey/testdata/rsa1_1.fp
new file mode 100644
index 000000000..782ece0db
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_1.fp
@@ -0,0 +1 @@
+a8:82:9b:98:c5:e6:19:d6:83:39:9f:4d:3a:8f:7c:80
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.fp.bb b/regress/unittests/sshkey/testdata/rsa1_1.fp.bb
new file mode 100644
index 000000000..caaf9511a
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_1.fp.bb
@@ -0,0 +1 @@
+xukib-cymuf-mylib-kecih-rogyb-sorid-belys-kytem-dinin-cicil-kyxex
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.param.n b/regress/unittests/sshkey/testdata/rsa1_1.param.n
new file mode 100644
index 000000000..4ceb37362
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_1.param.n
@@ -0,0 +1 @@
+00cf68059e5c7743318d740d3ebb55eb577891c9c3098817703f4c3157285055c2daa50102509ebdcade324e541c965e2931fd3459052fe65d013722da805d7ec8ef5b97cc006789d0566c5578b23e7aaa5be2b055d85798030cdead2eb2cc4eb3
diff --git a/regress/unittests/sshkey/testdata/rsa1_1.pub b/regress/unittests/sshkey/testdata/rsa1_1.pub
new file mode 100644
index 000000000..56cf30d30
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_1.pub
@@ -0,0 +1 @@
+768 65537 1257820658919101781627826212425999371251377782154008557690434337796299274692579921603319269571889066123773172648045269780061837011867522525764583065919572648969392756890567918758763032103894830246827894023662422727333291801518558899 RSA1 test key #1
diff --git a/regress/unittests/sshkey/testdata/rsa1_1_pw b/regress/unittests/sshkey/testdata/rsa1_1_pw
new file mode 100644
index 000000000..3113dbc0f
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_1_pw
diff --git a/regress/unittests/sshkey/testdata/rsa1_2 b/regress/unittests/sshkey/testdata/rsa1_2
new file mode 100644
index 000000000..e75e665ff
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_2
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp b/regress/unittests/sshkey/testdata/rsa1_2.fp
new file mode 100644
index 000000000..c3325371d
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_2.fp
@@ -0,0 +1 @@
+c0:83:1c:97:5f:32:77:7e:e4:e3:e9:29:b9:eb:76:9c
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.fp.bb b/regress/unittests/sshkey/testdata/rsa1_2.fp.bb
new file mode 100644
index 000000000..cd8037140
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_2.fp.bb
@@ -0,0 +1 @@
+xifad-vevot-sozyl-fapeb-meryf-kylut-cydiv-firik-gavyb-lanad-kaxox
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.param.n b/regress/unittests/sshkey/testdata/rsa1_2.param.n
new file mode 100644
index 000000000..f8143a4b9
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_2.param.n
@@ -0,0 +1 @@
+00b08a9fa386aceaab2ec3e9cdc7e6cb4eac9e98620279eed6762e1f513739a417ac8a86231fad3b8727a9de994973a7aae674a132547341984ade91aa1c22f01d2f0204ea7fa121969c367a5d04bda384066cf94e0b56d1efc47f50ca28e90603547df41c0676550d82d369f699b457d4f0f077999d9e76ab679fbf4206d418dbabed1823f14e4ddf3aac987686e6b006f8a23ea6af13b4c0e5b1fb5b1eb4db2f47b229422c450574cae9c64db5dcfce050836b6bdfa8fb541b4d426444a5ea20ad51a25d3048414ced2e199da2997968273e8beb10f3a351e98a57b00dadfa8f00a39bb55be94dae898fda6021d728f32b2ec93edd16e51073be3ac7511e5085
diff --git a/regress/unittests/sshkey/testdata/rsa1_2.pub b/regress/unittests/sshkey/testdata/rsa1_2.pub
new file mode 100644
index 000000000..de1afbb8b
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa1_2.pub
@@ -0,0 +1 @@
+2048 65537 22286299513474010485021611215236051675183880694440075228245854420062562171290421803318459093678819161498086077099067169041536315773126601869537036602014639497662916952995546870691495931205282427606841521014293638607226118353743812583642616889028731910222603216563207637006843580936568089467160095319593442255227365472917576488012409542775346105980501967996562422764758836868135158147777193940857952623773420292946843206784104932927528915610322518810753953608862466374219925252817405397507396462117715293725218947744085154122395590957537510003558169729949140038634486299736757269280065662263306737701939154762092925061 RSA1 test key #2
diff --git a/regress/unittests/sshkey/testdata/rsa_1 b/regress/unittests/sshkey/testdata/rsa_1
new file mode 100644
index 000000000..09e79a72e
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1
@@ -0,0 +1,12 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBywIBAAJhAM/6MDmVVm/uNQmZpOcthoAAgMDUg7G4H6ZLLyPEhboKaBBHvIdw
+ZdDmB+0LDf3D1aWXyUd2/pCkCysiBzqd/523zAzjY7HayqL6A940AxKBBbWLn+X6
+i2yJR7dTOYkk6QIDAQABAmAgKanBjfWzE5yCIo+c7K5rJyjCKVtAZaAHYIMmveKM
+VcWoFt/x9hDY0GoTX21HfDxLX8oDxnsmhsOrnvSmgUChFwkm45eSETqeVDWwIVFA
+FGL1s38xQsciWZWBFNppAIECMQD7nslReAxwz/Ad++ACXswfJg1l2wUQ1gJA3zh3
+jln6a4s3aV1zxbKlIn8iqBv0BZkCMQDTmO4WqyNnin73XCZs0DWu7GsfcuaH8QnD
+wqPjJgrclTZXedxHkeqO2oyZW4mLC9ECMBb/blsZ49kzyDiVWuYcj/+Q1MyodhAR
+32bagCi9RBAVYEYSRU5dlXRucLxULSnikQIxAJ5teY5Vcru6kZfJUifUuO0QrKAu
+WnbcPVBqMmUHfchsm/RhFFIt6W4uKmlEhTYrkQIxAMAStb7QCU3yU6ZkN7uL22Zs
+498i4jY6y+VEXv+L9O09VdlEnXhbUisOhy1bhyS3yg==
+-----END RSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.fp b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
new file mode 100644
index 000000000..bf9c2e362
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1-cert.fp
@@ -0,0 +1 @@
+be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
diff --git a/regress/unittests/sshkey/testdata/rsa_1-cert.pub b/regress/unittests/sshkey/testdata/rsa_1-cert.pub
new file mode 100644
index 000000000..51b1ce0dd
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1-cert.pub
@@ -0,0 +1 @@
+ssh-rsa-cert-v01@openssh.com AAAAHHNzaC1yc2EtY2VydC12MDFAb3BlbnNzaC5jb20AAAAg1i9Ueveqg9sFSGsEYmsQqlI+dpC3nqhucPfwBVo3DtcAAAADAQABAAAAYQDP+jA5lVZv7jUJmaTnLYaAAIDA1IOxuB+mSy8jxIW6CmgQR7yHcGXQ5gftCw39w9Wll8lHdv6QpAsrIgc6nf+dt8wM42Ox2sqi+gPeNAMSgQW1i5/l+otsiUe3UzmJJOkAAAAAAAAABQAAAAIAAAAGanVsaXVzAAAAEgAAAAVob3N0MQAAAAVob3N0MgAAAAA2i4NgAAAAAE0d4eAAAAAAAAAAAAAAAAAAAAAzAAAAC3NzaC1lZDI1NTE5AAAAILk95V5J3LKVx8bcLSB4073R7d0aAvR8gJrPvnV0D3MQAAAAUwAAAAtzc2gtZWQyNTUxOQAAAED0TLf2Mv2F9TBt1Skf/1vviUgt7bt9xvL5HqugnVDfKaEg+RNKgfa5Rtpteb39EODkH8v4FJPWlmNG0F9w0cYF rsa_1.pub
diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp b/regress/unittests/sshkey/testdata/rsa_1.fp
new file mode 100644
index 000000000..bf9c2e362
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1.fp
@@ -0,0 +1 @@
+be:27:4c:16:27:f5:04:03:62:a8:b7:91:df:a5:b1:3b
diff --git a/regress/unittests/sshkey/testdata/rsa_1.fp.bb b/regress/unittests/sshkey/testdata/rsa_1.fp.bb
new file mode 100644
index 000000000..448133bad
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1.fp.bb
@@ -0,0 +1 @@
+xetif-zuvul-nylyc-vykor-lumac-gyhyv-bacih-cimyk-sycen-gikym-pixax
diff --git a/regress/unittests/sshkey/testdata/rsa_1.param.n b/regress/unittests/sshkey/testdata/rsa_1.param.n
new file mode 100644
index 000000000..2ffc2ba7e
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1.param.n
@@ -0,0 +1 @@
+00cffa303995566fee350999a4e72d86800080c0d483b1b81fa64b2f23c485ba0a681047bc877065d0e607ed0b0dfdc3d5a597c94776fe90a40b2b22073a9dff9db7cc0ce363b1dacaa2fa03de3403128105b58b9fe5fa8b6c8947b753398924e9
diff --git a/regress/unittests/sshkey/testdata/rsa_1.param.p b/regress/unittests/sshkey/testdata/rsa_1.param.p
new file mode 100644
index 000000000..4fcf148c3
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1.param.p
@@ -0,0 +1 @@
+00fb9ec951780c70cff01dfbe0025ecc1f260d65db0510d60240df38778e59fa6b8b37695d73c5b2a5227f22a81bf40599
diff --git a/regress/unittests/sshkey/testdata/rsa_1.param.q b/regress/unittests/sshkey/testdata/rsa_1.param.q
new file mode 100644
index 000000000..3473f5144
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1.param.q
@@ -0,0 +1 @@
+00d398ee16ab23678a7ef75c266cd035aeec6b1f72e687f109c3c2a3e3260adc95365779dc4791ea8eda8c995b898b0bd1
diff --git a/regress/unittests/sshkey/testdata/rsa_1.pub b/regress/unittests/sshkey/testdata/rsa_1.pub
new file mode 100644
index 000000000..889fdae86
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAYQDP+jA5lVZv7jUJmaTnLYaAAIDA1IOxuB+mSy8jxIW6CmgQR7yHcGXQ5gftCw39w9Wll8lHdv6QpAsrIgc6nf+dt8wM42Ox2sqi+gPeNAMSgQW1i5/l+otsiUe3UzmJJOk= RSA test key #1
diff --git a/regress/unittests/sshkey/testdata/rsa_1_pw b/regress/unittests/sshkey/testdata/rsa_1_pw
new file mode 100644
index 000000000..71637a59b
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_1_pw
@@ -0,0 +1,15 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: AES-128-CBC,1E851A01F12A49FDC256E7A665C61D4B
+
++sfWU7kg3idmHL6vShby5LXnfF4bZDPhJjv89uldae7qPEgEW8qS8o0Ssokxf7Au
+/vTQnbSB+gy/qZaUOykOzqiV1YL7UfkbOkM2QYnzzrVeGzI5RZ0G9iH8HBn2owQ+
+Ejf1UKDUVZEea5X0IwQRfE0zaZqFS4tyEex0iKz8dI4FvyabKLZsCs1DBGO7A3ml
+LgP947mh10yKWTP2fbq8LOhDUEWCXrh2NzuH6Rl5nNyC4MNQEkLzK1wL7J/WCNaL
+sciYmuqEQRDikDDQQFZw2wjBD638fhK+IhuN3VGegiXFnu5C+p9kzUvqVk4X9g2r
+BMmlP0pceFv/fEwtNNaeI2Tt7mIsWsZTmCqdzOUAYqGIiNjzykWw64nMO3TpVpbA
+i4854RhblbeiyjENbMVPU6BAk4fx7OJvDElLxwN43CS3U0MldbI7A4uG3B3RTSCj
+1rGxRNAHWC3q3zzrn6gLwrUVje4iTedaKItLIHQeo1A091Tr8AqQdZi/Ck2Ju0Hl
+4Qdwzjw1Y5n1Akm+EWh31ydxtUQ0YBOz/W6DKwTNA1D8oH9bZBG4f0pnvVhtttAO
+WKj+DUqMa+f3OOmQ9UXlitk2pEgjeMngTgfQnhZiCts=
+-----END RSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/rsa_2 b/regress/unittests/sshkey/testdata/rsa_2
new file mode 100644
index 000000000..058cf777a
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2
@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEAlDS/ygeFfsR/mhZK/XMHU/gzRogPuMQIYUd17WDjMprA6dQb
+ckTDrNm/mrf09I6YAhjgooEL16oWM1z6cesDE0KwaJsy6uTmXFMLO+Ha4mtFHhmu
+tiyJcQ9MKKr0vC64384WQZygZk0OlVz7x9WSPiGXzal5MzsX4TYq5B05o2Cb+epA
+FxK0c8cdYZD0Sy57gWRpRA3yJq4zh/hks98jzn0XA3HAJA39MKhUG5tf5e6z5BeP
+Yi5FvdnDQ9WcasRiEvkmHbg59pbgg/Lbsl6OgZQruS8hKiJ3YBARt2euCCeg7qAF
+KbXRR9TMwfphH3Ai4Oi/w6HPRAhdrwooA/gKkQIDAQABAoIBAH22OLB/rMaYmrvz
+COzvM1oQgD3lj6Bj98+8M9WEh3MXPWeaGSXWGjx1/0aXn1oJ0fqFa5Wr7IWkqmwr
+A+y5McSWntg8PPZt7tCFSFQlAetonhooIsA4CuUx2qHsUOeGoh6EyvAgkRX1atdb
+Jd6d1AyLph43EK1aBKltrvgLqiZfs7mcuwyvKtN9ktdKY2FDhn6DHpm9pE9MEHJV
+Xv1isNc6a0qNoRlKqxrSZHNEN4fbjLw31wBySzmmnIog5wVEwaHeASwLJT6TmuIZ
+eZxnd7/jMwRZWH8ZIGKvkTMp4fYzK9QkehO7A2HFD3FPDBVrkSJjqRdkujF8vu1C
+0RwrD1kCgYEAxFXUoE1ero6vp9akvR/mw94kYjXE/YOz1yi0KTkZUs6gURc8Kzsm
+MzlEZ31rnngE4jQHYAvuPEfiqcnUgylW3QuevMgo2hCLYO7aG5C0fk8TeOiuvnrF
+YPO8rSJWk/BgdrPtzu45P7jmWsjkHn+y+t8cKvq1sZY40sn2YgIhYK8CgYEAwT6j
+5tReI6sxpHltPUbvOdpD04eL6ggBAKwzb5aBoa/Dj+sU1zg5uyY8diggQEEznlBW
+iWTQmmmfy1ef9i6YAwNuZveKOrVwNMcdubQJ2X26XoFrmA59PjsbLtr1bdUb02gz
+6P5x6pcw5qzEq0mddgvHiU3RhL24xdc1LW8nmL8CgYEAmgaT1macPuklmNBlURGz
+4jll5b41GoW2EreWDzkCStpbHwLRa0DuCQWGSoI0aY/SlPsoRgtWDOiAQ59ZHsTR
+pnw1PfjxQ5HzJkp7xWBSmTzEE/jHDhwWuKa+gD0OGuVbaARkLhDpzLnrzZEIlXyt
+Fu7tlDI3VGh7j7Jtnhn5wXUCgYBKmPbGfcaVeFmih2lfFUn2CEbUmmetgUd5zf/R
+HMWP9/zDStlxt3e5winm5tiEVWcqvxKY2T0Zzppr8biDXTs7NpDg2MAYp7/X7+GO
+tWxz8/AE2WsCeN1qL4Dv1oCV1IV4V6pqUAcDqzeqZJlLEhDh5+wwGcU+u8pfPRN/
+JYCgmwKBgDa+kXPqzcc6vzD9cwEEk4ftn9/Vk2yBx0XOu8RdEkRhXj1QXGJckCqh
+FkXzVbuurFhsBt+H0B4arw+51T9fVCZqfcaU34u+Qa/FQvTod4OJUSRxYUaDqygs
+VTyuP+zGZlIw7JWktxjVazENsM/ef5wBH0Nf839OZbPVDLfn7K0j
+-----END RSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp b/regress/unittests/sshkey/testdata/rsa_2.fp
new file mode 100644
index 000000000..53939f413
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2.fp
@@ -0,0 +1 @@
+fb:8f:7b:26:3d:42:40:ef:ed:f1:ed:ee:66:9e:ba:b0
diff --git a/regress/unittests/sshkey/testdata/rsa_2.fp.bb b/regress/unittests/sshkey/testdata/rsa_2.fp.bb
new file mode 100644
index 000000000..e90a3571a
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2.fp.bb
@@ -0,0 +1 @@
+xepev-gupub-vuvyg-femiv-gonat-defiv-hirak-betub-pahut-veryd-hexix
diff --git a/regress/unittests/sshkey/testdata/rsa_2.param.n b/regress/unittests/sshkey/testdata/rsa_2.param.n
new file mode 100644
index 000000000..389de4226
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2.param.n
@@ -0,0 +1 @@
+009434bfca07857ec47f9a164afd730753f83346880fb8c408614775ed60e3329ac0e9d41b7244c3acd9bf9ab7f4f48e980218e0a2810bd7aa16335cfa71eb031342b0689b32eae4e65c530b3be1dae26b451e19aeb62c89710f4c28aaf4bc2eb8dfce16419ca0664d0e955cfbc7d5923e2197cda979333b17e1362ae41d39a3609bf9ea401712b473c71d6190f44b2e7b816469440df226ae3387f864b3df23ce7d170371c0240dfd30a8541b9b5fe5eeb3e4178f622e45bdd9c343d59c6ac46212f9261db839f696e083f2dbb25e8e81942bb92f212a2277601011b767ae0827a0eea00529b5d147d4ccc1fa611f7022e0e8bfc3a1cf44085daf0a2803f80a91
diff --git a/regress/unittests/sshkey/testdata/rsa_2.param.p b/regress/unittests/sshkey/testdata/rsa_2.param.p
new file mode 100644
index 000000000..c3c9a130a
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2.param.p
@@ -0,0 +1 @@
+00c455d4a04d5eae8eafa7d6a4bd1fe6c3de246235c4fd83b3d728b429391952cea051173c2b3b26333944677d6b9e7804e23407600bee3c47e2a9c9d4832956dd0b9ebcc828da108b60eeda1b90b47e4f1378e8aebe7ac560f3bcad225693f06076b3edceee393fb8e65ac8e41e7fb2fadf1c2afab5b19638d2c9f662022160af
diff --git a/regress/unittests/sshkey/testdata/rsa_2.param.q b/regress/unittests/sshkey/testdata/rsa_2.param.q
new file mode 100644
index 000000000..728c474b0
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2.param.q
@@ -0,0 +1 @@
+00c13ea3e6d45e23ab31a4796d3d46ef39da43d3878bea080100ac336f9681a1afc38feb14d73839bb263c7628204041339e50568964d09a699fcb579ff62e9803036e66f78a3ab57034c71db9b409d97dba5e816b980e7d3e3b1b2edaf56dd51bd36833e8fe71ea9730e6acc4ab499d760bc7894dd184bdb8c5d7352d6f2798bf
diff --git a/regress/unittests/sshkey/testdata/rsa_2.pub b/regress/unittests/sshkey/testdata/rsa_2.pub
new file mode 100644
index 000000000..ed9f78cad
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_2.pub
@@ -0,0 +1 @@
+ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCUNL/KB4V+xH+aFkr9cwdT+DNGiA+4xAhhR3XtYOMymsDp1BtyRMOs2b+at/T0jpgCGOCigQvXqhYzXPpx6wMTQrBomzLq5OZcUws74dria0UeGa62LIlxD0woqvS8LrjfzhZBnKBmTQ6VXPvH1ZI+IZfNqXkzOxfhNirkHTmjYJv56kAXErRzxx1hkPRLLnuBZGlEDfImrjOH+GSz3yPOfRcDccAkDf0wqFQbm1/l7rPkF49iLkW92cND1ZxqxGIS+SYduDn2luCD8tuyXo6BlCu5LyEqIndgEBG3Z64IJ6DuoAUptdFH1MzB+mEfcCLg6L/Doc9ECF2vCigD+AqR RSA test key #2
diff --git a/regress/unittests/sshkey/testdata/rsa_n b/regress/unittests/sshkey/testdata/rsa_n
new file mode 100644
index 000000000..09e79a72e
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_n
@@ -0,0 +1,12 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIBywIBAAJhAM/6MDmVVm/uNQmZpOcthoAAgMDUg7G4H6ZLLyPEhboKaBBHvIdw
+ZdDmB+0LDf3D1aWXyUd2/pCkCysiBzqd/523zAzjY7HayqL6A940AxKBBbWLn+X6
+i2yJR7dTOYkk6QIDAQABAmAgKanBjfWzE5yCIo+c7K5rJyjCKVtAZaAHYIMmveKM
+VcWoFt/x9hDY0GoTX21HfDxLX8oDxnsmhsOrnvSmgUChFwkm45eSETqeVDWwIVFA
+FGL1s38xQsciWZWBFNppAIECMQD7nslReAxwz/Ad++ACXswfJg1l2wUQ1gJA3zh3
+jln6a4s3aV1zxbKlIn8iqBv0BZkCMQDTmO4WqyNnin73XCZs0DWu7GsfcuaH8QnD
+wqPjJgrclTZXedxHkeqO2oyZW4mLC9ECMBb/blsZ49kzyDiVWuYcj/+Q1MyodhAR
+32bagCi9RBAVYEYSRU5dlXRucLxULSnikQIxAJ5teY5Vcru6kZfJUifUuO0QrKAu
+WnbcPVBqMmUHfchsm/RhFFIt6W4uKmlEhTYrkQIxAMAStb7QCU3yU6ZkN7uL22Zs
+498i4jY6y+VEXv+L9O09VdlEnXhbUisOhy1bhyS3yg==
+-----END RSA PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/testdata/rsa_n_pw b/regress/unittests/sshkey/testdata/rsa_n_pw
new file mode 100644
index 000000000..0166fd5f1
--- /dev/null
+++ b/regress/unittests/sshkey/testdata/rsa_n_pw
@@ -0,0 +1,14 @@
+-----BEGIN OPENSSH PRIVATE KEY-----
+b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jYmMAAAAGYmNyeXB0AAAAGAAAABClELgtaZ
+qAmMwESpqXDN0uAAAAEAAAAAEAAAB3AAAAB3NzaC1yc2EAAAADAQABAAAAYQDP+jA5lVZv
+7jUJmaTnLYaAAIDA1IOxuB+mSy8jxIW6CmgQR7yHcGXQ5gftCw39w9Wll8lHdv6QpAsrIg
+c6nf+dt8wM42Ox2sqi+gPeNAMSgQW1i5/l+otsiUe3UzmJJOkAAAGgwJpHy/nshQa9+Jbw
+yomvgNMYvuuoD7Ll7iCY/RFFGXivTkki27C9q0qx3afauSLQQWFanGhjeJn7JPy98lMcVl
+qnn5XOE5+xxZqA8ONOBD8eH0KBcTH17DH1A1z94p5zZ1VJKIWsBZ0krxgHIXcdv9ucAckj
+N0vAEBm+0wsfy2TTOtuqXvcj65wFwknpyy/SSvU0QTr99FiYe9PIhIslBHO6wlqxfKj+Tm
+E/nCb75dAVu6gTtS2P0pdOqV/V7VHX5C0z3BROqpKDJJcVeoc7vRkEl+MWfvvQrG66IPEW
+luohFXPDPDrxu1zDduyRsmNwpBHChi2rFhxtsjxNK0svMwESeCCKAWmPxnzLJfvMbTCv00
+SpaCr7WhtzsGt73axqSkeOdynp5NNrN7MEdwruMZFirF4BcI2z2H9ugpS+qbLPuE2H5vln
+h7NSwBUNwmZ+4TC8MXFH9KIpRg8dNhf66OU610LYiN4+ZfOYCmfQfgQuBGhMTYFMY6O4SB
+NCdIavvWY6rDSBq7QC1f4rHpwiXxpkiE43Rd8fM32TaPlBPtA=
+-----END OPENSSH PRIVATE KEY-----
diff --git a/regress/unittests/sshkey/tests.c b/regress/unittests/sshkey/tests.c
new file mode 100644
index 000000000..13f265cdb
--- /dev/null
+++ b/regress/unittests/sshkey/tests.c
@@ -0,0 +1,27 @@
+/*      $OpenBSD: tests.c,v 1.1 2014/06/24 01:14:18 djm Exp $ */
+/*
+ * Regress test for sshbuf.h buffer API
+ *
+ * Placed in the public domain
+ */
+
+#include "includes.h"
+
+#include <openssl/evp.h>
+
+#include "../test_helper/test_helper.h"
+
+void sshkey_tests(void);
+void sshkey_file_tests(void);
+void sshkey_fuzz_tests(void);
+
+void
+tests(void)
+{
+        OpenSSL_add_all_algorithms();
+        ERR_load_CRYPTO_strings();
+
+        sshkey_tests();
+        sshkey_file_tests();
+        sshkey_fuzz_tests();
+}
diff --git a/regress/unittests/test_helper/Makefile b/regress/unittests/test_helper/Makefile
new file mode 100644
index 000000000..3e90903ef
--- /dev/null
+++ b/regress/unittests/test_helper/Makefile
@@ -0,0 +1,13 @@
+#       $OpenBSD: Makefile,v 1.1 2014/04/30 05:32:00 djm Exp $
+
+LIB=    test_helper
+SRCS=   test_helper.c fuzz.c
+
+DEBUGLIBS= no
+NOPROFILE= yes
+NOPIC=  yes
+
+install:
+        @echo -n
+
+.include <bsd.lib.mk>
diff --git a/regress/unittests/test_helper/fuzz.c b/regress/unittests/test_helper/fuzz.c
new file mode 100644
index 000000000..77c6e7cad
--- /dev/null
+++ b/regress/unittests/test_helper/fuzz.c
@@ -0,0 +1,378 @@
+/*      $OpenBSD: fuzz.c,v 1.3 2014/05/02 09:41:32 andre Exp $  */
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Utility functions/framework for fuzz tests */
+
+#include "includes.h"
+
+#include <sys/types.h>
+
+#include <assert.h>
+#include <ctype.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+
+#include "test_helper.h"
+
+/* #define FUZZ_DEBUG */
+
+#ifdef FUZZ_DEBUG
+# define FUZZ_DBG(x) do { \
+                printf("%s:%d %s: ", __FILE__, __LINE__, __func__); \
+                printf x; \
+                printf("\n"); \
+                fflush(stdout); \
+        } while (0)
+#else
+# define FUZZ_DBG(x)
+#endif
+
+/* For brevity later */
+typedef unsigned long long fuzz_ullong;
+
+/* For base-64 fuzzing */
+static const char fuzz_b64chars[] =
+    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
+
+struct fuzz {
+        /* Fuzz method currently in use */
+        int strategy;
+
+        /* Fuzz methods remaining */
+        int strategies;
+
+        /* Original seed data blob */
+        void *seed;
+        size_t slen;
+
+        /* Current working copy of seed with fuzz mutations applied */
+        u_char *fuzzed;
+
+        /* Used by fuzz methods */
+        size_t o1, o2;
+};
+
+static const char *
+fuzz_ntop(u_int n)
+{
+        switch (n) {
+        case 0:
+                return "NONE";
+        case FUZZ_1_BIT_FLIP:
+                return "FUZZ_1_BIT_FLIP";
+        case FUZZ_2_BIT_FLIP:
+                return "FUZZ_2_BIT_FLIP";
+        case FUZZ_1_BYTE_FLIP:
+                return "FUZZ_1_BYTE_FLIP";
+        case FUZZ_2_BYTE_FLIP:
+                return "FUZZ_2_BYTE_FLIP";
+        case FUZZ_TRUNCATE_START:
+                return "FUZZ_TRUNCATE_START";
+        case FUZZ_TRUNCATE_END:
+                return "FUZZ_TRUNCATE_END";
+        case FUZZ_BASE64:
+                return "FUZZ_BASE64";
+        default:
+                abort();
+        }
+}
+
+void
+fuzz_dump(struct fuzz *fuzz)
+{
+        u_char *p = fuzz_ptr(fuzz);
+        size_t i, j, len = fuzz_len(fuzz);
+
+        switch (fuzz->strategy) {
+        case FUZZ_1_BIT_FLIP:
+                fprintf(stderr, "%s case %zu of %zu (bit: %zu)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    fuzz->o1, fuzz->slen * 8, fuzz->o1);
+                break;
+        case FUZZ_2_BIT_FLIP:
+                fprintf(stderr, "%s case %llu of %llu (bits: %zu, %zu)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    (((fuzz_ullong)fuzz->o2) * fuzz->slen * 8) + fuzz->o1,
+                    ((fuzz_ullong)fuzz->slen * 8) * fuzz->slen * 8,
+                    fuzz->o1, fuzz->o2);
+                break;
+        case FUZZ_1_BYTE_FLIP:
+                fprintf(stderr, "%s case %zu of %zu (byte: %zu)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    fuzz->o1, fuzz->slen, fuzz->o1);
+                break;
+        case FUZZ_2_BYTE_FLIP:
+                fprintf(stderr, "%s case %llu of %llu (bytes: %zu, %zu)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    (((fuzz_ullong)fuzz->o2) * fuzz->slen) + fuzz->o1,
+                    ((fuzz_ullong)fuzz->slen) * fuzz->slen,
+                    fuzz->o1, fuzz->o2);
+                break;
+        case FUZZ_TRUNCATE_START:
+                fprintf(stderr, "%s case %zu of %zu (offset: %zu)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    fuzz->o1, fuzz->slen, fuzz->o1);
+                break;
+        case FUZZ_TRUNCATE_END:
+                fprintf(stderr, "%s case %zu of %zu (offset: %zu)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    fuzz->o1, fuzz->slen, fuzz->o1);
+                break;
+        case FUZZ_BASE64:
+                assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);
+                fprintf(stderr, "%s case %llu of %llu (offset: %zu char: %c)\n",
+                    fuzz_ntop(fuzz->strategy),
+                    (fuzz->o1 * (fuzz_ullong)64) + fuzz->o2,
+                    fuzz->slen * (fuzz_ullong)64, fuzz->o1,
+                    fuzz_b64chars[fuzz->o2]);
+                break;
+        default:
+                abort();
+        }
+
+        fprintf(stderr, "fuzz context %p len = %zu\n", fuzz, len);
+        for (i = 0; i < len; i += 16) {
+                fprintf(stderr, "%.4zd: ", i);
+                for (j = i; j < i + 16; j++) {
+                        if (j < len)
+                                fprintf(stderr, "%02x ", p[j]);
+                        else
+                                fprintf(stderr, "   ");
+                }
+                fprintf(stderr, " ");
+                for (j = i; j < i + 16; j++) {
+                        if (j < len) {
+                                if  (isascii(p[j]) && isprint(p[j]))
+                                        fprintf(stderr, "%c", p[j]);
+                                else
+                                        fprintf(stderr, ".");
+                        }
+                }
+                fprintf(stderr, "\n");
+        }
+}
+
+struct fuzz *
+fuzz_begin(u_int strategies, const void *p, size_t l)
+{
+        struct fuzz *ret = calloc(sizeof(*ret), 1);
+
+        assert(p != NULL);
+        assert(ret != NULL);
+        ret->seed = malloc(l);
+        assert(ret->seed != NULL);
+        memcpy(ret->seed, p, l);
+        ret->slen = l;
+        ret->strategies = strategies;
+
+        assert(ret->slen < SIZE_MAX / 8);
+        assert(ret->strategies <= (FUZZ_MAX|(FUZZ_MAX-1)));
+
+        FUZZ_DBG(("begin, ret = %p", ret));
+
+        fuzz_next(ret);
+        return ret;
+}
+
+void
+fuzz_cleanup(struct fuzz *fuzz)
+{
+        FUZZ_DBG(("cleanup, fuzz = %p", fuzz));
+        assert(fuzz != NULL);
+        assert(fuzz->seed != NULL);
+        assert(fuzz->fuzzed != NULL);
+        free(fuzz->seed);
+        free(fuzz->fuzzed);
+        free(fuzz);
+}
+
+static int
+fuzz_strategy_done(struct fuzz *fuzz)
+{
+        FUZZ_DBG(("fuzz = %p, strategy = %s, o1 = %zu, o2 = %zu, slen = %zu",
+            fuzz, fuzz_ntop(fuzz->strategy), fuzz->o1, fuzz->o2, fuzz->slen));
+
+        switch (fuzz->strategy) {
+        case FUZZ_1_BIT_FLIP:
+                return fuzz->o1 >= fuzz->slen * 8;
+        case FUZZ_2_BIT_FLIP:
+                return fuzz->o2 >= fuzz->slen * 8;
+        case FUZZ_2_BYTE_FLIP:
+                return fuzz->o2 >= fuzz->slen;
+        case FUZZ_1_BYTE_FLIP:
+        case FUZZ_TRUNCATE_START:
+        case FUZZ_TRUNCATE_END:
+        case FUZZ_BASE64:
+                return fuzz->o1 >= fuzz->slen;
+        default:
+                abort();
+        }
+}
+
+void
+fuzz_next(struct fuzz *fuzz)
+{
+        u_int i;
+
+        FUZZ_DBG(("start, fuzz = %p, strategy = %s, strategies = 0x%lx, "
+            "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),
+            (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));
+
+        if (fuzz->strategy == 0 || fuzz_strategy_done(fuzz)) {
+                /* If we are just starting out, we need to allocate too */
+                if (fuzz->fuzzed == NULL) {
+                        FUZZ_DBG(("alloc"));
+                        fuzz->fuzzed = calloc(fuzz->slen, 1);
+                }
+                /* Pick next strategy */
+                FUZZ_DBG(("advance"));
+                for (i = 1; i <= FUZZ_MAX; i <<= 1) {
+                        if ((fuzz->strategies & i) != 0) {
+                                fuzz->strategy = i;
+                                break;
+                        }
+                }
+                FUZZ_DBG(("selected = %u", fuzz->strategy));
+                if (fuzz->strategy == 0) {
+                        FUZZ_DBG(("done, no more strategies"));
+                        return;
+                }
+                fuzz->strategies &= ~(fuzz->strategy);
+                fuzz->o1 = fuzz->o2 = 0;
+        }
+
+        assert(fuzz->fuzzed != NULL);
+
+        switch (fuzz->strategy) {
+        case FUZZ_1_BIT_FLIP:
+                assert(fuzz->o1 / 8 < fuzz->slen);
+                memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
+                fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);
+                fuzz->o1++;
+                break;
+        case FUZZ_2_BIT_FLIP:
+                assert(fuzz->o1 / 8 < fuzz->slen);
+                assert(fuzz->o2 / 8 < fuzz->slen);
+                memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
+                fuzz->fuzzed[fuzz->o1 / 8] ^= 1 << (fuzz->o1 % 8);
+                fuzz->fuzzed[fuzz->o2 / 8] ^= 1 << (fuzz->o2 % 8);
+                fuzz->o1++;
+                if (fuzz->o1 >= fuzz->slen * 8) {
+                        fuzz->o1 = 0;
+                        fuzz->o2++;
+                }
+                break;
+        case FUZZ_1_BYTE_FLIP:
+                assert(fuzz->o1 < fuzz->slen);
+                memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
+                fuzz->fuzzed[fuzz->o1] ^= 0xff;
+                fuzz->o1++;
+                break;
+        case FUZZ_2_BYTE_FLIP:
+                assert(fuzz->o1 < fuzz->slen);
+                assert(fuzz->o2 < fuzz->slen);
+                memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
+                fuzz->fuzzed[fuzz->o1] ^= 0xff;
+                fuzz->fuzzed[fuzz->o2] ^= 0xff;
+                fuzz->o1++;
+                if (fuzz->o1 >= fuzz->slen) {
+                        fuzz->o1 = 0;
+                        fuzz->o2++;
+                }
+                break;
+        case FUZZ_TRUNCATE_START:
+        case FUZZ_TRUNCATE_END:
+                assert(fuzz->o1 < fuzz->slen);
+                memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
+                fuzz->o1++;
+                break;
+        case FUZZ_BASE64:
+                assert(fuzz->o1 < fuzz->slen);
+                assert(fuzz->o2 < sizeof(fuzz_b64chars) - 1);
+                memcpy(fuzz->fuzzed, fuzz->seed, fuzz->slen);
+                fuzz->fuzzed[fuzz->o1] = fuzz_b64chars[fuzz->o2];
+                fuzz->o2++;
+                if (fuzz->o2 >= sizeof(fuzz_b64chars) - 1) {
+                        fuzz->o2 = 0;
+                        fuzz->o1++;
+                }
+                break;
+        default:
+                abort();
+        }
+
+        FUZZ_DBG(("done, fuzz = %p, strategy = %s, strategies = 0x%lx, "
+            "o1 = %zu, o2 = %zu, slen = %zu", fuzz, fuzz_ntop(fuzz->strategy),
+            (u_long)fuzz->strategies, fuzz->o1, fuzz->o2, fuzz->slen));
+}
+
+int
+fuzz_done(struct fuzz *fuzz)
+{
+        FUZZ_DBG(("fuzz = %p, strategies = 0x%lx", fuzz,
+            (u_long)fuzz->strategies));
+
+        return fuzz_strategy_done(fuzz) && fuzz->strategies == 0;
+}
+
+size_t
+fuzz_len(struct fuzz *fuzz)
+{
+        assert(fuzz->fuzzed != NULL);
+        switch (fuzz->strategy) {
+        case FUZZ_1_BIT_FLIP:
+        case FUZZ_2_BIT_FLIP:
+        case FUZZ_1_BYTE_FLIP:
+        case FUZZ_2_BYTE_FLIP:
+        case FUZZ_BASE64:
+                return fuzz->slen;
+        case FUZZ_TRUNCATE_START:
+        case FUZZ_TRUNCATE_END:
+                assert(fuzz->o1 <= fuzz->slen);
+                return fuzz->slen - fuzz->o1;
+        default:
+                abort();
+        }
+}
+
+u_char *
+fuzz_ptr(struct fuzz *fuzz)
+{
+        assert(fuzz->fuzzed != NULL);
+        switch (fuzz->strategy) {
+        case FUZZ_1_BIT_FLIP:
+        case FUZZ_2_BIT_FLIP:
+        case FUZZ_1_BYTE_FLIP:
+        case FUZZ_2_BYTE_FLIP:
+        case FUZZ_BASE64:
+                return fuzz->fuzzed;
+        case FUZZ_TRUNCATE_START:
+                assert(fuzz->o1 <= fuzz->slen);
+                return fuzz->fuzzed + fuzz->o1;
+        case FUZZ_TRUNCATE_END:
+                assert(fuzz->o1 <= fuzz->slen);
+                return fuzz->fuzzed;
+        default:
+                abort();
+        }
+}
+
diff --git a/regress/unittests/test_helper/test_helper.c b/regress/unittests/test_helper/test_helper.c
new file mode 100644
index 000000000..d0bc67833
--- /dev/null
+++ b/regress/unittests/test_helper/test_helper.c
@@ -0,0 +1,471 @@
+/*      $OpenBSD: test_helper.c,v 1.2 2014/05/02 09:41:32 andre Exp $   */
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Utility functions/framework for regress tests */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+
+#include <fcntl.h>
+#include <stdio.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+#include <stdlib.h>
+#include <string.h>
+#include <assert.h>
+#include <unistd.h>
+
+#include <openssl/bn.h>
+
+#if defined(HAVE_STRNVIS) && defined(HAVE_VIS_H) && !defined(BROKEN_STRNVIS)
+# include <vis.h>
+#endif
+
+#include "test_helper.h"
+
+#define TEST_CHECK_INT(r, pred) do {            \
+                switch (pred) {                 \
+                case TEST_EQ:                   \
+                        if (r == 0)             \
+                                return;         \
+                        break;                  \
+                case TEST_NE:                   \
+                        if (r != 0)             \
+                                return;         \
+                        break;                  \
+                case TEST_LT:                   \
+                        if (r < 0)              \
+                                return;         \
+                        break;                  \
+                case TEST_LE:                   \
+                        if (r <= 0)             \
+                                return;         \
+                        break;                  \
+                case TEST_GT:                   \
+                        if (r > 0)              \
+                                return;         \
+                        break;                  \
+                case TEST_GE:                   \
+                        if (r >= 0)             \
+                                return;         \
+                        break;                  \
+                default:                        \
+                        abort();                \
+                }                               \
+        } while (0)
+
+#define TEST_CHECK(x1, x2, pred) do {           \
+                switch (pred) {                 \
+                case TEST_EQ:                   \
+                        if (x1 == x2)           \
+                                return;         \
+                        break;                  \
+                case TEST_NE:                   \
+                        if (x1 != x2)           \
+                                return;         \
+                        break;                  \
+                case TEST_LT:                   \
+                        if (x1 < x2)            \
+                                return;         \
+                        break;                  \
+                case TEST_LE:                   \
+                        if (x1 <= x2)           \
+                                return;         \
+                        break;                  \
+                case TEST_GT:                   \
+                        if (x1 > x2)            \
+                                return;         \
+                        break;                  \
+                case TEST_GE:                   \
+                        if (x1 >= x2)           \
+                                return;         \
+                        break;                  \
+                default:                        \
+                        abort();                \
+                }                               \
+        } while (0)
+
+extern char *__progname;
+
+static int verbose_mode = 0;
+static int quiet_mode = 0;
+static char *active_test_name = NULL;
+static u_int test_number = 0;
+static test_onerror_func_t *test_onerror = NULL;
+static void *onerror_ctx = NULL;
+static const char *data_dir = NULL;
+
+int
+main(int argc, char **argv)
+{
+        int ch;
+
+        /* Handle systems without __progname */
+        if (__progname == NULL) {
+                __progname = strrchr(argv[0], '/');
+                if (__progname == NULL || __progname[1] == '\0')
+                        __progname = argv[0];   
+                else
+                        __progname++;
+                if ((__progname = strdup(__progname)) == NULL) {
+                        fprintf(stderr, "strdup failed\n");
+                        exit(1);
+                }
+        }
+
+        while ((ch = getopt(argc, argv, "vqd:")) != -1) {
+                switch (ch) {
+                case 'd':
+                        data_dir = optarg;
+                        break;
+                case 'q':
+                        verbose_mode = 0;
+                        quiet_mode = 1;
+                        break;
+                case 'v':
+                        verbose_mode = 1;
+                        quiet_mode = 0;
+                        break;
+                default:
+                        fprintf(stderr, "Unrecognised command line option\n");
+                        fprintf(stderr, "Usage: %s [-v]\n", __progname);
+                        exit(1);
+                }
+        }
+        setvbuf(stdout, NULL, _IONBF, 0);
+        if (!quiet_mode)
+                printf("%s: ", __progname);
+        if (verbose_mode)
+                printf("\n");
+
+        tests();
+
+        if (!quiet_mode)
+                printf(" %u tests ok\n", test_number);
+        return 0;
+}
+
+const char *
+test_data_file(const char *name)
+{
+        static char ret[PATH_MAX];
+
+        if (data_dir != NULL)
+                snprintf(ret, sizeof(ret), "%s/%s", data_dir, name);
+        else
+                strlcpy(ret, name, sizeof(ret));
+        if (access(ret, F_OK) != 0) {
+                fprintf(stderr, "Cannot access data file %s: %s\n",
+                    ret, strerror(errno));
+                exit(1);
+        }
+        return ret;
+}
+
+void
+test_start(const char *n)
+{
+        assert(active_test_name == NULL);
+        assert((active_test_name = strdup(n)) != NULL);
+        if (verbose_mode)
+                printf("test %u - \"%s\": ", test_number, active_test_name);
+        test_number++;
+}
+
+void
+set_onerror_func(test_onerror_func_t *f, void *ctx)
+{
+        test_onerror = f;
+        onerror_ctx = ctx;
+}
+
+void
+test_done(void)
+{
+        assert(active_test_name != NULL);
+        free(active_test_name);
+        active_test_name = NULL;
+        if (verbose_mode)
+                printf("OK\n");
+        else if (!quiet_mode) {
+                printf(".");
+                fflush(stdout);
+        }
+}
+
+void
+ssl_err_check(const char *file, int line)
+{
+        long openssl_error = ERR_get_error();
+
+        if (openssl_error == 0)
+                return;
+
+        fprintf(stderr, "\n%s:%d: uncaught OpenSSL error: %s",
+            file, line, ERR_error_string(openssl_error, NULL));
+        abort();
+}
+
+static const char *
+pred_name(enum test_predicate p)
+{
+        switch (p) {
+        case TEST_EQ:
+                return "EQ";
+        case TEST_NE:
+                return "NE";
+        case TEST_LT:
+                return "LT";
+        case TEST_LE:
+                return "LE";
+        case TEST_GT:
+                return "GT";
+        case TEST_GE:
+                return "GE";
+        default:
+                return "UNKNOWN";
+        }
+}
+
+static void
+test_die(void)
+{
+        if (test_onerror != NULL)
+                test_onerror(onerror_ctx);
+        abort();
+}
+
+static void
+test_header(const char *file, int line, const char *a1, const char *a2,
+    const char *name, enum test_predicate pred)
+{
+        fprintf(stderr, "\n%s:%d test #%u \"%s\"\n", 
+            file, line, test_number, active_test_name);
+        fprintf(stderr, "ASSERT_%s_%s(%s%s%s) failed:\n",
+            name, pred_name(pred), a1,
+            a2 != NULL ? ", " : "", a2 != NULL ? a2 : "");
+}
+
+void
+assert_bignum(const char *file, int line, const char *a1, const char *a2,
+    const BIGNUM *aa1, const BIGNUM *aa2, enum test_predicate pred)
+{
+        int r = BN_cmp(aa1, aa2);
+
+        TEST_CHECK_INT(r, pred);
+        test_header(file, line, a1, a2, "BIGNUM", pred);
+        fprintf(stderr, "%12s = 0x%s\n", a1, BN_bn2hex(aa1));
+        fprintf(stderr, "%12s = 0x%s\n", a2, BN_bn2hex(aa2));
+        test_die();
+}
+
+void
+assert_string(const char *file, int line, const char *a1, const char *a2,
+    const char *aa1, const char *aa2, enum test_predicate pred)
+{
+        int r = strcmp(aa1, aa2);
+
+        TEST_CHECK_INT(r, pred);
+        test_header(file, line, a1, a2, "STRING", pred);
+        fprintf(stderr, "%12s = %s (len %zu)\n", a1, aa1, strlen(aa1));
+        fprintf(stderr, "%12s = %s (len %zu)\n", a2, aa2, strlen(aa2));
+        test_die();
+}
+
+static char *
+tohex(const void *_s, size_t l)
+{
+        u_int8_t *s = (u_int8_t *)_s;
+        size_t i, j;
+        const char *hex = "0123456789abcdef";
+        char *r = malloc((l * 2) + 1);
+
+        assert(r != NULL);
+        for (i = j = 0; i < l; i++) {
+                r[j++] = hex[(s[i] >> 4) & 0xf];
+                r[j++] = hex[s[i] & 0xf];
+        }
+        r[j] = '\0';
+        return r;
+}
+
+void
+assert_mem(const char *file, int line, const char *a1, const char *a2,
+    const void *aa1, const void *aa2, size_t l, enum test_predicate pred)
+{
+        int r = memcmp(aa1, aa2, l);
+
+        TEST_CHECK_INT(r, pred);
+        test_header(file, line, a1, a2, "STRING", pred);
+        fprintf(stderr, "%12s = %s (len %zu)\n", a1, tohex(aa1, MIN(l, 256)), l);
+        fprintf(stderr, "%12s = %s (len %zu)\n", a2, tohex(aa2, MIN(l, 256)), l);
+        test_die();
+}
+
+static int
+memvalcmp(const u_int8_t *s, u_char v, size_t l, size_t *where)
+{
+        size_t i;
+
+        for (i = 0; i < l; i++) {
+                if (s[i] != v) {
+                        *where = i;
+                        return 1;
+                }
+        }
+        return 0;
+}
+
+void
+assert_mem_filled(const char *file, int line, const char *a1,
+    const void *aa1, u_char v, size_t l, enum test_predicate pred)
+{
+        size_t where = -1;
+        int r = memvalcmp(aa1, v, l, &where);
+        char tmp[64];
+
+        if (l == 0)
+                return;
+        TEST_CHECK_INT(r, pred);
+        test_header(file, line, a1, NULL, "MEM_ZERO", pred);
+        fprintf(stderr, "%20s = %s%s (len %zu)\n", a1,
+            tohex(aa1, MIN(l, 20)), l > 20 ? "..." : "", l);
+        snprintf(tmp, sizeof(tmp), "(%s)[%zu]", a1, where);
+        fprintf(stderr, "%20s = 0x%02x (expected 0x%02x)\n", tmp,
+            ((u_char *)aa1)[where], v);
+        test_die();
+}
+
+void
+assert_int(const char *file, int line, const char *a1, const char *a2,
+    int aa1, int aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "INT", pred);
+        fprintf(stderr, "%12s = %d\n", a1, aa1);
+        fprintf(stderr, "%12s = %d\n", a2, aa2);
+        test_die();
+}
+
+void
+assert_size_t(const char *file, int line, const char *a1, const char *a2,
+    size_t aa1, size_t aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "SIZE_T", pred);
+        fprintf(stderr, "%12s = %zu\n", a1, aa1);
+        fprintf(stderr, "%12s = %zu\n", a2, aa2);
+        test_die();
+}
+
+void
+assert_u_int(const char *file, int line, const char *a1, const char *a2,
+    u_int aa1, u_int aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "U_INT", pred);
+        fprintf(stderr, "%12s = %u / 0x%x\n", a1, aa1, aa1);
+        fprintf(stderr, "%12s = %u / 0x%x\n", a2, aa2, aa2);
+        test_die();
+}
+
+void
+assert_long_long(const char *file, int line, const char *a1, const char *a2,
+    long long aa1, long long aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "LONG LONG", pred);
+        fprintf(stderr, "%12s = %lld / 0x%llx\n", a1, aa1, aa1);
+        fprintf(stderr, "%12s = %lld / 0x%llx\n", a2, aa2, aa2);
+        test_die();
+}
+
+void
+assert_char(const char *file, int line, const char *a1, const char *a2,
+    char aa1, char aa2, enum test_predicate pred)
+{
+        char buf[8];
+
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "CHAR", pred);
+        fprintf(stderr, "%12s = '%s' / 0x02%x\n", a1,
+            vis(buf, aa1, VIS_SAFE|VIS_NL|VIS_TAB|VIS_OCTAL, 0), aa1);
+        fprintf(stderr, "%12s = '%s' / 0x02%x\n", a1,
+            vis(buf, aa2, VIS_SAFE|VIS_NL|VIS_TAB|VIS_OCTAL, 0), aa2);
+        test_die();
+}
+
+void
+assert_u8(const char *file, int line, const char *a1, const char *a2,
+    u_int8_t aa1, u_int8_t aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "U8", pred);
+        fprintf(stderr, "%12s = 0x%02x %u\n", a1, aa1, aa1);
+        fprintf(stderr, "%12s = 0x%02x %u\n", a2, aa2, aa2);
+        test_die();
+}
+
+void
+assert_u16(const char *file, int line, const char *a1, const char *a2,
+    u_int16_t aa1, u_int16_t aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "U16", pred);
+        fprintf(stderr, "%12s = 0x%04x %u\n", a1, aa1, aa1);
+        fprintf(stderr, "%12s = 0x%04x %u\n", a2, aa2, aa2);
+        test_die();
+}
+
+void
+assert_u32(const char *file, int line, const char *a1, const char *a2,
+    u_int32_t aa1, u_int32_t aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "U32", pred);
+        fprintf(stderr, "%12s = 0x%08x %u\n", a1, aa1, aa1);
+        fprintf(stderr, "%12s = 0x%08x %u\n", a2, aa2, aa2);
+        test_die();
+}
+
+void
+assert_u64(const char *file, int line, const char *a1, const char *a2,
+    u_int64_t aa1, u_int64_t aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "U64", pred);
+        fprintf(stderr, "%12s = 0x%016llx %llu\n", a1,
+            (unsigned long long)aa1, (unsigned long long)aa1);
+        fprintf(stderr, "%12s = 0x%016llx %llu\n", a2,
+            (unsigned long long)aa2, (unsigned long long)aa2);
+        test_die();
+}
+
+void
+assert_ptr(const char *file, int line, const char *a1, const char *a2,
+    const void *aa1, const void *aa2, enum test_predicate pred)
+{
+        TEST_CHECK(aa1, aa2, pred);
+        test_header(file, line, a1, a2, "PTR", pred);
+        fprintf(stderr, "%12s = %p\n", a1, aa1);
+        fprintf(stderr, "%12s = %p\n", a2, aa2);
+        test_die();
+}
+
diff --git a/regress/unittests/test_helper/test_helper.h b/regress/unittests/test_helper/test_helper.h
new file mode 100644
index 000000000..a398c615f
--- /dev/null
+++ b/regress/unittests/test_helper/test_helper.h
@@ -0,0 +1,292 @@
+/*      $OpenBSD: test_helper.h,v 1.3 2014/05/02 09:41:32 andre Exp $   */
+/*
+ * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+/* Utility functions/framework for regress tests */
+
+#ifndef _TEST_HELPER_H
+#define _TEST_HELPER_H
+
+#include "includes.h"
+
+#include <sys/types.h>
+#ifdef HAVE_STDINT_H
+# include <stdint.h>
+#endif
+
+#include <openssl/bn.h>
+#include <openssl/err.h>
+
+enum test_predicate {
+        TEST_EQ, TEST_NE, TEST_LT, TEST_LE, TEST_GT, TEST_GE
+};
+typedef void (test_onerror_func_t)(void *);
+
+/* Supplied by test suite */
+void tests(void);
+
+const char *test_data_file(const char *name);
+void test_start(const char *n);
+void set_onerror_func(test_onerror_func_t *f, void *ctx);
+void test_done(void);
+void ssl_err_check(const char *file, int line);
+void assert_bignum(const char *file, int line,
+    const char *a1, const char *a2,
+    const BIGNUM *aa1, const BIGNUM *aa2, enum test_predicate pred);
+void assert_string(const char *file, int line,
+    const char *a1, const char *a2,
+    const char *aa1, const char *aa2, enum test_predicate pred);
+void assert_mem(const char *file, int line,
+    const char *a1, const char *a2,
+    const void *aa1, const void *aa2, size_t l, enum test_predicate pred);
+void assert_mem_filled(const char *file, int line,
+    const char *a1,
+    const void *aa1, u_char v, size_t l, enum test_predicate pred);
+void assert_int(const char *file, int line,
+    const char *a1, const char *a2,
+    int aa1, int aa2, enum test_predicate pred);
+void assert_size_t(const char *file, int line,
+    const char *a1, const char *a2,
+    size_t aa1, size_t aa2, enum test_predicate pred);
+void assert_u_int(const char *file, int line,
+    const char *a1, const char *a2,
+    u_int aa1, u_int aa2, enum test_predicate pred);
+void assert_long_long(const char *file, int line,
+    const char *a1, const char *a2,
+    long long aa1, long long aa2, enum test_predicate pred);
+void assert_char(const char *file, int line,
+    const char *a1, const char *a2,
+    char aa1, char aa2, enum test_predicate pred);
+void assert_ptr(const char *file, int line,
+    const char *a1, const char *a2,
+    const void *aa1, const void *aa2, enum test_predicate pred);
+void assert_u8(const char *file, int line,
+    const char *a1, const char *a2,
+    u_int8_t aa1, u_int8_t aa2, enum test_predicate pred);
+void assert_u16(const char *file, int line,
+    const char *a1, const char *a2,
+    u_int16_t aa1, u_int16_t aa2, enum test_predicate pred);
+void assert_u32(const char *file, int line,
+    const char *a1, const char *a2,
+    u_int32_t aa1, u_int32_t aa2, enum test_predicate pred);
+void assert_u64(const char *file, int line,
+    const char *a1, const char *a2,
+    u_int64_t aa1, u_int64_t aa2, enum test_predicate pred);
+
+#define TEST_START(n)                   test_start(n)
+#define TEST_DONE()                     test_done()
+#define TEST_ONERROR(f, c)              set_onerror_func(f, c)
+#define SSL_ERR_CHECK()                 ssl_err_check(__FILE__, __LINE__)
+
+#define ASSERT_BIGNUM_EQ(a1, a2) \
+        assert_bignum(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_STRING_EQ(a1, a2) \
+        assert_string(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_MEM_EQ(a1, a2, l) \
+        assert_mem(__FILE__, __LINE__, #a1, #a2, a1, a2, l, TEST_EQ)
+#define ASSERT_MEM_FILLED_EQ(a1, c, l) \
+        assert_mem_filled(__FILE__, __LINE__, #a1, a1, c, l, TEST_EQ)
+#define ASSERT_MEM_ZERO_EQ(a1, l) \
+        assert_mem_filled(__FILE__, __LINE__, #a1, a1, '\0', l, TEST_EQ)
+#define ASSERT_INT_EQ(a1, a2) \
+        assert_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_SIZE_T_EQ(a1, a2) \
+        assert_size_t(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_U_INT_EQ(a1, a2) \
+        assert_u_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_LONG_LONG_EQ(a1, a2) \
+        assert_long_long(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_CHAR_EQ(a1, a2) \
+        assert_char(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_PTR_EQ(a1, a2) \
+        assert_ptr(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_U8_EQ(a1, a2) \
+        assert_u8(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_U16_EQ(a1, a2) \
+        assert_u16(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_U32_EQ(a1, a2) \
+        assert_u32(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+#define ASSERT_U64_EQ(a1, a2) \
+        assert_u64(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_EQ)
+
+#define ASSERT_BIGNUM_NE(a1, a2) \
+        assert_bignum(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_STRING_NE(a1, a2) \
+        assert_string(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_MEM_NE(a1, a2, l) \
+        assert_mem(__FILE__, __LINE__, #a1, #a2, a1, a2, l, TEST_NE)
+#define ASSERT_MEM_ZERO_NE(a1, l) \
+        assert_mem_filled(__FILE__, __LINE__, #a1, a1, '\0', l, TEST_NE)
+#define ASSERT_INT_NE(a1, a2) \
+        assert_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_SIZE_T_NE(a1, a2) \
+        assert_size_t(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_U_INT_NE(a1, a2) \
+        assert_u_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_LONG_LONG_NE(a1, a2) \
+        assert_long_long(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_CHAR_NE(a1, a2) \
+        assert_char(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_PTR_NE(a1, a2) \
+        assert_ptr(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_U8_NE(a1, a2) \
+        assert_u8(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_U16_NE(a1, a2) \
+        assert_u16(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_U32_NE(a1, a2) \
+        assert_u32(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+#define ASSERT_U64_NE(a1, a2) \
+        assert_u64(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_NE)
+
+#define ASSERT_BIGNUM_LT(a1, a2) \
+        assert_bignum(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_STRING_LT(a1, a2) \
+        assert_string(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_MEM_LT(a1, a2, l) \
+        assert_mem(__FILE__, __LINE__, #a1, #a2, a1, a2, l, TEST_LT)
+#define ASSERT_INT_LT(a1, a2) \
+        assert_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_SIZE_T_LT(a1, a2) \
+        assert_size_t(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_U_INT_LT(a1, a2) \
+        assert_u_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_LONG_LONG_LT(a1, a2) \
+        assert_long_long(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_CHAR_LT(a1, a2) \
+        assert_char(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_PTR_LT(a1, a2) \
+        assert_ptr(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_U8_LT(a1, a2) \
+        assert_u8(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_U16_LT(a1, a2) \
+        assert_u16(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_U32_LT(a1, a2) \
+        assert_u32(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+#define ASSERT_U64_LT(a1, a2) \
+        assert_u64(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LT)
+
+#define ASSERT_BIGNUM_LE(a1, a2) \
+        assert_bignum(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_STRING_LE(a1, a2) \
+        assert_string(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_MEM_LE(a1, a2, l) \
+        assert_mem(__FILE__, __LINE__, #a1, #a2, a1, a2, l, TEST_LE)
+#define ASSERT_INT_LE(a1, a2) \
+        assert_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_SIZE_T_LE(a1, a2) \
+        assert_size_t(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_U_INT_LE(a1, a2) \
+        assert_u_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_LONG_LONG_LE(a1, a2) \
+        assert_long_long(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_CHAR_LE(a1, a2) \
+        assert_char(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_PTR_LE(a1, a2) \
+        assert_ptr(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_U8_LE(a1, a2) \
+        assert_u8(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_U16_LE(a1, a2) \
+        assert_u16(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_U32_LE(a1, a2) \
+        assert_u32(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+#define ASSERT_U64_LE(a1, a2) \
+        assert_u64(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_LE)
+
+#define ASSERT_BIGNUM_GT(a1, a2) \
+        assert_bignum(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_STRING_GT(a1, a2) \
+        assert_string(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_MEM_GT(a1, a2, l) \
+        assert_mem(__FILE__, __LINE__, #a1, #a2, a1, a2, l, TEST_GT)
+#define ASSERT_INT_GT(a1, a2) \
+        assert_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_SIZE_T_GT(a1, a2) \
+        assert_size_t(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_U_INT_GT(a1, a2) \
+        assert_u_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_LONG_LONG_GT(a1, a2) \
+        assert_long_long(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_CHAR_GT(a1, a2) \
+        assert_char(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_PTR_GT(a1, a2) \
+        assert_ptr(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_U8_GT(a1, a2) \
+        assert_u8(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_U16_GT(a1, a2) \
+        assert_u16(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_U32_GT(a1, a2) \
+        assert_u32(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+#define ASSERT_U64_GT(a1, a2) \
+        assert_u64(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GT)
+
+#define ASSERT_BIGNUM_GE(a1, a2) \
+        assert_bignum(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_STRING_GE(a1, a2) \
+        assert_string(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_MEM_GE(a1, a2, l) \
+        assert_mem(__FILE__, __LINE__, #a1, #a2, a1, a2, l, TEST_GE)
+#define ASSERT_INT_GE(a1, a2) \
+        assert_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_SIZE_T_GE(a1, a2) \
+        assert_size_t(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_U_INT_GE(a1, a2) \
+        assert_u_int(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_LONG_LONG_GE(a1, a2) \
+        assert_long_long(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_CHAR_GE(a1, a2) \
+        assert_char(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_PTR_GE(a1, a2) \
+        assert_ptr(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_U8_GE(a1, a2) \
+        assert_u8(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_U16_GE(a1, a2) \
+        assert_u16(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_U32_GE(a1, a2) \
+        assert_u32(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+#define ASSERT_U64_GE(a1, a2) \
+        assert_u64(__FILE__, __LINE__, #a1, #a2, a1, a2, TEST_GE)
+
+/* Fuzzing support */
+
+struct fuzz;
+#define FUZZ_1_BIT_FLIP         0x00000001      /* Flip one bit at a time */
+#define FUZZ_2_BIT_FLIP         0x00000002      /* Flip two bits at a time */
+#define FUZZ_1_BYTE_FLIP        0x00000004      /* Flip one byte at a time */
+#define FUZZ_2_BYTE_FLIP        0x00000008      /* Flip two bytes at a time */
+#define FUZZ_TRUNCATE_START     0x00000010      /* Truncate from beginning */
+#define FUZZ_TRUNCATE_END       0x00000020      /* Truncate from end */
+#define FUZZ_BASE64             0x00000040      /* Try all base64 chars */
+#define FUZZ_MAX                FUZZ_BASE64
+
+/* Start fuzzing a blob of data with selected strategies (bitmask) */
+struct fuzz *fuzz_begin(u_int strategies, const void *p, size_t l);
+
+/* Free a fuzz context */
+void fuzz_cleanup(struct fuzz *fuzz);
+
+/* Prepare the next fuzz case in the series */
+void fuzz_next(struct fuzz *fuzz);
+
+/* Determine whether the current fuzz sequence is exhausted (nonzero = yes) */
+int fuzz_done(struct fuzz *fuzz);
+
+/* Return the length and a pointer to the current fuzzed case */
+size_t fuzz_len(struct fuzz *fuzz);
+u_char *fuzz_ptr(struct fuzz *fuzz);
+
+/* Dump the current fuzz case to stderr */
+void fuzz_dump(struct fuzz *fuzz);
+#endif /* _TEST_HELPER_H */
diff --git a/rijndael.c b/rijndael.c
index 7432ea2e4..cde90789e 100644
--- a/rijndael.c
+++ b/rijndael.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rijndael.c,v 1.16 2004/06/23 00:39:38 mouring Exp $ */
+/*      $OpenBSD: rijndael.c,v 1.18 2014/04/29 15:42:07 markus Exp $ */
 
 /**
  * rijndael-alg-fst.c
@@ -25,6 +25,7 @@
  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
  * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
+
 #include "includes.h"
 
 #include <stdlib.h>
@@ -32,7 +33,7 @@
 
 #include "rijndael.h"
 
-#define FULL_UNROLL
+#undef FULL_UNROLL
 
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
@@ -247,7 +248,6 @@ static const u32 Te2[256] = {
     0xb0cb7bb0U, 0x54fca854U, 0xbbd66dbbU, 0x163a2c16U,
 };
 static const u32 Te3[256] = {
-
     0x6363a5c6U, 0x7c7c84f8U, 0x777799eeU, 0x7b7b8df6U,
     0xf2f20dffU, 0x6b6bbdd6U, 0x6f6fb1deU, 0xc5c55491U,
     0x30305060U, 0x01010302U, 0x6767a9ceU, 0x2b2b7d56U,
@@ -532,7 +532,6 @@ static const u32 Td2[256] = {
     0xf4cd65daU, 0xbed50605U, 0x621fd134U, 0xfe8ac4a6U,
     0x539d342eU, 0x55a0a2f3U, 0xe132058aU, 0xeb75a4f6U,
     0xec390b83U, 0xefaa4060U, 0x9f065e71U, 0x1051bd6eU,
-
     0x8af93e21U, 0x063d96ddU, 0x05aedd3eU, 0xbd464de6U,
     0x8db59154U, 0x5d0571c4U, 0xd46f0406U, 0x15ff6050U,
     0xfb241998U, 0xe997d6bdU, 0x43cc8940U, 0x9e7767d9U,
@@ -724,8 +723,10 @@ static const u32 rcon[] = {
  *
  * @return      the number of rounds for the given cipher key size.
  */
-static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits) {
-        int i = 0;
+int
+rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits)
+{
+        int i = 0;
         u32 temp;
 
         rk[0] = GETU32(cipherKey     );
@@ -786,9 +787,9 @@ static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int
                         rk[ 9] = rk[ 1] ^ rk[ 8];
                         rk[10] = rk[ 2] ^ rk[ 9];
                         rk[11] = rk[ 3] ^ rk[10];
-                                if (++i == 7) {
-                                        return 14;
-                                }
+                        if (++i == 7) {
+                                return 14;
+                        }
                         temp = rk[11];
                         rk[12] = rk[ 4] ^
                                 (Te4[(temp >> 24)       ] & 0xff000000) ^
@@ -797,7 +798,7 @@ static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int
                                 (Te4[(temp      ) & 0xff] & 0x000000ff);
                         rk[13] = rk[ 5] ^ rk[12];
                         rk[14] = rk[ 6] ^ rk[13];
-                        rk[15] = rk[ 7] ^ rk[14];
+                        rk[15] = rk[ 7] ^ rk[14];
                         rk += 8;
                 }
         }
@@ -809,18 +810,21 @@ static int rijndaelKeySetupEnc(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int
  *
  * @return      the number of rounds for the given cipher key size.
  */
-static int
+int
 rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits,
-    int have_encrypt) {
+    int have_encrypt)
+{
         int Nr, i, j;
         u32 temp;
 
-        if (have_encrypt) {
+        /* expand the cipher key: */
+        if (have_encrypt > 0) {
+                /* Already done */
                 Nr = have_encrypt;
         } else {
-                /* expand the cipher key: */
                 Nr = rijndaelKeySetupEnc(rk, cipherKey, keyBits);
         }
+
         /* invert the order of the round keys: */
         for (i = 0, j = 4*Nr; i < j; i += 4, j -= 4) {
                 temp = rk[i    ]; rk[i    ] = rk[j    ]; rk[j    ] = temp;
@@ -855,7 +859,10 @@ rijndaelKeySetupDec(u32 rk[/*4*(Nr + 1)*/], const u8 cipherKey[], int keyBits,
         return Nr;
 }
 
-static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16], u8 ct[16]) {
+void
+rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16],
+    u8 ct[16])
+{
         u32 s0, s1, s2, s3, t0, t1, t2, t3;
 #ifndef FULL_UNROLL
     int r;
@@ -871,50 +878,50 @@ static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16
         s3 = GETU32(pt + 12) ^ rk[3];
 #ifdef FULL_UNROLL
     /* round 1: */
-        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
-        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
-        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
-        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
-        /* round 2: */
-        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
-        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
-        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
-        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[ 4];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[ 5];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[ 6];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[ 7];
+        /* round 2: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[ 8];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[ 9];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[10];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[11];
     /* round 3: */
-        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
-        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
-        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
-        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
-        /* round 4: */
-        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
-        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
-        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
-        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[12];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[13];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[14];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[15];
+        /* round 4: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[16];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[17];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[18];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[19];
     /* round 5: */
-        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
-        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
-        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
-        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
-        /* round 6: */
-        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
-        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
-        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
-        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[20];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[21];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[22];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[23];
+        /* round 6: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[24];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[25];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[26];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[27];
     /* round 7: */
-        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
-        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
-        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
-        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
-        /* round 8: */
-        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
-        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
-        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
-        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[28];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[29];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[30];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[31];
+        /* round 8: */
+        s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[32];
+        s1 = Te0[t1 >> 24] ^ Te1[(t2 >> 16) & 0xff] ^ Te2[(t3 >>  8) & 0xff] ^ Te3[t0 & 0xff] ^ rk[33];
+        s2 = Te0[t2 >> 24] ^ Te1[(t3 >> 16) & 0xff] ^ Te2[(t0 >>  8) & 0xff] ^ Te3[t1 & 0xff] ^ rk[34];
+        s3 = Te0[t3 >> 24] ^ Te1[(t0 >> 16) & 0xff] ^ Te2[(t1 >>  8) & 0xff] ^ Te3[t2 & 0xff] ^ rk[35];
     /* round 9: */
-        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
-        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
-        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
-        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
+        t0 = Te0[s0 >> 24] ^ Te1[(s1 >> 16) & 0xff] ^ Te2[(s2 >>  8) & 0xff] ^ Te3[s3 & 0xff] ^ rk[36];
+        t1 = Te0[s1 >> 24] ^ Te1[(s2 >> 16) & 0xff] ^ Te2[(s3 >>  8) & 0xff] ^ Te3[s0 & 0xff] ^ rk[37];
+        t2 = Te0[s2 >> 24] ^ Te1[(s3 >> 16) & 0xff] ^ Te2[(s0 >>  8) & 0xff] ^ Te3[s1 & 0xff] ^ rk[38];
+        t3 = Te0[s3 >> 24] ^ Te1[(s0 >> 16) & 0xff] ^ Te2[(s1 >>  8) & 0xff] ^ Te3[s2 & 0xff] ^ rk[39];
     if (Nr > 10) {
         /* round 10: */
         s0 = Te0[t0 >> 24] ^ Te1[(t1 >> 16) & 0xff] ^ Te2[(t2 >>  8) & 0xff] ^ Te3[t3 & 0xff] ^ rk[40];
@@ -1036,7 +1043,10 @@ static void rijndaelEncrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 pt[16
         PUTU32(ct + 12, s3);
 }
 
-static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16], u8 pt[16]) {
+static void
+rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16],
+    u8 pt[16])
+{
         u32 s0, s1, s2, s3, t0, t1, t2, t3;
 #ifndef FULL_UNROLL
     int r;
@@ -1187,33 +1197,33 @@ static void rijndaelDecrypt(const u32 rk[/*4*(Nr + 1)*/], int Nr, const u8 ct[16
          * apply last round and
          * map cipher state to byte array block:
          */
-        s0 =
-                (Td4[(t0 >> 24)       ] & 0xff000000) ^
-                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
-                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
-                (Td4[(t1      ) & 0xff] & 0x000000ff) ^
-                rk[0];
+        s0 =
+                (Td4[(t0 >> 24)       ] & 0xff000000) ^
+                (Td4[(t3 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t2 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t1      ) & 0xff] & 0x000000ff) ^
+                rk[0];
         PUTU32(pt     , s0);
-        s1 =
-                (Td4[(t1 >> 24)       ] & 0xff000000) ^
-                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
-                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
-                (Td4[(t2      ) & 0xff] & 0x000000ff) ^
-                rk[1];
+        s1 =
+                (Td4[(t1 >> 24)       ] & 0xff000000) ^
+                (Td4[(t0 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t3 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t2      ) & 0xff] & 0x000000ff) ^
+                rk[1];
         PUTU32(pt +  4, s1);
-        s2 =
-                (Td4[(t2 >> 24)       ] & 0xff000000) ^
-                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
-                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
-                (Td4[(t3      ) & 0xff] & 0x000000ff) ^
-                rk[2];
+        s2 =
+                (Td4[(t2 >> 24)       ] & 0xff000000) ^
+                (Td4[(t1 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t0 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t3      ) & 0xff] & 0x000000ff) ^
+                rk[2];
         PUTU32(pt +  8, s2);
-        s3 =
-                (Td4[(t3 >> 24)       ] & 0xff000000) ^
-                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
-                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
-                (Td4[(t0      ) & 0xff] & 0x000000ff) ^
-                rk[3];
+        s3 =
+                (Td4[(t3 >> 24)       ] & 0xff000000) ^
+                (Td4[(t2 >> 16) & 0xff] & 0x00ff0000) ^
+                (Td4[(t1 >>  8) & 0xff] & 0x0000ff00) ^
+                (Td4[(t0      ) & 0xff] & 0x000000ff) ^
+                rk[3];
         PUTU32(pt + 12, s3);
 }
 
diff --git a/rijndael.h b/rijndael.h
index c614bb188..53e74e0a8 100644
--- a/rijndael.h
+++ b/rijndael.h
@@ -1,4 +1,4 @@
-/*      $OpenBSD: rijndael.h,v 1.12 2001/12/19 07:18:56 deraadt Exp $ */
+/*      $OpenBSD: rijndael.h,v 1.14 2014/04/29 15:42:07 markus Exp $ */
 
 /**
  * rijndael-alg-fst.h
@@ -25,27 +25,32 @@
  * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE,
  * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#ifndef __RIJNDAEL_H
-#define __RIJNDAEL_H
+#ifndef _PRIVATE_RIJNDAEL_H
+#define _PRIVATE_RIJNDAEL_H
 
-#define MAXKC   (256/32)
-#define MAXKB   (256/8)
-#define MAXNR   14
+#define AES_MAXKEYBITS  (256)
+#define AES_MAXKEYBYTES (AES_MAXKEYBITS/8)
+/* for 256-bit keys, fewer for less */
+#define AES_MAXROUNDS   14
 
 typedef unsigned char   u8;
 typedef unsigned short  u16;
 typedef unsigned int    u32;
 
+int     rijndaelKeySetupEnc(unsigned int [], const unsigned char [], int);
+void    rijndaelEncrypt(const unsigned int [], int, const unsigned char [],
+            unsigned char []);
+
 /*  The structure for key information */
 typedef struct {
         int     decrypt;
-        int     Nr;                     /* key-length-dependent number of rounds */
-        u32     ek[4*(MAXNR + 1)];      /* encrypt key schedule */
-        u32     dk[4*(MAXNR + 1)];      /* decrypt key schedule */
+        int     Nr;             /* key-length-dependent number of rounds */
+        u32     ek[4*(AES_MAXROUNDS + 1)];      /* encrypt key schedule */
+        u32     dk[4*(AES_MAXROUNDS + 1)];      /* decrypt key schedule */
 } rijndael_ctx;
 
 void     rijndael_set_key(rijndael_ctx *, u_char *, int, int);
 void     rijndael_decrypt(rijndael_ctx *, u_char *, u_char *);
 void     rijndael_encrypt(rijndael_ctx *, u_char *, u_char *);
 
-#endif /* __RIJNDAEL_H */
+#endif /* _PRIVATE_RIJNDAEL_H */
diff --git a/roaming_client.c b/roaming_client.c
index de049cdc1..5e5c28b2b 100644
--- a/roaming_client.c
+++ b/roaming_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: roaming_client.c,v 1.7 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: roaming_client.c,v 1.8 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright (c) 2004-2009 AppGate Network Security AB
  *
@@ -28,9 +28,6 @@
 #include <string.h>
 #include <unistd.h>
 
-#include <openssl/crypto.h>
-#include <openssl/sha.h>
-
 #include "xmalloc.h"
 #include "buffer.h"
 #include "channels.h"
diff --git a/rsa.c b/rsa.c
index d0b5bbf5e..5ecacef90 100644
--- a/rsa.c
+++ b/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: rsa.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -67,85 +67,122 @@
 #include <stdarg.h>
 #include <string.h>
 
-#include "xmalloc.h"
 #include "rsa.h"
 #include "log.h"
+#include "ssherr.h"
 
-void
+int
 rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 {
-        u_char *inbuf, *outbuf;
-        int len, ilen, olen;
+        u_char *inbuf = NULL, *outbuf = NULL;
+        int len, ilen, olen, r = SSH_ERR_INTERNAL_ERROR;
 
         if (BN_num_bits(key->e) < 2 || !BN_is_odd(key->e))
-                fatal("rsa_public_encrypt() exponent too small or not odd");
+                return SSH_ERR_INVALID_ARGUMENT;
 
         olen = BN_num_bytes(key->n);
-        outbuf = xmalloc(olen);
+        if ((outbuf = malloc(olen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
 
         ilen = BN_num_bytes(in);
-        inbuf = xmalloc(ilen);
+        if ((inbuf = malloc(ilen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
         BN_bn2bin(in, inbuf);
 
         if ((len = RSA_public_encrypt(ilen, inbuf, outbuf, key,
-            RSA_PKCS1_PADDING)) <= 0)
-                fatal("rsa_public_encrypt() failed");
+            RSA_PKCS1_PADDING)) <= 0) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
 
-        if (BN_bin2bn(outbuf, len, out) == NULL)
-                fatal("rsa_public_encrypt: BN_bin2bn failed");
+        if (BN_bin2bn(outbuf, len, out) == NULL) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        r = 0;
 
-        explicit_bzero(outbuf, olen);
-        explicit_bzero(inbuf, ilen);
-        free(outbuf);
-        free(inbuf);
+ out:
+        if (outbuf != NULL) {
+                explicit_bzero(outbuf, olen);
+                free(outbuf);
+        }
+        if (inbuf != NULL) {
+                explicit_bzero(inbuf, ilen);
+                free(inbuf);
+        }
+        return r;
 }
 
 int
 rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
 {
-        u_char *inbuf, *outbuf;
-        int len, ilen, olen;
+        u_char *inbuf = NULL, *outbuf = NULL;
+        int len, ilen, olen, r = SSH_ERR_INTERNAL_ERROR;
 
         olen = BN_num_bytes(key->n);
-        outbuf = xmalloc(olen);
+        if ((outbuf = malloc(olen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
 
         ilen = BN_num_bytes(in);
-        inbuf = xmalloc(ilen);
+        if ((inbuf = malloc(ilen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
         BN_bn2bin(in, inbuf);
 
         if ((len = RSA_private_decrypt(ilen, inbuf, outbuf, key,
             RSA_PKCS1_PADDING)) <= 0) {
-                error("rsa_private_decrypt() failed");
-        } else {
-                if (BN_bin2bn(outbuf, len, out) == NULL)
-                        fatal("rsa_private_decrypt: BN_bin2bn failed");
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        } else if (BN_bin2bn(outbuf, len, out) == NULL) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        r = 0;
+ out:
+        if (outbuf != NULL) {
+                explicit_bzero(outbuf, olen);
+                free(outbuf);
+        }
+        if (inbuf != NULL) {
+                explicit_bzero(inbuf, ilen);
+                free(inbuf);
         }
-        explicit_bzero(outbuf, olen);
-        explicit_bzero(inbuf, ilen);
-        free(outbuf);
-        free(inbuf);
-        return len;
+        return r;
 }
 
 /* calculate p-1 and q-1 */
-void
+int
 rsa_generate_additional_parameters(RSA *rsa)
 {
-        BIGNUM *aux;
-        BN_CTX *ctx;
+        BIGNUM *aux = NULL;
+        BN_CTX *ctx = NULL;
+        int r;
 
-        if ((aux = BN_new()) == NULL)
-                fatal("rsa_generate_additional_parameters: BN_new failed");
         if ((ctx = BN_CTX_new()) == NULL)
-                fatal("rsa_generate_additional_parameters: BN_CTX_new failed");
+                return SSH_ERR_ALLOC_FAIL;
+        if ((aux = BN_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
 
         if ((BN_sub(aux, rsa->q, BN_value_one()) == 0) ||
             (BN_mod(rsa->dmq1, rsa->d, aux, ctx) == 0) ||
             (BN_sub(aux, rsa->p, BN_value_one()) == 0) ||
-            (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0))
-                fatal("rsa_generate_additional_parameters: BN_sub/mod failed");
-
+            (BN_mod(rsa->dmp1, rsa->d, aux, ctx) == 0)) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        r = 0;
+ out:
         BN_clear_free(aux);
         BN_CTX_free(ctx);
+        return r;
 }
 
diff --git a/rsa.h b/rsa.h
index b841ea4e1..c476707d5 100644
--- a/rsa.h
+++ b/rsa.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.h,v 1.16 2006/03/25 22:22:43 djm Exp $ */
+/* $OpenBSD: rsa.h,v 1.17 2014/06/24 01:13:21 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -19,8 +19,8 @@
 #include <openssl/bn.h>
 #include <openssl/rsa.h>
 
-void     rsa_public_encrypt(BIGNUM *, BIGNUM *, RSA *);
+int      rsa_public_encrypt(BIGNUM *, BIGNUM *, RSA *);
 int      rsa_private_decrypt(BIGNUM *, BIGNUM *, RSA *);
-void     rsa_generate_additional_parameters(RSA *);
+int      rsa_generate_additional_parameters(RSA *);
 
 #endif                          /* RSA_H */
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index c0c17c2fc..b6f6258f2 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -25,6 +25,8 @@
  */
 /* #define SANDBOX_SECCOMP_FILTER_DEBUG 1 */
 
+/* XXX it should be possible to do logging via the log socket safely */
+
 #ifdef SANDBOX_SECCOMP_FILTER_DEBUG
 /* Use the kernel headers in case of an older toolchain. */
 # include <asm/siginfo.h>
@@ -89,6 +91,7 @@ static const struct sock_filter preauth_insns[] = {
         BPF_STMT(BPF_LD+BPF_W+BPF_ABS,
                 offsetof(struct seccomp_data, nr)),
         SC_DENY(open, EACCES),
+        SC_DENY(stat, EACCES),
         SC_ALLOW(getpid),
         SC_ALLOW(gettimeofday),
         SC_ALLOW(clock_gettime),
@@ -115,6 +118,10 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_mmap
         SC_ALLOW(mmap),
 #endif
+#ifdef __dietlibc__
+        SC_ALLOW(mremap),
+        SC_ALLOW(exit),
+#endif
         SC_ALLOW(munmap),
         SC_ALLOW(exit_group),
 #ifdef __NR_rt_sigprocmask
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 6706c9a80..aaa3d8f0a 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sandbox-systrace.c,v 1.9 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: sandbox-systrace.c,v 1.13 2014/07/17 00:10:56 djm Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
  *
@@ -52,7 +52,17 @@ struct sandbox_policy {
 static const struct sandbox_policy preauth_policy[] = {
         { SYS_open, SYSTR_POLICY_NEVER },
 
+#ifdef SYS_getentropy
+        /* OpenBSD 5.6 and newer use getentropy(2) to seed arc4random(3). */
+        { SYS_getentropy, SYSTR_POLICY_PERMIT },
+#else
+        /* Previous releases used sysctl(3)'s kern.arnd variable. */
         { SYS___sysctl, SYSTR_POLICY_PERMIT },
+#endif
+
+#ifdef SYS_sendsyslog
+        { SYS_sendsyslog, SYSTR_POLICY_PERMIT },
+#endif
         { SYS_close, SYSTR_POLICY_PERMIT },
         { SYS_exit, SYSTR_POLICY_PERMIT },
         { SYS_getpid, SYSTR_POLICY_PERMIT },
diff --git a/scp.0 b/scp.0
index b9eeffc4e..0495f2555 100644
--- a/scp.0
+++ b/scp.0
@@ -1,4 +1,4 @@
-SCP(1)                     OpenBSD Reference Manual                     SCP(1)
+SCP(1)                      General Commands Manual                     SCP(1)
 
 NAME
      scp - secure copy (remote file copy program)
@@ -11,8 +11,8 @@ SYNOPSIS
 DESCRIPTION
      scp copies files between hosts on a network.  It uses ssh(1) for data
      transfer, and uses the same authentication and provides the same security
-     as ssh(1).  Unlike rcp(1), scp will ask for passwords or passphrases if
-     they are needed for authentication.
+     as ssh(1).  scp will ask for passwords or passphrases if they are needed
+     for authentication.
 
      File names may contain a user and host specification to indicate that the
      file is to be copied to/from that host.  Local file names can be made
@@ -125,8 +125,7 @@ DESCRIPTION
      -P port
              Specifies the port to connect to on the remote host.  Note that
              this option is written with a capital `P', because -p is already
-             reserved for preserving the times and modes of the file in
-             rcp(1).
+             reserved for preserving the times and modes of the file.
 
      -p      Preserves modification times, access times, and modes from the
              original file.
@@ -149,15 +148,15 @@ EXIT STATUS
      The scp utility exits 0 on success, and >0 if an error occurs.
 
 SEE ALSO
-     rcp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
-     ssh_config(5), sshd(8)
+     sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh_config(5),
+     sshd(8)
 
 HISTORY
-     scp is based on the rcp(1) program in BSD source code from the Regents of
+     scp is based on the rcp program in BSD source code from the Regents of
      the University of California.
 
 AUTHORS
      Timo Rinne <tri@iki.fi>
      Tatu Ylonen <ylo@cs.hut.fi>
 
-OpenBSD 5.5                    October 20, 2013                    OpenBSD 5.5
+OpenBSD 5.6                     March 19, 2014                     OpenBSD 5.6
diff --git a/scp.1 b/scp.1
index 3b67cff0e..1791b6189 100644
--- a/scp.1
+++ b/scp.1
@@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.61 2013/10/20 09:51:26 djm Exp $
+.\" $OpenBSD: scp.1,v 1.62 2014/03/19 14:42:44 tedu Exp $
 .\"
-.Dd $Mdocdate: October 20 2013 $
+.Dd $Mdocdate: March 19 2014 $
 .Dt SCP 1
 .Os
 .Sh NAME
@@ -49,8 +49,6 @@ It uses
 for data transfer, and uses the same authentication and provides the
 same security as
 .Xr ssh 1 .
-Unlike
-.Xr rcp 1 ,
 .Nm
 will ask for passwords or passphrases if they are needed for
 authentication.
@@ -191,8 +189,7 @@ Note that this option is written with a capital
 .Sq P ,
 because
 .Fl p
-is already reserved for preserving the times and modes of the file in
-.Xr rcp 1 .
+is already reserved for preserving the times and modes of the file.
 .It Fl p
 Preserves modification times, access times, and modes from the
 original file.
@@ -225,7 +222,6 @@ debugging connection, authentication, and configuration problems.
 .Sh EXIT STATUS
 .Ex -std scp
 .Sh SEE ALSO
-.Xr rcp 1 ,
 .Xr sftp 1 ,
 .Xr ssh 1 ,
 .Xr ssh-add 1 ,
@@ -235,9 +231,7 @@ debugging connection, authentication, and configuration problems.
 .Xr sshd 8
 .Sh HISTORY
 .Nm
-is based on the
-.Xr rcp 1
-program in
+is based on the rcp program in
 .Bx
 source code from the Regents of the University of California.
 .Sh AUTHORS
diff --git a/scp.c b/scp.c
index 18d3b1dc9..1ec3b7087 100644
--- a/scp.c
+++ b/scp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.179 2013/11/20 20:53:10 deraadt Exp $ */
+/* $OpenBSD: scp.c,v 1.180 2014/06/24 02:21:01 djm Exp $ */
 /*
  * scp - secure remote copy.  This is basically patched BSD rcp which
  * uses ssh to do the data transfer (instead of using rcmd).
@@ -747,7 +747,7 @@ source(int argc, char **argv)
         static BUF buffer;
         BUF *bp;
         off_t i, statbytes;
-        size_t amt;
+        size_t amt, nr;
         int fd = -1, haderr, indx;
         char *last, *name, buf[2048], encname[MAXPATHLEN];
         int len;
@@ -820,12 +820,16 @@ next:			if (fd != -1) {
                         if (i + (off_t)amt > stb.st_size)
                                 amt = stb.st_size - i;
                         if (!haderr) {
-                                if (atomicio(read, fd, bp->buf, amt) != amt)
+                                if ((nr = atomicio(read, fd,
+                                    bp->buf, amt)) != amt) {
                                         haderr = errno;
+                                        memset(bp->buf + nr, 0, amt - nr);
+                                }
                         }
                         /* Keep writing after error to retain sync */
                         if (haderr) {
                                 (void)atomicio(vwrite, remout, bp->buf, amt);
+                                memset(bp->buf, 0, amt);
                                 continue;
                         }
                         if (atomicio6(vwrite, remout, bp->buf, amt, scpio,
diff --git a/servconf.c b/servconf.c
index 7ba65d51d..b7f329447 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: servconf.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -39,10 +39,10 @@
 #include "ssh.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "compat.h"
 #include "pathnames.h"
-#include "misc.h"
 #include "cipher.h"
 #include "key.h"
 #include "kex.h"
@@ -93,6 +93,7 @@ initialize_server_options(ServerOptions *options)
         options->x11_display_offset = -1;
         options->x11_use_localhost = -1;
         options->permit_tty = -1;
+        options->permit_user_rc = -1;
         options->xauth_location = NULL;
         options->strict_modes = -1;
         options->tcp_keep_alive = -1;
@@ -119,6 +120,7 @@ initialize_server_options(ServerOptions *options)
         options->rekey_limit = -1;
         options->rekey_interval = -1;
         options->allow_tcp_forwarding = -1;
+        options->allow_streamlocal_forwarding = -1;
         options->allow_agent_forwarding = -1;
         options->num_allow_users = 0;
         options->num_deny_users = 0;
@@ -128,7 +130,9 @@ initialize_server_options(ServerOptions *options)
         options->macs = NULL;
         options->kex_algorithms = NULL;
         options->protocol = SSH_PROTO_UNKNOWN;
-        options->gateway_ports = -1;
+        options->fwd_opts.gateway_ports = -1;
+        options->fwd_opts.streamlocal_bind_mask = (mode_t)-1;
+        options->fwd_opts.streamlocal_bind_unlink = -1;
         options->num_subsystems = 0;
         options->max_startups_begin = -1;
         options->max_startups_rate = -1;
@@ -216,6 +220,8 @@ fill_default_server_options(ServerOptions *options)
                 options->xauth_location = _PATH_XAUTH;
         if (options->permit_tty == -1)
                 options->permit_tty = 1;
+        if (options->permit_user_rc == -1)
+                options->permit_user_rc = 1;
         if (options->strict_modes == -1)
                 options->strict_modes = 1;
         if (options->tcp_keep_alive == -1)
@@ -266,10 +272,12 @@ fill_default_server_options(ServerOptions *options)
                 options->rekey_interval = 0;
         if (options->allow_tcp_forwarding == -1)
                 options->allow_tcp_forwarding = FORWARD_ALLOW;
+        if (options->allow_streamlocal_forwarding == -1)
+                options->allow_streamlocal_forwarding = FORWARD_ALLOW;
         if (options->allow_agent_forwarding == -1)
                 options->allow_agent_forwarding = 1;
-        if (options->gateway_ports == -1)
-                options->gateway_ports = 0;
+        if (options->fwd_opts.gateway_ports == -1)
+                options->fwd_opts.gateway_ports = 0;
         if (options->max_startups == -1)
                 options->max_startups = 100;
         if (options->max_startups_rate == -1)
@@ -300,6 +308,10 @@ fill_default_server_options(ServerOptions *options)
                 options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->version_addendum == NULL)
                 options->version_addendum = xstrdup("");
+        if (options->fwd_opts.streamlocal_bind_mask == (mode_t)-1)
+                options->fwd_opts.streamlocal_bind_mask = 0177;
+        if (options->fwd_opts.streamlocal_bind_unlink == -1)
+                options->fwd_opts.streamlocal_bind_unlink = 0;
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
                 use_privsep = PRIVSEP_NOSANDBOX;
@@ -347,7 +359,9 @@ typedef enum {
         sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
         sKexAlgorithms, sIPQoS, sVersionAddendum,
         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
-        sAuthenticationMethods, sHostKeyAgent,
+        sAuthenticationMethods, sHostKeyAgent, sPermitUserRC,
+        sStreamLocalBindMask, sStreamLocalBindUnlink,
+        sAllowStreamLocalForwarding,
         sDeprecated, sUnsupported
 } ServerOpCodes;
 
@@ -460,6 +474,7 @@ static struct {
         { "acceptenv", sAcceptEnv, SSHCFG_ALL },
         { "permittunnel", sPermitTunnel, SSHCFG_ALL },
         { "permittty", sPermitTTY, SSHCFG_ALL },
+        { "permituserrc", sPermitUserRC, SSHCFG_ALL },
         { "match", sMatch, SSHCFG_ALL },
         { "permitopen", sPermitOpen, SSHCFG_ALL },
         { "forcecommand", sForceCommand, SSHCFG_ALL },
@@ -474,6 +489,9 @@ static struct {
         { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
         { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
         { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
+        { "streamlocalbindmask", sStreamLocalBindMask, SSHCFG_ALL },
+        { "streamlocalbindunlink", sStreamLocalBindUnlink, SSHCFG_ALL },
+        { "allowstreamlocalforwarding", sAllowStreamLocalForwarding, SSHCFG_ALL },
         { NULL, sBadOption, 0 }
 };
 
@@ -1130,6 +1148,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->permit_tty;
                 goto parse_flag;
 
+        case sPermitUserRC:
+                intptr = &options->permit_user_rc;
+                goto parse_flag;
+
         case sStrictModes:
                 intptr = &options->strict_modes;
                 goto parse_flag;
@@ -1187,7 +1209,7 @@ process_server_config_line(ServerOptions *options, char *line,
                 break;
 
         case sGatewayPorts:
-                intptr = &options->gateway_ports;
+                intptr = &options->fwd_opts.gateway_ports;
                 multistate_ptr = multistate_gatewayports;
                 goto parse_multistate;
 
@@ -1222,6 +1244,11 @@ process_server_config_line(ServerOptions *options, char *line,
                 multistate_ptr = multistate_tcpfwd;
                 goto parse_multistate;
 
+        case sAllowStreamLocalForwarding:
+                intptr = &options->allow_streamlocal_forwarding;
+                multistate_ptr = multistate_tcpfwd;
+                goto parse_multistate;
+
         case sAllowAgentForwarding:
                 intptr = &options->allow_agent_forwarding;
                 goto parse_flag;
@@ -1620,6 +1647,22 @@ process_server_config_line(ServerOptions *options, char *line,
                 }
                 return 0;
 
+        case sStreamLocalBindMask:
+                arg = strdelim(&cp);
+                if (!arg || *arg == '\0')
+                        fatal("%s line %d: missing StreamLocalBindMask argument.",
+                            filename, linenum);
+                /* Parse mode in octal format */
+                value = strtol(arg, &p, 8);
+                if (arg == p || value < 0 || value > 0777)
+                        fatal("%s line %d: Bad mask.", filename, linenum);
+                options->fwd_opts.streamlocal_bind_mask = (mode_t)value;
+                break;
+
+        case sStreamLocalBindUnlink:
+                intptr = &options->fwd_opts.streamlocal_bind_unlink;
+                goto parse_flag;
+
         case sDeprecated:
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
@@ -1759,13 +1802,15 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
         M_CP_INTOPT(permit_empty_passwd);
 
         M_CP_INTOPT(allow_tcp_forwarding);
+        M_CP_INTOPT(allow_streamlocal_forwarding);
         M_CP_INTOPT(allow_agent_forwarding);
         M_CP_INTOPT(permit_tun);
-        M_CP_INTOPT(gateway_ports);
+        M_CP_INTOPT(fwd_opts.gateway_ports);
         M_CP_INTOPT(x11_display_offset);
         M_CP_INTOPT(x11_forwarding);
         M_CP_INTOPT(x11_use_localhost);
         M_CP_INTOPT(permit_tty);
+        M_CP_INTOPT(permit_user_rc);
         M_CP_INTOPT(max_sessions);
         M_CP_INTOPT(max_authtries);
         M_CP_INTOPT(ip_qos_interactive);
@@ -1858,6 +1903,8 @@ fmt_intarg(ServerOpCodes code, int val)
                 return fmt_multistate_int(val, multistate_privsep);
         case sAllowTcpForwarding:
                 return fmt_multistate_int(val, multistate_tcpfwd);
+        case sAllowStreamLocalForwarding:
+                return fmt_multistate_int(val, multistate_tcpfwd);
         case sProtocol:
                 switch (val) {
                 case SSH_PROTO_1:
@@ -2007,15 +2054,17 @@ dump_config(ServerOptions *o)
         dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
         dump_cfg_fmtint(sX11UseLocalhost, o->x11_use_localhost);
         dump_cfg_fmtint(sPermitTTY, o->permit_tty);
+        dump_cfg_fmtint(sPermitUserRC, o->permit_user_rc);
         dump_cfg_fmtint(sStrictModes, o->strict_modes);
         dump_cfg_fmtint(sTCPKeepAlive, o->tcp_keep_alive);
         dump_cfg_fmtint(sEmptyPasswd, o->permit_empty_passwd);
         dump_cfg_fmtint(sPermitUserEnvironment, o->permit_user_env);
         dump_cfg_fmtint(sUseLogin, o->use_login);
         dump_cfg_fmtint(sCompression, o->compression);
-        dump_cfg_fmtint(sGatewayPorts, o->gateway_ports);
+        dump_cfg_fmtint(sGatewayPorts, o->fwd_opts.gateway_ports);
         dump_cfg_fmtint(sUseDNS, o->use_dns);
         dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
+        dump_cfg_fmtint(sAllowStreamLocalForwarding, o->allow_streamlocal_forwarding);
         dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
 
         /* string arguments */
diff --git a/servconf.h b/servconf.h
index 752d1c5ae..766db3a3d 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.114 2014/07/15 15:54:14 millert Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -83,6 +83,7 @@ typedef struct {
         int     x11_use_localhost;      /* If true, use localhost for fake X11 server. */
         char   *xauth_location; /* Location of xauth program */
         int     permit_tty;     /* If false, deny pty allocation */
+        int     permit_user_rc; /* If false, deny ~/.ssh/rc execution */
         int     strict_modes;   /* If true, require string home dir modes. */
         int     tcp_keep_alive; /* If true, set SO_KEEPALIVE. */
         int     ip_qos_interactive;     /* IP ToS/DSCP/class for interactive */
@@ -91,7 +92,7 @@ typedef struct {
         char   *macs;           /* Supported SSH2 macs. */
         char   *kex_algorithms; /* SSH2 kex methods in order of preference. */
         int     protocol;       /* Supported protocol versions. */
-        int     gateway_ports;  /* If true, allow remote connects to forwarded ports. */
+        struct ForwardOptions fwd_opts; /* forwarding options */
         SyslogFacility log_facility;    /* Facility for system logging. */
         LogLevel log_level;     /* Level for system logging. */
         int     rhosts_rsa_authentication;      /* If true, permit rhosts RSA
@@ -123,6 +124,7 @@ typedef struct {
         int     use_login;      /* If true, login(1) is used */
         int     compression;    /* If true, compression is allowed */
         int     allow_tcp_forwarding; /* One of FORWARD_* */
+        int     allow_streamlocal_forwarding; /* One of FORWARD_* */
         int     allow_agent_forwarding;
         u_int num_allow_users;
         char   *allow_users[MAX_ALLOW_USERS];
diff --git a/serverloop.c b/serverloop.c
index 2f8e3a06a..e92f9e27b 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.170 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: serverloop.c,v 1.172 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -61,6 +61,7 @@
 #include "packet.h"
 #include "buffer.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "canohost.h"
 #include "sshpty.h"
@@ -77,7 +78,6 @@
 #include "dispatch.h"
 #include "auth-options.h"
 #include "serverloop.h"
-#include "misc.h"
 #include "roaming.h"
 
 extern ServerOptions options;
@@ -970,7 +970,7 @@ server_request_direct_tcpip(void)
         /* XXX fine grained permissions */
         if ((options.allow_tcp_forwarding & FORWARD_LOCAL) != 0 &&
             !no_port_forwarding_flag) {
-                c = channel_connect_to(target, target_port,
+                c = channel_connect_to_port(target, target_port,
                     "direct-tcpip", "direct-tcpip");
         } else {
                 logit("refused local port forward: "
@@ -985,6 +985,38 @@ server_request_direct_tcpip(void)
 }
 
 static Channel *
+server_request_direct_streamlocal(void)
+{
+        Channel *c = NULL;
+        char *target, *originator;
+        u_short originator_port;
+
+        target = packet_get_string(NULL);
+        originator = packet_get_string(NULL);
+        originator_port = packet_get_int();
+        packet_check_eom();
+
+        debug("server_request_direct_streamlocal: originator %s port %d, target %s",
+            originator, originator_port, target);
+
+        /* XXX fine grained permissions */
+        if ((options.allow_streamlocal_forwarding & FORWARD_LOCAL) != 0 &&
+            !no_port_forwarding_flag) {
+                c = channel_connect_to_path(target,
+                    "direct-streamlocal@openssh.com", "direct-streamlocal");
+        } else {
+                logit("refused streamlocal port forward: "
+                    "originator %s port %d, target %s",
+                    originator, originator_port, target);
+        }
+
+        free(originator);
+        free(target);
+
+        return c;
+}
+
+static Channel *
 server_request_tun(void)
 {
         Channel *c = NULL;
@@ -1081,6 +1113,8 @@ server_input_channel_open(int type, u_int32_t seq, void *ctxt)
                 c = server_request_session();
         } else if (strcmp(ctype, "direct-tcpip") == 0) {
                 c = server_request_direct_tcpip();
+        } else if (strcmp(ctype, "direct-streamlocal@openssh.com") == 0) {
+                c = server_request_direct_streamlocal();
         } else if (strcmp(ctype, "tun@openssh.com") == 0) {
                 c = server_request_tun();
         }
@@ -1125,47 +1159,74 @@ server_input_global_request(int type, u_int32_t seq, void *ctxt)
         /* -R style forwarding */
         if (strcmp(rtype, "tcpip-forward") == 0) {
                 struct passwd *pw;
-                char *listen_address;
-                u_short listen_port;
+                struct Forward fwd;
 
                 pw = the_authctxt->pw;
                 if (pw == NULL || !the_authctxt->valid)
                         fatal("server_input_global_request: no/invalid user");
-                listen_address = packet_get_string(NULL);
-                listen_port = (u_short)packet_get_int();
+                memset(&fwd, 0, sizeof(fwd));
+                fwd.listen_host = packet_get_string(NULL);
+                fwd.listen_port = (u_short)packet_get_int();
                 debug("server_input_global_request: tcpip-forward listen %s port %d",
-                    listen_address, listen_port);
+                    fwd.listen_host, fwd.listen_port);
 
                 /* check permissions */
                 if ((options.allow_tcp_forwarding & FORWARD_REMOTE) == 0 ||
                     no_port_forwarding_flag ||
-                    (!want_reply && listen_port == 0)
+                    (!want_reply && fwd.listen_port == 0)
 #ifndef NO_IPPORT_RESERVED_CONCEPT
-                    || (listen_port != 0 && listen_port < IPPORT_RESERVED &&
-                    pw->pw_uid != 0)
+                    || (fwd.listen_port != 0 && fwd.listen_port < IPPORT_RESERVED &&
+                    pw->pw_uid != 0)
 #endif
                     ) {
                         success = 0;
                         packet_send_debug("Server has disabled port forwarding.");
                 } else {
                         /* Start listening on the port */
-                        success = channel_setup_remote_fwd_listener(
-                            listen_address, listen_port,
-                            &allocated_listen_port, options.gateway_ports);
+                        success = channel_setup_remote_fwd_listener(&fwd,
+                            &allocated_listen_port, &options.fwd_opts);
                 }
-                free(listen_address);
+                free(fwd.listen_host);
         } else if (strcmp(rtype, "cancel-tcpip-forward") == 0) {
-                char *cancel_address;
-                u_short cancel_port;
+                struct Forward fwd;
 
-                cancel_address = packet_get_string(NULL);
-                cancel_port = (u_short)packet_get_int();
+                memset(&fwd, 0, sizeof(fwd));
+                fwd.listen_host = packet_get_string(NULL);
+                fwd.listen_port = (u_short)packet_get_int();
                 debug("%s: cancel-tcpip-forward addr %s port %d", __func__,
-                    cancel_address, cancel_port);
+                    fwd.listen_host, fwd.listen_port);
+
+                success = channel_cancel_rport_listener(&fwd);
+                free(fwd.listen_host);
+        } else if (strcmp(rtype, "streamlocal-forward@openssh.com") == 0) {
+                struct Forward fwd;
+
+                memset(&fwd, 0, sizeof(fwd));
+                fwd.listen_path = packet_get_string(NULL);
+                debug("server_input_global_request: streamlocal-forward listen path %s",
+                    fwd.listen_path);
+
+                /* check permissions */
+                if ((options.allow_streamlocal_forwarding & FORWARD_REMOTE) == 0
+                    || no_port_forwarding_flag) {
+                        success = 0;
+                        packet_send_debug("Server has disabled port forwarding.");
+                } else {
+                        /* Start listening on the socket */
+                        success = channel_setup_remote_fwd_listener(
+                            &fwd, NULL, &options.fwd_opts);
+                }
+                free(fwd.listen_path);
+        } else if (strcmp(rtype, "cancel-streamlocal-forward@openssh.com") == 0) {
+                struct Forward fwd;
+
+                memset(&fwd, 0, sizeof(fwd));
+                fwd.listen_path = packet_get_string(NULL);
+                debug("%s: cancel-streamlocal-forward path %s", __func__,
+                    fwd.listen_path);
 
-                success = channel_cancel_rport_listener(cancel_address,
-                    cancel_port);
-                free(cancel_address);
+                success = channel_cancel_rport_listener(&fwd);
+                free(fwd.listen_path);
         } else if (strcmp(rtype, "no-more-sessions@openssh.com") == 0) {
                 no_more_sessions = 1;
                 success = 1;
@@ -1204,7 +1265,7 @@ server_input_channel_req(int type, u_int32_t seq, void *ctxt)
         } else if ((c->type == SSH_CHANNEL_LARVAL ||
             c->type == SSH_CHANNEL_OPEN) && strcmp(c->ctype, "session") == 0)
                 success = session_input_channel_req(c, rtype);
-        if (reply) {
+        if (reply && !(c->flags & CHAN_CLOSE_SENT)) {
                 packet_start(success ?
                     SSH2_MSG_CHANNEL_SUCCESS : SSH2_MSG_CHANNEL_FAILURE);
                 packet_put_int(c->remote_id);
diff --git a/session.c b/session.c
index 2bcf8185c..3e96557b8 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.270 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: session.c,v 1.274 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -49,6 +49,7 @@
 #include <errno.h>
 #include <fcntl.h>
 #include <grp.h>
+#include <netdb.h>
 #ifdef HAVE_PATHS_H
 #include <paths.h>
 #endif
@@ -83,11 +84,11 @@
 #include "authfd.h"
 #include "pathnames.h"
 #include "log.h"
+#include "misc.h"
 #include "servconf.h"
 #include "sshlogin.h"
 #include "serverloop.h"
 #include "canohost.h"
-#include "misc.h"
 #include "session.h"
 #include "kex.h"
 #include "monitor_wrap.h"
@@ -182,7 +183,6 @@ auth_input_request_forwarding(struct passwd * pw)
 {
         Channel *nc;
         int sock = -1;
-        struct sockaddr_un sunaddr;
 
         if (auth_sock_name != NULL) {
                 error("authentication forwarding requested twice.");
@@ -208,33 +208,15 @@ auth_input_request_forwarding(struct passwd * pw)
         xasprintf(&auth_sock_name, "%s/agent.%ld",
             auth_sock_dir, (long) getpid());
 
-        /* Create the socket. */
-        sock = socket(AF_UNIX, SOCK_STREAM, 0);
-        if (sock < 0) {
-                error("socket: %.100s", strerror(errno));
-                restore_uid();
-                goto authsock_err;
-        }
-
-        /* Bind it to the name. */
-        memset(&sunaddr, 0, sizeof(sunaddr));
-        sunaddr.sun_family = AF_UNIX;
-        strlcpy(sunaddr.sun_path, auth_sock_name, sizeof(sunaddr.sun_path));
-
-        if (bind(sock, (struct sockaddr *)&sunaddr, sizeof(sunaddr)) < 0) {
-                error("bind: %.100s", strerror(errno));
-                restore_uid();
-                goto authsock_err;
-        }
+        /* Start a Unix listener on auth_sock_name. */
+        sock = unix_listener(auth_sock_name, SSH_LISTEN_BACKLOG, 0);
 
         /* Restore the privileged uid. */
         restore_uid();
 
-        /* Start listening on the socket. */
-        if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
-                error("listen: %.100s", strerror(errno));
+        /* Check for socket/bind/listen failure. */
+        if (sock < 0)
                 goto authsock_err;
-        }
 
         /* Allocate a channel for the authentication agent socket. */
         nc = channel_new("auth socket",
@@ -273,6 +255,7 @@ do_authenticated(Authctxt *authctxt)
         setproctitle("%s", authctxt->pw->pw_name);
 
         /* setup the channel layer */
+        /* XXX - streamlocal? */
         if (no_port_forwarding_flag ||
             (options.allow_tcp_forwarding & FORWARD_LOCAL) == 0)
                 channel_disable_adm_local_opens();
@@ -392,7 +375,7 @@ do_authenticated1(Authctxt *authctxt)
                         }
                         debug("Received TCP/IP port forwarding request.");
                         if (channel_input_port_forward_request(s->pw->pw_uid == 0,
-                            options.gateway_ports) < 0) {
+                            &options.fwd_opts) < 0) {
                                 debug("Port forwarding failed.");
                                 break;
                         }
@@ -1358,7 +1341,8 @@ do_rc_files(Session *s, const char *shell)
 
         /* ignore _PATH_SSH_USER_RC for subsystems and admin forced commands */
         if (!s->is_subsystem && options.adm_forced_command == NULL &&
-            !no_user_rc && stat(_PATH_SSH_USER_RC, &st) >= 0) {
+            !no_user_rc && options.permit_user_rc &&
+            stat(_PATH_SSH_USER_RC, &st) >= 0) {
                 snprintf(cmd, sizeof cmd, "%s -c '%s %s'",
                     shell, _PATH_BSHELL, _PATH_SSH_USER_RC);
                 if (debug_flag)
@@ -1505,6 +1489,9 @@ void
 do_setusercontext(struct passwd *pw)
 {
         char *chroot_path, *tmp;
+#ifdef USE_LIBIAF
+        int doing_chroot = 0;
+#endif
 
         platform_setusercontext(pw);
 
@@ -1544,6 +1531,9 @@ do_setusercontext(struct passwd *pw)
                         /* Make sure we don't attempt to chroot again */
                         free(options.chroot_directory);
                         options.chroot_directory = NULL;
+#ifdef USE_LIBIAF
+                        doing_chroot = 1;
+#endif
                 }
 
 #ifdef HAVE_LOGIN_CAP
@@ -1558,7 +1548,14 @@ do_setusercontext(struct passwd *pw)
                 (void) setusercontext(lc, pw, pw->pw_uid, LOGIN_SETUMASK);
 #else
 # ifdef USE_LIBIAF
-        if (set_id(pw->pw_name) != 0) {
+/* In a chroot environment, the set_id() will always fail; typically 
+ * because of the lack of necessary authentication services and runtime
+ * such as ./usr/lib/libiaf.so, ./usr/lib/libpam.so.1, and ./etc/passwd
+ * We skip it in the internal sftp chroot case.
+ * We'll lose auditing and ACLs but permanently_set_uid will
+ * take care of the rest.
+ */
+        if ((doing_chroot == 0) && set_id(pw->pw_name) != 0) {
                 fatal("set_id(%s) Failed", pw->pw_name);
         }
 # endif /* USE_LIBIAF */
@@ -2640,7 +2637,7 @@ session_setup_x11fwd(Session *s)
 {
         struct stat st;
         char display[512], auth_display[512];
-        char hostname[MAXHOSTNAMELEN];
+        char hostname[NI_MAXHOST];
         u_int i;
 
         if (no_x11_forwarding_flag) {
diff --git a/sftp-client.c b/sftp-client.c
index 2f5907c85..990b58d14 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.114 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.115 2014/04/21 14:36:16 logan Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -1420,7 +1420,7 @@ download_dir(struct sftp_conn *conn, char *src, char *dst,
 
 int
 do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
-    int preserve_flag, int fsync_flag)
+    int preserve_flag, int resume, int fsync_flag)
 {
         int local_fd;
         int status = SSH2_FX_OK;
@@ -1429,7 +1429,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
         char *handle, *data;
         Buffer msg;
         struct stat sb;
-        Attrib a;
+        Attrib a, *c = NULL;
         u_int32_t startid;
         u_int32_t ackid;
         struct outstanding_ack {
@@ -1467,6 +1467,26 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
         if (!preserve_flag)
                 a.flags &= ~SSH2_FILEXFER_ATTR_ACMODTIME;
 
+        if (resume) {
+                /* Get remote file size if it exists */
+                if ((c = do_stat(conn, remote_path, 0)) == NULL) {
+                        close(local_fd);                
+                        return -1;
+                }
+
+                if ((off_t)c->size >= sb.st_size) {
+                        error("destination file bigger or same size as "
+                              "source file");
+                        close(local_fd);
+                        return -1;
+                }
+
+                if (lseek(local_fd, (off_t)c->size, SEEK_SET) == -1) {
+                        close(local_fd);
+                        return -1;
+                }
+        }
+
         buffer_init(&msg);
 
         /* Send open request */
@@ -1474,7 +1494,8 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
         buffer_put_char(&msg, SSH2_FXP_OPEN);
         buffer_put_int(&msg, id);
         buffer_put_cstring(&msg, remote_path);
-        buffer_put_int(&msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|SSH2_FXF_TRUNC);
+        buffer_put_int(&msg, SSH2_FXF_WRITE|SSH2_FXF_CREAT|
+                      (resume ? SSH2_FXF_APPEND : SSH2_FXF_TRUNC));
         encode_attrib(&msg, &a);
         send_msg(conn, &msg);
         debug3("Sent message SSH2_FXP_OPEN I:%u P:%s", id, remote_path);
@@ -1493,7 +1514,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
         data = xmalloc(conn->transfer_buflen);
 
         /* Read from local and write to remote */
-        offset = progress_counter = 0;
+        offset = progress_counter = (resume ? c->size : 0);
         if (showprogress)
                 start_progress_meter(local_path, sb.st_size,
                     &progress_counter);
@@ -1608,7 +1629,7 @@ do_upload(struct sftp_conn *conn, char *local_path, char *remote_path,
 
 static int
 upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
-    int preserve_flag, int print_flag, int fsync_flag)
+    int preserve_flag, int print_flag, int resume, int fsync_flag)
 {
         int ret = 0, status;
         DIR *dirp;
@@ -1677,12 +1698,12 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
                                 continue;
 
                         if (upload_dir_internal(conn, new_src, new_dst,
-                            depth + 1, preserve_flag, print_flag,
+                            depth + 1, preserve_flag, print_flag, resume,
                             fsync_flag) == -1)
                                 ret = -1;
                 } else if (S_ISREG(sb.st_mode)) {
                         if (do_upload(conn, new_src, new_dst,
-                            preserve_flag, fsync_flag) == -1) {
+                            preserve_flag, resume, fsync_flag) == -1) {
                                 error("Uploading of file %s to %s failed!",
                                     new_src, new_dst);
                                 ret = -1;
@@ -1701,7 +1722,7 @@ upload_dir_internal(struct sftp_conn *conn, char *src, char *dst, int depth,
 
 int
 upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
-    int print_flag, int fsync_flag)
+    int print_flag, int resume, int fsync_flag)
 {
         char *dst_canon;
         int ret;
@@ -1712,7 +1733,7 @@ upload_dir(struct sftp_conn *conn, char *src, char *dst, int preserve_flag,
         }
 
         ret = upload_dir_internal(conn, src, dst_canon, 0, preserve_flag,
-            print_flag, fsync_flag);
+            print_flag, resume, fsync_flag);
 
         free(dst_canon);
         return ret;
diff --git a/sftp-client.h b/sftp-client.h
index ba92ad01a..967840b9c 100644
--- a/sftp-client.h
+++ b/sftp-client.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.h,v 1.24 2013/10/17 00:30:13 djm Exp $ */
+/* $OpenBSD: sftp-client.h,v 1.25 2014/04/21 14:36:16 logan Exp $ */
 
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
@@ -120,13 +120,13 @@ int download_dir(struct sftp_conn *, char *, char *, Attrib *, int,
  * Upload 'local_path' to 'remote_path'. Preserve permissions and times
  * if 'pflag' is set
  */
-int do_upload(struct sftp_conn *, char *, char *, int, int);
+int do_upload(struct sftp_conn *, char *, char *, int, int, int);
 
 /*
  * Recursively upload 'local_directory' to 'remote_directory'. Preserve 
  * times if 'pflag' is set
  */
-int upload_dir(struct sftp_conn *, char *, char *, int, int, int);
+int upload_dir(struct sftp_conn *, char *, char *, int, int, int, int);
 
 /* Concatenate paths, taking care of slashes. Caller must free result. */
 char *path_append(char *, char *);
diff --git a/sftp-server.0 b/sftp-server.0
index ce7ddc07f..d811e252d 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -1,4 +1,4 @@
-SFTP-SERVER(8)          OpenBSD System Manager's Manual         SFTP-SERVER(8)
+SFTP-SERVER(8)              System Manager's Manual             SFTP-SERVER(8)
 
 NAME
      sftp-server - SFTP server subsystem
@@ -76,9 +76,10 @@ DESCRIPTION
              Sets an explicit umask(2) to be applied to newly-created files
              and directories, instead of the user's default mask.
 
-     For logging to work, sftp-server must be able to access /dev/log.  Use of
-     sftp-server in a chroot configuration therefore requires that syslogd(8)
-     establish a logging socket inside the chroot directory.
+     On some systems, sftp-server must be able to access /dev/log for logging
+     to work, and use of sftp-server in a chroot configuration therefore
+     requires that syslogd(8) establish a logging socket inside the chroot
+     directory.
 
 SEE ALSO
      sftp(1), ssh(1), sshd_config(5), sshd(8)
@@ -92,4 +93,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.5                    October 14, 2013                    OpenBSD 5.5
+OpenBSD 5.6                      July 28, 2014                     OpenBSD 5.6
diff --git a/sftp-server.8 b/sftp-server.8
index 1e0b277b4..75d8d8d53 100644
--- a/sftp-server.8
+++ b/sftp-server.8
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp-server.8,v 1.25 2013/10/14 14:18:56 jmc Exp $
+.\" $OpenBSD: sftp-server.8,v 1.26 2014/07/28 15:40:08 schwarze Exp $
 .\"
 .\" Copyright (c) 2000 Markus Friedl.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 14 2013 $
+.Dd $Mdocdate: July 28 2014 $
 .Dt SFTP-SERVER 8
 .Os
 .Sh NAME
@@ -140,11 +140,11 @@ to be applied to newly-created files and directories, instead of the
 user's default mask.
 .El
 .Pp
-For logging to work,
+On some systems,
 .Nm
 must be able to access
-.Pa /dev/log .
-Use of
+.Pa /dev/log
+for logging to work, and use of
 .Nm
 in a chroot configuration therefore requires that
 .Xr syslogd 8
diff --git a/sftp-server.c b/sftp-server.c
index b8eb59c36..0177130cf 100644
--- a/sftp-server.c
+++ b/sftp-server.c
@@ -29,6 +29,9 @@
 #ifdef HAVE_SYS_STATVFS_H
 #include <sys/statvfs.h>
 #endif
+#ifdef HAVE_SYS_PRCTL_H
+#include <sys/prctl.h>
+#endif
 
 #include <dirent.h>
 #include <errno.h>
@@ -1523,6 +1526,17 @@ sftp_server_main(int argc, char **argv, struct passwd *user_pw)
 
         log_init(__progname, log_level, log_facility, log_stderr);
 
+#if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
+        /*
+         * On Linux, we should try to avoid making /proc/self/{mem,maps}
+         * available to the user so that sftp access doesn't automatically
+         * imply arbitrary code execution access that will break
+         * restricted configurations.
+         */
+        if (prctl(PR_SET_DUMPABLE, 0) != 0)
+                fatal("unable to make the process undumpable");
+#endif /* defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE) */
+
         if ((cp = getenv("SSH_CONNECTION")) != NULL) {
                 client_addr = xstrdup(cp);
                 if ((cp = strchr(client_addr, ' ')) == NULL) {
diff --git a/sftp.0 b/sftp.0
index 7139aac43..e37043455 100644
--- a/sftp.0
+++ b/sftp.0
@@ -1,4 +1,4 @@
-SFTP(1)                    OpenBSD Reference Manual                    SFTP(1)
+SFTP(1)                     General Commands Manual                    SFTP(1)
 
 NAME
      sftp - secure file transfer program
@@ -44,9 +44,9 @@ DESCRIPTION
 
      -6      Forces sftp to use IPv6 addresses only.
 
-     -a      Attempt to continue interrupted downloads rather than overwriting
-             existing partial or complete copies of files.  If the remote file
-             contents differ from the partial local copy then the resultant
+     -a      Attempt to continue interrupted transfers rather than overwriting
+             existing partial or complete copies of files.  If the partial
+             contents differ from those being transferred, then the resultant
              file is likely to be corrupt.
 
      -B buffer_size
@@ -60,10 +60,11 @@ DESCRIPTION
              used in conjunction with non-interactive authentication.  A
              batchfile of `-' may be used to indicate standard input.  sftp
              will abort if any of the following commands fail: get, put,
-             reget, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod, chown,
-             chgrp, lpwd, df, symlink, and lmkdir.  Termination on error can
-             be suppressed on a command by command basis by prefixing the
-             command with a `-' character (for example, -rm /tmp/blah*).
+             reget, reput, rename, ln, rm, mkdir, chdir, ls, lchdir, chmod,
+             chown, chgrp, lpwd, df, symlink, and lmkdir.  Termination on
+             error can be suppressed on a command by command basis by
+             prefixing the command with a `-' character (for example, -rm
+             /tmp/blah*).
 
      -C      Enables compression (via ssh's -C flag).
 
@@ -310,7 +311,7 @@ INTERACTIVE COMMANDS
      progress
              Toggle display of progress meter.
 
-     put [-fPpr] local-path [remote-path]
+     put [-afPpr] local-path [remote-path]
              Upload local-path and store it on the remote machine.  If the
              remote path name is not specified, it is given the same name it
              has on the local machine.  local-path may contain glob(3)
@@ -318,6 +319,12 @@ INTERACTIVE COMMANDS
              remote-path is specified, then remote-path must specify a
              directory.
 
+             If the -a flag is specified, then attempt to resume partial
+             transfers of existing files.  Note that resumption assumes that
+             any partial copy of the remote file matches the local copy.  If
+             the local file contents differ from the remote local copy then
+             the resultant file is likely to be corrupt.
+
              If the -f flag is specified, then a request will be sent to the
              server to call fsync(2) after the file has been transferred.
              Note that this is only supported by servers that implement the
@@ -338,6 +345,10 @@ INTERACTIVE COMMANDS
              Resume download of remote-path.  Equivalent to get with the -a
              flag set.
 
+     reput [-Ppr] [local-path] remote-path
+             Resume upload of [local-path].  Equivalent to put with the -a
+             flag set.
+
      rename oldpath newpath
              Rename remote file from oldpath to newpath.
 
@@ -367,4 +378,4 @@ SEE ALSO
      T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
      filexfer-00.txt, January 2001, work in progress material.
 
-OpenBSD 5.5                    October 20, 2013                    OpenBSD 5.5
+OpenBSD 5.6                     April 22, 2014                     OpenBSD 5.6
diff --git a/sftp.1 b/sftp.1
index a700c2adb..7eb9970ab 100644
--- a/sftp.1
+++ b/sftp.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.97 2013/10/20 09:51:26 djm Exp $
+.\" $OpenBSD: sftp.1,v 1.99 2014/04/22 14:16:30 jmc Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: October 20 2013 $
+.Dd $Mdocdate: April 22 2014 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@@ -108,10 +108,10 @@ Forces
 .Nm
 to use IPv6 addresses only.
 .It Fl a
-Attempt to continue interrupted downloads rather than overwriting existing
-partial or complete copies of files.
-If the remote file contents differ from the partial local copy then the
-resultant file is likely to be corrupt.
+Attempt to continue interrupted transfers rather than overwriting
+existing partial or complete copies of files.
+If the partial contents differ from those being transferred,
+then the resultant file is likely to be corrupt.
 .It Fl B Ar buffer_size
 Specify the size of the buffer that
 .Nm
@@ -134,7 +134,7 @@ may be used to indicate standard input.
 .Nm
 will abort if any of the following
 commands fail:
-.Ic get , put , reget , rename , ln ,
+.Ic get , put , reget , reput, rename , ln ,
 .Ic rm , mkdir , chdir , ls ,
 .Ic lchdir , chmod , chown ,
 .Ic chgrp , lpwd , df , symlink ,
@@ -495,7 +495,7 @@ Create remote directory specified by
 .It Ic progress
 Toggle display of progress meter.
 .It Xo Ic put
-.Op Fl fPpr
+.Op Fl afPpr
 .Ar local-path
 .Op Ar remote-path
 .Xc
@@ -515,6 +515,15 @@ is specified, then
 must specify a directory.
 .Pp
 If the
+.Fl a
+flag is specified, then attempt to resume partial
+transfers of existing files.
+Note that resumption assumes that any partial copy of the remote file
+matches the local copy.
+If the local file contents differ from the remote local copy then
+the resultant file is likely to be corrupt.
+.Pp
+If the
 .Fl f
 flag is specified, then a request will be sent to the server to call
 .Xr fsync 2
@@ -552,6 +561,18 @@ Equivalent to
 with the
 .Fl a
 flag set.
+.It Xo Ic reput
+.Op Fl Ppr
+.Op Ar local-path
+.Ar remote-path
+.Xc
+Resume upload of
+.Op Ar local-path .
+Equivalent to
+.Ic put
+with the
+.Fl a
+flag set.
 .It Ic rename Ar oldpath Ar newpath
 Rename remote file from
 .Ar oldpath
diff --git a/sftp.c b/sftp.c
index ad1f8c84d..ff4d63d5c 100644
--- a/sftp.c
+++ b/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.158 2013/11/20 20:54:10 deraadt Exp $ */
+/* $OpenBSD: sftp.c,v 1.164 2014/07/09 01:45:10 djm Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -88,7 +88,7 @@ int showprogress = 1;
 /* When this option is set, we always recursively download/upload directories */
 int global_rflag = 0;
 
-/* When this option is set, we resume download if possible */
+/* When this option is set, we resume download or upload if possible */
 int global_aflag = 0;
 
 /* When this option is set, the file transfers will always preserve times */
@@ -151,14 +151,15 @@ enum sftp_command {
         I_PUT,
         I_PWD,
         I_QUIT,
+        I_REGET,
         I_RENAME,
+        I_REPUT,
         I_RM,
         I_RMDIR,
         I_SHELL,
         I_SYMLINK,
         I_VERSION,
         I_PROGRESS,
-        I_REGET,
 };
 
 struct CMD {
@@ -201,6 +202,7 @@ static const struct CMD cmds[] = {
         { "quit",       I_QUIT,         NOARGS  },
         { "reget",      I_REGET,        REMOTE  },
         { "rename",     I_RENAME,       REMOTE  },
+        { "reput",      I_REPUT,        LOCAL   },
         { "rm",         I_RM,           REMOTE  },
         { "rmdir",      I_RMDIR,        REMOTE  },
         { "symlink",    I_SYMLINK,      REMOTE  },
@@ -250,6 +252,7 @@ help(void)
             "exit                               Quit sftp\n"
             "get [-Ppr] remote [local]          Download file\n"
             "reget remote [local]               Resume download file\n"
+            "reput [local] remote               Resume upload file\n"
             "help                               Display this help text\n"
             "lcd path                           Change local directory to 'path'\n"
             "lls [ls-options [path]]            Display local directory listing\n"
@@ -586,15 +589,19 @@ process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
         char *abs_dst = NULL;
         glob_t g;
         char *filename, *tmp=NULL;
-        int i, err = 0;
+        int i, r, err = 0;
 
         abs_src = xstrdup(src);
         abs_src = make_absolute(abs_src, pwd);
         memset(&g, 0, sizeof(g));
 
         debug3("Looking up %s", abs_src);
-        if (remote_glob(conn, abs_src, GLOB_MARK, NULL, &g)) {
-                error("File \"%s\" not found.", abs_src);
+        if ((r = remote_glob(conn, abs_src, GLOB_MARK, NULL, &g)) != 0) {
+                if (r == GLOB_NOSPACE) {
+                        error("Too many matches for \"%s\".", abs_src);
+                } else {
+                        error("File \"%s\" not found.", abs_src);
+                }
                 err = -1;
                 goto out;
         }
@@ -660,7 +667,7 @@ out:
 
 static int
 process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
-    int pflag, int rflag, int fflag)
+    int pflag, int rflag, int resume, int fflag)
 {
         char *tmp_dst = NULL;
         char *abs_dst = NULL;
@@ -723,16 +730,20 @@ process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
                 }
                 free(tmp);
 
-                if (!quiet)
+                resume |= global_aflag;
+                if (!quiet && resume)
+                        printf("Resuming upload of %s to %s\n", g.gl_pathv[i], 
+                                abs_dst);
+                else if (!quiet && !resume)
                         printf("Uploading %s to %s\n", g.gl_pathv[i], abs_dst);
                 if (pathname_is_dir(g.gl_pathv[i]) && (rflag || global_rflag)) {
                         if (upload_dir(conn, g.gl_pathv[i], abs_dst,
-                            pflag || global_pflag, 1,
+                            pflag || global_pflag, 1, resume,
                             fflag || global_fflag) == -1)
                                 err = -1;
                 } else {
                         if (do_upload(conn, g.gl_pathv[i], abs_dst,
-                            pflag || global_pflag,
+                            pflag || global_pflag, resume,
                             fflag || global_fflag) == -1)
                                 err = -1;
                 }
@@ -855,19 +866,23 @@ do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
 {
         char *fname, *lname;
         glob_t g;
-        int err;
+        int err, r;
         struct winsize ws;
         u_int i, c = 1, colspace = 0, columns = 1, m = 0, width = 80;
 
         memset(&g, 0, sizeof(g));
 
-        if (remote_glob(conn, path,
+        if ((r = remote_glob(conn, path,
             GLOB_MARK|GLOB_NOCHECK|GLOB_BRACE|GLOB_KEEPSTAT|GLOB_NOSORT,
-            NULL, &g) ||
+            NULL, &g)) != 0 ||
             (g.gl_pathc && !g.gl_matchc)) {
                 if (g.gl_pathc)
                         globfree(&g);
-                error("Can't ls: \"%s\" not found", path);
+                if (r == GLOB_NOSPACE) {
+                        error("Can't ls: Too many matches for \"%s\"", path);
+                } else {
+                        error("Can't ls: \"%s\" not found", path);
+                }
                 return -1;
         }
 
@@ -1186,8 +1201,9 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
 }
 
 static int
-parse_args(const char **cpp, int *ignore_errors, int *aflag, int *fflag,
-    int *hflag, int *iflag, int *lflag, int *pflag, int *rflag, int *sflag,
+parse_args(const char **cpp, int *ignore_errors, int *aflag,
+          int *fflag, int *hflag, int *iflag, int *lflag, int *pflag, 
+          int *rflag, int *sflag,
     unsigned long *n_arg, char **path1, char **path2)
 {
         const char *cmd, *cp = *cpp;
@@ -1239,6 +1255,7 @@ parse_args(const char **cpp, int *ignore_errors, int *aflag, int *fflag,
         switch (cmdnum) {
         case I_GET:
         case I_REGET:
+        case I_REPUT:
         case I_PUT:
                 if ((optidx = parse_getput_flags(cmd, argv, argc,
                     aflag, fflag, pflag, rflag)) == -1)
@@ -1256,11 +1273,6 @@ parse_args(const char **cpp, int *ignore_errors, int *aflag, int *fflag,
                         /* Destination is not globbed */
                         undo_glob_escape(*path2);
                 }
-                if (*aflag && cmdnum == I_PUT) {
-                        /* XXX implement resume for uploads */
-                        error("Resume is not supported for uploads");
-                        return -1;
-                }
                 break;
         case I_LINK:
                 if ((optidx = parse_link_flags(cmd, argv, argc, sflag)) == -1)
@@ -1382,7 +1394,8 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
     int err_abort)
 {
         char *path1, *path2, *tmp;
-        int ignore_errors = 0, aflag = 0, fflag = 0, hflag = 0, iflag = 0;
+        int ignore_errors = 0, aflag = 0, fflag = 0, hflag = 0, 
+        iflag = 0;
         int lflag = 0, pflag = 0, rflag = 0, sflag = 0;
         int cmdnum, i;
         unsigned long n_arg = 0;
@@ -1415,9 +1428,12 @@ parse_dispatch_command(struct sftp_conn *conn, const char *cmd, char **pwd,
                 err = process_get(conn, path1, path2, *pwd, pflag,
                     rflag, aflag, fflag);
                 break;
+        case I_REPUT:
+                aflag = 1;
+                /* FALLTHROUGH */
         case I_PUT:
                 err = process_put(conn, path1, path2, *pwd, pflag,
-                    rflag, fflag);
+                    rflag, aflag, fflag);
                 break;
         case I_RENAME:
                 path1 = make_absolute(path1, *pwd);
@@ -1834,6 +1850,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
                         pwdlen = tmplen + 1;    /* track last seen '/' */
         }
         free(tmp);
+        tmp = NULL;
 
         if (g.gl_matchc == 0)
                 goto out;
@@ -1841,7 +1858,6 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
         if (g.gl_matchc > 1)
                 complete_display(g.gl_pathv, pwdlen);
 
-        tmp = NULL;
         /* Don't try to extend globs */
         if (file == NULL || hadglob)
                 goto out;
@@ -1904,7 +1920,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
         lf = el_line(el);
         if (g.gl_matchc == 1) {
                 i = 0;
-                if (!terminated)
+                if (!terminated && quote != '\0')
                         ins[i++] = quote;
                 if (*(lf->cursor - 1) != '/' &&
                     (lastarg || *(lf->cursor) != ' '))
diff --git a/ssh-add.0 b/ssh-add.0
index ba43fee69..f16165ae5 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -1,4 +1,4 @@
-SSH-ADD(1)                 OpenBSD Reference Manual                 SSH-ADD(1)
+SSH-ADD(1)                  General Commands Manual                 SSH-ADD(1)
 
 NAME
      ssh-add - adds private key identities to the authentication agent
@@ -120,4 +120,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
+OpenBSD 5.6                    December 7, 2013                    OpenBSD 5.6
diff --git a/ssh-add.c b/ssh-add.c
index 3421452af..78a3359ad 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.109 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.113 2014/07/09 14:15:56 benno Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -62,6 +62,7 @@
 #include "authfile.h"
 #include "pathnames.h"
 #include "misc.h"
+#include "ssherr.h"
 
 /* argv0 */
 extern char *__progname;
@@ -170,7 +171,7 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
         Key *private, *cert;
         char *comment = NULL;
         char msg[1024], *certpath = NULL;
-        int fd, perms_ok, ret = -1;
+        int r, fd, perms_ok, ret = -1;
         Buffer keyblob;
 
         if (strcmp(filename, "-") == 0) {
@@ -201,12 +202,18 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
         close(fd);
 
         /* At first, try empty passphrase */
-        private = key_parse_private(&keyblob, filename, "", &comment);
+        if ((r = sshkey_parse_private_fileblob(&keyblob, "", filename,
+            &private, &comment)) != 0 && r != SSH_ERR_KEY_WRONG_PASSPHRASE)
+                fatal("Cannot parse %s: %s", filename, ssh_err(r));
+        /* try last */
+        if (private == NULL && pass != NULL) {
+                if ((r = sshkey_parse_private_fileblob(&keyblob, pass, filename,
+                    &private, &comment)) != 0 &&
+                    r != SSH_ERR_KEY_WRONG_PASSPHRASE)
+                        fatal("Cannot parse %s: %s", filename, ssh_err(r));
+        }
         if (comment == NULL)
                 comment = xstrdup(filename);
-        /* try last */
-        if (private == NULL && pass != NULL)
-                private = key_parse_private(&keyblob, filename, pass, NULL);
         if (private == NULL) {
                 /* clear passphrase since it did not work */
                 clear_pass();
@@ -220,8 +227,11 @@ add_file(AuthenticationConnection *ac, const char *filename, int key_only)
                                 buffer_free(&keyblob);
                                 return -1;
                         }
-                        private = key_parse_private(&keyblob, filename, pass,
-                            &comment);
+                        if ((r = sshkey_parse_private_fileblob(&keyblob,
+                             pass, filename, &private, NULL)) != 0 &&
+                            r != SSH_ERR_KEY_WRONG_PASSPHRASE)
+                                fatal("Cannot parse %s: %s",
+                                            filename, ssh_err(r));
                         if (private != NULL)
                                 break;
                         clear_pass();
@@ -427,6 +437,8 @@ main(int argc, char **argv)
 
         OpenSSL_add_all_algorithms();
 
+        setlinebuf(stdout);
+
         /* At first, get a connection to the authentication agent. */
         ac = ssh_get_authentication_connection();
         if (ac == NULL) {
diff --git a/ssh-agent.0 b/ssh-agent.0
index c11523db3..cac40e048 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -1,4 +1,4 @@
-SSH-AGENT(1)               OpenBSD Reference Manual               SSH-AGENT(1)
+SSH-AGENT(1)                General Commands Manual               SSH-AGENT(1)
 
 NAME
      ssh-agent - authentication agent
@@ -9,12 +9,18 @@ SYNOPSIS
 
 DESCRIPTION
      ssh-agent is a program to hold private keys used for public key
-     authentication (RSA, DSA, ECDSA, ED25519).  The idea is that ssh-agent is
-     started in the beginning of an X-session or a login session, and all
-     other windows or programs are started as clients to the ssh-agent
-     program.  Through use of environment variables the agent can be located
-     and automatically used for authentication when logging in to other
-     machines using ssh(1).
+     authentication (RSA, DSA, ECDSA, ED25519).  ssh-agent is usually started
+     in the beginning of an X-session or a login session, and all other
+     windows or programs are started as clients to the ssh-agent program.
+     Through use of environment variables the agent can be located and
+     automatically used for authentication when logging in to other machines
+     using ssh(1).
+
+     The agent initially does not have any private keys.  Keys are added using
+     ssh-add(1).  Multiple identities may be stored in ssh-agent concurrently
+     and ssh(1) will automatically use them if present.  ssh-add(1) is also
+     used to remove keys from ssh-agent and to query the keys that are held in
+     one.
 
      The options are as follows:
 
@@ -44,17 +50,6 @@ DESCRIPTION
      If a commandline is given, this is executed as a subprocess of the agent.
      When the command dies, so does the agent.
 
-     The agent initially does not have any private keys.  Keys are added using
-     ssh-add(1).  When executed without arguments, ssh-add(1) adds the files
-     ~/.ssh/id_rsa, ~/.ssh/id_dsa, ~/.ssh/id_ecdsa, ~/.ssh/id_ed25519 and
-     ~/.ssh/identity.  If the identity has a passphrase, ssh-add(1) asks for
-     the passphrase on the terminal if it has one or from a small X11 program
-     if running under X11.  If neither of these is the case then the
-     authentication will fail.  It then sends the identity to the agent.
-     Several identities can be stored in the agent; the agent can
-     automatically use any of these identities.  ssh-add -l displays the
-     identities currently held by the agent.
-
      The idea is that the agent is run in the user's local PC, laptop, or
      terminal.  Authentication data need not be stored on any other machine,
      and authentication passphrases never go over the network.  However, the
@@ -89,26 +84,6 @@ DESCRIPTION
      terminates.
 
 FILES
-     ~/.ssh/identity
-             Contains the protocol version 1 RSA authentication identity of
-             the user.
-
-     ~/.ssh/id_dsa
-             Contains the protocol version 2 DSA authentication identity of
-             the user.
-
-     ~/.ssh/id_ecdsa
-             Contains the protocol version 2 ECDSA authentication identity of
-             the user.
-
-     ~/.ssh/id_ed25519
-             Contains the protocol version 2 ED25519 authentication identity
-             of the user.
-
-     ~/.ssh/id_rsa
-             Contains the protocol version 2 RSA authentication identity of
-             the user.
-
      $TMPDIR/ssh-XXXXXXXXXX/agent.<ppid>
              UNIX-domain sockets used to contain the connection to the
              authentication agent.  These sockets should only be readable by
@@ -125,4 +100,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
+OpenBSD 5.6                     April 16, 2014                     OpenBSD 5.6
diff --git a/ssh-agent.1 b/ssh-agent.1
index 281ecbdcf..a1e634fe0 100644
--- a/ssh-agent.1
+++ b/ssh-agent.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: ssh-agent.1,v 1.54 2013/12/07 11:58:46 naddy Exp $
+.\" $OpenBSD: ssh-agent.1,v 1.55 2014/04/16 23:28:12 djm Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 7 2013 $
+.Dd $Mdocdate: April 16 2014 $
 .Dt SSH-AGENT 1
 .Os
 .Sh NAME
@@ -54,9 +54,8 @@
 .Nm
 is a program to hold private keys used for public key authentication
 (RSA, DSA, ECDSA, ED25519).
-The idea is that
 .Nm
-is started in the beginning of an X-session or a login session, and
+is usually started in the beginning of an X-session or a login session, and
 all other windows or programs are started as clients to the ssh-agent
 program.
 Through use of environment variables the agent can be located
@@ -64,6 +63,19 @@ and automatically used for authentication when logging in to other
 machines using
 .Xr ssh 1 .
 .Pp
+The agent initially does not have any private keys.
+Keys are added using
+.Xr ssh-add 1 .
+Multiple identities may be stored in
+.Nm
+concurrently and
+.Xr ssh 1
+will automatically use them if present.
+.Xr ssh-add 1
+is also used to remove keys from
+.Nm
+and to query the keys that are held in one.
+.Pp
 The options are as follows:
 .Bl -tag -width Ds
 .It Fl a Ar bind_address
@@ -107,29 +119,6 @@ Without this option the default maximum lifetime is forever.
 If a commandline is given, this is executed as a subprocess of the agent.
 When the command dies, so does the agent.
 .Pp
-The agent initially does not have any private keys.
-Keys are added using
-.Xr ssh-add 1 .
-When executed without arguments,
-.Xr ssh-add 1
-adds the files
-.Pa ~/.ssh/id_rsa ,
-.Pa ~/.ssh/id_dsa ,
-.Pa ~/.ssh/id_ecdsa ,
-.Pa ~/.ssh/id_ed25519
-and
-.Pa ~/.ssh/identity .
-If the identity has a passphrase,
-.Xr ssh-add 1
-asks for the passphrase on the terminal if it has one or from a small X11
-program if running under X11.
-If neither of these is the case then the authentication will fail.
-It then sends the identity to the agent.
-Several identities can be stored in the
-agent; the agent can automatically use any of these identities.
-.Ic ssh-add -l
-displays the identities currently held by the agent.
-.Pp
 The idea is that the agent is run in the user's local PC, laptop, or
 terminal.
 Authentication data need not be stored on any other
@@ -185,16 +174,6 @@ The agent exits automatically when the command given on the command
 line terminates.
 .Sh FILES
 .Bl -tag -width Ds
-.It Pa ~/.ssh/identity
-Contains the protocol version 1 RSA authentication identity of the user.
-.It Pa ~/.ssh/id_dsa
-Contains the protocol version 2 DSA authentication identity of the user.
-.It Pa ~/.ssh/id_ecdsa
-Contains the protocol version 2 ECDSA authentication identity of the user.
-.It Pa ~/.ssh/id_ed25519
-Contains the protocol version 2 ED25519 authentication identity of the user.
-.It Pa ~/.ssh/id_rsa
-Contains the protocol version 2 RSA authentication identity of the user.
 .It Pa $TMPDIR/ssh-XXXXXXXXXX/agent.\*(Ltppid\*(Gt
 .Ux Ns -domain
 sockets used to contain the connection to the authentication agent.
diff --git a/ssh-agent.c b/ssh-agent.c
index ba2461211..25f10c549 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.183 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.190 2014/07/25 21:22:03 dtucker Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,8 +49,10 @@
 #endif
 #include "openbsd-compat/sys-queue.h"
 
+#ifdef WITH_OPENSSL
 #include <openssl/evp.h>
 #include "openbsd-compat/openssl-compat.h"
+#endif
 
 #include <errno.h>
 #include <fcntl.h>
@@ -124,6 +126,9 @@ int max_fd = 0;
 pid_t parent_pid = -1;
 time_t parent_alive_interval = 0;
 
+/* pid of process for which cleanup_socket is applicable */
+pid_t cleanup_pid = 0;
+
 /* pathname and directory for AUTH_SOCKET */
 char socket_name[MAXPATHLEN];
 char socket_dir[MAXPATHLEN];
@@ -221,9 +226,11 @@ process_request_identities(SocketEntry *e, int version)
         buffer_put_int(&msg, tab->nentries);
         TAILQ_FOREACH(id, &tab->idlist, next) {
                 if (id->key->type == KEY_RSA1) {
+#ifdef WITH_SSH1
                         buffer_put_int(&msg, BN_num_bits(id->key->rsa->n));
                         buffer_put_bignum(&msg, id->key->rsa->e);
                         buffer_put_bignum(&msg, id->key->rsa->n);
+#endif
                 } else {
                         u_char *blob;
                         u_int blen;
@@ -238,6 +245,7 @@ process_request_identities(SocketEntry *e, int version)
         buffer_free(&msg);
 }
 
+#ifdef WITH_SSH1
 /* ssh1 only */
 static void
 process_authentication_challenge1(SocketEntry *e)
@@ -273,7 +281,7 @@ process_authentication_challenge1(SocketEntry *e)
         if (id != NULL && (!id->confirm || confirm_key(id) == 0)) {
                 Key *private = id->key;
                 /* Decrypt the challenge using the private key. */
-                if (rsa_private_decrypt(challenge, challenge, private->rsa) <= 0)
+                if (rsa_private_decrypt(challenge, challenge, private->rsa) != 0)
                         goto failure;
 
                 /* The response is MD5 of decrypted challenge plus session id. */
@@ -308,6 +316,7 @@ send:
         BN_clear_free(challenge);
         buffer_free(&msg);
 }
+#endif
 
 /* ssh2 only */
 static void
@@ -359,12 +368,16 @@ process_sign_request2(SocketEntry *e)
 static void
 process_remove_identity(SocketEntry *e, int version)
 {
-        u_int blen, bits;
+        u_int blen;
         int success = 0;
         Key *key = NULL;
         u_char *blob;
+#ifdef WITH_SSH1
+        u_int bits;
+#endif /* WITH_SSH1 */
 
         switch (version) {
+#ifdef WITH_SSH1
         case 1:
                 key = key_new(KEY_RSA1);
                 bits = buffer_get_int(&e->request);
@@ -375,6 +388,7 @@ process_remove_identity(SocketEntry *e, int version)
                         logit("Warning: identity keysize mismatch: actual %u, announced %u",
                             key_size(key), bits);
                 break;
+#endif /* WITH_SSH1 */
         case 2:
                 blob = buffer_get_string(&e->request, &blen);
                 key = key_from_blob(blob, blen);
@@ -471,6 +485,7 @@ process_add_identity(SocketEntry *e, int version)
         Key *k = NULL;
 
         switch (version) {
+#ifdef WITH_SSH1
         case 1:
                 k = key_new_private(KEY_RSA1);
                 (void) buffer_get_int(&e->request);             /* ignored */
@@ -484,7 +499,9 @@ process_add_identity(SocketEntry *e, int version)
                 buffer_get_bignum(&e->request, k->rsa->p);      /* q */
 
                 /* Generate additional parameters */
-                rsa_generate_additional_parameters(k->rsa);
+                if (rsa_generate_additional_parameters(k->rsa) != 0)
+                        fatal("%s: rsa_generate_additional_parameters "
+                            "error", __func__);
 
                 /* enable blinding */
                 if (RSA_blinding_on(k->rsa, NULL) != 1) {
@@ -493,6 +510,7 @@ process_add_identity(SocketEntry *e, int version)
                         goto send;
                 }
                 break;
+#endif /* WITH_SSH1 */
         case 2:
                 k = key_private_deserialize(&e->request);
                 if (k == NULL) {
@@ -501,11 +519,10 @@ process_add_identity(SocketEntry *e, int version)
                 }
                 break;
         }
-        comment = buffer_get_string(&e->request, NULL);
-        if (k == NULL) {
-                free(comment);
+        if (k == NULL)
                 goto send;
-        }
+        comment = buffer_get_string(&e->request, NULL);
+
         while (buffer_len(&e->request)) {
                 switch ((type = buffer_get_char(&e->request))) {
                 case SSH_AGENT_CONSTRAIN_LIFETIME:
@@ -733,6 +750,7 @@ process_message(SocketEntry *e)
         case SSH_AGENTC_UNLOCK:
                 process_lock_agent(e, type == SSH_AGENTC_LOCK);
                 break;
+#ifdef WITH_SSH1
         /* ssh1 */
         case SSH_AGENTC_RSA_CHALLENGE:
                 process_authentication_challenge1(e);
@@ -750,6 +768,7 @@ process_message(SocketEntry *e)
         case SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES:
                 process_remove_all_identities(e, 1);
                 break;
+#endif
         /* ssh2 */
         case SSH2_AGENTC_SIGN_REQUEST:
                 process_sign_request2(e);
@@ -949,6 +968,7 @@ after_select(fd_set *readset, fd_set *writeset)
                                         break;
                                 }
                                 buffer_append(&sockets[i].input, buf, len);
+                                explicit_bzero(buf, sizeof(buf));
                                 process_message(&sockets[i]);
                         }
                         break;
@@ -960,6 +980,9 @@ after_select(fd_set *readset, fd_set *writeset)
 static void
 cleanup_socket(void)
 {
+        if (cleanup_pid != 0 && getpid() != cleanup_pid)
+                return;
+        debug("%s: cleanup", __func__);
         if (socket_name[0])
                 unlink(socket_name);
         if (socket_dir[0])
@@ -1001,15 +1024,10 @@ check_parent_exists(void)
 static void
 usage(void)
 {
-        fprintf(stderr, "usage: %s [options] [command [arg ...]]\n",
-            __progname);
-        fprintf(stderr, "Options:\n");
-        fprintf(stderr, "  -c          Generate C-shell commands on stdout.\n");
-        fprintf(stderr, "  -s          Generate Bourne shell commands on stdout.\n");
-        fprintf(stderr, "  -k          Kill the current agent.\n");
-        fprintf(stderr, "  -d          Debug mode.\n");
-        fprintf(stderr, "  -a socket   Bind agent socket to given name.\n");
-        fprintf(stderr, "  -t life     Default identity lifetime (seconds).\n");
+        fprintf(stderr,
+            "usage: ssh-agent [-c | -s] [-d] [-a bind_address] [-t life]\n"
+            "                 [command [arg ...]]\n"
+            "       ssh-agent [-c | -s] -k\n");
         exit(1);
 }
 
@@ -1021,17 +1039,16 @@ main(int ac, char **av)
         u_int nalloc;
         char *shell, *format, *pidstr, *agentsocket = NULL;
         fd_set *readsetp = NULL, *writesetp = NULL;
-        struct sockaddr_un sunaddr;
 #ifdef HAVE_SETRLIMIT
         struct rlimit rlim;
 #endif
-        int prev_mask;
         extern int optind;
         extern char *optarg;
         pid_t pid;
         char pidstrbuf[1 + 3 * sizeof pid];
         struct timeval *tvp = NULL;
         size_t len;
+        mode_t prev_mask;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
@@ -1045,7 +1062,9 @@ main(int ac, char **av)
         prctl(PR_SET_DUMPABLE, 0);
 #endif
 
+#ifdef WITH_OPENSSL
         OpenSSL_add_all_algorithms();
+#endif
 
         __progname = ssh_get_progname(av[0]);
         seed_rng();
@@ -1142,27 +1161,14 @@ main(int ac, char **av)
          * Create socket early so it will exist before command gets run from
          * the parent.
          */
-        sock = socket(AF_UNIX, SOCK_STREAM, 0);
-        if (sock < 0) {
-                perror("socket");
-                *socket_name = '\0'; /* Don't unlink any existing file */
-                cleanup_exit(1);
-        }
-        memset(&sunaddr, 0, sizeof(sunaddr));
-        sunaddr.sun_family = AF_UNIX;
-        strlcpy(sunaddr.sun_path, socket_name, sizeof(sunaddr.sun_path));
         prev_mask = umask(0177);
-        if (bind(sock, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) < 0) {
-                perror("bind");
+        sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0);
+        if (sock < 0) {
+                /* XXX - unix_listener() calls error() not perror() */
                 *socket_name = '\0'; /* Don't unlink any existing file */
-                umask(prev_mask);
                 cleanup_exit(1);
         }
         umask(prev_mask);
-        if (listen(sock, SSH_LISTEN_BACKLOG) < 0) {
-                perror("listen");
-                cleanup_exit(1);
-        }
 
         /*
          * Fork, and have the parent execute the command, if any, or present
@@ -1231,6 +1237,8 @@ main(int ac, char **av)
 
 skip:
 
+        cleanup_pid = getpid();
+
 #ifdef ENABLE_PKCS11
         pkcs11_init(0);
 #endif
diff --git a/ssh-dss.c b/ssh-dss.c
index 6b4abcb7d..9643d90d8 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-dss.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: ssh-dss.c,v 1.32 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -28,162 +28,192 @@
 #include <sys/types.h>
 
 #include <openssl/bn.h>
+#include <openssl/dsa.h>
 #include <openssl/evp.h>
 
 #include <stdarg.h>
 #include <string.h>
 
-#include "xmalloc.h"
-#include "buffer.h"
+#include "sshbuf.h"
 #include "compat.h"
-#include "log.h"
-#include "key.h"
+#include "ssherr.h"
 #include "digest.h"
+#define SSHKEY_INTERNAL
+#include "sshkey.h"
 
 #define INTBLOB_LEN     20
 #define SIGBLOB_LEN     (2*INTBLOB_LEN)
 
 int
-ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
+ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        DSA_SIG *sig;
+        DSA_SIG *sig = NULL;
         u_char digest[SSH_DIGEST_MAX_LENGTH], sigblob[SIGBLOB_LEN];
-        u_int rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
-        Buffer b;
-
-        if (key == NULL || key_type_plain(key->type) != KEY_DSA ||
-            key->dsa == NULL) {
-                error("%s: no DSA key", __func__);
-                return -1;
-        }
-
-        if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
-            digest, sizeof(digest)) != 0) {
-                error("%s: ssh_digest_memory failed", __func__);
-                return -1;
-        }
-
-        sig = DSA_do_sign(digest, dlen, key->dsa);
-        explicit_bzero(digest, sizeof(digest));
-
-        if (sig == NULL) {
-                error("ssh_dss_sign: sign failed");
-                return -1;
+        size_t rlen, slen, len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
+        struct sshbuf *b = NULL;
+        int ret = SSH_ERR_INVALID_ARGUMENT;
+
+        if (lenp != NULL)
+                *lenp = 0;
+        if (sigp != NULL)
+                *sigp = NULL;
+
+        if (key == NULL || key->dsa == NULL ||
+            sshkey_type_plain(key->type) != KEY_DSA)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (dlen == 0)
+                return SSH_ERR_INTERNAL_ERROR;
+
+        if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
+            digest, sizeof(digest))) != 0)
+                goto out;
+
+        if ((sig = DSA_do_sign(digest, dlen, key->dsa)) == NULL) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
         }
 
         rlen = BN_num_bytes(sig->r);
         slen = BN_num_bytes(sig->s);
         if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
-                error("bad sig size %u %u", rlen, slen);
-                DSA_SIG_free(sig);
-                return -1;
+                ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
         }
         explicit_bzero(sigblob, SIGBLOB_LEN);
-        BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
-        BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
-        DSA_SIG_free(sig);
+        BN_bn2bin(sig->r, sigblob + SIGBLOB_LEN - INTBLOB_LEN - rlen);
+        BN_bn2bin(sig->s, sigblob + SIGBLOB_LEN - slen);
 
-        if (datafellows & SSH_BUG_SIGBLOB) {
-                if (lenp != NULL)
-                        *lenp = SIGBLOB_LEN;
+        if (compat & SSH_BUG_SIGBLOB) {
                 if (sigp != NULL) {
-                        *sigp = xmalloc(SIGBLOB_LEN);
+                        if ((*sigp = malloc(SIGBLOB_LEN)) == NULL) {
+                                ret = SSH_ERR_ALLOC_FAIL;
+                                goto out;
+                        }
                         memcpy(*sigp, sigblob, SIGBLOB_LEN);
                 }
+                if (lenp != NULL)
+                        *lenp = SIGBLOB_LEN;
+                ret = 0;
         } else {
                 /* ietf-drafts */
-                buffer_init(&b);
-                buffer_put_cstring(&b, "ssh-dss");
-                buffer_put_string(&b, sigblob, SIGBLOB_LEN);
-                len = buffer_len(&b);
-                if (lenp != NULL)
-                        *lenp = len;
+                if ((b = sshbuf_new()) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((ret = sshbuf_put_cstring(b, "ssh-dss")) != 0 ||
+                    (ret = sshbuf_put_string(b, sigblob, SIGBLOB_LEN)) != 0)
+                        goto out;
+                len = sshbuf_len(b);
                 if (sigp != NULL) {
-                        *sigp = xmalloc(len);
-                        memcpy(*sigp, buffer_ptr(&b), len);
+                        if ((*sigp = malloc(len)) == NULL) {
+                                ret = SSH_ERR_ALLOC_FAIL;
+                                goto out;
+                        }
+                        memcpy(*sigp, sshbuf_ptr(b), len);
                 }
-                buffer_free(&b);
+                if (lenp != NULL)
+                        *lenp = len;
+                ret = 0;
         }
-        return 0;
+ out:
+        explicit_bzero(digest, sizeof(digest));
+        if (sig != NULL)
+                DSA_SIG_free(sig);
+        if (b != NULL)
+                sshbuf_free(b);
+        return ret;
 }
+
 int
-ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
+ssh_dss_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        DSA_SIG *sig;
-        u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
-        u_int len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
-        int rlen, ret;
-        Buffer b;
-
-        if (key == NULL || key_type_plain(key->type) != KEY_DSA ||
-            key->dsa == NULL) {
-                error("%s: no DSA key", __func__);
-                return -1;
-        }
+        DSA_SIG *sig = NULL;
+        u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob = NULL;
+        size_t len, dlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
+        int ret = SSH_ERR_INTERNAL_ERROR;
+        struct sshbuf *b = NULL;
+        char *ktype = NULL;
+
+        if (key == NULL || key->dsa == NULL ||
+            sshkey_type_plain(key->type) != KEY_DSA)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (dlen == 0)
+                return SSH_ERR_INTERNAL_ERROR;
 
         /* fetch signature */
-        if (datafellows & SSH_BUG_SIGBLOB) {
-                sigblob = xmalloc(signaturelen);
+        if (compat & SSH_BUG_SIGBLOB) {
+                if ((sigblob = malloc(signaturelen)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
                 memcpy(sigblob, signature, signaturelen);
                 len = signaturelen;
         } else {
                 /* ietf-drafts */
-                char *ktype;
-                buffer_init(&b);
-                buffer_append(&b, signature, signaturelen);
-                ktype = buffer_get_cstring(&b, NULL);
+                if ((b = sshbuf_from(signature, signaturelen)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
+                    sshbuf_get_string(b, &sigblob, &len) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
                 if (strcmp("ssh-dss", ktype) != 0) {
-                        error("%s: cannot handle type %s", __func__, ktype);
-                        buffer_free(&b);
-                        free(ktype);
-                        return -1;
+                        ret = SSH_ERR_KEY_TYPE_MISMATCH;
+                        goto out;
                 }
-                free(ktype);
-                sigblob = buffer_get_string(&b, &len);
-                rlen = buffer_len(&b);
-                buffer_free(&b);
-                if (rlen != 0) {
-                        error("%s: remaining bytes in signature %d",
-                            __func__, rlen);
-                        free(sigblob);
-                        return -1;
+                if (sshbuf_len(b) != 0) {
+                        ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+                        goto out;
                 }
         }
 
         if (len != SIGBLOB_LEN) {
-                fatal("bad sigbloblen %u != SIGBLOB_LEN", len);
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
         }
 
         /* parse signature */
-        if ((sig = DSA_SIG_new()) == NULL)
-                fatal("%s: DSA_SIG_new failed", __func__);
-        if ((sig->r = BN_new()) == NULL)
-                fatal("%s: BN_new failed", __func__);
-        if ((sig->s = BN_new()) == NULL)
-                fatal("ssh_dss_verify: BN_new failed");
+        if ((sig = DSA_SIG_new()) == NULL ||
+            (sig->r = BN_new()) == NULL ||
+            (sig->s = BN_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
         if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
-            (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
-                fatal("%s: BN_bin2bn failed", __func__);
-
-        /* clean up */
-        explicit_bzero(sigblob, len);
-        free(sigblob);
+            (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL)) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
 
         /* sha1 the data */
-        if (ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
-            digest, sizeof(digest)) != 0) {
-                error("%s: digest_memory failed", __func__);
-                return -1;
+        if ((ret = ssh_digest_memory(SSH_DIGEST_SHA1, data, datalen,
+            digest, sizeof(digest))) != 0)
+                goto out;
+
+        switch (DSA_do_verify(digest, dlen, sig, key->dsa)) {
+        case 1:
+                ret = 0;
+                break;
+        case 0:
+                ret = SSH_ERR_SIGNATURE_INVALID;
+                goto out;
+        default:
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
         }
 
-        ret = DSA_do_verify(digest, dlen, sig, key->dsa);
+ out:
         explicit_bzero(digest, sizeof(digest));
-
-        DSA_SIG_free(sig);
-
-        debug("%s: signature %s", __func__,
-            ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
+        if (sig != NULL)
+                DSA_SIG_free(sig);
+        if (b != NULL)
+                sshbuf_free(b);
+        if (ktype != NULL)
+                free(ktype);
+        if (sigblob != NULL) {
+                explicit_bzero(sigblob, len);
+                free(sigblob);
+        }
         return ret;
 }
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 551c9c460..1119db045 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa.c,v 1.10 2014/02/03 23:28:00 djm Exp $ */
+/* $OpenBSD: ssh-ecdsa.c,v 1.11 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -37,141 +37,155 @@
 
 #include <string.h>
 
-#include "xmalloc.h"
-#include "buffer.h"
-#include "compat.h"
-#include "log.h"
-#include "key.h"
+#include "sshbuf.h"
+#include "ssherr.h"
 #include "digest.h"
+#define SSHKEY_INTERNAL
+#include "sshkey.h"
 
+/* ARGSUSED */
 int
-ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
+ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        ECDSA_SIG *sig;
+        ECDSA_SIG *sig = NULL;
         int hash_alg;
         u_char digest[SSH_DIGEST_MAX_LENGTH];
-        u_int len, dlen;
-        Buffer b, bb;
+        size_t len, dlen;
+        struct sshbuf *b = NULL, *bb = NULL;
+        int ret = SSH_ERR_INTERNAL_ERROR;
 
-        if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||
-            key->ecdsa == NULL) {
-                error("%s: no ECDSA key", __func__);
-                return -1;
+        if (lenp != NULL)
+                *lenp = 0;
+        if (sigp != NULL)
+                *sigp = NULL;
+
+        if (key == NULL || key->ecdsa == NULL ||
+            sshkey_type_plain(key->type) != KEY_ECDSA)
+                return SSH_ERR_INVALID_ARGUMENT;
+
+        if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
+            (dlen = ssh_digest_bytes(hash_alg)) == 0)
+                return SSH_ERR_INTERNAL_ERROR;
+        if ((ret = ssh_digest_memory(hash_alg, data, datalen,
+            digest, sizeof(digest))) != 0)
+                goto out;
+
+        if ((sig = ECDSA_do_sign(digest, dlen, key->ecdsa)) == NULL) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
         }
 
-        hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);
-        if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
-                error("%s: bad hash algorithm %d", __func__, hash_alg);
-                return -1;
-        }
-        if (ssh_digest_memory(hash_alg, data, datalen,
-            digest, sizeof(digest)) != 0) {
-                error("%s: digest_memory failed", __func__);
-                return -1;
+        if ((bb = sshbuf_new()) == NULL || (b = sshbuf_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
         }
-
-        sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
-        explicit_bzero(digest, sizeof(digest));
-
-        if (sig == NULL) {
-                error("%s: sign failed", __func__);
-                return -1;
+        if ((ret = sshbuf_put_bignum2(bb, sig->r)) != 0 ||
+            (ret = sshbuf_put_bignum2(bb, sig->s)) != 0)
+                goto out;
+        if ((ret = sshbuf_put_cstring(b, sshkey_ssh_name_plain(key))) != 0 ||
+            (ret = sshbuf_put_stringb(b, bb)) != 0)
+                goto out;
+        len = sshbuf_len(b);
+        if (sigp != NULL) {
+                if ((*sigp = malloc(len)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                memcpy(*sigp, sshbuf_ptr(b), len);
         }
-
-        buffer_init(&bb);
-        buffer_put_bignum2(&bb, sig->r);
-        buffer_put_bignum2(&bb, sig->s);
-        ECDSA_SIG_free(sig);
-
-        buffer_init(&b);
-        buffer_put_cstring(&b, key_ssh_name_plain(key));
-        buffer_put_string(&b, buffer_ptr(&bb), buffer_len(&bb));
-        buffer_free(&bb);
-        len = buffer_len(&b);
         if (lenp != NULL)
                 *lenp = len;
-        if (sigp != NULL) {
-                *sigp = xmalloc(len);
-                memcpy(*sigp, buffer_ptr(&b), len);
-        }
-        buffer_free(&b);
-
-        return 0;
+        ret = 0;
+ out:
+        explicit_bzero(digest, sizeof(digest));
+        if (b != NULL)
+                sshbuf_free(b);
+        if (bb != NULL)
+                sshbuf_free(bb);
+        if (sig != NULL)
+                ECDSA_SIG_free(sig);
+        return ret;
 }
+
+/* ARGSUSED */
 int
-ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
+ssh_ecdsa_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        ECDSA_SIG *sig;
+        ECDSA_SIG *sig = NULL;
         int hash_alg;
-        u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
-        u_int len, dlen;
-        int rlen, ret;
-        Buffer b, bb;
-        char *ktype;
-
-        if (key == NULL || key_type_plain(key->type) != KEY_ECDSA ||
-            key->ecdsa == NULL) {
-                error("%s: no ECDSA key", __func__);
-                return -1;
-        }
+        u_char digest[SSH_DIGEST_MAX_LENGTH];
+        size_t dlen;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+        struct sshbuf *b = NULL, *sigbuf = NULL;
+        char *ktype = NULL;
+
+        if (key == NULL || key->ecdsa == NULL ||
+            sshkey_type_plain(key->type) != KEY_ECDSA)
+                return SSH_ERR_INVALID_ARGUMENT;
+
+        if ((hash_alg = sshkey_ec_nid_to_hash_alg(key->ecdsa_nid)) == -1 ||
+            (dlen = ssh_digest_bytes(hash_alg)) == 0)
+                return SSH_ERR_INTERNAL_ERROR;
 
         /* fetch signature */
-        buffer_init(&b);
-        buffer_append(&b, signature, signaturelen);
-        ktype = buffer_get_string(&b, NULL);
-        if (strcmp(key_ssh_name_plain(key), ktype) != 0) {
-                error("%s: cannot handle type %s", __func__, ktype);
-                buffer_free(&b);
-                free(ktype);
-                return -1;
+        if ((b = sshbuf_from(signature, signaturelen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if (sshbuf_get_cstring(b, &ktype, NULL) != 0 ||
+            sshbuf_froms(b, &sigbuf) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
         }
-        free(ktype);
-        sigblob = buffer_get_string(&b, &len);
-        rlen = buffer_len(&b);
-        buffer_free(&b);
-        if (rlen != 0) {
-                error("%s: remaining bytes in signature %d", __func__, rlen);
-                free(sigblob);
-                return -1;
+        if (strcmp(sshkey_ssh_name_plain(key), ktype) != 0) {
+                ret = SSH_ERR_KEY_TYPE_MISMATCH;
+                goto out;
+        }
+        if (sshbuf_len(b) != 0) {
+                ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+                goto out;
         }
 
         /* parse signature */
-        if ((sig = ECDSA_SIG_new()) == NULL)
-                fatal("%s: ECDSA_SIG_new failed", __func__);
-
-        buffer_init(&bb);
-        buffer_append(&bb, sigblob, len);
-        buffer_get_bignum2(&bb, sig->r);
-        buffer_get_bignum2(&bb, sig->s);
-        if (buffer_len(&bb) != 0)
-                fatal("%s: remaining bytes in inner sigblob", __func__);
-        buffer_free(&bb);
-
-        /* clean up */
-        explicit_bzero(sigblob, len);
-        free(sigblob);
-
-        /* hash the data */
-        hash_alg = key_ec_nid_to_hash_alg(key->ecdsa_nid);
-        if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
-                error("%s: bad hash algorithm %d", __func__, hash_alg);
-                return -1;
+        if ((sig = ECDSA_SIG_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (sshbuf_get_bignum2(sigbuf, sig->r) != 0 ||
+            sshbuf_get_bignum2(sigbuf, sig->s) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        if (sshbuf_len(sigbuf) != 0) {
+                ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+                goto out;
         }
-        if (ssh_digest_memory(hash_alg, data, datalen,
-            digest, sizeof(digest)) != 0) {
-                error("%s: digest_memory failed", __func__);
-                return -1;
+        if ((ret = ssh_digest_memory(hash_alg, data, datalen,
+            digest, sizeof(digest))) != 0)
+                goto out;
+
+        switch (ECDSA_do_verify(digest, dlen, sig, key->ecdsa)) {
+        case 1:
+                ret = 0;
+                break;
+        case 0:
+                ret = SSH_ERR_SIGNATURE_INVALID;
+                goto out;
+        default:
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
         }
 
-        ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
+ out:
         explicit_bzero(digest, sizeof(digest));
-
-        ECDSA_SIG_free(sig);
-
-        debug("%s: signature %s", __func__,
-            ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
+        if (sigbuf != NULL)
+                sshbuf_free(sigbuf);
+        if (b != NULL)
+                sshbuf_free(b);
+        if (sig != NULL)
+                ECDSA_SIG_free(sig);
+        free(ktype);
         return ret;
 }
 
diff --git a/ssh-ed25519.c b/ssh-ed25519.c
index 160d1f23b..cb87d4790 100644
--- a/ssh-ed25519.c
+++ b/ssh-ed25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ed25519.c,v 1.3 2014/02/23 20:03:42 djm Exp $ */
+/* $OpenBSD: ssh-ed25519.c,v 1.4 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2013 Markus Friedl <markus@openbsd.org>
  *
@@ -18,132 +18,149 @@
 #include "includes.h"
 
 #include <sys/types.h>
+#include <limits.h>
 
 #include "crypto_api.h"
 
-#include <limits.h>
 #include <string.h>
 #include <stdarg.h>
 
 #include "xmalloc.h"
 #include "log.h"
 #include "buffer.h"
-#include "key.h"
+#define SSHKEY_INTERNAL
+#include "sshkey.h"
+#include "ssherr.h"
 #include "ssh.h"
 
 int
-ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
+ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        u_char *sig;
-        u_int slen, len;
+        u_char *sig = NULL;
+        size_t slen = 0, len;
         unsigned long long smlen;
-        int ret;
-        Buffer b;
+        int r, ret;
+        struct sshbuf *b = NULL;
 
-        if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
-            key->ed25519_sk == NULL) {
-                error("%s: no ED25519 key", __func__);
-                return -1;
-        }
+        if (lenp != NULL)
+                *lenp = 0;
+        if (sigp != NULL)
+                *sigp = NULL;
 
-        if (datalen >= UINT_MAX - crypto_sign_ed25519_BYTES) {
-                error("%s: datalen %u too long", __func__, datalen);
-                return -1;
-        }
+        if (key == NULL ||
+            sshkey_type_plain(key->type) != KEY_ED25519 ||
+            key->ed25519_sk == NULL ||
+            datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
+                return SSH_ERR_INVALID_ARGUMENT;
         smlen = slen = datalen + crypto_sign_ed25519_BYTES;
-        sig = xmalloc(slen);
+        if ((sig = malloc(slen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
 
         if ((ret = crypto_sign_ed25519(sig, &smlen, data, datalen,
             key->ed25519_sk)) != 0 || smlen <= datalen) {
-                error("%s: crypto_sign_ed25519 failed: %d", __func__, ret);
-                free(sig);
-                return -1;
+                r = SSH_ERR_INVALID_ARGUMENT; /* XXX better error? */
+                goto out;
         }
         /* encode signature */
-        buffer_init(&b);
-        buffer_put_cstring(&b, "ssh-ed25519");
-        buffer_put_string(&b, sig, smlen - datalen);
-        len = buffer_len(&b);
+        if ((b = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = sshbuf_put_cstring(b, "ssh-ed25519")) != 0 ||
+            (r = sshbuf_put_string(b, sig, smlen - datalen)) != 0)
+                goto out;
+        len = sshbuf_len(b);
+        if (sigp != NULL) {
+                if ((*sigp = malloc(len)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                memcpy(*sigp, sshbuf_ptr(b), len);
+        }
         if (lenp != NULL)
                 *lenp = len;
-        if (sigp != NULL) {
-                *sigp = xmalloc(len);
-                memcpy(*sigp, buffer_ptr(&b), len);
+        /* success */
+        r = 0;
+ out:
+        sshbuf_free(b);
+        if (sig != NULL) {
+                explicit_bzero(sig, slen);
+                free(sig);
         }
-        buffer_free(&b);
-        explicit_bzero(sig, slen);
-        free(sig);
 
-        return 0;
+        return r;
 }
 
 int
-ssh_ed25519_verify(const Key *key, const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
+ssh_ed25519_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        Buffer b;
-        char *ktype;
-        u_char *sigblob, *sm, *m;
-        u_int len;
-        unsigned long long smlen, mlen;
-        int rlen, ret;
+        struct sshbuf *b = NULL;
+        char *ktype = NULL;
+        const u_char *sigblob;
+        u_char *sm = NULL, *m = NULL;
+        size_t len;
+        unsigned long long smlen = 0, mlen = 0;
+        int r, ret;
 
-        if (key == NULL || key_type_plain(key->type) != KEY_ED25519 ||
-            key->ed25519_pk == NULL) {
-                error("%s: no ED25519 key", __func__);
-                return -1;
-        }
-        buffer_init(&b);
-        buffer_append(&b, signature, signaturelen);
-        ktype = buffer_get_cstring(&b, NULL);
+        if (key == NULL ||
+            sshkey_type_plain(key->type) != KEY_ED25519 ||
+            key->ed25519_pk == NULL ||
+            datalen >= INT_MAX - crypto_sign_ed25519_BYTES)
+                return SSH_ERR_INVALID_ARGUMENT;
+
+        if ((b = sshbuf_from(signature, signaturelen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshbuf_get_cstring(b, &ktype, NULL)) != 0 ||
+            (r = sshbuf_get_string_direct(b, &sigblob, &len)) != 0)
+                goto out;
         if (strcmp("ssh-ed25519", ktype) != 0) {
-                error("%s: cannot handle type %s", __func__, ktype);
-                buffer_free(&b);
-                free(ktype);
-                return -1;
+                r = SSH_ERR_KEY_TYPE_MISMATCH;
+                goto out;
         }
-        free(ktype);
-        sigblob = buffer_get_string(&b, &len);
-        rlen = buffer_len(&b);
-        buffer_free(&b);
-        if (rlen != 0) {
-                error("%s: remaining bytes in signature %d", __func__, rlen);
-                free(sigblob);
-                return -1;
+        if (sshbuf_len(b) != 0) {
+                r = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+                goto out;
         }
         if (len > crypto_sign_ed25519_BYTES) {
-                error("%s: len %u > crypto_sign_ed25519_BYTES %u", __func__,
-                    len, crypto_sign_ed25519_BYTES);
-                free(sigblob);
-                return -1;
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
         }
+        if (datalen >= SIZE_MAX - len)
+                return SSH_ERR_INVALID_ARGUMENT;
         smlen = len + datalen;
-        sm = xmalloc(smlen);
+        mlen = smlen;
+        if ((sm = malloc(smlen)) == NULL || (m = xmalloc(mlen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
         memcpy(sm, sigblob, len);
         memcpy(sm+len, data, datalen);
-        mlen = smlen;
-        m = xmalloc(mlen);
         if ((ret = crypto_sign_ed25519_open(m, &mlen, sm, smlen,
             key->ed25519_pk)) != 0) {
                 debug2("%s: crypto_sign_ed25519_open failed: %d",
                     __func__, ret);
         }
-        if (ret == 0 && mlen != datalen) {
-                debug2("%s: crypto_sign_ed25519_open "
-                    "mlen != datalen (%llu != %u)", __func__, mlen, datalen);
-                ret = -1;
+        if (ret != 0 || mlen != datalen) {
+                r = SSH_ERR_SIGNATURE_INVALID;
+                goto out;
         }
         /* XXX compare 'm' and 'data' ? */
-
-        explicit_bzero(sigblob, len);
-        explicit_bzero(sm, smlen);
-        explicit_bzero(m, smlen); /* NB. mlen may be invalid if ret != 0 */
-        free(sigblob);
-        free(sm);
-        free(m);
-        debug("%s: signature %scorrect", __func__, (ret != 0) ? "in" : "");
-
-        /* translate return code carefully */
-        return (ret == 0) ? 1 : -1;
+        /* success */
+        r = 0;
+ out:
+        if (sm != NULL) {
+                explicit_bzero(sm, smlen);
+                free(sm);
+        }
+        if (m != NULL) {
+                explicit_bzero(m, smlen); /* NB mlen may be invalid if r != 0 */
+                free(m);
+        }
+        sshbuf_free(b);
+        free(ktype);
+        return r;
 }
+
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index c43678ff0..648f3017f 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -1,11 +1,11 @@
-SSH-KEYGEN(1)              OpenBSD Reference Manual              SSH-KEYGEN(1)
+SSH-KEYGEN(1)               General Commands Manual              SSH-KEYGEN(1)
 
 NAME
      ssh-keygen - authentication key generation, management and conversion
 
 SYNOPSIS
-     ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment]
-                [-f output_keyfile]
+     ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]
+                [-N new_passphrase] [-C comment] [-f output_keyfile]
      ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
      ssh-keygen -i [-m key_format] [-f input_keyfile]
      ssh-keygen -e [-m key_format] [-f input_keyfile]
@@ -164,7 +164,9 @@ DESCRIPTION
 
      -i      This option will read an unencrypted private (or public) key file
              in the format specified by the -m option and print an OpenSSH
-             compatible private (or public) key to stdout.
+             compatible private (or public) key to stdout.  This option allows
+             importing keys from other software, including several commercial
+             SSH implementations.  The default import format is ``RFC4716''.
 
      -J num_lines
              Exit after screening the specified number of lines while
@@ -178,9 +180,7 @@ DESCRIPTION
              Write the last line processed to the file checkpt while
              performing DH candidate screening using the -T option.  This will
              be used to skip lines in the input file that have already been
-             processed if the job is restarted.  This option allows importing
-             keys from other software, including several commercial SSH
-             implementations.  The default import format is ``RFC4716''.
+             processed if the job is restarted.
 
      -k      Generate a KRL file.  In this mode, ssh-keygen will generate a
              KRL file at the location specified via the -f flag that revokes
@@ -313,7 +313,7 @@ DESCRIPTION
              Test DH group exchange candidate primes (generated using the -G
              option) for safety.
 
-     -t type
+     -t dsa | ecdsa | ed25519 | rsa | rsa1
              Specifies the type of key to create.  The possible values are
              ``rsa1'' for protocol version 1 and ``dsa'', ``ecdsa'',
              ``ed25519'', or ``rsa'' for protocol version 2.
@@ -559,4 +559,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.5                    February 5, 2014                    OpenBSD 5.5
+OpenBSD 5.6                     March 31, 2014                     OpenBSD 5.6
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 12e00d416..723a0162e 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.120 2014/02/05 20:13:25 naddy Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.122 2014/03/31 13:39:34 jmc Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: February 5 2014 $
+.Dd $Mdocdate: March 31 2014 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -46,7 +46,7 @@
 .Nm ssh-keygen
 .Op Fl q
 .Op Fl b Ar bits
-.Op Fl t Ar type
+.Op Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
 .Op Fl N Ar new_passphrase
 .Op Fl C Ar comment
 .Op Fl f Ar output_keyfile
@@ -332,6 +332,10 @@ in the format specified by the
 .Fl m
 option and print an OpenSSH compatible private
 (or public) key to stdout.
+This option allows importing keys from other software, including several
+commercial SSH implementations.
+The default import format is
+.Dq RFC4716 .
 .It Fl J Ar num_lines
 Exit after screening the specified number of lines
 while performing DH candidate screening using the
@@ -350,10 +354,6 @@ while performing DH candidate screening using the
 option.
 This will be used to skip lines in the input file that have already been
 processed if the job is restarted.
-This option allows importing keys from other software, including several
-commercial SSH implementations.
-The default import format is
-.Dq RFC4716 .
 .It Fl k
 Generate a KRL file.
 In this mode,
@@ -514,7 +514,7 @@ section for details.
 Test DH group exchange candidate primes (generated using the
 .Fl G
 option) for safety.
-.It Fl t Ar type
+.It Fl t Cm dsa | ecdsa | ed25519 | rsa | rsa1
 Specifies the type of key to create.
 The possible values are
 .Dq rsa1
diff --git a/ssh-keygen.c b/ssh-keygen.c
index 2a316bcea..23058ee99 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.249 2014/07/03 03:47:27 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -165,7 +165,7 @@ int rounds = 0;
 /* argv0 */
 extern char *__progname;
 
-char hostname[MAXHOSTNAMELEN];
+char hostname[NI_MAXHOST];
 
 /* moduli.c */
 int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
@@ -195,6 +195,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
                 fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
                 exit(1);
         }
+#ifdef WITH_OPENSSL
         if (type == KEY_DSA && *bitsp != 1024)
                 fatal("DSA keys must be 1024 bits");
         else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@@ -202,6 +203,7 @@ type_bits_valid(int type, u_int32_t *bitsp)
         else if (type == KEY_ECDSA && key_ecdsa_bits_to_nid(*bitsp) == -1)
                 fatal("Invalid ECDSA key length - valid lengths are "
                     "256, 384 or 521 bits");
+#endif
 }
 
 static void
@@ -278,6 +280,7 @@ load_identity(char *filename)
 #define SSH_COM_PRIVATE_BEGIN           "---- BEGIN SSH2 ENCRYPTED PRIVATE KEY ----"
 #define SSH_COM_PRIVATE_KEY_MAGIC       0x3f6ff9eb
 
+#ifdef WITH_OPENSSL
 static void
 do_convert_to_ssh2(struct passwd *pw, Key *k)
 {
@@ -408,7 +411,7 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
         Buffer b;
         Key *key = NULL;
         char *type, *cipher;
-        u_char *sig, data[] = "abcde12345";
+        u_char *sig = NULL, data[] = "abcde12345";
         int magic, rlen, ktype, i1, i2, i3, i4;
         u_int slen;
         u_long e;
@@ -479,7 +482,9 @@ do_convert_private_ssh2_from_blob(u_char *blob, u_int blen)
                 buffer_get_bignum_bits(&b, key->rsa->iqmp);
                 buffer_get_bignum_bits(&b, key->rsa->q);
                 buffer_get_bignum_bits(&b, key->rsa->p);
-                rsa_generate_additional_parameters(key->rsa);
+                if (rsa_generate_additional_parameters(key->rsa) != 0)
+                        fatal("%s: rsa_generate_additional_parameters "
+                            "error", __func__);
                 break;
         }
         rlen = buffer_len(&b);
@@ -711,6 +716,7 @@ do_convert_from(struct passwd *pw)
         key_free(k);
         exit(0);
 }
+#endif
 
 static void
 do_print_public(struct passwd *pw)
@@ -981,7 +987,7 @@ do_gen_all_hostkeys(struct passwd *pw)
 }
 
 static void
-printhost(FILE *f, const char *name, Key *public, int ca, int hash)
+printhost(FILE *f, const char *name, Key *public, int ca, int revoked, int hash)
 {
         if (print_fingerprint) {
                 enum fp_rep rep;
@@ -1001,7 +1007,8 @@ printhost(FILE *f, const char *name, Key *public, int ca, int hash)
         } else {
                 if (hash && (name = host_hash(name, NULL, 0)) == NULL)
                         fatal("hash_host failed");
-                fprintf(f, "%s%s%s ", ca ? CA_MARKER : "", ca ? " " : "", name);
+                fprintf(f, "%s%s%s ", ca ? CA_MARKER " " : "",
+                    revoked ? REVOKE_MARKER " " : "" , name);
                 if (!key_write(public, f))
                         fatal("key_write failed");
                 fprintf(f, "\n");
@@ -1016,7 +1023,7 @@ do_known_hosts(struct passwd *pw, const char *name)
         char *cp, *cp2, *kp, *kp2;
         char line[16*1024], tmp[MAXPATHLEN], old[MAXPATHLEN];
         int c, skip = 0, inplace = 0, num = 0, invalid = 0, has_unhashed = 0;
-        int ca;
+        int ca, revoked;
         int found_key = 0;
 
         if (!have_identity) {
@@ -1030,6 +1037,7 @@ do_known_hosts(struct passwd *pw, const char *name)
         if ((in = fopen(identity_file, "r")) == NULL)
                 fatal("%s: %s: %s", __progname, identity_file, strerror(errno));
 
+        /* XXX this code is a mess; refactor -djm */
         /*
          * Find hosts goes to stdout, hash and deletions happen in-place
          * A corner case is ssh-keygen -HF foo, which should go to stdout
@@ -1073,7 +1081,7 @@ do_known_hosts(struct passwd *pw, const char *name)
                                 fprintf(out, "%s\n", cp);
                         continue;
                 }
-                /* Check whether this is a CA key */
+                /* Check whether this is a CA key or revocation marker */
                 if (strncasecmp(cp, CA_MARKER, sizeof(CA_MARKER) - 1) == 0 &&
                     (cp[sizeof(CA_MARKER) - 1] == ' ' ||
                     cp[sizeof(CA_MARKER) - 1] == '\t')) {
@@ -1081,6 +1089,14 @@ do_known_hosts(struct passwd *pw, const char *name)
                         cp += sizeof(CA_MARKER);
                 } else
                         ca = 0;
+                if (strncasecmp(cp, REVOKE_MARKER,
+                    sizeof(REVOKE_MARKER) - 1) == 0 &&
+                    (cp[sizeof(REVOKE_MARKER) - 1] == ' ' ||
+                    cp[sizeof(REVOKE_MARKER) - 1] == '\t')) {
+                        revoked = 1;
+                        cp += sizeof(REVOKE_MARKER);
+                } else
+                        revoked = 0;
 
                 /* Find the end of the host name portion. */
                 for (kp = cp; *kp && *kp != ' ' && *kp != '\t'; kp++)
@@ -1124,20 +1140,23 @@ do_known_hosts(struct passwd *pw, const char *name)
                                                 printf("# Host %s found: "
                                                     "line %d type %s%s\n", name,
                                                     num, key_type(pub),
-                                                    ca ? " (CA key)" : "");
-                                        printhost(out, cp, pub, ca, 0);
+                                                    ca ? " (CA key)" :
+                                                    revoked? " (revoked)" : "");
+                                        printhost(out, cp, pub, ca, revoked, 0);
                                         found_key = 1;
                                 }
                                 if (delete_host) {
-                                        if (!c && !ca)
-                                                printhost(out, cp, pub, ca, 0);
-                                        else
+                                        if (!c || ca || revoked) {
+                                                printhost(out, cp, pub,
+                                                    ca, revoked, 0);
+                                        } else {
                                                 printf("# Host %s found: "
                                                     "line %d type %s\n", name,
                                                     num, key_type(pub));
+                                        }
                                 }
                         } else if (hash_hosts)
-                                printhost(out, cp, pub, ca, 0);
+                                printhost(out, cp, pub, ca, revoked, 0);
                 } else {
                         if (find_host || delete_host) {
                                 c = (match_hostname(name, cp,
@@ -1148,38 +1167,43 @@ do_known_hosts(struct passwd *pw, const char *name)
                                                     "line %d type %s%s\n", name,
                                                     num, key_type(pub),
                                                     ca ? " (CA key)" : "");
-                                        printhost(out, name, pub,
-                                            ca, hash_hosts && !ca);
+                                        printhost(out, name, pub, ca, revoked,
+                                            hash_hosts && !(ca || revoked));
                                         found_key = 1;
                                 }
                                 if (delete_host) {
-                                        if (!c && !ca)
-                                                printhost(out, cp, pub, ca, 0);
-                                        else
+                                        if (!c || ca || revoked) {
+                                                printhost(out, cp, pub,
+                                                    ca, revoked, 0);
+                                        } else {
                                                 printf("# Host %s found: "
                                                     "line %d type %s\n", name,
                                                     num, key_type(pub));
+                                        }
                                 }
+                        } else if (hash_hosts && (ca || revoked)) {
+                                /* Don't hash CA and revoked keys' hostnames */
+                                printhost(out, cp, pub, ca, revoked, 0);
+                                has_unhashed = 1;
                         } else if (hash_hosts) {
+                                /* Hash each hostname separately */
                                 for (cp2 = strsep(&cp, ",");
                                     cp2 != NULL && *cp2 != '\0';
                                     cp2 = strsep(&cp, ",")) {
-                                        if (ca) {
-                                                fprintf(stderr, "Warning: "
-                                                    "ignoring CA key for host: "
-                                                    "%.64s\n", cp2);
-                                                printhost(out, cp2, pub, ca, 0);
-                                        } else if (strcspn(cp2, "*?!") !=
+                                        if (strcspn(cp2, "*?!") !=
                                             strlen(cp2)) {
                                                 fprintf(stderr, "Warning: "
                                                     "ignoring host name with "
                                                     "metacharacters: %.64s\n",
                                                     cp2);
-                                                printhost(out, cp2, pub, ca, 0);
-                                        } else
-                                                printhost(out, cp2, pub, ca, 1);
+                                                printhost(out, cp2, pub, ca,
+                                                    revoked, 0);
+                                                has_unhashed = 1;
+                                        } else {
+                                                printhost(out, cp2, pub, ca,
+                                                    revoked, 1);
+                                        }
                                 }
-                                has_unhashed = 1;
                         }
                 }
                 key_free(pub);
@@ -1589,7 +1613,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                 }
         }
 
+#ifdef ENABLE_PKCS11
         pkcs11_init(1);
+#endif
         tmp = tilde_expand_filename(ca_key_path, pw->pw_uid);
         if (pkcs11provider != NULL) {
                 if ((ca = load_pkcs11_key(tmp)) == NULL)
@@ -1631,12 +1657,12 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                 public->cert->valid_after = cert_valid_from;
                 public->cert->valid_before = cert_valid_to;
                 if (v00) {
-                        prepare_options_buf(&public->cert->critical,
+                        prepare_options_buf(public->cert->critical,
                             OPTIONS_CRITICAL|OPTIONS_EXTENSIONS);
                 } else {
-                        prepare_options_buf(&public->cert->critical,
+                        prepare_options_buf(public->cert->critical,
                             OPTIONS_CRITICAL);
-                        prepare_options_buf(&public->cert->extensions,
+                        prepare_options_buf(public->cert->extensions,
                             OPTIONS_EXTENSIONS);
                 }
                 public->cert->signature_key = key_from_private(ca);
@@ -1672,7 +1698,9 @@ do_ca_sign(struct passwd *pw, int argc, char **argv)
                 key_free(public);
                 free(out);
         }
+#ifdef ENABLE_PKCS11
         pkcs11_terminate();
+#endif
         exit(0);
 }
 
@@ -1820,8 +1848,8 @@ add_cert_option(char *opt)
 static void
 show_options(const Buffer *optbuf, int v00, int in_critical)
 {
-        char *name;
-        u_char *data;
+        char *name, *arg;
+        const u_char *data;
         u_int dlen;
         Buffer options, option;
 
@@ -1844,9 +1872,9 @@ show_options(const Buffer *optbuf, int v00, int in_critical)
                 else if ((v00 || in_critical) &&
                     (strcmp(name, "force-command") == 0 ||
                     strcmp(name, "source-address") == 0)) {
-                        data = buffer_get_string(&option, NULL);
-                        printf(" %s\n", data);
-                        free(data);
+                        arg = buffer_get_cstring(&option, NULL);
+                        printf(" %s\n", arg);
+                        free(arg);
                 } else {
                         printf(" UNKNOWN OPTION (len %u)\n",
                             buffer_len(&option));
@@ -1905,24 +1933,25 @@ do_show_cert(struct passwd *pw)
                 printf("\n");
         }
         printf("        Critical Options: ");
-        if (buffer_len(&key->cert->critical) == 0)
+        if (buffer_len(key->cert->critical) == 0)
                 printf("(none)\n");
         else {
                 printf("\n");
-                show_options(&key->cert->critical, v00, 1);
+                show_options(key->cert->critical, v00, 1);
         }
         if (!v00) {
                 printf("        Extensions: ");
-                if (buffer_len(&key->cert->extensions) == 0)
+                if (buffer_len(key->cert->extensions) == 0)
                         printf("(none)\n");
                 else {
                         printf("\n");
-                        show_options(&key->cert->extensions, v00, 0);
+                        show_options(key->cert->extensions, v00, 0);
                 }
         }
         exit(0);
 }
 
+#ifdef WITH_OPENSSL
 static void
 load_krl(const char *path, struct ssh_krl **krlp)
 {
@@ -2145,60 +2174,40 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
         ssh_krl_free(krl);
         exit(ret);
 }
+#endif
 
 static void
 usage(void)
 {
-        fprintf(stderr, "usage: %s [options]\n", __progname);
-        fprintf(stderr, "Options:\n");
-        fprintf(stderr, "  -A          Generate non-existent host keys for all key types.\n");
-        fprintf(stderr, "  -a number   Number of KDF rounds for new key format or moduli primality tests.\n");
-        fprintf(stderr, "  -B          Show bubblebabble digest of key file.\n");
-        fprintf(stderr, "  -b bits     Number of bits in the key to create.\n");
-        fprintf(stderr, "  -C comment  Provide new comment.\n");
-        fprintf(stderr, "  -c          Change comment in private and public key files.\n");
+        fprintf(stderr,
+            "usage: ssh-keygen [-q] [-b bits] [-t dsa | ecdsa | ed25519 | rsa | rsa1]\n"
+            "                  [-N new_passphrase] [-C comment] [-f output_keyfile]\n"
+            "       ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]\n"
+            "       ssh-keygen -i [-m key_format] [-f input_keyfile]\n"
+            "       ssh-keygen -e [-m key_format] [-f input_keyfile]\n"
+            "       ssh-keygen -y [-f input_keyfile]\n"
+            "       ssh-keygen -c [-P passphrase] [-C comment] [-f keyfile]\n"
+            "       ssh-keygen -l [-f input_keyfile]\n"
+            "       ssh-keygen -B [-f input_keyfile]\n");
 #ifdef ENABLE_PKCS11
-        fprintf(stderr, "  -D pkcs11   Download public key from pkcs11 token.\n");
+        fprintf(stderr,
+            "       ssh-keygen -D pkcs11\n");
 #endif
-        fprintf(stderr, "  -e          Export OpenSSH to foreign format key file.\n");
-        fprintf(stderr, "  -F hostname Find hostname in known hosts file.\n");
-        fprintf(stderr, "  -f filename Filename of the key file.\n");
-        fprintf(stderr, "  -G file     Generate candidates for DH-GEX moduli.\n");
-        fprintf(stderr, "  -g          Use generic DNS resource record format.\n");
-        fprintf(stderr, "  -H          Hash names in known_hosts file.\n");
-        fprintf(stderr, "  -h          Generate host certificate instead of a user certificate.\n");
-        fprintf(stderr, "  -I key_id   Key identifier to include in certificate.\n");
-        fprintf(stderr, "  -i          Import foreign format to OpenSSH key file.\n");
-        fprintf(stderr, "  -J number   Screen this number of moduli lines.\n");
-        fprintf(stderr, "  -j number   Start screening moduli at specified line.\n");
-        fprintf(stderr, "  -K checkpt  Write checkpoints to this file.\n");
-        fprintf(stderr, "  -k          Generate a KRL file.\n");
-        fprintf(stderr, "  -L          Print the contents of a certificate.\n");
-        fprintf(stderr, "  -l          Show fingerprint of key file.\n");
-        fprintf(stderr, "  -M memory   Amount of memory (MB) to use for generating DH-GEX moduli.\n");
-        fprintf(stderr, "  -m key_fmt  Conversion format for -e/-i (PEM|PKCS8|RFC4716).\n");
-        fprintf(stderr, "  -N phrase   Provide new passphrase.\n");
-        fprintf(stderr, "  -n name,... User/host principal names to include in certificate\n");
-        fprintf(stderr, "  -O option   Specify a certificate option.\n");
-        fprintf(stderr, "  -o          Enforce new private key format.\n");
-        fprintf(stderr, "  -P phrase   Provide old passphrase.\n");
-        fprintf(stderr, "  -p          Change passphrase of private key file.\n");
-        fprintf(stderr, "  -Q          Test whether key(s) are revoked in KRL.\n");
-        fprintf(stderr, "  -q          Quiet.\n");
-        fprintf(stderr, "  -R hostname Remove host from known_hosts file.\n");
-        fprintf(stderr, "  -r hostname Print DNS resource record.\n");
-        fprintf(stderr, "  -S start    Start point (hex) for generating DH-GEX moduli.\n");
-        fprintf(stderr, "  -s ca_key   Certify keys with CA key.\n");
-        fprintf(stderr, "  -T file     Screen candidates for DH-GEX moduli.\n");
-        fprintf(stderr, "  -t type     Specify type of key to create.\n");
-        fprintf(stderr, "  -u          Update KRL rather than creating a new one.\n");
-        fprintf(stderr, "  -V from:to  Specify certificate validity interval.\n");
-        fprintf(stderr, "  -v          Verbose.\n");
-        fprintf(stderr, "  -W gen      Generator to use for generating DH-GEX moduli.\n");
-        fprintf(stderr, "  -y          Read private key file and print public key.\n");
-        fprintf(stderr, "  -Z cipher   Specify a cipher for new private key format.\n");
-        fprintf(stderr, "  -z serial   Specify a serial number.\n");
-
+        fprintf(stderr,
+            "       ssh-keygen -F hostname [-f known_hosts_file] [-l]\n"
+            "       ssh-keygen -H [-f known_hosts_file]\n"
+            "       ssh-keygen -R hostname [-f known_hosts_file]\n"
+            "       ssh-keygen -r hostname [-f input_keyfile] [-g]\n"
+            "       ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"
+            "       ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"
+            "                  [-j start_line] [-K checkpt] [-W generator]\n"
+            "       ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"
+            "                  [-O option] [-V validity_interval] [-z serial_number] file ...\n"
+            "       ssh-keygen -L [-f input_keyfile]\n"
+            "       ssh-keygen -A\n"
+            "       ssh-keygen -k -f krl_file [-u] [-s ca_public] [-z version_number]\n"
+            "                  file ...\n"
+            "       ssh-keygen -Q -f krl_file file ...\n");
         exit(1);
 }
 
@@ -2469,6 +2478,7 @@ main(int argc, char **argv)
                 printf("Cannot use -l with -H or -R.\n");
                 usage();
         }
+#ifdef WITH_OPENSSL
         if (gen_krl) {
                 do_gen_krl(pw, update_krl, argc, argv);
                 return (0);
@@ -2477,6 +2487,7 @@ main(int argc, char **argv)
                 do_check_krl(pw, argc, argv);
                 return (0);
         }
+#endif
         if (ca_key_path != NULL) {
                 if (cert_key_id == NULL)
                         fatal("Must specify key id (-I) when certifying");
@@ -2494,10 +2505,12 @@ main(int argc, char **argv)
                 do_change_passphrase(pw);
         if (change_comment)
                 do_change_comment(pw);
+#ifdef WITH_OPENSSL
         if (convert_to)
                 do_convert_to(pw);
         if (convert_from)
                 do_convert_from(pw);
+#endif
         if (print_public)
                 do_print_public(pw);
         if (rr_hostname != NULL) {
@@ -2519,7 +2532,8 @@ main(int argc, char **argv)
                             _PATH_HOST_DSA_KEY_FILE, rr_hostname);
                         n += do_print_resource_record(pw,
                             _PATH_HOST_ECDSA_KEY_FILE, rr_hostname);
-
+                        n += do_print_resource_record(pw,
+                            _PATH_HOST_ED25519_KEY_FILE, rr_hostname);
                         if (n == 0)
                                 fatal("no keys found.");
                         exit(0);
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 638c19b48..853bd5152 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -1,4 +1,4 @@
-SSH-KEYSCAN(1)             OpenBSD Reference Manual             SSH-KEYSCAN(1)
+SSH-KEYSCAN(1)              General Commands Manual             SSH-KEYSCAN(1)
 
 NAME
      ssh-keyscan - gather ssh public keys
@@ -51,7 +51,8 @@ DESCRIPTION
              The possible values are ``rsa1'' for protocol version 1 and
              ``dsa'', ``ecdsa'', ``ed25519'', or ``rsa'' for protocol version
              2.  Multiple values may be specified by separating them with
-             commas.  The default is to fetch ``rsa'' and ``ecdsa'' keys.
+             commas.  The default is to fetch ``rsa'', ``ecdsa'', and
+             ``ed25519'' keys.
 
      -v      Verbose mode.  Causes ssh-keyscan to print debugging messages
              about its progress.
@@ -69,11 +70,11 @@ FILES
 
      1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
 
-     Output format for rsa1 keys:
+     Output format for RSA1 keys:
 
      host-or-namelist bits exponent modulus
 
-     Output format for rsa, dsa and ecdsa keys:
+     Output format for RSA, DSA, ECDSA, and ED25519 keys:
 
      host-or-namelist keytype base64-encoded-key
 
@@ -90,7 +91,7 @@ EXAMPLES
      Find all hosts from the file ssh_hosts which have new or different keys
      from those in the sorted file ssh_known_hosts:
 
-     $ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \
+     $ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \
              sort -u - ssh_known_hosts | diff ssh_known_hosts -
 
 SEE ALSO
@@ -107,4 +108,4 @@ BUGS
      This is because it opens a connection to the ssh port, reads the public
      key, and drops the connection as soon as it gets the key.
 
-OpenBSD 5.5                    January 28, 2014                    OpenBSD 5.5
+OpenBSD 5.6                     March 12, 2014                     OpenBSD 5.6
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index dae4fd9fb..5c32ea9c7 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.34 2014/01/28 14:13:39 jmc Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.35 2014/03/12 13:06:59 naddy Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: January 28 2014 $
+.Dd $Mdocdate: March 12 2014 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -98,9 +98,10 @@ or
 for protocol version 2.
 Multiple values may be specified by separating them with commas.
 The default is to fetch
-.Dq rsa
+.Dq rsa ,
+.Dq ecdsa ,
 and
-.Dq ecdsa
+.Dq ed25519
 keys.
 .It Fl v
 Verbose mode.
@@ -124,12 +125,12 @@ Input format:
 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
 .Ed
 .Pp
-Output format for rsa1 keys:
+Output format for RSA1 keys:
 .Bd -literal
 host-or-namelist bits exponent modulus
 .Ed
 .Pp
-Output format for rsa, dsa and ecdsa keys:
+Output format for RSA, DSA, ECDSA, and ED25519 keys:
 .Bd -literal
 host-or-namelist keytype base64-encoded-key
 .Ed
@@ -158,7 +159,7 @@ Find all hosts from the file
 which have new or different keys from those in the sorted file
 .Pa ssh_known_hosts :
 .Bd -literal
-$ ssh-keyscan -t rsa,dsa,ecdsa -f ssh_hosts | \e
+$ ssh-keyscan -t rsa,dsa,ecdsa,ed25519 -f ssh_hosts | \e
         sort -u - ssh_known_hosts | diff ssh_known_hosts -
 .Ed
 .Sh SEE ALSO
diff --git a/ssh-keyscan.c b/ssh-keyscan.c
index 8d0a6b8d8..3fabfba14 100644
--- a/ssh-keyscan.c
+++ b/ssh-keyscan.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keyscan.c,v 1.89 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: ssh-keyscan.c,v 1.92 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
  *
@@ -58,7 +58,7 @@ int ssh_port = SSH_DEFAULT_PORT;
 #define KT_ECDSA        8
 #define KT_ED25519      16
 
-int get_keytypes = KT_RSA|KT_ECDSA;/* Get RSA and ECDSA keys by default */
+int get_keytypes = KT_RSA|KT_ECDSA|KT_ED25519;
 
 int hash_hosts = 0;             /* Hash hostname on output */
 
@@ -182,6 +182,7 @@ strnnsep(char **stringp, char *delim)
         return (tok);
 }
 
+#ifdef WITH_SSH1
 static Key *
 keygrab_ssh1(con *c)
 {
@@ -215,6 +216,7 @@ keygrab_ssh1(con *c)
 
         return (rsa);
 }
+#endif
 
 static int
 hostjump(Key *hostkey)
@@ -242,6 +244,7 @@ ssh2_capable(int remote_major, int remote_minor)
 static Key *
 keygrab_ssh2(con *c)
 {
+        char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
         int j;
 
         packet_set_connection(c->c_fd, c->c_fd);
@@ -252,11 +255,13 @@ keygrab_ssh2(con *c)
             (c->c_keytype == KT_ED25519 ? "ssh-ed25519" :
             "ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521"));
         c->c_kex = kex_setup(myproposal);
+#ifdef WITH_OPENSSL
         c->c_kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
         c->c_kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
         c->c_kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
         c->c_kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
         c->c_kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+#endif
         c->c_kex->kex[KEX_C25519_SHA256] = kexc25519_client;
         c->c_kex->verify_host_key = hostjump;
 
@@ -506,10 +511,12 @@ conread(int s)
                         c->c_data = xmalloc(c->c_len);
                         c->c_status = CS_KEYS;
                         break;
+#ifdef WITH_SSH1
                 case CS_KEYS:
                         keyprint(c, keygrab_ssh1(c));
                         confree(s);
                         return;
+#endif
                 default:
                         fatal("conread: invalid status %d", c->c_status);
                         break;
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 5f18b54e3..c34125b72 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -1,4 +1,4 @@
-SSH-KEYSIGN(8)          OpenBSD System Manager's Manual         SSH-KEYSIGN(8)
+SSH-KEYSIGN(8)              System Manager's Manual             SSH-KEYSIGN(8)
 
 NAME
      ssh-keysign - ssh helper program for host-based authentication
@@ -50,4 +50,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
+OpenBSD 5.6                    December 7, 2013                    OpenBSD 5.6
diff --git a/ssh-keysign.c b/ssh-keysign.c
index 6bde8ad17..d95bb7d9d 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keysign.c,v 1.39 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: ssh-keysign.c,v 1.42 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright (c) 2002 Markus Friedl.  All rights reserved.
  *
@@ -155,7 +155,7 @@ main(int argc, char **argv)
         struct passwd *pw;
         int key_fd[NUM_KEYTYPES], i, found, version = 2, fd;
         u_char *signature, *data;
-        char *host;
+        char *host, *fp;
         u_int slen, dlen;
         u_int32_t rnd[256];
 
@@ -201,8 +201,7 @@ main(int argc, char **argv)
                 fatal("could not open any host key");
 
         OpenSSL_add_all_algorithms();
-        for (i = 0; i < 256; i++)
-                rnd[i] = arc4random();
+        arc4random_buf(rnd, sizeof(rnd));
         RAND_seed(rnd, sizeof(rnd));
 
         found = 0;
@@ -210,8 +209,11 @@ main(int argc, char **argv)
                 keys[i] = NULL;
                 if (key_fd[i] == -1)
                         continue;
+#ifdef WITH_OPENSSL
+/* XXX wrong api */
                 keys[i] = key_load_private_pem(key_fd[i], KEY_UNSPEC,
                     NULL, NULL);
+#endif
                 close(key_fd[i]);
                 if (keys[i] != NULL)
                         found = 1;
@@ -243,8 +245,11 @@ main(int argc, char **argv)
                         break;
                 }
         }
-        if (!found)
-                fatal("no matching hostkey found");
+        if (!found) {
+                fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
+                fatal("no matching hostkey found for key %s %s",
+                    key_type(key), fp);
+        }
 
         if (key_sign(keys[i], &signature, &slen, data, dlen) != 0)
                 fatal("key_sign failed");
diff --git a/ssh-pkcs11-client.c b/ssh-pkcs11-client.c
index 6c9f9d2c1..8c74864aa 100644
--- a/ssh-pkcs11-client.c
+++ b/ssh-pkcs11-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-client.c,v 1.4 2013/05/17 00:13:14 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-client.c,v 1.5 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -30,6 +30,8 @@
 #include <unistd.h>
 #include <errno.h>
 
+#include <openssl/rsa.h>
+
 #include "pathnames.h"
 #include "xmalloc.h"
 #include "buffer.h"
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index 20d62f7a9..279ec5486 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -1,4 +1,4 @@
-SSH-PKCS11-HELPER(8)    OpenBSD System Manager's Manual   SSH-PKCS11-HELPER(8)
+SSH-PKCS11-HELPER(8)        System Manager's Manual       SSH-PKCS11-HELPER(8)
 
 NAME
      ssh-pkcs11-helper - ssh-agent helper program for PKCS#11 support
@@ -22,4 +22,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.5                      July 16, 2013                     OpenBSD 5.5
+OpenBSD 5.6                      July 16, 2013                     OpenBSD 5.6
diff --git a/ssh-pkcs11-helper.c b/ssh-pkcs11-helper.c
index b7c52beb8..0b1d8e4cc 100644
--- a/ssh-pkcs11-helper.c
+++ b/ssh-pkcs11-helper.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11-helper.c,v 1.7 2013/12/02 02:56:17 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11-helper.c,v 1.8 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -169,7 +169,7 @@ process_sign(void)
 {
         u_char *blob, *data, *signature = NULL;
         u_int blen, dlen, slen = 0;
-        int ok = -1, ret;
+        int ok = -1;
         Key *key, *found;
         Buffer msg;
 
@@ -179,6 +179,9 @@ process_sign(void)
 
         if ((key = key_from_blob(blob, blen)) != NULL) {
                 if ((found = lookup_key(key)) != NULL) {
+#ifdef WITH_OPENSSL
+                        int ret;
+
                         slen = RSA_size(key->rsa);
                         signature = xmalloc(slen);
                         if ((ret = RSA_private_encrypt(dlen, data, signature,
@@ -186,6 +189,7 @@ process_sign(void)
                                 slen = ret;
                                 ok = 0;
                         }
+#endif /* WITH_OPENSSL */
                 }
                 key_free(key);
         }
diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index c49cbf42b..c96be3bd2 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.11 2013/11/13 13:48:20 markus Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.14 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -520,7 +520,7 @@ pkcs11_fetch_keys_filter(struct pkcs11_provider *p, CK_ULONG slotidx,
                         key = key_new(KEY_UNSPEC);
                         key->rsa = rsa;
                         key->type = KEY_RSA;
-                        key->flags |= KEY_FLAG_EXT;
+                        key->flags |= SSHKEY_FLAG_EXT;
                         if (pkcs11_key_included(keysp, nkeys, key)) {
                                 key_free(key);
                         } else {
diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
index 59f456adf..4d2efda13 100644
--- a/ssh-pkcs11.h
+++ b/ssh-pkcs11.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.h,v 1.2 2010/02/24 06:12:53 djm Exp $ */
+/* $OpenBSD: ssh-pkcs11.h,v 1.3 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -18,3 +18,7 @@ int	pkcs11_init(int);
 void    pkcs11_terminate(void);
 int     pkcs11_add_provider(char *, char *, Key ***);
 int     pkcs11_del_provider(char *);
+
+#if !defined(WITH_OPENSSL) && defined(ENABLE_PKCS11)
+#undef ENABLE_PKCS11
+#endif
diff --git a/ssh-rsa.c b/ssh-rsa.c
index c6f25b3ee..fec1953b4 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.51 2014/02/02 03:44:31 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.52 2014/06/24 01:13:21 djm Exp $ */
 /*
  * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
  *
@@ -25,163 +25,167 @@
 #include <stdarg.h>
 #include <string.h>
 
-#include "xmalloc.h"
-#include "log.h"
-#include "buffer.h"
-#include "key.h"
+#include "sshbuf.h"
 #include "compat.h"
-#include "misc.h"
-#include "ssh.h"
+#include "ssherr.h"
+#define SSHKEY_INTERNAL
+#include "sshkey.h"
 #include "digest.h"
 
-static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
+static int openssh_RSA_verify(int, u_char *, size_t, u_char *, size_t, RSA *);
 
 /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
 int
-ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-    const u_char *data, u_int datalen)
+ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat)
 {
         int hash_alg;
-        u_char digest[SSH_DIGEST_MAX_LENGTH], *sig;
-        u_int slen, dlen, len;
-        int ok, nid;
-        Buffer b;
+        u_char digest[SSH_DIGEST_MAX_LENGTH], *sig = NULL;
+        size_t slen;
+        u_int dlen, len;
+        int nid, ret = SSH_ERR_INTERNAL_ERROR;
+        struct sshbuf *b = NULL;
 
-        if (key == NULL || key_type_plain(key->type) != KEY_RSA ||
-            key->rsa == NULL) {
-                error("%s: no RSA key", __func__);
-                return -1;
-        }
+        if (lenp != NULL)
+                *lenp = 0;
+        if (sigp != NULL)
+                *sigp = NULL;
+
+        if (key == NULL || key->rsa == NULL ||
+            sshkey_type_plain(key->type) != KEY_RSA)
+                return SSH_ERR_INVALID_ARGUMENT;
+        slen = RSA_size(key->rsa);
+        if (slen <= 0 || slen > SSHBUF_MAX_BIGNUM)
+                return SSH_ERR_INVALID_ARGUMENT;
 
         /* hash the data */
         hash_alg = SSH_DIGEST_SHA1;
         nid = NID_sha1;
-        if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
-                error("%s: bad hash algorithm %d", __func__, hash_alg);
-                return -1;
-        }
-        if (ssh_digest_memory(hash_alg, data, datalen,
-            digest, sizeof(digest)) != 0) {
-                error("%s: ssh_digest_memory failed", __func__);
-                return -1;
-        }
-
-        slen = RSA_size(key->rsa);
-        sig = xmalloc(slen);
-
-        ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
-        explicit_bzero(digest, sizeof(digest));
+        if ((dlen = ssh_digest_bytes(hash_alg)) == 0)
+                return SSH_ERR_INTERNAL_ERROR;
+        if ((ret = ssh_digest_memory(hash_alg, data, datalen,
+            digest, sizeof(digest))) != 0)
+                goto out;
 
-        if (ok != 1) {
-                int ecode = ERR_get_error();
+        if ((sig = malloc(slen)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
 
-                error("%s: RSA_sign failed: %s", __func__,
-                    ERR_error_string(ecode, NULL));
-                free(sig);
-                return -1;
+        if (RSA_sign(nid, digest, dlen, sig, &len, key->rsa) != 1) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
         }
         if (len < slen) {
-                u_int diff = slen - len;
-                debug("slen %u > len %u", slen, len);
+                size_t diff = slen - len;
                 memmove(sig + diff, sig, len);
                 explicit_bzero(sig, diff);
         } else if (len > slen) {
-                error("%s: slen %u slen2 %u", __func__, slen, len);
-                free(sig);
-                return -1;
+                ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
         }
         /* encode signature */
-        buffer_init(&b);
-        buffer_put_cstring(&b, "ssh-rsa");
-        buffer_put_string(&b, sig, slen);
-        len = buffer_len(&b);
+        if ((b = sshbuf_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((ret = sshbuf_put_cstring(b, "ssh-rsa")) != 0 ||
+            (ret = sshbuf_put_string(b, sig, slen)) != 0)
+                goto out;
+        len = sshbuf_len(b);
+        if (sigp != NULL) {
+                if ((*sigp = malloc(len)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                memcpy(*sigp, sshbuf_ptr(b), len);
+        }
         if (lenp != NULL)
                 *lenp = len;
-        if (sigp != NULL) {
-                *sigp = xmalloc(len);
-                memcpy(*sigp, buffer_ptr(&b), len);
+        ret = 0;
+ out:
+        explicit_bzero(digest, sizeof(digest));
+        if (sig != NULL) {
+                explicit_bzero(sig, slen);
+                free(sig);
         }
-        buffer_free(&b);
-        explicit_bzero(sig, slen);
-        free(sig);
-
+        if (b != NULL)
+                sshbuf_free(b);
         return 0;
 }
 
 int
-ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
-    const u_char *data, u_int datalen)
+ssh_rsa_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat)
 {
-        Buffer b;
-        int hash_alg;
-        char *ktype;
-        u_char digest[SSH_DIGEST_MAX_LENGTH], *sigblob;
-        u_int len, dlen, modlen;
-        int rlen, ret;
+        char *ktype = NULL;
+        int hash_alg, ret = SSH_ERR_INTERNAL_ERROR;
+        size_t len, diff, modlen, dlen;
+        struct sshbuf *b = NULL;
+        u_char digest[SSH_DIGEST_MAX_LENGTH], *osigblob, *sigblob = NULL;
 
-        if (key == NULL || key_type_plain(key->type) != KEY_RSA ||
-            key->rsa == NULL) {
-                error("%s: no RSA key", __func__);
-                return -1;
-        }
+        if (key == NULL || key->rsa == NULL ||
+            sshkey_type_plain(key->type) != KEY_RSA ||
+            BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE)
+                return SSH_ERR_INVALID_ARGUMENT;
 
-        if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-                error("%s: RSA modulus too small: %d < minimum %d bits",
-                    __func__, BN_num_bits(key->rsa->n),
-                    SSH_RSA_MINIMUM_MODULUS_SIZE);
-                return -1;
+        if ((b = sshbuf_from(signature, signaturelen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
         }
-        buffer_init(&b);
-        buffer_append(&b, signature, signaturelen);
-        ktype = buffer_get_cstring(&b, NULL);
         if (strcmp("ssh-rsa", ktype) != 0) {
-                error("%s: cannot handle type %s", __func__, ktype);
-                buffer_free(&b);
-                free(ktype);
-                return -1;
+                ret = SSH_ERR_KEY_TYPE_MISMATCH;
+                goto out;
         }
-        free(ktype);
-        sigblob = buffer_get_string(&b, &len);
-        rlen = buffer_len(&b);
-        buffer_free(&b);
-        if (rlen != 0) {
-                error("%s: remaining bytes in signature %d", __func__, rlen);
-                free(sigblob);
-                return -1;
+        if (sshbuf_get_string(b, &sigblob, &len) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        if (sshbuf_len(b) != 0) {
+                ret = SSH_ERR_UNEXPECTED_TRAILING_DATA;
+                goto out;
         }
         /* RSA_verify expects a signature of RSA_size */
         modlen = RSA_size(key->rsa);
         if (len > modlen) {
-                error("%s: len %u > modlen %u", __func__, len, modlen);
-                free(sigblob);
-                return -1;
+                ret = SSH_ERR_KEY_BITS_MISMATCH;
+                goto out;
         } else if (len < modlen) {
-                u_int diff = modlen - len;
-                debug("%s: add padding: modlen %u > len %u", __func__,
-                    modlen, len);
-                sigblob = xrealloc(sigblob, 1, modlen);
+                diff = modlen - len;
+                osigblob = sigblob;
+                if ((sigblob = realloc(sigblob, modlen)) == NULL) {
+                        sigblob = osigblob; /* put it back for clear/free */
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
                 memmove(sigblob + diff, sigblob, len);
                 explicit_bzero(sigblob, diff);
                 len = modlen;
         }
-        /* hash the data */
         hash_alg = SSH_DIGEST_SHA1;
         if ((dlen = ssh_digest_bytes(hash_alg)) == 0) {
-                error("%s: bad hash algorithm %d", __func__, hash_alg);
-                return -1;
-        }
-        if (ssh_digest_memory(hash_alg, data, datalen,
-            digest, sizeof(digest)) != 0) {
-                error("%s: ssh_digest_memory failed", __func__);
-                return -1;
+                ret = SSH_ERR_INTERNAL_ERROR;
+                goto out;
         }
+        if ((ret = ssh_digest_memory(hash_alg, data, datalen,
+            digest, sizeof(digest))) != 0)
+                goto out;
 
         ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
             key->rsa);
+ out:
+        if (sigblob != NULL) {
+                explicit_bzero(sigblob, len);
+                free(sigblob);
+        }
+        if (ktype != NULL)
+                free(ktype);
+        if (b != NULL)
+                sshbuf_free(b);
         explicit_bzero(digest, sizeof(digest));
-        explicit_bzero(sigblob, len);
-        free(sigblob);
-        debug("%s: signature %scorrect", __func__, (ret == 0) ? "in" : "");
         return ret;
 }
 
@@ -204,15 +208,15 @@ static const u_char id_sha1[] = {
 };
 
 static int
-openssh_RSA_verify(int hash_alg, u_char *hash, u_int hashlen,
-    u_char *sigbuf, u_int siglen, RSA *rsa)
+openssh_RSA_verify(int hash_alg, u_char *hash, size_t hashlen,
+    u_char *sigbuf, size_t siglen, RSA *rsa)
 {
-        u_int ret, rsasize, oidlen = 0, hlen = 0;
+        size_t ret, rsasize = 0, oidlen = 0, hlen = 0;
         int len, oidmatch, hashmatch;
         const u_char *oid = NULL;
         u_char *decrypted = NULL;
 
-        ret = 0;
+        ret = SSH_ERR_INTERNAL_ERROR;
         switch (hash_alg) {
         case SSH_DIGEST_SHA1:
                 oid = id_sha1;
@@ -223,37 +227,39 @@ openssh_RSA_verify(int hash_alg, u_char *hash, u_int hashlen,
                 goto done;
         }
         if (hashlen != hlen) {
-                error("bad hashlen");
+                ret = SSH_ERR_INVALID_ARGUMENT;
                 goto done;
         }
         rsasize = RSA_size(rsa);
-        if (siglen == 0 || siglen > rsasize) {
-                error("bad siglen");
+        if (rsasize <= 0 || rsasize > SSHBUF_MAX_BIGNUM ||
+            siglen == 0 || siglen > rsasize) {
+                ret = SSH_ERR_INVALID_ARGUMENT;
+                goto done;
+        }
+        if ((decrypted = malloc(rsasize)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
                 goto done;
         }
-        decrypted = xmalloc(rsasize);
         if ((len = RSA_public_decrypt(siglen, sigbuf, decrypted, rsa,
             RSA_PKCS1_PADDING)) < 0) {
-                error("RSA_public_decrypt failed: %s",
-                    ERR_error_string(ERR_get_error(), NULL));
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
                 goto done;
         }
-        if (len < 0 || (u_int)len != hlen + oidlen) {
-                error("bad decrypted len: %d != %d + %d", len, hlen, oidlen);
+        if (len < 0 || (size_t)len != hlen + oidlen) {
+                ret = SSH_ERR_INVALID_FORMAT;
                 goto done;
         }
         oidmatch = timingsafe_bcmp(decrypted, oid, oidlen) == 0;
         hashmatch = timingsafe_bcmp(decrypted + oidlen, hash, hlen) == 0;
-        if (!oidmatch) {
-                error("oid mismatch");
-                goto done;
-        }
-        if (!hashmatch) {
-                error("hash mismatch");
+        if (!oidmatch || !hashmatch) {
+                ret = SSH_ERR_SIGNATURE_INVALID;
                 goto done;
         }
-        ret = 1;
+        ret = 0;
 done:
-        free(decrypted);
+        if (decrypted) {
+                explicit_bzero(decrypted, rsasize);
+                free(decrypted);
+        }
         return ret;
 }
diff --git a/ssh.0 b/ssh.0
index 16868cfca..70ea37733 100644
--- a/ssh.0
+++ b/ssh.0
@@ -1,4 +1,4 @@
-SSH(1)                     OpenBSD Reference Manual                     SSH(1)
+SSH(1)                      General Commands Manual                     SSH(1)
 
 NAME
      ssh - OpenSSH SSH client (remote login program)
@@ -17,8 +17,9 @@ DESCRIPTION
      ssh (SSH client) is a program for logging into a remote machine and for
      executing commands on a remote machine.  It is intended to replace rlogin
      and rsh, and provide secure encrypted communications between two
-     untrusted hosts over an insecure network.  X11 connections and arbitrary
-     TCP ports can also be forwarded over the secure channel.
+     untrusted hosts over an insecure network.  X11 connections, arbitrary TCP
+     ports and UNIX-domain sockets can also be forwarded over the secure
+     channel.
 
      ssh connects and logs into the specified hostname (with optional user
      name).  The user must prove his/her identity to the remote machine using
@@ -58,28 +59,21 @@ DESCRIPTION
              address.
 
      -C      Requests compression of all data (including stdin, stdout,
-             stderr, and data for forwarded X11 and TCP connections).  The
-             compression algorithm is the same used by gzip(1), and the
-             ``level'' can be controlled by the CompressionLevel option for
-             protocol version 1.  Compression is desirable on modem lines and
-             other slow connections, but will only slow down things on fast
-             networks.  The default value can be set on a host-by-host basis
-             in the configuration files; see the Compression option.
+             stderr, and data for forwarded X11, TCP and UNIX-domain
+             connections).  The compression algorithm is the same used by
+             gzip(1), and the ``level'' can be controlled by the
+             CompressionLevel option for protocol version 1.  Compression is
+             desirable on modem lines and other slow connections, but will
+             only slow down things on fast networks.  The default value can be
+             set on a host-by-host basis in the configuration files; see the
+             Compression option.
 
      -c cipher_spec
              Selects the cipher specification for encrypting the session.
 
              Protocol version 1 allows specification of a single cipher.  The
-             supported values are ``3des'', ``blowfish'', and ``des''.  3des
-             (triple-des) is an encrypt-decrypt-encrypt triple with three
-             different keys.  It is believed to be secure.  blowfish is a fast
-             block cipher; it appears very secure and is much faster than
-             3des.  des is only supported in the ssh client for
-             interoperability with legacy protocol 1 implementations that do
-             not support the 3des cipher.  Its use is strongly discouraged due
-             to cryptographic weaknesses.  The default is ``3des''.
-
-             For protocol version 2, cipher_spec is a comma-separated list of
+             supported values are ``3des'', ``blowfish'', and ``des''.  For
+             protocol version 2, cipher_spec is a comma-separated list of
              ciphers listed in order of preference.  See the Ciphers keyword
              in ssh_config(5) for more information.
 
@@ -133,7 +127,9 @@ DESCRIPTION
              port forwards to be successfully established before placing
              itself in the background.
 
-     -g      Allows remote hosts to connect to local forwarded ports.
+     -g      Allows remote hosts to connect to local forwarded ports.  If used
+             on a multiplexed connection, then this option must be specified
+             on the master process.
 
      -I pkcs11
              Specify the PKCS#11 shared library ssh should use to communicate
@@ -286,6 +282,8 @@ DESCRIPTION
                    SendEnv
                    ServerAliveInterval
                    ServerAliveCountMax
+                   StreamLocalBindMask
+                   StreamLocalBindUnlink
                    StrictHostKeyChecking
                    TCPKeepAlive
                    Tunnel
@@ -890,7 +888,7 @@ EXIT STATUS
 
 SEE ALSO
      scp(1), sftp(1), ssh-add(1), ssh-agent(1), ssh-keygen(1), ssh-keyscan(1),
-     tun(4), hosts.equiv(5), ssh_config(5), ssh-keysign(8), sshd(8)
+     tun(4), ssh_config(5), ssh-keysign(8), sshd(8)
 
 STANDARDS
      S. Lehtinen and C. Lonvick, The Secure Shell (SSH) Protocol Assigned
@@ -943,4 +941,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
+OpenBSD 5.6                      July 24, 2014                     OpenBSD 5.6
diff --git a/ssh.1 b/ssh.1
index 27794e2d0..fa5cfb2c2 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.343 2013/12/07 11:58:46 naddy Exp $
-.Dd $Mdocdate: December 7 2013 $
+.\" $OpenBSD: ssh.1,v 1.348 2014/07/24 22:57:10 millert Exp $
+.Dd $Mdocdate: July 24 2014 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -73,8 +73,9 @@ executing commands on a remote machine.
 It is intended to replace rlogin and rsh,
 and provide secure encrypted communications between
 two untrusted hosts over an insecure network.
-X11 connections and arbitrary TCP ports
-can also be forwarded over the secure channel.
+X11 connections, arbitrary TCP ports and
+.Ux Ns -domain
+sockets can also be forwarded over the secure channel.
 .Pp
 .Nm
 connects and logs into the specified
@@ -131,7 +132,9 @@ of the connection.
 Only useful on systems with more than one address.
 .It Fl C
 Requests compression of all data (including stdin, stdout, stderr, and
-data for forwarded X11 and TCP connections).
+data for forwarded X11, TCP and
+.Ux Ns -domain
+connections).
 The compression algorithm is the same used by
 .Xr gzip 1 ,
 and the
@@ -154,23 +157,6 @@ The supported values are
 .Dq blowfish ,
 and
 .Dq des .
-.Ar 3des
-(triple-des) is an encrypt-decrypt-encrypt triple with three different keys.
-It is believed to be secure.
-.Ar blowfish
-is a fast block cipher; it appears very secure and is much faster than
-.Ar 3des .
-.Ar des
-is only supported in the
-.Nm
-client for interoperability with legacy protocol 1 implementations
-that do not support the
-.Ar 3des
-cipher.
-Its use is strongly discouraged due to cryptographic weaknesses.
-The default is
-.Dq 3des .
-.Pp
 For protocol version 2,
 .Ar cipher_spec
 is a comma-separated list of ciphers
@@ -267,6 +253,8 @@ will wait for all remote port forwards to be successfully established
 before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
+If used on a multiplexed connection, then this option must be specified
+on the master process.
 .It Fl I Ar pkcs11
 Specify the PKCS#11 shared library
 .Nm
@@ -481,6 +469,8 @@ For full details of the options listed below, and their possible values, see
 .It SendEnv
 .It ServerAliveInterval
 .It ServerAliveCountMax
+.It StreamLocalBindMask
+.It StreamLocalBindUnlink
 .It StrictHostKeyChecking
 .It TCPKeepAlive
 .It Tunnel
@@ -1465,7 +1455,6 @@ if an error occurred.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr tun 4 ,
-.Xr hosts.equiv 5 ,
 .Xr ssh_config 5 ,
 .Xr ssh-keysign 8 ,
 .Xr sshd 8
diff --git a/ssh.c b/ssh.c
index 1e6cb9000..26e9681b7 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.401 2014/02/26 20:18:37 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.407 2014/07/17 07:22:19 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -71,8 +71,10 @@
 #include <netinet/in.h>
 #include <arpa/inet.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/evp.h>
 #include <openssl/err.h>
+#endif
 #include "openbsd-compat/openssl-compat.h"
 #include "openbsd-compat/sys-queue.h"
 
@@ -83,6 +85,7 @@
 #include "canohost.h"
 #include "compat.h"
 #include "cipher.h"
+#include "digest.h"
 #include "packet.h"
 #include "buffer.h"
 #include "channels.h"
@@ -93,9 +96,9 @@
 #include "dispatch.h"
 #include "clientloop.h"
 #include "log.h"
+#include "misc.h"
 #include "readconf.h"
 #include "sshconnect.h"
-#include "misc.h"
 #include "kex.h"
 #include "mac.h"
 #include "sshpty.h"
@@ -420,8 +423,11 @@ main(int ac, char **av)
         int timeout_ms;
         extern int optind, optreset;
         extern char *optarg;
-        Forward fwd;
+        struct Forward fwd;
         struct addrinfo *addrs = NULL;
+        struct ssh_digest_ctx *md;
+        u_char conn_hash[SSH_DIGEST_MAX_LENGTH];
+        char *conn_hash_hex;
 
         /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
         sanitise_stdfd();
@@ -539,7 +545,7 @@ main(int ac, char **av)
                         options.forward_x11_trusted = 1;
                         break;
                 case 'g':
-                        options.gateway_ports = 1;
+                        options.fwd_opts.gateway_ports = 1;
                         break;
                 case 'O':
                         if (stdio_forward_host != NULL)
@@ -631,7 +637,13 @@ main(int ac, char **av)
                         break;
                 case 'V':
                         fprintf(stderr, "%s, %s\n",
-                            SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
+                            SSH_RELEASE,
+#ifdef WITH_OPENSSL
+                            SSLeay_version(SSLEAY_VERSION)
+#else
+                            "without OpenSSL"
+#endif
+                        );
                         if (opt == 'V')
                                 exit(0);
                         break;
@@ -828,8 +840,10 @@ main(int ac, char **av)
 
         host_arg = xstrdup(host);
 
+#ifdef WITH_OPENSSL
         OpenSSL_add_all_algorithms();
         ERR_load_crypto_strings();
+#endif
 
         /* Initialize the command to execute on remote host. */
         buffer_init(&command);
@@ -876,7 +890,13 @@ main(int ac, char **av)
             SYSLOG_FACILITY_USER, !use_syslog);
 
         if (debug_flag)
-                logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
+                logit("%s, %s", SSH_RELEASE,
+#ifdef WITH_OPENSSL
+                    SSLeay_version(SSLEAY_VERSION)
+#else
+                    "without OpenSSL"
+#endif
+                );
 
         /* Parse the configuration files */
         process_config_files(pw);
@@ -914,10 +934,14 @@ main(int ac, char **av)
         if (addrs == NULL && options.num_permitted_cnames != 0 &&
             (option_clear_or_none(options.proxy_command) ||
             options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
-                if ((addrs = resolve_host(host, options.port, 1,
-                    cname, sizeof(cname))) == NULL)
-                        cleanup_exit(255); /* resolve_host logs the error */
-                check_follow_cname(&host, cname);
+                if ((addrs = resolve_host(host, options.port,
+                    option_clear_or_none(options.proxy_command),
+                    cname, sizeof(cname))) == NULL) {
+                        /* Don't fatal proxied host names not in the DNS */
+                        if (option_clear_or_none(options.proxy_command))
+                                cleanup_exit(255); /* logged in resolve_host */
+                } else
+                        check_follow_cname(&host, cname);
         }
 
         /*
@@ -982,12 +1006,29 @@ main(int ac, char **av)
         shorthost[strcspn(thishost, ".")] = '\0';
         snprintf(portstr, sizeof(portstr), "%d", options.port);
 
+        if ((md = ssh_digest_start(SSH_DIGEST_SHA1)) == NULL ||
+            ssh_digest_update(md, thishost, strlen(thishost)) < 0 ||
+            ssh_digest_update(md, host, strlen(host)) < 0 ||
+            ssh_digest_update(md, portstr, strlen(portstr)) < 0 ||
+            ssh_digest_update(md, options.user, strlen(options.user)) < 0 ||
+            ssh_digest_final(md, conn_hash, sizeof(conn_hash)) < 0)
+                fatal("%s: mux digest failed", __func__);
+        ssh_digest_free(md);
+        conn_hash_hex = tohex(conn_hash, ssh_digest_bytes(SSH_DIGEST_SHA1));
+
         if (options.local_command != NULL) {
                 debug3("expanding LocalCommand: %s", options.local_command);
                 cp = options.local_command;
-                options.local_command = percent_expand(cp, "d", pw->pw_dir,
-                    "h", host, "l", thishost, "n", host_arg, "r", options.user,
-                    "p", portstr, "u", pw->pw_name, "L", shorthost,
+                options.local_command = percent_expand(cp,
+                    "C", conn_hash_hex,
+                    "L", shorthost,
+                    "d", pw->pw_dir,
+                    "h", host,
+                    "l", thishost,
+                    "n", host_arg,
+                    "p", portstr,
+                    "r", options.user,
+                    "u", pw->pw_name,
                     (char *)NULL);
                 debug3("expanded LocalCommand: %s", options.local_command);
                 free(cp);
@@ -997,12 +1038,20 @@ main(int ac, char **av)
                 cp = tilde_expand_filename(options.control_path,
                     original_real_uid);
                 free(options.control_path);
-                options.control_path = percent_expand(cp, "h", host,
-                    "l", thishost, "n", host_arg, "r", options.user,
-                    "p", portstr, "u", pw->pw_name, "L", shorthost,
+                options.control_path = percent_expand(cp,
+                    "C", conn_hash_hex,
+                    "L", shorthost,
+                    "h", host,
+                    "l", thishost,
+                    "n", host_arg,
+                    "p", portstr,
+                    "r", options.user,
+                    "u", pw->pw_name,
                     (char *)NULL);
                 free(cp);
         }
+        free(conn_hash_hex);
+
         if (muxclient_command != 0 && options.control_path == NULL)
                 fatal("No ControlPath specified for \"-O\" command");
         if (options.control_path != NULL)
@@ -1256,13 +1305,17 @@ fork_postauth(void)
 static void
 ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
 {
-        Forward *rfwd = (Forward *)ctxt;
+        struct Forward *rfwd = (struct Forward *)ctxt;
 
         /* XXX verbose() on failure? */
-        debug("remote forward %s for: listen %d, connect %s:%d",
+        debug("remote forward %s for: listen %s%s%d, connect %s:%d",
             type == SSH2_MSG_REQUEST_SUCCESS ? "success" : "failure",
-            rfwd->listen_port, rfwd->connect_host, rfwd->connect_port);
-        if (rfwd->listen_port == 0) {
+            rfwd->listen_path ? rfwd->listen_path :
+            rfwd->listen_host ? rfwd->listen_host : "",
+            (rfwd->listen_path || rfwd->listen_host) ? ":" : "",
+            rfwd->listen_port, rfwd->connect_path ? rfwd->connect_path :
+            rfwd->connect_host, rfwd->connect_port);
+        if (rfwd->listen_path == NULL && rfwd->listen_port == 0) {
                 if (type == SSH2_MSG_REQUEST_SUCCESS) {
                         rfwd->allocated_port = packet_get_int();
                         logit("Allocated port %u for remote forward to %s:%d",
@@ -1276,12 +1329,21 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
         }
         
         if (type == SSH2_MSG_REQUEST_FAILURE) {
-                if (options.exit_on_forward_failure)
-                        fatal("Error: remote port forwarding failed for "
-                            "listen port %d", rfwd->listen_port);
-                else
-                        logit("Warning: remote port forwarding failed for "
-                            "listen port %d", rfwd->listen_port);
+                if (options.exit_on_forward_failure) {
+                        if (rfwd->listen_path != NULL)
+                                fatal("Error: remote port forwarding failed "
+                                    "for listen path %s", rfwd->listen_path);
+                        else
+                                fatal("Error: remote port forwarding failed "
+                                    "for listen port %d", rfwd->listen_port);
+                } else {
+                        if (rfwd->listen_path != NULL)
+                                logit("Warning: remote port forwarding failed "
+                                    "for listen path %s", rfwd->listen_path);
+                        else
+                                logit("Warning: remote port forwarding failed "
+                                    "for listen port %d", rfwd->listen_port);
+                }
         }
         if (++remote_forward_confirms_received == options.num_remote_forwards) {
                 debug("All remote forwarding requests processed");
@@ -1298,6 +1360,13 @@ client_cleanup_stdio_fwd(int id, void *arg)
 }
 
 static void
+ssh_stdio_confirm(int id, int success, void *arg)
+{
+        if (!success)
+                fatal("stdio forwarding failed");
+}
+
+static void
 ssh_init_stdio_forwarding(void)
 {
         Channel *c;
@@ -1317,6 +1386,7 @@ ssh_init_stdio_forwarding(void)
             stdio_forward_port, in, out)) == NULL)
                 fatal("%s: channel_connect_stdio_fwd failed", __func__);
         channel_register_cleanup(c->self, client_cleanup_stdio_fwd, 0);
+        channel_register_open_confirm(c->self, ssh_stdio_confirm, NULL);
 }
 
 static void
@@ -1329,18 +1399,18 @@ ssh_init_forwarding(void)
         for (i = 0; i < options.num_local_forwards; i++) {
                 debug("Local connections to %.200s:%d forwarded to remote "
                     "address %.200s:%d",
+                    (options.local_forwards[i].listen_path != NULL) ?
+                    options.local_forwards[i].listen_path :
                     (options.local_forwards[i].listen_host == NULL) ?
-                    (options.gateway_ports ? "*" : "LOCALHOST") :
+                    (options.fwd_opts.gateway_ports ? "*" : "LOCALHOST") :
                     options.local_forwards[i].listen_host,
                     options.local_forwards[i].listen_port,
+                    (options.local_forwards[i].connect_path != NULL) ?
+                    options.local_forwards[i].connect_path :
                     options.local_forwards[i].connect_host,
                     options.local_forwards[i].connect_port);
                 success += channel_setup_local_fwd_listener(
-                    options.local_forwards[i].listen_host,
-                    options.local_forwards[i].listen_port,
-                    options.local_forwards[i].connect_host,
-                    options.local_forwards[i].connect_port,
-                    options.gateway_ports);
+                    &options.local_forwards[i], &options.fwd_opts);
         }
         if (i > 0 && success != i && options.exit_on_forward_failure)
                 fatal("Could not request local forwarding.");
@@ -1351,17 +1421,18 @@ ssh_init_forwarding(void)
         for (i = 0; i < options.num_remote_forwards; i++) {
                 debug("Remote connections from %.200s:%d forwarded to "
                     "local address %.200s:%d",
+                    (options.remote_forwards[i].listen_path != NULL) ?
+                    options.remote_forwards[i].listen_path :
                     (options.remote_forwards[i].listen_host == NULL) ?
                     "LOCALHOST" : options.remote_forwards[i].listen_host,
                     options.remote_forwards[i].listen_port,
+                    (options.remote_forwards[i].connect_path != NULL) ?
+                    options.remote_forwards[i].connect_path :
                     options.remote_forwards[i].connect_host,
                     options.remote_forwards[i].connect_port);
                 options.remote_forwards[i].handle =
                     channel_request_remote_forwarding(
-                    options.remote_forwards[i].listen_host,
-                    options.remote_forwards[i].listen_port,
-                    options.remote_forwards[i].connect_host,
-                    options.remote_forwards[i].connect_port);
+                    &options.remote_forwards[i]);
                 if (options.remote_forwards[i].handle < 0) {
                         if (options.exit_on_forward_failure)
                                 fatal("Could not request remote forwarding.");
diff --git a/ssh_config.0 b/ssh_config.0
index 6fbd10d61..c40ce5f08 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -1,4 +1,4 @@
-SSH_CONFIG(5)             OpenBSD Programmer's Manual            SSH_CONFIG(5)
+SSH_CONFIG(5)                 File Formats Manual                SSH_CONFIG(5)
 
 NAME
      ssh_config - OpenSSH SSH client configuration files
@@ -176,19 +176,30 @@ DESCRIPTION
              preference.  Multiple ciphers must be comma-separated.  The
              supported ciphers are:
 
-             ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
-             ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
-             ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
-             ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
-             ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''.
+                   3des-cbc
+                   aes128-cbc
+                   aes192-cbc
+                   aes256-cbc
+                   aes128-ctr
+                   aes192-ctr
+                   aes256-ctr
+                   aes128-gcm@openssh.com
+                   aes256-gcm@openssh.com
+                   arcfour
+                   arcfour128
+                   arcfour256
+                   blowfish-cbc
+                   cast128-cbc
+                   chacha20-poly1305@openssh.com
 
              The default is:
 
-                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
-                aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-                chacha20-poly1305@openssh.com,
-                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-                aes256-cbc,arcfour
+                   aes128-ctr,aes192-ctr,aes256-ctr,
+                   aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+                   chacha20-poly1305@openssh.com,
+                   arcfour256,arcfour128,
+                   aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
+                   aes192-cbc,aes256-cbc,arcfour
 
              The list of available ciphers may also be obtained using the -Q
              option of ssh(1).
@@ -261,10 +272,12 @@ DESCRIPTION
              any domain name), `%h' will be substituted by the target host
              name, `%n' will be substituted by the original target host name
              specified on the command line, `%p' the destination port, `%r' by
-             the remote login username, and `%u' by the username of the user
-             running ssh(1).  It is recommended that any ControlPath used for
-             opportunistic connection sharing include at least %h, %p, and %r.
-             This ensures that shared connections are uniquely identified.
+             the remote login username, `%u' by the username of the user
+             running ssh(1), and `%C' by a hash of the concatenation:
+             %l%h%p%r.  It is recommended that any ControlPath used for
+             opportunistic connection sharing include at least %h, %p, and %r
+             (or alternatively %C).  This ensures that shared connections are
+             uniquely identified.
 
      ControlPersist
              When used in conjunction with ControlMaster, specifies that the
@@ -437,10 +450,13 @@ DESCRIPTION
              specify nicknames or abbreviations for hosts.  If the hostname
              contains the character sequence `%h', then this will be replaced
              with the host name specified on the command line (this is useful
-             for manipulating unqualified names).  The default is the name
-             given on the command line.  Numeric IP addresses are also
-             permitted (both on the command line and in HostName
-             specifications).
+             for manipulating unqualified names).  The character sequence `%%'
+             will be replaced by a single `%' character, which may be used
+             when specifying IPv6 link-local addresses.
+
+             The default is the name given on the command line.  Numeric IP
+             addresses are also permitted (both on the command line and in
+             HostName specifications).
 
      IdentitiesOnly
              Specifies that ssh(1) should only use the authentication identity
@@ -517,8 +533,8 @@ DESCRIPTION
                    curve25519-sha256@libssh.org,
                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                    diffie-hellman-group-exchange-sha256,
-                   diffie-hellman-group-exchange-sha1,
                    diffie-hellman-group14-sha1,
+                   diffie-hellman-group-exchange-sha1,
                    diffie-hellman-group1-sha1
 
      LocalCommand
@@ -529,7 +545,8 @@ DESCRIPTION
              performed: `%d' (local user's home directory), `%h' (remote host
              name), `%l' (local host name), `%n' (host name as provided on the
              command line), `%p' (remote port), `%r' (remote user name) or
-             `%u' (local user name).
+             `%u' (local user name) or `%C' by a hash of the concatenation:
+             %l%h%p%r.
 
              The command is run synchronously and does not have access to the
              session of the ssh(1) that spawned it.  It should not be used for
@@ -568,13 +585,14 @@ DESCRIPTION
              calculate the MAC after encryption (encrypt-then-mac).  These are
              considered safer and their use recommended.  The default is:
 
-                   hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
                    umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                    hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-                   hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-                   hmac-md5-96-etm@openssh.com,
-                   hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-                   hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
+                   umac-64@openssh.com,umac-128@openssh.com,
+                   hmac-sha2-256,hmac-sha2-512,
+                   hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+                   hmac-ripemd160-etm@openssh.com,
+                   hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
+                   hmac-md5,hmac-sha1,hmac-ripemd160,
                    hmac-sha1-96,hmac-md5-96
 
      NoHostAuthenticationForLocalhost
@@ -628,17 +646,19 @@ DESCRIPTION
      ProxyCommand
              Specifies the command to use to connect to the server.  The
              command string extends to the end of the line, and is executed
-             with the user's shell.  In the command string, any occurrence of
-             `%h' will be substituted by the host name to connect, `%p' by the
-             port, and `%r' by the remote user name.  The command can be
-             basically anything, and should read from its standard input and
-             write to its standard output.  It should eventually connect an
-             sshd(8) server running on some machine, or execute sshd -i
-             somewhere.  Host key management will be done using the HostName
-             of the host being connected (defaulting to the name typed by the
-             user).  Setting the command to ``none'' disables this option
-             entirely.  Note that CheckHostIP is not available for connects
-             with a proxy command.
+             using the user's shell `exec' directive to avoid a lingering
+             shell process.
+
+             In the command string, any occurrence of `%h' will be substituted
+             by the host name to connect, `%p' by the port, and `%r' by the
+             remote user name.  The command can be basically anything, and
+             should read from its standard input and write to its standard
+             output.  It should eventually connect an sshd(8) server running
+             on some machine, or execute sshd -i somewhere.  Host key
+             management will be done using the HostName of the host being
+             connected (defaulting to the name typed by the user).  Setting
+             the command to ``none'' disables this option entirely.  Note that
+             CheckHostIP is not available for connects with a proxy command.
 
              This directive is useful in conjunction with nc(1) and its proxy
              support.  For example, the following directive would connect via
@@ -751,6 +771,27 @@ DESCRIPTION
              default is 0, indicating that these messages will not be sent to
              the server.  This option applies to protocol version 2 only.
 
+     StreamLocalBindMask
+             Sets the octal file creation mode mask (umask) used when creating
+             a Unix-domain socket file for local or remote port forwarding.
+             This option is only used for port forwarding to a Unix-domain
+             socket file.
+
+             The default value is 0177, which creates a Unix-domain socket
+             file that is readable and writable only by the owner.  Note that
+             not all operating systems honor the file mode on Unix-domain
+             socket files.
+
+     StreamLocalBindUnlink
+             Specifies whether to remove an existing Unix-domain socket file
+             for local or remote port forwarding before creating a new one.
+             If the socket file already exists and StreamLocalBindUnlink is
+             not enabled, ssh will be unable to forward the port to the Unix-
+             domain socket file.  This option is only used for port forwarding
+             to a Unix-domain socket file.
+
+             The argument must be ``yes'' or ``no''.  The default is ``no''.
+
      StrictHostKeyChecking
              If this flag is set to ``yes'', ssh(1) will never automatically
              add host keys to the ~/.ssh/known_hosts file, and refuses to
@@ -886,4 +927,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.5                    February 23, 2014                   OpenBSD 5.5
+OpenBSD 5.6                      July 15, 2014                     OpenBSD 5.6
diff --git a/ssh_config.5 b/ssh_config.5
index b5803920f..f9ede7a31 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $
-.Dd $Mdocdate: February 23 2014 $
+.\" $OpenBSD: ssh_config.5,v 1.191 2014/07/15 15:54:14 millert Exp $
+.Dd $Mdocdate: July 15 2014 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -342,30 +342,47 @@ in order of preference.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq aes128-gcm@openssh.com ,
-.Dq aes256-gcm@openssh.com ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-.Dq cast128-cbc ,
-and
-.Dq chacha20-poly1305@openssh.com .
+.Bl -item -compact -offset indent
+.It
+3des-cbc
+.It
+aes128-cbc
+.It
+aes192-cbc
+.It
+aes256-cbc
+.It
+aes128-ctr
+.It
+aes192-ctr
+.It
+aes256-ctr
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+.Bd -literal -offset indent
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
 chacha20-poly1305@openssh.com,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
+arcfour256,arcfour128,
+aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,
+aes192-cbc,aes256-cbc,arcfour
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -482,14 +499,16 @@ specified on the command line,
 .Ql %p
 the destination port,
 .Ql %r
-by the remote login username, and
+by the remote login username,
 .Ql %u
 by the username of the user running
-.Xr ssh 1 .
+.Xr ssh 1 , and
+.Ql \&%C
+by a hash of the concatenation: %l%h%p%r.
 It is recommended that any
 .Cm ControlPath
 used for opportunistic connection sharing include
-at least %h, %p, and %r.
+at least %h, %p, and %r (or alternatively %C).
 This ensures that shared connections are uniquely identified.
 .It Cm ControlPersist
 When used in conjunction with
@@ -746,6 +765,12 @@ If the hostname contains the character sequence
 .Ql %h ,
 then this will be replaced with the host name specified on the command line
 (this is useful for manipulating unqualified names).
+The character sequence
+.Ql %%
+will be replaced by a single
+.Ql %
+character, which may be used when specifying IPv6 link-local addresses.
+.Pp
 The default is the name given on the command line.
 Numeric IP addresses are also permitted (both on the command line and in
 .Cm HostName
@@ -893,8 +918,8 @@ The default is:
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
 diffie-hellman-group14-sha1,
+diffie-hellman-group-exchange-sha1,
 diffie-hellman-group1-sha1
 .Ed
 .It Cm LocalCommand
@@ -916,7 +941,9 @@ The following escape character substitutions will be performed:
 .Ql %r
 (remote user name) or
 .Ql %u
-(local user name).
+(local user name) or
+.Ql \&%C
+by a hash of the concatenation: %l%h%p%r.
 .Pp
 The command is run synchronously and does not have access to the
 session of the
@@ -974,13 +1001,14 @@ calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
+umac-64@openssh.com,umac-128@openssh.com,
+hmac-sha2-256,hmac-sha2-512,
+hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
+hmac-ripemd160-etm@openssh.com,
+hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,
+hmac-md5,hmac-sha1,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
 .It Cm NoHostAuthenticationForLocalhost
@@ -1058,8 +1086,11 @@ The default is
 .It Cm ProxyCommand
 Specifies the command to use to connect to the server.
 The command
-string extends to the end of the line, and is executed with
-the user's shell.
+string extends to the end of the line, and is executed
+using the user's shell
+.Ql exec
+directive to avoid a lingering shell process.
+.Pp
 In the command string, any occurrence of
 .Ql %h
 will be substituted by the host name to
@@ -1272,6 +1303,33 @@ channel to request a response from the server.
 The default
 is 0, indicating that these messages will not be sent to the server.
 This option applies to protocol version 2 only.
+.It Cm StreamLocalBindMask
+Sets the octal file creation mode mask
+.Pq umask
+used when creating a Unix-domain socket file for local or remote
+port forwarding.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The default value is 0177, which creates a Unix-domain socket file that is
+readable and writable only by the owner.
+Note that not all operating systems honor the file mode on Unix-domain
+socket files.
+.It Cm StreamLocalBindUnlink
+Specifies whether to remove an existing Unix-domain socket file for local
+or remote port forwarding before creating a new one.
+If the socket file already exists and
+.Cm StreamLocalBindUnlink
+is not enabled,
+.Nm ssh
+will be unable to forward the port to the Unix-domain socket file.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm StrictHostKeyChecking
 If this flag is set to
 .Dq yes ,
diff --git a/sshbuf-getput-basic.c b/sshbuf-getput-basic.c
new file mode 100644
index 000000000..b7d0758c2
--- /dev/null
+++ b/sshbuf-getput-basic.c
@@ -0,0 +1,421 @@
+/*      $OpenBSD: sshbuf-getput-basic.c,v 1.1 2014/04/30 05:29:56 djm Exp $     */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define SSHBUF_INTERNAL
+#include "includes.h"
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "ssherr.h"
+#include "sshbuf.h"
+
+int
+sshbuf_get(struct sshbuf *buf, void *v, size_t len)
+{
+        const u_char *p = sshbuf_ptr(buf);
+        int r;
+
+        if ((r = sshbuf_consume(buf, len)) < 0)
+                return r;
+        if (v != NULL)
+                memcpy(v, p, len);
+        return 0;
+}
+
+int
+sshbuf_get_u64(struct sshbuf *buf, u_int64_t *valp)
+{
+        const u_char *p = sshbuf_ptr(buf);
+        int r;
+
+        if ((r = sshbuf_consume(buf, 8)) < 0)
+                return r;
+        if (valp != NULL)
+                *valp = PEEK_U64(p);
+        return 0;
+}
+
+int
+sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp)
+{
+        const u_char *p = sshbuf_ptr(buf);
+        int r;
+
+        if ((r = sshbuf_consume(buf, 4)) < 0)
+                return r;
+        if (valp != NULL)
+                *valp = PEEK_U32(p);
+        return 0;
+}
+
+int
+sshbuf_get_u16(struct sshbuf *buf, u_int16_t *valp)
+{
+        const u_char *p = sshbuf_ptr(buf);
+        int r;
+
+        if ((r = sshbuf_consume(buf, 2)) < 0)
+                return r;
+        if (valp != NULL)
+                *valp = PEEK_U16(p);
+        return 0;
+}
+
+int
+sshbuf_get_u8(struct sshbuf *buf, u_char *valp)
+{
+        const u_char *p = sshbuf_ptr(buf);
+        int r;
+
+        if ((r = sshbuf_consume(buf, 1)) < 0)
+                return r;
+        if (valp != NULL)
+                *valp = (u_int8_t)*p;
+        return 0;
+}
+
+int
+sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp)
+{
+        const u_char *val;
+        size_t len;
+        int r;
+
+        if (valp != NULL)
+                *valp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+        if ((r = sshbuf_get_string_direct(buf, &val, &len)) < 0)
+                return r;
+        if (valp != NULL) {
+                if ((*valp = malloc(len + 1)) == NULL) {
+                        SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+                        return SSH_ERR_ALLOC_FAIL;
+                }
+                memcpy(*valp, val, len);
+                (*valp)[len] = '\0';
+        }
+        if (lenp != NULL)
+                *lenp = len;
+        return 0;
+}
+
+int
+sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp, size_t *lenp)
+{
+        size_t len;
+        const u_char *p;
+        int r;
+
+        if (valp != NULL)
+                *valp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+        if ((r = sshbuf_peek_string_direct(buf, &p, &len)) < 0)
+                return r;
+        if (valp != 0)
+                *valp = p;
+        if (lenp != NULL)
+                *lenp = len;
+        if (sshbuf_consume(buf, len + 4) != 0) {
+                /* Shouldn't happen */
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                SSHBUF_ABORT();
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+        return 0;
+}
+
+int
+sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
+    size_t *lenp)
+{
+        u_int32_t len;
+        const u_char *p = sshbuf_ptr(buf);
+
+        if (valp != NULL)
+                *valp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+        if (sshbuf_len(buf) < 4) {
+                SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        }
+        len = PEEK_U32(p);
+        if (len > SSHBUF_SIZE_MAX - 4) {
+                SSHBUF_DBG(("SSH_ERR_STRING_TOO_LARGE"));
+                return SSH_ERR_STRING_TOO_LARGE;
+        }
+        if (sshbuf_len(buf) - 4 < len) {
+                SSHBUF_DBG(("SSH_ERR_MESSAGE_INCOMPLETE"));
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        }
+        if (valp != 0)
+                *valp = p + 4;
+        if (lenp != NULL)
+                *lenp = len;
+        return 0;
+}
+
+int
+sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp)
+{
+        size_t len;
+        const u_char *p, *z;
+        int r;
+
+        if (valp != NULL)
+                *valp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+        if ((r = sshbuf_peek_string_direct(buf, &p, &len)) != 0)
+                return r;
+        /* Allow a \0 only at the end of the string */
+        if (len > 0 &&
+            (z = memchr(p , '\0', len)) != NULL && z < p + len - 1) {
+                SSHBUF_DBG(("SSH_ERR_INVALID_FORMAT"));
+                return SSH_ERR_INVALID_FORMAT;
+        }
+        if ((r = sshbuf_skip_string(buf)) != 0)
+                return -1;
+        if (valp != NULL) {
+                if ((*valp = malloc(len + 1)) == NULL) {
+                        SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+                        return SSH_ERR_ALLOC_FAIL;
+                }
+                memcpy(*valp, p, len);
+                (*valp)[len] = '\0';
+        }
+        if (lenp != NULL)
+                *lenp = (size_t)len;
+        return 0;
+}
+
+int
+sshbuf_get_stringb(struct sshbuf *buf, struct sshbuf *v)
+{
+        u_int32_t len;
+        u_char *p;
+        int r;
+
+        /*
+         * Use sshbuf_peek_string_direct() to figure out if there is
+         * a complete string in 'buf' and copy the string directly
+         * into 'v'.
+         */
+        if ((r = sshbuf_peek_string_direct(buf, NULL, NULL)) != 0 ||
+            (r = sshbuf_get_u32(buf, &len)) != 0 ||
+            (r = sshbuf_reserve(v, len, &p)) != 0 ||
+            (r = sshbuf_get(buf, p, len)) != 0)
+                return r;
+        return 0;
+}
+
+int
+sshbuf_put(struct sshbuf *buf, const void *v, size_t len)
+{
+        u_char *p;
+        int r;
+
+        if ((r = sshbuf_reserve(buf, len, &p)) < 0)
+                return r;
+        memcpy(p, v, len);
+        return 0;
+}
+
+int
+sshbuf_putb(struct sshbuf *buf, const struct sshbuf *v)
+{
+        return sshbuf_put(buf, sshbuf_ptr(v), sshbuf_len(v));
+}
+
+int
+sshbuf_putf(struct sshbuf *buf, const char *fmt, ...)
+{
+        va_list ap;
+        int r;
+
+        va_start(ap, fmt);
+        r = sshbuf_putfv(buf, fmt, ap);
+        va_end(ap);
+        return r;
+}
+
+int
+sshbuf_putfv(struct sshbuf *buf, const char *fmt, va_list ap)
+{
+        va_list ap2;
+        int r, len;
+        u_char *p;
+
+        va_copy(ap2, ap);
+        if ((len = vsnprintf(NULL, 0, fmt, ap2)) < 0) {
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
+        if (len == 0) {
+                r = 0;
+                goto out; /* Nothing to do */
+        }
+        va_end(ap2);
+        va_copy(ap2, ap);
+        if ((r = sshbuf_reserve(buf, (size_t)len + 1, &p)) < 0)
+                goto out;
+        if ((r = vsnprintf((char *)p, len + 1, fmt, ap2)) != len) {
+                r = SSH_ERR_INTERNAL_ERROR;
+                goto out; /* Shouldn't happen */
+        }
+        /* Consume terminating \0 */
+        if ((r = sshbuf_consume_end(buf, 1)) != 0)
+                goto out;
+        r = 0;
+ out:
+        va_end(ap2);
+        return r;
+}
+
+int
+sshbuf_put_u64(struct sshbuf *buf, u_int64_t val)
+{
+        u_char *p;
+        int r;
+
+        if ((r = sshbuf_reserve(buf, 8, &p)) < 0)
+                return r;
+        POKE_U64(p, val);
+        return 0;
+}
+
+int
+sshbuf_put_u32(struct sshbuf *buf, u_int32_t val)
+{
+        u_char *p;
+        int r;
+
+        if ((r = sshbuf_reserve(buf, 4, &p)) < 0)
+                return r;
+        POKE_U32(p, val);
+        return 0;
+}
+
+int
+sshbuf_put_u16(struct sshbuf *buf, u_int16_t val)
+{
+        u_char *p;
+        int r;
+
+        if ((r = sshbuf_reserve(buf, 2, &p)) < 0)
+                return r;
+        POKE_U16(p, val);
+        return 0;
+}
+
+int
+sshbuf_put_u8(struct sshbuf *buf, u_char val)
+{
+        u_char *p;
+        int r;
+
+        if ((r = sshbuf_reserve(buf, 1, &p)) < 0)
+                return r;
+        p[0] = val;
+        return 0;
+}
+
+int
+sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len)
+{
+        u_char *d;
+        int r;
+
+        if (len > SSHBUF_SIZE_MAX - 4) {
+                SSHBUF_DBG(("SSH_ERR_NO_BUFFER_SPACE"));
+                return SSH_ERR_NO_BUFFER_SPACE;
+        }
+        if ((r = sshbuf_reserve(buf, len + 4, &d)) < 0)
+                return r;
+        POKE_U32(d, len);
+        memcpy(d + 4, v, len);
+        return 0;
+}
+
+int
+sshbuf_put_cstring(struct sshbuf *buf, const char *v)
+{
+        return sshbuf_put_string(buf, (u_char *)v, strlen(v));
+}
+
+int
+sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v)
+{
+        return sshbuf_put_string(buf, sshbuf_ptr(v), sshbuf_len(v));
+}
+
+int
+sshbuf_froms(struct sshbuf *buf, struct sshbuf **bufp)
+{
+        const u_char *p;
+        size_t len;
+        struct sshbuf *ret;
+        int r;
+
+        if (buf == NULL || bufp == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+        *bufp = NULL;
+        if ((r = sshbuf_peek_string_direct(buf, &p, &len)) != 0)
+                return r;
+        if ((ret = sshbuf_from(p, len)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshbuf_consume(buf, len + 4)) != 0 ||  /* Shouldn't happen */
+            (r = sshbuf_set_parent(ret, buf)) != 0) {
+                sshbuf_free(ret);
+                return r;
+        }
+        *bufp = ret;
+        return 0;
+}
+
+int
+sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len)
+{
+        u_char *d;
+        const u_char *s = (const u_char *)v;
+        int r, prepend;
+
+        if (len > SSHBUF_SIZE_MAX - 5) {
+                SSHBUF_DBG(("SSH_ERR_NO_BUFFER_SPACE"));
+                return SSH_ERR_NO_BUFFER_SPACE;
+        }
+        /* Skip leading zero bytes */
+        for (; len > 0 && *s == 0; len--, s++)
+                ;
+        /*
+         * If most significant bit is set then prepend a zero byte to
+         * avoid interpretation as a negative number.
+         */
+        prepend = len > 0 && (s[0] & 0x80) != 0;
+        if ((r = sshbuf_reserve(buf, len + 4 + prepend, &d)) < 0)
+                return r;
+        POKE_U32(d, len + prepend);
+        if (prepend)
+                d[4] = 0;
+        memcpy(d + 4 + prepend, s, len);
+        return 0;
+}
diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c
new file mode 100644
index 000000000..74351d3e5
--- /dev/null
+++ b/sshbuf-getput-crypto.c
@@ -0,0 +1,237 @@
+/*      $OpenBSD: sshbuf-getput-crypto.c,v 1.2 2014/06/18 15:42:09 naddy Exp $  */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define SSHBUF_INTERNAL
+#include "includes.h"
+
+#include <sys/types.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include <openssl/bn.h>
+#ifdef OPENSSL_HAS_ECC
+# include <openssl/ec.h>
+#endif /* OPENSSL_HAS_ECC */
+
+#include "ssherr.h"
+#include "sshbuf.h"
+
+int
+sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v)
+{
+        const u_char *d;
+        size_t len;
+        int r;
+
+        if ((r = sshbuf_peek_string_direct(buf, &d, &len)) < 0)
+                return r;
+        /* Refuse negative (MSB set) bignums */
+        if ((len != 0 && (*d & 0x80) != 0))
+                return SSH_ERR_BIGNUM_IS_NEGATIVE;
+        /* Refuse overlong bignums, allow prepended \0 to avoid MSB set */
+        if (len > SSHBUF_MAX_BIGNUM + 1 ||
+            (len == SSHBUF_MAX_BIGNUM + 1 && *d != 0))
+                return SSH_ERR_BIGNUM_TOO_LARGE;
+        if (v != NULL && BN_bin2bn(d, len, v) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        /* Consume the string */
+        if (sshbuf_get_string_direct(buf, NULL, NULL) != 0) {
+                /* Shouldn't happen */
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                SSHBUF_ABORT();
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+        return 0;
+}
+
+int
+sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v)
+{
+        const u_char *d = sshbuf_ptr(buf);
+        u_int16_t len_bits;
+        size_t len_bytes;
+
+        /* Length in bits */
+        if (sshbuf_len(buf) < 2)
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        len_bits = PEEK_U16(d);
+        len_bytes = (len_bits + 7) >> 3;
+        if (len_bytes > SSHBUF_MAX_BIGNUM)
+                return SSH_ERR_BIGNUM_TOO_LARGE;
+        if (sshbuf_len(buf) < 2 + len_bytes)
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        if (v != NULL && BN_bin2bn(d + 2, len_bytes, v) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if (sshbuf_consume(buf, 2 + len_bytes) != 0) {
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                SSHBUF_ABORT();
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+        return 0;
+}
+
+#ifdef OPENSSL_HAS_ECC
+static int
+get_ec(const u_char *d, size_t len, EC_POINT *v, const EC_GROUP *g)
+{
+        /* Refuse overlong bignums */
+        if (len == 0 || len > SSHBUF_MAX_ECPOINT)
+                return SSH_ERR_ECPOINT_TOO_LARGE;
+        /* Only handle uncompressed points */
+        if (*d != POINT_CONVERSION_UNCOMPRESSED)
+                return SSH_ERR_INVALID_FORMAT;
+        if (v != NULL && EC_POINT_oct2point(g, v, d, len, NULL) != 1)
+                return SSH_ERR_INVALID_FORMAT; /* XXX assumption */
+        return 0;
+}
+
+int
+sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g)
+{
+        const u_char *d;
+        size_t len;
+        int r;
+
+        if ((r = sshbuf_peek_string_direct(buf, &d, &len)) < 0)
+                return r;
+        if ((r = get_ec(d, len, v, g)) != 0)
+                return r;
+        /* Skip string */
+        if (sshbuf_get_string_direct(buf, NULL, NULL) != 0) {
+                /* Shouldn't happen */
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                SSHBUF_ABORT();
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+        return 0;
+}
+
+int
+sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v)
+{
+        EC_POINT *pt = EC_POINT_new(EC_KEY_get0_group(v));
+        int r;
+        const u_char *d;
+        size_t len;
+
+        if (pt == NULL) {
+                SSHBUF_DBG(("SSH_ERR_ALLOC_FAIL"));
+                return SSH_ERR_ALLOC_FAIL;
+        }
+        if ((r = sshbuf_peek_string_direct(buf, &d, &len)) < 0) {
+                EC_POINT_free(pt);
+                return r;
+        }
+        if ((r = get_ec(d, len, pt, EC_KEY_get0_group(v))) != 0) {
+                EC_POINT_free(pt);
+                return r;
+        }
+        if (EC_KEY_set_public_key(v, pt) != 1) {
+                EC_POINT_free(pt);
+                return SSH_ERR_ALLOC_FAIL; /* XXX assumption */
+        }
+        EC_POINT_free(pt);
+        /* Skip string */
+        if (sshbuf_get_string_direct(buf, NULL, NULL) != 0) {
+                /* Shouldn't happen */
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                SSHBUF_ABORT();
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+        return 0;       
+}
+#endif /* OPENSSL_HAS_ECC */
+
+int
+sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v)
+{
+        u_char d[SSHBUF_MAX_BIGNUM + 1];
+        int len = BN_num_bytes(v), prepend = 0, r;
+
+        if (len < 0 || len > SSHBUF_MAX_BIGNUM)
+                return SSH_ERR_INVALID_ARGUMENT;
+        *d = '\0';
+        if (BN_bn2bin(v, d + 1) != len)
+                return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */
+        /* If MSB is set, prepend a \0 */
+        if (len > 0 && (d[1] & 0x80) != 0)
+                prepend = 1;
+        if ((r = sshbuf_put_string(buf, d + 1 - prepend, len + prepend)) < 0) {
+                bzero(d, sizeof(d));
+                return r;
+        }
+        bzero(d, sizeof(d));
+        return 0;
+}
+
+int
+sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v)
+{
+        int r, len_bits = BN_num_bits(v);
+        size_t len_bytes = (len_bits + 7) / 8;
+        u_char d[SSHBUF_MAX_BIGNUM], *dp;
+
+        if (len_bits < 0 || len_bytes > SSHBUF_MAX_BIGNUM)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (BN_bn2bin(v, d) != (int)len_bytes)
+                return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */
+        if ((r = sshbuf_reserve(buf, len_bytes + 2, &dp)) < 0) {
+                bzero(d, sizeof(d));
+                return r;
+        }
+        POKE_U16(dp, len_bits);
+        memcpy(dp + 2, d, len_bytes);
+        bzero(d, sizeof(d));
+        return 0;
+}
+
+#ifdef OPENSSL_HAS_ECC
+int
+sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g)
+{
+        u_char d[SSHBUF_MAX_ECPOINT];
+        BN_CTX *bn_ctx;
+        size_t len;
+        int ret;
+
+        if ((bn_ctx = BN_CTX_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((len = EC_POINT_point2oct(g, v, POINT_CONVERSION_UNCOMPRESSED,
+            NULL, 0, bn_ctx)) > SSHBUF_MAX_ECPOINT) {
+                BN_CTX_free(bn_ctx);
+                return SSH_ERR_INVALID_ARGUMENT;
+        }
+        if (EC_POINT_point2oct(g, v, POINT_CONVERSION_UNCOMPRESSED,
+            d, len, bn_ctx) != len) {
+                BN_CTX_free(bn_ctx);
+                return SSH_ERR_INTERNAL_ERROR; /* Shouldn't happen */
+        }
+        BN_CTX_free(bn_ctx);
+        ret = sshbuf_put_string(buf, d, len);
+        bzero(d, len);
+        return ret;
+}
+
+int
+sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v)
+{
+        return sshbuf_put_ec(buf, EC_KEY_get0_public_key(v),
+            EC_KEY_get0_group(v));
+}
+#endif /* OPENSSL_HAS_ECC */
+
diff --git a/sshbuf-misc.c b/sshbuf-misc.c
new file mode 100644
index 000000000..bfeffe674
--- /dev/null
+++ b/sshbuf-misc.c
@@ -0,0 +1,135 @@
+/*      $OpenBSD: sshbuf-misc.c,v 1.2 2014/06/24 01:13:21 djm Exp $     */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <limits.h>
+#include <string.h>
+#include <resolv.h>
+#include <ctype.h>
+
+#include "ssherr.h"
+#define SSHBUF_INTERNAL
+#include "sshbuf.h"
+
+void
+sshbuf_dump_data(const void *s, size_t len, FILE *f)
+{
+        size_t i, j;
+        const u_char *p = (const u_char *)s;
+
+        for (i = 0; i < len; i += 16) {
+                fprintf(f, "%.4zd: ", i);
+                for (j = i; j < i + 16; j++) {
+                        if (j < len)
+                                fprintf(f, "%02x ", p[j]);
+                        else
+                                fprintf(f, "   ");
+                }
+                fprintf(f, " ");
+                for (j = i; j < i + 16; j++) {
+                        if (j < len) {
+                                if  (isascii(p[j]) && isprint(p[j]))
+                                        fprintf(f, "%c", p[j]);
+                                else
+                                        fprintf(f, ".");
+                        }
+                }
+                fprintf(f, "\n");
+        }
+}
+
+void
+sshbuf_dump(struct sshbuf *buf, FILE *f)
+{
+        fprintf(f, "buffer %p len = %zu\n", buf, sshbuf_len(buf));
+        sshbuf_dump_data(sshbuf_ptr(buf), sshbuf_len(buf), f);
+}
+
+char *
+sshbuf_dtob16(struct sshbuf *buf)
+{
+        size_t i, j, len = sshbuf_len(buf);
+        const u_char *p = sshbuf_ptr(buf);
+        char *ret;
+        const char hex[] = "0123456789abcdef";
+
+        if (len == 0)
+                return strdup("");
+        if (SIZE_MAX / 2 <= len || (ret = malloc(len * 2 + 1)) == NULL)
+                return NULL;
+        for (i = j = 0; i < len; i++) {
+                ret[j++] = hex[(p[i] >> 4) & 0xf];
+                ret[j++] = hex[p[i] & 0xf];
+        }
+        ret[j] = '\0';
+        return ret;
+}
+
+char *
+sshbuf_dtob64(struct sshbuf *buf)
+{
+        size_t len = sshbuf_len(buf), plen;
+        const u_char *p = sshbuf_ptr(buf);
+        char *ret;
+        int r;
+
+        if (len == 0)
+                return strdup("");
+        plen = ((len + 2) / 3) * 4 + 1;
+        if (SIZE_MAX / 2 <= len || (ret = malloc(plen)) == NULL)
+                return NULL;
+        if ((r = b64_ntop(p, len, ret, plen)) == -1) {
+                bzero(ret, plen);
+                free(ret);
+                return NULL;
+        }
+        return ret;
+}
+
+int
+sshbuf_b64tod(struct sshbuf *buf, const char *b64)
+{
+        size_t plen = strlen(b64);
+        int nlen, r;
+        u_char *p;
+
+        if (plen == 0)
+                return 0;
+        if ((p = malloc(plen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((nlen = b64_pton(b64, p, plen)) < 0) {
+                bzero(p, plen);
+                free(p);
+                return SSH_ERR_INVALID_FORMAT;
+        }
+        if ((r = sshbuf_put(buf, p, nlen)) < 0) {
+                bzero(p, plen);
+                free(p);
+                return r;
+        }
+        bzero(p, plen);
+        free(p);
+        return 0;
+}
+
diff --git a/sshbuf.c b/sshbuf.c
new file mode 100644
index 000000000..78f5340a1
--- /dev/null
+++ b/sshbuf.c
@@ -0,0 +1,406 @@
+/*      $OpenBSD: sshbuf.c,v 1.2 2014/06/25 14:16:09 deraadt Exp $      */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#define SSHBUF_INTERNAL
+#include "includes.h"
+
+#include <sys/types.h>
+#include <sys/param.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+#include "ssherr.h"
+#include "sshbuf.h"
+
+static inline int
+sshbuf_check_sanity(const struct sshbuf *buf)
+{
+        SSHBUF_TELL("sanity");
+        if (__predict_false(buf == NULL ||
+            (!buf->readonly && buf->d != buf->cd) ||
+            buf->refcount < 1 || buf->refcount > SSHBUF_REFS_MAX ||
+            buf->cd == NULL ||
+            (buf->dont_free && (buf->readonly || buf->parent != NULL)) ||
+            buf->max_size > SSHBUF_SIZE_MAX ||
+            buf->alloc > buf->max_size ||
+            buf->size > buf->alloc ||
+            buf->off > buf->size)) {
+                /* Do not try to recover from corrupted buffer internals */
+                SSHBUF_DBG(("SSH_ERR_INTERNAL_ERROR"));
+                signal(SIGSEGV, SIG_DFL);
+                raise(SIGSEGV);
+                return SSH_ERR_INTERNAL_ERROR;
+        }
+        return 0;
+}
+
+static void
+sshbuf_maybe_pack(struct sshbuf *buf, int force)
+{
+        SSHBUF_DBG(("force %d", force));
+        SSHBUF_TELL("pre-pack");
+        if (buf->off == 0 || buf->readonly || buf->refcount > 1)
+                return;
+        if (force ||
+            (buf->off >= SSHBUF_PACK_MIN && buf->off >= buf->size / 2)) {
+                memmove(buf->d, buf->d + buf->off, buf->size - buf->off);
+                buf->size -= buf->off;
+                buf->off = 0;
+                SSHBUF_TELL("packed");
+        }
+}
+
+struct sshbuf *
+sshbuf_new(void)
+{
+        struct sshbuf *ret;
+
+        if ((ret = calloc(sizeof(*ret), 1)) == NULL)
+                return NULL;
+        ret->alloc = SSHBUF_SIZE_INIT;
+        ret->max_size = SSHBUF_SIZE_MAX;
+        ret->readonly = 0;
+        ret->refcount = 1;
+        ret->parent = NULL;
+        if ((ret->cd = ret->d = calloc(1, ret->alloc)) == NULL) {
+                free(ret);
+                return NULL;
+        }
+        return ret;
+}
+
+struct sshbuf *
+sshbuf_from(const void *blob, size_t len)
+{
+        struct sshbuf *ret;
+
+        if (blob == NULL || len > SSHBUF_SIZE_MAX ||
+            (ret = calloc(sizeof(*ret), 1)) == NULL)
+                return NULL;
+        ret->alloc = ret->size = ret->max_size = len;
+        ret->readonly = 1;
+        ret->refcount = 1;
+        ret->parent = NULL;
+        ret->cd = blob;
+        ret->d = NULL;
+        return ret;
+}
+
+int
+sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent)
+{
+        int r;
+
+        if ((r = sshbuf_check_sanity(child)) != 0 ||
+            (r = sshbuf_check_sanity(parent)) != 0)
+                return r;
+        child->parent = parent;
+        child->parent->refcount++;
+        return 0;
+}
+
+struct sshbuf *
+sshbuf_fromb(struct sshbuf *buf)
+{
+        struct sshbuf *ret;
+
+        if (sshbuf_check_sanity(buf) != 0)
+                return NULL;
+        if ((ret = sshbuf_from(sshbuf_ptr(buf), sshbuf_len(buf))) == NULL)
+                return NULL;
+        if (sshbuf_set_parent(ret, buf) != 0) {
+                sshbuf_free(ret);
+                return NULL;
+        }
+        return ret;
+}
+
+void
+sshbuf_init(struct sshbuf *ret)
+{
+        bzero(ret, sizeof(*ret));
+        ret->alloc = SSHBUF_SIZE_INIT;
+        ret->max_size = SSHBUF_SIZE_MAX;
+        ret->readonly = 0;
+        ret->dont_free = 1;
+        ret->refcount = 1;
+        if ((ret->cd = ret->d = calloc(1, ret->alloc)) == NULL)
+                ret->alloc = 0;
+}
+
+void
+sshbuf_free(struct sshbuf *buf)
+{
+        int dont_free = 0;
+
+        if (buf == NULL)
+                return;
+        /*
+         * The following will leak on insane buffers, but this is the safest
+         * course of action - an invalid pointer or already-freed pointer may
+         * have been passed to us and continuing to scribble over memory would
+         * be bad.
+         */
+        if (sshbuf_check_sanity(buf) != 0)
+                return;
+        /*
+         * If we are a child, the free our parent to decrement its reference
+         * count and possibly free it.
+         */
+        if (buf->parent != NULL) {
+                sshbuf_free(buf->parent);
+                buf->parent = NULL;
+        }
+        /*
+         * If we are a parent with still-extant children, then don't free just
+         * yet. The last child's call to sshbuf_free should decrement our
+         * refcount to 0 and trigger the actual free.
+         */
+        buf->refcount--;
+        if (buf->refcount > 0)
+                return;
+        dont_free = buf->dont_free;
+        if (!buf->readonly) {
+                bzero(buf->d, buf->alloc);
+                free(buf->d);
+        }
+        bzero(buf, sizeof(*buf));
+        if (!dont_free)
+                free(buf);
+}
+
+void
+sshbuf_reset(struct sshbuf *buf)
+{
+        u_char *d;
+
+        if (buf->readonly || buf->refcount > 1) {
+                /* Nonsensical. Just make buffer appear empty */
+                buf->off = buf->size;
+                return;
+        }
+        if (sshbuf_check_sanity(buf) == 0)
+                bzero(buf->d, buf->alloc);
+        buf->off = buf->size = 0;
+        if (buf->alloc != SSHBUF_SIZE_INIT) {
+                if ((d = realloc(buf->d, SSHBUF_SIZE_INIT)) != NULL) {
+                        buf->cd = buf->d = d;
+                        buf->alloc = SSHBUF_SIZE_INIT;
+                }
+        }
+}
+
+size_t
+sshbuf_max_size(const struct sshbuf *buf)
+{
+        return buf->max_size;
+}
+
+size_t
+sshbuf_alloc(const struct sshbuf *buf)
+{
+        return buf->alloc;
+}
+
+const struct sshbuf *
+sshbuf_parent(const struct sshbuf *buf)
+{
+        return buf->parent;
+}
+
+u_int
+sshbuf_refcount(const struct sshbuf *buf)
+{
+        return buf->refcount;
+}
+
+int
+sshbuf_set_max_size(struct sshbuf *buf, size_t max_size)
+{
+        size_t rlen;
+        u_char *dp;
+        int r;
+
+        SSHBUF_DBG(("set max buf = %p len = %zu", buf, max_size));
+        if ((r = sshbuf_check_sanity(buf)) != 0)
+                return r;
+        if (max_size == buf->max_size)
+                return 0;
+        if (buf->readonly || buf->refcount > 1)
+                return SSH_ERR_BUFFER_READ_ONLY;
+        if (max_size > SSHBUF_SIZE_MAX)
+                return SSH_ERR_NO_BUFFER_SPACE;
+        /* pack and realloc if necessary */
+        sshbuf_maybe_pack(buf, max_size < buf->size);
+        if (max_size < buf->alloc && max_size > buf->size) {
+                if (buf->size < SSHBUF_SIZE_INIT)
+                        rlen = SSHBUF_SIZE_INIT;
+                else
+                        rlen = roundup(buf->size, SSHBUF_SIZE_INC);
+                if (rlen > max_size)
+                        rlen = max_size;
+                bzero(buf->d + buf->size, buf->alloc - buf->size);
+                SSHBUF_DBG(("new alloc = %zu", rlen));
+                if ((dp = realloc(buf->d, rlen)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                buf->cd = buf->d = dp;
+                buf->alloc = rlen;
+        }
+        SSHBUF_TELL("new-max");
+        if (max_size < buf->alloc)
+                return SSH_ERR_NO_BUFFER_SPACE;
+        buf->max_size = max_size;
+        return 0;
+}
+
+size_t
+sshbuf_len(const struct sshbuf *buf)
+{
+        if (sshbuf_check_sanity(buf) != 0)
+                return 0;
+        return buf->size - buf->off;
+}
+
+size_t
+sshbuf_avail(const struct sshbuf *buf)
+{
+        if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
+                return 0;
+        return buf->max_size - (buf->size - buf->off);
+}
+
+const u_char *
+sshbuf_ptr(const struct sshbuf *buf)
+{
+        if (sshbuf_check_sanity(buf) != 0)
+                return NULL;
+        return buf->cd + buf->off;
+}
+
+u_char *
+sshbuf_mutable_ptr(const struct sshbuf *buf)
+{
+        if (sshbuf_check_sanity(buf) != 0 || buf->readonly || buf->refcount > 1)
+                return NULL;
+        return buf->d + buf->off;
+}
+
+int
+sshbuf_check_reserve(const struct sshbuf *buf, size_t len)
+{
+        int r;
+
+        if ((r = sshbuf_check_sanity(buf)) != 0)
+                return r;
+        if (buf->readonly || buf->refcount > 1)
+                return SSH_ERR_BUFFER_READ_ONLY;
+        SSHBUF_TELL("check");
+        /* Check that len is reasonable and that max_size + available < len */
+        if (len > buf->max_size || buf->max_size - len < buf->size - buf->off)
+                return SSH_ERR_NO_BUFFER_SPACE;
+        return 0;
+}
+
+int
+sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp)
+{
+        size_t rlen, need;
+        u_char *dp;
+        int r;
+
+        if (dpp != NULL)
+                *dpp = NULL;
+
+        SSHBUF_DBG(("reserve buf = %p len = %zu", buf, len));
+        if ((r = sshbuf_check_reserve(buf, len)) != 0)
+                return r;
+        /*
+         * If the requested allocation appended would push us past max_size
+         * then pack the buffer, zeroing buf->off.
+         */
+        sshbuf_maybe_pack(buf, buf->size + len > buf->max_size);
+        SSHBUF_TELL("reserve");
+        if (len + buf->size > buf->alloc) {
+                /*
+                 * Prefer to alloc in SSHBUF_SIZE_INC units, but
+                 * allocate less if doing so would overflow max_size.
+                 */
+                need = len + buf->size - buf->alloc;
+                rlen = roundup(buf->alloc + need, SSHBUF_SIZE_INC);
+                SSHBUF_DBG(("need %zu initial rlen %zu", need, rlen));
+                if (rlen > buf->max_size)
+                        rlen = buf->alloc + need;
+                SSHBUF_DBG(("adjusted rlen %zu", rlen));
+                if ((dp = realloc(buf->d, rlen)) == NULL) {
+                        SSHBUF_DBG(("realloc fail"));
+                        if (dpp != NULL)
+                                *dpp = NULL;
+                        return SSH_ERR_ALLOC_FAIL;
+                }
+                buf->alloc = rlen;
+                buf->cd = buf->d = dp;
+                if ((r = sshbuf_check_reserve(buf, len)) < 0) {
+                        /* shouldn't fail */
+                        if (dpp != NULL)
+                                *dpp = NULL;
+                        return r;
+                }
+        }
+        dp = buf->d + buf->size;
+        buf->size += len;
+        SSHBUF_TELL("done");
+        if (dpp != NULL)
+                *dpp = dp;
+        return 0;
+}
+
+int
+sshbuf_consume(struct sshbuf *buf, size_t len)
+{
+        int r;
+
+        SSHBUF_DBG(("len = %zu", len));
+        if ((r = sshbuf_check_sanity(buf)) != 0)
+                return r;
+        if (len == 0)
+                return 0;
+        if (len > sshbuf_len(buf))
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        buf->off += len;
+        SSHBUF_TELL("done");
+        return 0;
+}
+
+int
+sshbuf_consume_end(struct sshbuf *buf, size_t len)
+{
+        int r;
+
+        SSHBUF_DBG(("len = %zu", len));
+        if ((r = sshbuf_check_sanity(buf)) != 0)
+                return r;
+        if (len == 0)
+                return 0;
+        if (len > sshbuf_len(buf))
+                return SSH_ERR_MESSAGE_INCOMPLETE;
+        buf->size -= len;
+        SSHBUF_TELL("done");
+        return 0;
+}
+
diff --git a/sshbuf.h b/sshbuf.h
new file mode 100644
index 000000000..3602bc53f
--- /dev/null
+++ b/sshbuf.h
@@ -0,0 +1,336 @@
+/*      $OpenBSD: sshbuf.h,v 1.3 2014/06/24 01:13:21 djm Exp $  */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _SSHBUF_H
+#define _SSHBUF_H
+
+#include <sys/types.h>
+#include <stdarg.h>
+#include <stdio.h>
+#ifdef WITH_OPENSSL
+# include <openssl/bn.h>
+# ifdef OPENSSL_HAS_ECC
+#  include <openssl/ec.h>
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+
+#define SSHBUF_SIZE_MAX         0x8000000       /* Hard maximum size */
+#define SSHBUF_REFS_MAX         0x100000        /* Max child buffers */
+#define SSHBUF_MAX_BIGNUM       (16384 / 8)     /* Max bignum *bytes* */
+#define SSHBUF_MAX_ECPOINT      ((528 * 2 / 8) + 1) /* Max EC point *bytes* */
+
+/*
+ * NB. do not depend on the internals of this. It will be made opaque
+ * one day.
+ */
+struct sshbuf {
+        u_char *d;              /* Data */
+        const u_char *cd;       /* Const data */
+        size_t off;             /* First available byte is buf->d + buf->off */
+        size_t size;            /* Last byte is buf->d + buf->size - 1 */
+        size_t max_size;        /* Maximum size of buffer */
+        size_t alloc;           /* Total bytes allocated to buf->d */
+        int readonly;           /* Refers to external, const data */
+        int dont_free;          /* Kludge to support sshbuf_init */
+        u_int refcount;         /* Tracks self and number of child buffers */
+        struct sshbuf *parent;  /* If child, pointer to parent */
+};
+
+#ifndef SSHBUF_NO_DEPREACTED
+/*
+ * NB. Please do not use sshbuf_init() in new code. Please use sshbuf_new()
+ * instead. sshbuf_init() is deprectated and will go away soon (it is
+ * only included to allow compat with buffer_* in OpenSSH)
+ */
+void sshbuf_init(struct sshbuf *buf);
+#endif
+
+/*
+ * Create a new sshbuf buffer.
+ * Returns pointer to buffer on success, or NULL on allocation failure.
+ */
+struct sshbuf *sshbuf_new(void);
+
+/*
+ * Create a new, read-only sshbuf buffer from existing data.
+ * Returns pointer to buffer on success, or NULL on allocation failure.
+ */
+struct sshbuf *sshbuf_from(const void *blob, size_t len);
+
+/*
+ * Create a new, read-only sshbuf buffer from the contents of an existing
+ * buffer. The contents of "buf" must not change in the lifetime of the
+ * resultant buffer.
+ * Returns pointer to buffer on success, or NULL on allocation failure.
+ */
+struct sshbuf *sshbuf_fromb(struct sshbuf *buf);
+
+/*
+ * Create a new, read-only sshbuf buffer from the contents of a string in
+ * an existing buffer (the string is consumed in the process).
+ * The contents of "buf" must not change in the lifetime of the resultant
+ * buffer.
+ * Returns pointer to buffer on success, or NULL on allocation failure.
+ */
+int     sshbuf_froms(struct sshbuf *buf, struct sshbuf **bufp);
+
+/*
+ * Clear and free buf
+ */
+void    sshbuf_free(struct sshbuf *buf);
+
+/*
+ * Reset buf, clearing its contents. NB. max_size is preserved.
+ */
+void    sshbuf_reset(struct sshbuf *buf);
+
+/*
+ * Return the maximum size of buf
+ */
+size_t  sshbuf_max_size(const struct sshbuf *buf);
+
+/*
+ * Set the maximum size of buf
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
+ */
+int     sshbuf_set_max_size(struct sshbuf *buf, size_t max_size);
+
+/*
+ * Returns the length of data in buf
+ */
+size_t  sshbuf_len(const struct sshbuf *buf);
+
+/*
+ * Returns number of bytes left in buffer before hitting max_size.
+ */
+size_t  sshbuf_avail(const struct sshbuf *buf);
+
+/*
+ * Returns a read-only pointer to the start of the the data in buf
+ */
+const u_char *sshbuf_ptr(const struct sshbuf *buf);
+
+/*
+ * Returns a mutable pointer to the start of the the data in buf, or
+ * NULL if the buffer is read-only.
+ */
+u_char *sshbuf_mutable_ptr(const struct sshbuf *buf);
+
+/*
+ * Check whether a reservation of size len will succeed in buf
+ * Safer to use than direct comparisons again sshbuf_avail as it copes
+ * with unsigned overflows correctly.
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
+ */
+int     sshbuf_check_reserve(const struct sshbuf *buf, size_t len);
+
+/*
+ * Reserve len bytes in buf.
+ * Returns 0 on success and a pointer to the first reserved byte via the
+ * optional dpp parameter or a negative * SSH_ERR_* error code on failure.
+ */
+int     sshbuf_reserve(struct sshbuf *buf, size_t len, u_char **dpp);
+
+/*
+ * Consume len bytes from the start of buf
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
+ */
+int     sshbuf_consume(struct sshbuf *buf, size_t len);
+
+/*
+ * Consume len bytes from the end of buf
+ * Returns 0 on success, or a negative SSH_ERR_* error code on failure.
+ */
+int     sshbuf_consume_end(struct sshbuf *buf, size_t len);
+
+/* Extract or deposit some bytes */
+int     sshbuf_get(struct sshbuf *buf, void *v, size_t len);
+int     sshbuf_put(struct sshbuf *buf, const void *v, size_t len);
+int     sshbuf_putb(struct sshbuf *buf, const struct sshbuf *v);
+
+/* Append using a printf(3) format */
+int     sshbuf_putf(struct sshbuf *buf, const char *fmt, ...)
+            __attribute__((format(printf, 2, 3)));
+int     sshbuf_putfv(struct sshbuf *buf, const char *fmt, va_list ap);
+
+/* Functions to extract or store big-endian words of various sizes */
+int     sshbuf_get_u64(struct sshbuf *buf, u_int64_t *valp);
+int     sshbuf_get_u32(struct sshbuf *buf, u_int32_t *valp);
+int     sshbuf_get_u16(struct sshbuf *buf, u_int16_t *valp);
+int     sshbuf_get_u8(struct sshbuf *buf, u_char *valp);
+int     sshbuf_put_u64(struct sshbuf *buf, u_int64_t val);
+int     sshbuf_put_u32(struct sshbuf *buf, u_int32_t val);
+int     sshbuf_put_u16(struct sshbuf *buf, u_int16_t val);
+int     sshbuf_put_u8(struct sshbuf *buf, u_char val);
+
+/*
+ * Functions to extract or store SSH wire encoded strings (u32 len || data)
+ * The "cstring" variants admit no \0 characters in the string contents.
+ * Caller must free *valp.
+ */
+int     sshbuf_get_string(struct sshbuf *buf, u_char **valp, size_t *lenp);
+int     sshbuf_get_cstring(struct sshbuf *buf, char **valp, size_t *lenp);
+int     sshbuf_get_stringb(struct sshbuf *buf, struct sshbuf *v);
+int     sshbuf_put_string(struct sshbuf *buf, const void *v, size_t len);
+int     sshbuf_put_cstring(struct sshbuf *buf, const char *v);
+int     sshbuf_put_stringb(struct sshbuf *buf, const struct sshbuf *v);
+
+/*
+ * "Direct" variant of sshbuf_get_string, returns pointer into the sshbuf to
+ * avoid an malloc+memcpy. The pointer is guaranteed to be valid until the
+ * next sshbuf-modifying function call. Caller does not free.
+ */
+int     sshbuf_get_string_direct(struct sshbuf *buf, const u_char **valp,
+            size_t *lenp);
+
+/* Skip past a string */
+#define sshbuf_skip_string(buf) sshbuf_get_string_direct(buf, NULL, NULL)
+
+/* Another variant: "peeks" into the buffer without modifying it */
+int     sshbuf_peek_string_direct(const struct sshbuf *buf, const u_char **valp,
+            size_t *lenp);
+
+/*
+ * Functions to extract or store SSH wire encoded bignums and elliptic
+ * curve points.
+ */
+int     sshbuf_put_bignum2_bytes(struct sshbuf *buf, const void *v, size_t len);
+#ifdef WITH_OPENSSL
+int     sshbuf_get_bignum2(struct sshbuf *buf, BIGNUM *v);
+int     sshbuf_get_bignum1(struct sshbuf *buf, BIGNUM *v);
+int     sshbuf_put_bignum2(struct sshbuf *buf, const BIGNUM *v);
+int     sshbuf_put_bignum1(struct sshbuf *buf, const BIGNUM *v);
+# ifdef OPENSSL_HAS_ECC
+int     sshbuf_get_ec(struct sshbuf *buf, EC_POINT *v, const EC_GROUP *g);
+int     sshbuf_get_eckey(struct sshbuf *buf, EC_KEY *v);
+int     sshbuf_put_ec(struct sshbuf *buf, const EC_POINT *v, const EC_GROUP *g);
+int     sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v);
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+
+/* Dump the contents of the buffer in a human-readable format */
+void    sshbuf_dump(struct sshbuf *buf, FILE *f);
+
+/* Dump specified memory in a human-readable format */
+void    sshbuf_dump_data(const void *s, size_t len, FILE *f);
+
+/* Return the hexadecimal representation of the contents of the buffer */
+char    *sshbuf_dtob16(struct sshbuf *buf);
+
+/* Encode the contents of the buffer as base64 */
+char    *sshbuf_dtob64(struct sshbuf *buf);
+
+/* Decode base64 data and append it to the buffer */
+int     sshbuf_b64tod(struct sshbuf *buf, const char *b64);
+
+/* Macros for decoding/encoding integers */
+#define PEEK_U64(p) \
+        (((u_int64_t)(((u_char *)(p))[0]) << 56) | \
+         ((u_int64_t)(((u_char *)(p))[1]) << 48) | \
+         ((u_int64_t)(((u_char *)(p))[2]) << 40) | \
+         ((u_int64_t)(((u_char *)(p))[3]) << 32) | \
+         ((u_int64_t)(((u_char *)(p))[4]) << 24) | \
+         ((u_int64_t)(((u_char *)(p))[5]) << 16) | \
+         ((u_int64_t)(((u_char *)(p))[6]) << 8) | \
+          (u_int64_t)(((u_char *)(p))[7]))
+#define PEEK_U32(p) \
+        (((u_int32_t)(((u_char *)(p))[0]) << 24) | \
+         ((u_int32_t)(((u_char *)(p))[1]) << 16) | \
+         ((u_int32_t)(((u_char *)(p))[2]) << 8) | \
+          (u_int32_t)(((u_char *)(p))[3]))
+#define PEEK_U16(p) \
+        (((u_int16_t)(((u_char *)(p))[0]) << 8) | \
+          (u_int16_t)(((u_char *)(p))[1]))
+
+#define POKE_U64(p, v) \
+        do { \
+                ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 56) & 0xff; \
+                ((u_char *)(p))[1] = (((u_int64_t)(v)) >> 48) & 0xff; \
+                ((u_char *)(p))[2] = (((u_int64_t)(v)) >> 40) & 0xff; \
+                ((u_char *)(p))[3] = (((u_int64_t)(v)) >> 32) & 0xff; \
+                ((u_char *)(p))[4] = (((u_int64_t)(v)) >> 24) & 0xff; \
+                ((u_char *)(p))[5] = (((u_int64_t)(v)) >> 16) & 0xff; \
+                ((u_char *)(p))[6] = (((u_int64_t)(v)) >> 8) & 0xff; \
+                ((u_char *)(p))[7] = ((u_int64_t)(v)) & 0xff; \
+        } while (0)
+#define POKE_U32(p, v) \
+        do { \
+                ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 24) & 0xff; \
+                ((u_char *)(p))[1] = (((u_int64_t)(v)) >> 16) & 0xff; \
+                ((u_char *)(p))[2] = (((u_int64_t)(v)) >> 8) & 0xff; \
+                ((u_char *)(p))[3] = ((u_int64_t)(v)) & 0xff; \
+        } while (0)
+#define POKE_U16(p, v) \
+        do { \
+                ((u_char *)(p))[0] = (((u_int64_t)(v)) >> 8) & 0xff; \
+                ((u_char *)(p))[1] = ((u_int64_t)(v)) & 0xff; \
+        } while (0)
+
+/* Internal definitions follow. Exposed for regress tests */
+#ifdef SSHBUF_INTERNAL
+
+/*
+ * Return the allocation size of buf
+ */
+size_t  sshbuf_alloc(const struct sshbuf *buf);
+
+/*
+ * Increment the reference count of buf.
+ */
+int     sshbuf_set_parent(struct sshbuf *child, struct sshbuf *parent);
+
+/*
+ * Return the parent buffer of buf, or NULL if it has no parent.
+ */
+const struct sshbuf *sshbuf_parent(const struct sshbuf *buf);
+
+/*
+ * Return the reference count of buf
+ */
+u_int   sshbuf_refcount(const struct sshbuf *buf);
+
+# define SSHBUF_SIZE_INIT       256             /* Initial allocation */
+# define SSHBUF_SIZE_INC        256             /* Preferred increment length */
+# define SSHBUF_PACK_MIN        8192            /* Minimim packable offset */
+
+/* # define SSHBUF_ABORT abort */
+/* # define SSHBUF_DEBUG */
+
+# ifndef SSHBUF_ABORT
+#  define SSHBUF_ABORT()
+# endif
+
+# ifdef SSHBUF_DEBUG
+#  define SSHBUF_TELL(what) do { \
+                printf("%s:%d %s: %s size %zu alloc %zu off %zu max %zu\n", \
+                    __FILE__, __LINE__, __func__, what, \
+                    buf->size, buf->alloc, buf->off, buf->max_size); \
+                fflush(stdout); \
+        } while (0)
+#  define SSHBUF_DBG(x) do { \
+                printf("%s:%d %s: ", __FILE__, __LINE__, __func__); \
+                printf x; \
+                printf("\n"); \
+                fflush(stdout); \
+        } while (0)
+# else
+#  define SSHBUF_TELL(what)
+#  define SSHBUF_DBG(x)
+# endif
+#endif /* SSHBUF_INTERNAL */
+
+#endif /* _SSHBUF_H */
diff --git a/sshconnect.c b/sshconnect.c
index 573d7a8e8..ac09eae67 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.251 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -54,9 +54,9 @@
 #include "sshconnect.h"
 #include "hostfile.h"
 #include "log.h"
+#include "misc.h"
 #include "readconf.h"
 #include "atomicio.h"
-#include "misc.h"
 #include "dns.h"
 #include "roaming.h"
 #include "monitor_fdpass.h"
@@ -65,6 +65,7 @@
 
 char *client_version_string = NULL;
 char *server_version_string = NULL;
+Key *previous_host_key = NULL;
 
 static int matching_host_key_dns = 0;
 
@@ -709,7 +710,7 @@ check_host_cert(const char *host, const Key *host_key)
                 error("%s", reason);
                 return 0;
         }
-        if (buffer_len(&host_key->cert->critical) != 0) {
+        if (buffer_len(host_key->cert->critical) != 0) {
                 error("Certificate for %s contains unsupported "
                     "critical options(s)", host);
                 return 0;
@@ -1217,36 +1218,60 @@ fail:
 int
 verify_host_key(char *host, struct sockaddr *hostaddr, Key *host_key)
 {
-        int flags = 0;
+        int r = -1, flags = 0;
         char *fp;
+        Key *plain = NULL;
 
         fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
         debug("Server host key: %s %s", key_type(host_key), fp);
         free(fp);
 
-        /* XXX certs are not yet supported for DNS */
-        if (!key_is_cert(host_key) && options.verify_host_key_dns &&
-            verify_host_key_dns(host, hostaddr, host_key, &flags) == 0) {
-                if (flags & DNS_VERIFY_FOUND) {
-
-                        if (options.verify_host_key_dns == 1 &&
-                            flags & DNS_VERIFY_MATCH &&
-                            flags & DNS_VERIFY_SECURE)
-                                return 0;
+        if (key_equal(previous_host_key, host_key)) {
+                debug("%s: server host key matches cached key", __func__);
+                return 0;
+        }
 
-                        if (flags & DNS_VERIFY_MATCH) {
-                                matching_host_key_dns = 1;
-                        } else {
-                                warn_changed_key(host_key);
-                                error("Update the SSHFP RR in DNS with the new "
-                                    "host key to get rid of this message.");
+        if (options.verify_host_key_dns) {
+                /*
+                 * XXX certs are not yet supported for DNS, so downgrade
+                 * them and try the plain key.
+                 */
+                plain = key_from_private(host_key);
+                if (key_is_cert(plain))
+                        key_drop_cert(plain);
+                if (verify_host_key_dns(host, hostaddr, plain, &flags) == 0) {
+                        if (flags & DNS_VERIFY_FOUND) {
+                                if (options.verify_host_key_dns == 1 &&
+                                    flags & DNS_VERIFY_MATCH &&
+                                    flags & DNS_VERIFY_SECURE) {
+                                        key_free(plain);
+                                        r = 0;
+                                        goto done;
+                                }
+                                if (flags & DNS_VERIFY_MATCH) {
+                                        matching_host_key_dns = 1;
+                                } else {
+                                        warn_changed_key(plain);
+                                        error("Update the SSHFP RR in DNS "
+                                            "with the new host key to get rid "
+                                            "of this message.");
+                                }
                         }
                 }
+                key_free(plain);
         }
 
-        return check_host_key(host, hostaddr, options.port, host_key, RDRW,
+        r = check_host_key(host, hostaddr, options.port, host_key, RDRW,
             options.user_hostfiles, options.num_user_hostfiles,
             options.system_hostfiles, options.num_system_hostfiles);
+
+done:
+        if (r == 0 && host_key != NULL) {
+                key_free(previous_host_key);
+                previous_host_key = key_from_private(host_key);
+        }
+
+        return r;
 }
 
 /*
@@ -1282,8 +1307,12 @@ ssh_login(Sensitive *sensitive, const char *orighost,
                 ssh_kex2(host, hostaddr, port);
                 ssh_userauth2(local_user, server_user, host, sensitive);
         } else {
+#ifdef WITH_SSH1
                 ssh_kex(host, hostaddr);
                 ssh_userauth1(local_user, server_user, host, sensitive);
+#else
+                fatal("ssh1 is not unsupported");
+#endif
         }
         free(local_user);
 }
diff --git a/sshconnect1.c b/sshconnect1.c
index 921408ec1..dd12a3af2 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect1.c,v 1.74 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshconnect1.c,v 1.76 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -38,11 +38,11 @@
 #include "kex.h"
 #include "uidswap.h"
 #include "log.h"
+#include "misc.h"
 #include "readconf.h"
 #include "authfd.h"
 #include "sshconnect.h"
 #include "authfile.h"
-#include "misc.h"
 #include "canohost.h"
 #include "hostfile.h"
 #include "auth.h"
@@ -166,7 +166,7 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
 
         /* Decrypt the challenge using the private key. */
         /* XXX think about Bleichenbacher, too */
-        if (rsa_private_decrypt(challenge, challenge, prv) <= 0)
+        if (rsa_private_decrypt(challenge, challenge, prv) != 0)
                 packet_disconnect(
                     "respond_to_rsa_challenge: rsa_private_decrypt failed");
 
@@ -253,7 +253,7 @@ try_rsa_authentication(int idx)
          * load the private key.  Try first with empty passphrase; if it
          * fails, ask for a passphrase.
          */
-        if (public->flags & KEY_FLAG_EXT)
+        if (public->flags & SSHKEY_FLAG_EXT)
                 private = public;
         else
                 private = key_load_private_type(KEY_RSA1, authfile, "", NULL,
@@ -302,7 +302,7 @@ try_rsa_authentication(int idx)
         respond_to_rsa_challenge(challenge, private->rsa);
 
         /* Destroy the private key unless it in external hardware. */
-        if (!(private->flags & KEY_FLAG_EXT))
+        if (!(private->flags & SSHKEY_FLAG_EXT))
                 key_free(private);
 
         /* We no longer need the challenge. */
@@ -592,8 +592,9 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
                             BN_num_bits(server_key->rsa->n),
                             SSH_KEY_BITS_RESERVED);
                 }
-                rsa_public_encrypt(key, key, server_key->rsa);
-                rsa_public_encrypt(key, key, host_key->rsa);
+                if (rsa_public_encrypt(key, key, server_key->rsa) != 0 ||
+                    rsa_public_encrypt(key, key, host_key->rsa) != 0)
+                        fatal("%s: rsa_public_encrypt failed", __func__);
         } else {
                 /* Host key has smaller modulus (or they are equal). */
                 if (BN_num_bits(server_key->rsa->n) <
@@ -604,8 +605,9 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
                             BN_num_bits(host_key->rsa->n),
                             SSH_KEY_BITS_RESERVED);
                 }
-                rsa_public_encrypt(key, key, host_key->rsa);
-                rsa_public_encrypt(key, key, server_key->rsa);
+                if (rsa_public_encrypt(key, key, host_key->rsa) != 0 ||
+                    rsa_public_encrypt(key, key, server_key->rsa) != 0)
+                        fatal("%s: rsa_public_encrypt failed", __func__);
         }
 
         /* Destroy the public keys since we no longer need them. */
diff --git a/sshconnect2.c b/sshconnect2.c
index 7f4ff4189..68f7f4fdd 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.204 2014/02/02 03:44:32 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.210 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -61,8 +61,8 @@
 #include "dh.h"
 #include "authfd.h"
 #include "log.h"
-#include "readconf.h"
 #include "misc.h"
+#include "readconf.h"
 #include "match.h"
 #include "dispatch.h"
 #include "canohost.h"
@@ -156,6 +156,7 @@ order_hostkeyalgs(char *host, struct sockaddr *hostaddr, u_short port)
 void
 ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 {
+        char *myproposal[PROPOSAL_MAX] = { KEX_CLIENT };
         Kex *kex;
 
         xxx_host = host;
@@ -195,6 +196,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         }
         if (options.kex_algorithms != NULL)
                 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
+        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+            myproposal[PROPOSAL_KEX_ALGS]);
 
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
@@ -202,11 +205,13 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
 
         /* start key exchange */
         kex = kex_setup(myproposal);
+#ifdef WITH_OPENSSL
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_client;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_client;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_client;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
+#endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_client;
         kex->client_version_string=client_version_string;
         kex->server_version_string=server_version_string;
@@ -965,7 +970,7 @@ identity_sign(Identity *id, u_char **sigp, u_int *lenp,
          * we have already loaded the private key or
          * the private key is stored in external hardware
          */
-        if (id->isprivate || (id->key->flags & KEY_FLAG_EXT))
+        if (id->isprivate || (id->key->flags & SSHKEY_FLAG_EXT))
                 return (key_sign(id->key, sigp, lenp, data, datalen));
         /* load the private key from the file */
         if ((prv = load_identity_file(id->filename, id->userprovided)) == NULL)
@@ -1173,12 +1178,12 @@ pubkey_prepare(Authctxt *authctxt)
         }
         /* Prefer PKCS11 keys that are explicitly listed */
         TAILQ_FOREACH_SAFE(id, &files, next, tmp) {
-                if (id->key == NULL || (id->key->flags & KEY_FLAG_EXT) == 0)
+                if (id->key == NULL || (id->key->flags & SSHKEY_FLAG_EXT) == 0)
                         continue;
                 found = 0;
                 TAILQ_FOREACH(id2, &files, next) {
                         if (id2->key == NULL ||
-                            (id2->key->flags & KEY_FLAG_EXT) != 0)
+                            (id2->key->flags & SSHKEY_FLAG_EXT) == 0)
                                 continue;
                         if (key_equal(id->key, id2->key)) {
                                 TAILQ_REMOVE(&files, id, next);
diff --git a/sshd.0 b/sshd.0
index c61d51535..3008e01bd 100644
--- a/sshd.0
+++ b/sshd.0
@@ -1,4 +1,4 @@
-SSHD(8)                 OpenBSD System Manager's Manual                SSHD(8)
+SSHD(8)                     System Manager's Manual                    SSHD(8)
 
 NAME
      sshd - OpenSSH SSH daemon
@@ -11,7 +11,7 @@ SYNOPSIS
 
 DESCRIPTION
      sshd (OpenSSH Daemon) is the daemon program for ssh(1).  Together these
-     programs replace rlogin(1) and rsh(1), and provide secure encrypted
+     programs replace rlogin and rsh, and provide secure encrypted
      communications between two untrusted hosts over an insecure network.
 
      sshd listens for connections from clients.  It is normally started at
@@ -228,9 +228,10 @@ LOGIN PROCESS
 
            7.   Changes to user's home directory.
 
-           8.   If ~/.ssh/rc exists, runs it; else if /etc/ssh/sshrc exists,
-                runs it; otherwise runs xauth.  The ``rc'' files are given the
-                X11 authentication protocol and cookie in standard input.  See
+           8.   If ~/.ssh/rc exists and the sshd_config(5) PermitUserRC option
+                is set, runs it; else if /etc/ssh/sshrc exists, runs it;
+                otherwise runs xauth.  The ``rc'' files are given the X11
+                authentication protocol and cookie in standard input.  See
                 SSHRC, below.
 
            9.   Runs user's shell or command.
@@ -545,11 +546,6 @@ FILES
              directory becomes accessible.  This file should be writable only
              by the user, and need not be readable by anyone else.
 
-     /etc/hosts.allow
-     /etc/hosts.deny
-             Access controls that should be enforced by tcp-wrappers are
-             defined here.  Further details are described in hosts_access(5).
-
      /etc/hosts.equiv
              This file is for host-based authentication (see ssh(1)).  It
              should only be writable by root.
@@ -625,8 +621,8 @@ FILES
 
 SEE ALSO
      scp(1), sftp(1), ssh(1), ssh-add(1), ssh-agent(1), ssh-keygen(1),
-     ssh-keyscan(1), chroot(2), hosts_access(5), login.conf(5), moduli(5),
-     sshd_config(5), inetd(8), sftp-server(8)
+     ssh-keyscan(1), chroot(2), login.conf(5), moduli(5), sshd_config(5),
+     inetd(8), sftp-server(8)
 
 AUTHORS
      OpenSSH is a derivative of the original and free ssh 1.2.12 release by
@@ -636,8 +632,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-CAVEATS
-     System security is not improved unless rshd, rlogind, and rexecd are
-     disabled (thus completely disabling rlogin and rsh into the machine).
-
-OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
+OpenBSD 5.6                      July 3, 2014                      OpenBSD 5.6
diff --git a/sshd.8 b/sshd.8
index e6a900b06..01459d637 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.273 2013/12/07 11:58:46 naddy Exp $
-.Dd $Mdocdate: December 7 2013 $
+.\" $OpenBSD: sshd.8,v 1.276 2014/07/03 22:40:43 djm Exp $
+.Dd $Mdocdate: July 3 2014 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -60,10 +60,7 @@
 .Nm
 (OpenSSH Daemon) is the daemon program for
 .Xr ssh 1 .
-Together these programs replace
-.Xr rlogin 1
-and
-.Xr rsh 1 ,
+Together these programs replace rlogin and rsh,
 and provide secure encrypted communications between two untrusted hosts
 over an insecure network.
 .Pp
@@ -411,7 +408,10 @@ Changes to user's home directory.
 .It
 If
 .Pa ~/.ssh/rc
-exists, runs it; else if
+exists and the
+.Xr sshd_config 5
+.Cm PermitUserRC
+option is set, runs it; else if
 .Pa /etc/ssh/sshrc
 exists, runs
 it; otherwise runs xauth.
@@ -851,12 +851,6 @@ the user's home directory becomes accessible.
 This file should be writable only by the user, and need not be
 readable by anyone else.
 .Pp
-.It Pa /etc/hosts.allow
-.It Pa /etc/hosts.deny
-Access controls that should be enforced by tcp-wrappers are defined here.
-Further details are described in
-.Xr hosts_access 5 .
-.Pp
 .It Pa /etc/hosts.equiv
 This file is for host-based authentication (see
 .Xr ssh 1 ) .
@@ -960,7 +954,6 @@ The content of this file is not sensitive; it can be world-readable.
 .Xr ssh-keygen 1 ,
 .Xr ssh-keyscan 1 ,
 .Xr chroot 2 ,
-.Xr hosts_access 5 ,
 .Xr login.conf 5 ,
 .Xr moduli 5 ,
 .Xr sshd_config 5 ,
@@ -977,14 +970,3 @@ Markus Friedl contributed the support for SSH
 protocol versions 1.5 and 2.0.
 Niels Provos and Markus Friedl contributed support
 for privilege separation.
-.Sh CAVEATS
-System security is not improved unless
-.Nm rshd ,
-.Nm rlogind ,
-and
-.Nm rexecd
-are disabled (thus completely disabling
-.Xr rlogin
-and
-.Xr rsh
-into the machine).
diff --git a/sshd.c b/sshd.c
index 7523de977..481d00155 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.420 2014/02/26 21:53:37 markus Exp $ */
+/* $OpenBSD: sshd.c,v 1.428 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -72,10 +72,12 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include "openbsd-compat/openssl-compat.h"
+#endif
 
 #ifdef HAVE_SECUREWARE
 #include <sys/security.h>
@@ -91,6 +93,7 @@
 #include "packet.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 #include "uidswap.h"
 #include "compat.h"
@@ -98,7 +101,6 @@
 #include "digest.h"
 #include "key.h"
 #include "kex.h"
-#include "dh.h"
 #include "myproposal.h"
 #include "authfile.h"
 #include "pathnames.h"
@@ -107,7 +109,6 @@
 #include "hostfile.h"
 #include "auth.h"
 #include "authfd.h"
-#include "misc.h"
 #include "msg.h"
 #include "dispatch.h"
 #include "channels.h"
@@ -122,13 +123,6 @@
 #include "ssh-sandbox.h"
 #include "version.h"
 
-#ifdef LIBWRAP
-#include <tcpd.h>
-#include <syslog.h>
-int allow_severity;
-int deny_severity;
-#endif /* LIBWRAP */
-
 #ifndef O_NOCTTY
 #define O_NOCTTY        0
 #endif
@@ -263,7 +257,9 @@ struct passwd *privsep_pw = NULL;
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
 
+#ifdef WITH_SSH1
 static void do_ssh1_kex(void);
+#endif
 static void do_ssh2_kex(void);
 
 /*
@@ -938,7 +934,13 @@ static void
 usage(void)
 {
         fprintf(stderr, "%s, %s\n",
-            SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
+            SSH_RELEASE,
+#ifdef WITH_OPENSSL
+            SSLeay_version(SSLEAY_VERSION)
+#else
+            "without OpenSSL"
+#endif
+        );
         fprintf(stderr,
 "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
 "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
@@ -971,6 +973,7 @@ send_rexec_state(int fd, Buffer *conf)
         buffer_init(&m);
         buffer_put_cstring(&m, buffer_ptr(conf));
 
+#ifdef WITH_SSH1
         if (sensitive_data.server_key != NULL &&
             sensitive_data.server_key->type == KEY_RSA1) {
                 buffer_put_int(&m, 1);
@@ -981,6 +984,7 @@ send_rexec_state(int fd, Buffer *conf)
                 buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
                 buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
         } else
+#endif
                 buffer_put_int(&m, 0);
 
 #ifndef OPENSSL_PRNG_ONLY
@@ -1017,6 +1021,7 @@ recv_rexec_state(int fd, Buffer *conf)
         free(cp);
 
         if (buffer_get_int(&m)) {
+#ifdef WITH_SSH1
                 if (sensitive_data.server_key != NULL)
                         key_free(sensitive_data.server_key);
                 sensitive_data.server_key = key_new_private(KEY_RSA1);
@@ -1026,8 +1031,13 @@ recv_rexec_state(int fd, Buffer *conf)
                 buffer_get_bignum(&m, sensitive_data.server_key->rsa->iqmp);
                 buffer_get_bignum(&m, sensitive_data.server_key->rsa->p);
                 buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
-                rsa_generate_additional_parameters(
-                    sensitive_data.server_key->rsa);
+                if (rsa_generate_additional_parameters(
+                    sensitive_data.server_key->rsa) != 0)
+                        fatal("%s: rsa_generate_additional_parameters "
+                            "error", __func__);
+#else
+                fatal("ssh1 not supported");
+#endif
         }
 
 #ifndef OPENSSL_PRNG_ONLY
@@ -1550,7 +1560,9 @@ main(int ac, char **av)
         else
                 closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
+#ifdef WITH_OPENSSL
         OpenSSL_add_all_algorithms();
+#endif
 
         /* If requested, redirect the logs to the specified logfile. */
         if (logfile != NULL) {
@@ -1655,7 +1667,12 @@ main(int ac, char **av)
         }
 
         debug("sshd version %s, %s", SSH_VERSION,
-            SSLeay_version(SSLEAY_VERSION));
+#ifdef WITH_OPENSSL
+            SSLeay_version(SSLEAY_VERSION)
+#else
+            "without OpenSSL"
+#endif
+        );
 
         /* Store privilege separation user for later use if required. */
         if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1777,6 +1794,8 @@ main(int ac, char **av)
                 debug("host certificate: #%d type %d %s", j, key->type,
                     key_type(key));
         }
+
+#ifdef WITH_SSH1
         /* Check certain values for sanity. */
         if (options.protocol & SSH_PROTO_1) {
                 if (options.server_key_bits < 512 ||
@@ -1801,6 +1820,7 @@ main(int ac, char **av)
                             options.server_key_bits);
                 }
         }
+#endif
 
         if (use_privsep) {
                 struct stat st;
@@ -2034,24 +2054,6 @@ main(int ac, char **av)
 #ifdef SSH_AUDIT_EVENTS
         audit_connection_from(remote_ip, remote_port);
 #endif
-#ifdef LIBWRAP
-        allow_severity = options.log_facility|LOG_INFO;
-        deny_severity = options.log_facility|LOG_WARNING;
-        /* Check whether logins are denied from this host. */
-        if (packet_connection_is_on_socket()) {
-                struct request_info req;
-
-                request_init(&req, RQ_DAEMON, __progname, RQ_FILE, sock_in, 0);
-                fromhost(&req);
-
-                if (!hosts_access(&req)) {
-                        debug("Connection refused by tcp wrapper");
-                        refuse(&req);
-                        /* NOTREACHED */
-                        fatal("libwrap refuse returns");
-                }
-        }
-#endif /* LIBWRAP */
 
         /* Log the connection. */
         verbose("Connection from %s port %d on %s port %d",
@@ -2102,8 +2104,12 @@ main(int ac, char **av)
                 do_ssh2_kex();
                 do_authentication2(authctxt);
         } else {
+#ifdef WITH_SSH1
                 do_ssh1_kex();
                 do_authentication(authctxt);
+#else
+                fatal("ssh1 not supported");
+#endif
         }
         /*
          * If we use privilege separation, the unprivileged child transfers
@@ -2187,6 +2193,7 @@ main(int ac, char **av)
         exit(0);
 }
 
+#ifdef WITH_SSH1
 /*
  * Decrypt session_key_int using our private server key and private host key
  * (key with larger modulus first).
@@ -2210,10 +2217,10 @@ ssh1_session_key(BIGNUM *session_key_int)
                             SSH_KEY_BITS_RESERVED);
                 }
                 if (rsa_private_decrypt(session_key_int, session_key_int,
-                    sensitive_data.server_key->rsa) <= 0)
+                    sensitive_data.server_key->rsa) != 0)
                         rsafail++;
                 if (rsa_private_decrypt(session_key_int, session_key_int,
-                    sensitive_data.ssh1_host_key->rsa) <= 0)
+                    sensitive_data.ssh1_host_key->rsa) != 0)
                         rsafail++;
         } else {
                 /* Host key has bigger modulus (or they are equal). */
@@ -2228,14 +2235,15 @@ ssh1_session_key(BIGNUM *session_key_int)
                             SSH_KEY_BITS_RESERVED);
                 }
                 if (rsa_private_decrypt(session_key_int, session_key_int,
-                    sensitive_data.ssh1_host_key->rsa) < 0)
+                    sensitive_data.ssh1_host_key->rsa) != 0)
                         rsafail++;
                 if (rsa_private_decrypt(session_key_int, session_key_int,
-                    sensitive_data.server_key->rsa) < 0)
+                    sensitive_data.server_key->rsa) != 0)
                         rsafail++;
         }
         return (rsafail);
 }
+
 /*
  * SSH1 key exchange
  */
@@ -2413,6 +2421,7 @@ do_ssh1_kex(void)
         packet_send();
         packet_write_wait();
 }
+#endif
 
 void
 sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
@@ -2437,6 +2446,7 @@ sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
 static void
 do_ssh2_kex(void)
 {
+        char *myproposal[PROPOSAL_MAX] = { KEX_SERVER };
         Kex *kex;
 
         if (options.ciphers != NULL) {
@@ -2462,6 +2472,9 @@ do_ssh2_kex(void)
         if (options.kex_algorithms != NULL)
                 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
 
+        myproposal[PROPOSAL_KEX_ALGS] = compat_kex_proposal(
+            myproposal[PROPOSAL_KEX_ALGS]);
+
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                     (time_t)options.rekey_interval);
@@ -2471,11 +2484,13 @@ do_ssh2_kex(void)
 
         /* start key exchange */
         kex = kex_setup(myproposal);
+#ifdef WITH_OPENSSL
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
         kex->server = 1;
         kex->client_version_string=client_version_string;
@@ -2508,7 +2523,8 @@ cleanup_exit(int i)
 {
         if (the_authctxt) {
                 do_cleanup(the_authctxt);
-                if (use_privsep && privsep_is_preauth && pmonitor->m_pid > 1) {
+                if (use_privsep && privsep_is_preauth &&
+                    pmonitor != NULL && pmonitor->m_pid > 1) {
                         debug("Killing privsep child %d", pmonitor->m_pid);
                         if (kill(pmonitor->m_pid, SIGKILL) != 0 &&
                             errno != ESRCH)
diff --git a/sshd_config.0 b/sshd_config.0
index 413c26008..1c82d449f 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -1,4 +1,4 @@
-SSHD_CONFIG(5)            OpenBSD Programmer's Manual           SSHD_CONFIG(5)
+SSHD_CONFIG(5)                File Formats Manual               SSHD_CONFIG(5)
 
 NAME
      sshd_config - OpenSSH SSH daemon configuration file
@@ -62,6 +62,16 @@ DESCRIPTION
              are also denied shell access, as they can always install their
              own forwarders.
 
+     AllowStreamLocalForwarding
+             Specifies whether StreamLocal (Unix-domain socket) forwarding is
+             permitted.  The available options are ``yes'' or ``all'' to allow
+             StreamLocal forwarding, ``no'' to prevent all StreamLocal
+             forwarding, ``local'' to allow local (from the perspective of
+             ssh(1)) forwarding only or ``remote'' to allow remote forwarding
+             only.  The default is ``yes''.  Note that disabling StreamLocal
+             forwarding does not improve security unless users are also denied
+             shell access, as they can always install their own forwarders.
+
      AllowUsers
              This keyword can be followed by a list of user name patterns,
              separated by spaces.  If specified, login is allowed only for
@@ -168,7 +178,7 @@ DESCRIPTION
 
      ChallengeResponseAuthentication
              Specifies whether challenge-response authentication is allowed
-             (e.g. via PAM or though authentication styles supported in
+             (e.g. via PAM or through authentication styles supported in
              login.conf(5)) The default is ``yes''.
 
      ChrootDirectory
@@ -191,8 +201,9 @@ DESCRIPTION
              stderr(4), arandom(4) and tty(4) devices.  For file transfer
              sessions using ``sftp'', no additional configuration of the
              environment is necessary if the in-process sftp server is used,
-             though sessions which use logging do require /dev/log inside the
-             chroot directory (see sftp-server(8) for details).
+             though sessions which use logging may require /dev/log inside the
+             chroot directory on some operating systems (see sftp-server(8)
+             for details).
 
              The default is not to chroot(2).
 
@@ -200,19 +211,27 @@ DESCRIPTION
              Specifies the ciphers allowed for protocol version 2.  Multiple
              ciphers must be comma-separated.  The supported ciphers are:
 
-             ``3des-cbc'', ``aes128-cbc'', ``aes192-cbc'', ``aes256-cbc'',
-             ``aes128-ctr'', ``aes192-ctr'', ``aes256-ctr'',
-             ``aes128-gcm@openssh.com'', ``aes256-gcm@openssh.com'',
-             ``arcfour128'', ``arcfour256'', ``arcfour'', ``blowfish-cbc'',
-             ``cast128-cbc'', and ``chacha20-poly1305@openssh.com''.
+                   3des-cbc
+                   aes128-cbc
+                   aes192-cbc
+                   aes256-cbc
+                   aes128-ctr
+                   aes192-ctr
+                   aes256-ctr
+                   aes128-gcm@openssh.com
+                   aes256-gcm@openssh.com
+                   arcfour
+                   arcfour128
+                   arcfour256
+                   blowfish-cbc
+                   cast128-cbc
+                   chacha20-poly1305@openssh.com
 
              The default is:
 
-                aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
-                aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-                chacha20-poly1305@openssh.com,
-                aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-                aes256-cbc,arcfour
+                   aes128-ctr,aes192-ctr,aes256-ctr,
+                   aes128-gcm@openssh.com,aes256-gcm@openssh.com,
+                   chacha20-poly1305@openssh.com
 
              The list of available ciphers may also be obtained using the -Q
              option of ssh(1).
@@ -403,14 +422,24 @@ DESCRIPTION
 
      KexAlgorithms
              Specifies the available KEX (Key Exchange) algorithms.  Multiple
-             algorithms must be comma-separated.  The default is
+             algorithms must be comma-separated.  The supported algorithms
+             are:
+
+                   curve25519-sha256@libssh.org
+                   diffie-hellman-group1-sha1
+                   diffie-hellman-group14-sha1
+                   diffie-hellman-group-exchange-sha1
+                   diffie-hellman-group-exchange-sha256
+                   ecdh-sha2-nistp256
+                   ecdh-sha2-nistp384
+                   ecdh-sha2-nistp521
+
+             The default is:
 
                    curve25519-sha256@libssh.org,
                    ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
                    diffie-hellman-group-exchange-sha256,
-                   diffie-hellman-group-exchange-sha1,
-                   diffie-hellman-group14-sha1,
-                   diffie-hellman-group1-sha1
+                   diffie-hellman-group14-sha1
 
      KeyRegenerationInterval
              In protocol version 1, the ephemeral server key is automatically
@@ -452,16 +481,33 @@ DESCRIPTION
              data integrity protection.  Multiple algorithms must be comma-
              separated.  The algorithms that contain ``-etm'' calculate the
              MAC after encryption (encrypt-then-mac).  These are considered
-             safer and their use recommended.  The default is:
+             safer and their use recommended.  The supported MACs are:
+
+                   hmac-md5
+                   hmac-md5-96
+                   hmac-ripemd160
+                   hmac-sha1
+                   hmac-sha1-96
+                   hmac-sha2-256
+                   hmac-sha2-512
+                   umac-64@openssh.com
+                   umac-128@openssh.com
+                   hmac-md5-etm@openssh.com
+                   hmac-md5-96-etm@openssh.com
+                   hmac-ripemd160-etm@openssh.com
+                   hmac-sha1-etm@openssh.com
+                   hmac-sha1-96-etm@openssh.com
+                   hmac-sha2-256-etm@openssh.com
+                   hmac-sha2-512-etm@openssh.com
+                   umac-64-etm@openssh.com
+                   umac-128-etm@openssh.com
+
+             The default is:
 
-                   hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
                    umac-64-etm@openssh.com,umac-128-etm@openssh.com,
                    hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-                   hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-                   hmac-md5-96-etm@openssh.com,
-                   hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-                   hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
-                   hmac-sha1-96,hmac-md5-96
+                   umac-64@openssh.com,umac-128@openssh.com,
+                   hmac-sha2-256,hmac-sha2-512
 
      Match   Introduces a conditional block.  If all of the criteria on the
              Match line are satisfied, the keywords on the following lines
@@ -496,7 +542,7 @@ DESCRIPTION
              KbdInteractiveAuthentication, KerberosAuthentication,
              MaxAuthTries, MaxSessions, PasswordAuthentication,
              PermitEmptyPasswords, PermitOpen, PermitRootLogin, PermitTTY,
-             PermitTunnel, PubkeyAuthentication, RekeyLimit,
+             PermitTunnel, PermitUserRC, PubkeyAuthentication, RekeyLimit,
              RhostsRSAAuthentication, RSAAuthentication, X11DisplayOffset,
              X11Forwarding and X11UseLocalHost.
 
@@ -580,6 +626,10 @@ DESCRIPTION
              bypass access restrictions in some configurations using
              mechanisms such as LD_PRELOAD.
 
+     PermitUserRC
+             Specifies whether any ~/.ssh/rc file is executed.  The default is
+             ``yes''.
+
      PidFile
              Specifies the file that contains the process ID of the SSH
              daemon.  The default is /var/run/sshd.pid.
@@ -650,6 +700,27 @@ DESCRIPTION
              Defines the number of bits in the ephemeral protocol version 1
              server key.  The minimum value is 512, and the default is 1024.
 
+     StreamLocalBindMask
+             Sets the octal file creation mode mask (umask) used when creating
+             a Unix-domain socket file for local or remote port forwarding.
+             This option is only used for port forwarding to a Unix-domain
+             socket file.
+
+             The default value is 0177, which creates a Unix-domain socket
+             file that is readable and writable only by the owner.  Note that
+             not all operating systems honor the file mode on Unix-domain
+             socket files.
+
+     StreamLocalBindUnlink
+             Specifies whether to remove an existing Unix-domain socket file
+             for local or remote port forwarding before creating a new one.
+             If the socket file already exists and StreamLocalBindUnlink is
+             not enabled, sshd will be unable to forward the port to the Unix-
+             domain socket file.  This option is only used for port forwarding
+             to a Unix-domain socket file.
+
+             The argument must be ``yes'' or ``no''.  The default is ``no''.
+
      StrictModes
              Specifies whether sshd(8) should check file modes and ownership
              of the user's files and home directory before accepting login.
@@ -832,4 +903,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 5.5                    February 27, 2014                   OpenBSD 5.5
+OpenBSD 5.6                      July 28, 2014                     OpenBSD 5.6
diff --git a/sshd_config.5 b/sshd_config.5
index ce71efe3c..fd44abe75 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
-.Dd $Mdocdate: February 27 2014 $
+.\" $OpenBSD: sshd_config.5,v 1.176 2014/07/28 15:40:08 schwarze Exp $
+.Dd $Mdocdate: July 28 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -140,6 +140,26 @@ The default is
 Note that disabling TCP forwarding does not improve security unless
 users are also denied shell access, as they can always install their
 own forwarders.
+.It Cm AllowStreamLocalForwarding
+Specifies whether StreamLocal (Unix-domain socket) forwarding is permitted.
+The available options are
+.Dq yes
+or
+.Dq all
+to allow StreamLocal forwarding,
+.Dq no
+to prevent all StreamLocal forwarding,
+.Dq local
+to allow local (from the perspective of
+.Xr ssh 1 )
+forwarding only or
+.Dq remote
+to allow remote forwarding only.
+The default is
+.Dq yes .
+Note that disabling StreamLocal forwarding does not improve security unless
+users are also denied shell access, as they can always install their
+own forwarders.
 .It Cm AllowUsers
 This keyword can be followed by a list of user name patterns, separated
 by spaces.
@@ -283,7 +303,7 @@ This option is only available for protocol version 2.
 By default, no banner is displayed.
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
-PAM or though authentication styles supported in
+PAM or through authentication styles supported in
 .Xr login.conf 5 )
 The default is
 .Dq yes .
@@ -324,9 +344,9 @@ For file transfer sessions using
 .Dq sftp ,
 no additional configuration of the environment is necessary if the
 in-process sftp server is used,
-though sessions which use logging do require
+though sessions which use logging may require
 .Pa /dev/log
-inside the chroot directory (see
+inside the chroot directory on some operating systems (see
 .Xr sftp-server 8
 for details).
 .Pp
@@ -337,30 +357,44 @@ Specifies the ciphers allowed for protocol version 2.
 Multiple ciphers must be comma-separated.
 The supported ciphers are:
 .Pp
-.Dq 3des-cbc ,
-.Dq aes128-cbc ,
-.Dq aes192-cbc ,
-.Dq aes256-cbc ,
-.Dq aes128-ctr ,
-.Dq aes192-ctr ,
-.Dq aes256-ctr ,
-.Dq aes128-gcm@openssh.com ,
-.Dq aes256-gcm@openssh.com ,
-.Dq arcfour128 ,
-.Dq arcfour256 ,
-.Dq arcfour ,
-.Dq blowfish-cbc ,
-.Dq cast128-cbc ,
-and
-.Dq chacha20-poly1305@openssh.com .
+.Bl -item -compact -offset indent
+.It
+3des-cbc
+.It
+aes128-cbc
+.It
+aes192-cbc
+.It
+aes256-cbc
+.It
+aes128-ctr
+.It
+aes192-ctr
+.It
+aes256-ctr
+.It
+aes128-gcm@openssh.com
+.It
+aes256-gcm@openssh.com
+.It
+arcfour
+.It
+arcfour128
+.It
+arcfour256
+.It
+blowfish-cbc
+.It
+cast128-cbc
+.It
+chacha20-poly1305@openssh.com
+.El
 .Pp
 The default is:
-.Bd -literal -offset 3n
-aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,
+.Bd -literal -offset indent
+aes128-ctr,aes192-ctr,aes256-ctr,
 aes128-gcm@openssh.com,aes256-gcm@openssh.com,
-chacha20-poly1305@openssh.com,
-aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,
-aes256-cbc,arcfour
+chacha20-poly1305@openssh.com
 .Ed
 .Pp
 The list of available ciphers may also be obtained using the
@@ -672,14 +706,33 @@ The default is
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-The default is
+The supported algorithms are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+curve25519-sha256@libssh.org
+.It
+diffie-hellman-group1-sha1
+.It
+diffie-hellman-group14-sha1
+.It
+diffie-hellman-group-exchange-sha1
+.It
+diffie-hellman-group-exchange-sha256
+.It
+ecdh-sha2-nistp256
+.It
+ecdh-sha2-nistp384
+.It
+ecdh-sha2-nistp521
+.El
+.Pp
+The default is:
 .Bd -literal -offset indent
 curve25519-sha256@libssh.org,
 ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
 diffie-hellman-group-exchange-sha256,
-diffie-hellman-group-exchange-sha1,
-diffie-hellman-group14-sha1,
-diffie-hellman-group1-sha1
+diffie-hellman-group14-sha1
 .Ed
 .It Cm KeyRegenerationInterval
 In protocol version 1, the ephemeral server key is automatically regenerated
@@ -751,16 +804,53 @@ The algorithms that contain
 .Dq -etm
 calculate the MAC after encryption (encrypt-then-mac).
 These are considered safer and their use recommended.
+The supported MACs are:
+.Pp
+.Bl -item -compact -offset indent
+.It
+hmac-md5
+.It
+hmac-md5-96
+.It
+hmac-ripemd160
+.It
+hmac-sha1
+.It
+hmac-sha1-96
+.It
+hmac-sha2-256
+.It
+hmac-sha2-512
+.It
+umac-64@openssh.com
+.It
+umac-128@openssh.com
+.It
+hmac-md5-etm@openssh.com
+.It
+hmac-md5-96-etm@openssh.com
+.It
+hmac-ripemd160-etm@openssh.com
+.It
+hmac-sha1-etm@openssh.com
+.It
+hmac-sha1-96-etm@openssh.com
+.It
+hmac-sha2-256-etm@openssh.com
+.It
+hmac-sha2-512-etm@openssh.com
+.It
+umac-64-etm@openssh.com
+.It
+umac-128-etm@openssh.com
+.El
+.Pp
 The default is:
 .Bd -literal -offset indent
-hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,
 umac-64-etm@openssh.com,umac-128-etm@openssh.com,
 hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,
-hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,
-hmac-md5-96-etm@openssh.com,
-hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
-hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
-hmac-sha1-96,hmac-md5-96
+umac-64@openssh.com,umac-128@openssh.com,
+hmac-sha2-256,hmac-sha2-512
 .Ed
 .It Cm Match
 Introduces a conditional block.
@@ -842,6 +932,7 @@ Available keywords are
 .Cm PermitRootLogin ,
 .Cm PermitTTY ,
 .Cm PermitTunnel ,
+.Cm PermitUserRC ,
 .Cm PubkeyAuthentication ,
 .Cm RekeyLimit ,
 .Cm RhostsRSAAuthentication ,
@@ -990,6 +1081,12 @@ The default is
 Enabling environment processing may enable users to bypass access
 restrictions in some configurations using mechanisms such as
 .Ev LD_PRELOAD .
+.It Cm PermitUserRC
+Specifies whether any
+.Pa ~/.ssh/rc
+file is executed.
+The default is
+.Dq yes .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 SSH daemon.
@@ -1094,6 +1191,33 @@ This option applies to protocol version 1 only.
 .It Cm ServerKeyBits
 Defines the number of bits in the ephemeral protocol version 1 server key.
 The minimum value is 512, and the default is 1024.
+.It Cm StreamLocalBindMask
+Sets the octal file creation mode mask
+.Pq umask
+used when creating a Unix-domain socket file for local or remote
+port forwarding.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The default value is 0177, which creates a Unix-domain socket file that is
+readable and writable only by the owner.
+Note that not all operating systems honor the file mode on Unix-domain
+socket files.
+.It Cm StreamLocalBindUnlink
+Specifies whether to remove an existing Unix-domain socket file for local
+or remote port forwarding before creating a new one.
+If the socket file already exists and
+.Cm StreamLocalBindUnlink
+is not enabled,
+.Nm sshd
+will be unable to forward the port to the Unix-domain socket file.
+This option is only used for port forwarding to a Unix-domain socket file.
+.Pp
+The argument must be
+.Dq yes
+or
+.Dq no .
+The default is
+.Dq no .
 .It Cm StrictModes
 Specifies whether
 .Xr sshd 8
diff --git a/ssherr.c b/ssherr.c
new file mode 100644
index 000000000..49fbb71de
--- /dev/null
+++ b/ssherr.c
@@ -0,0 +1,131 @@
+/*      $OpenBSD: ssherr.c,v 1.1 2014/04/30 05:29:56 djm Exp $  */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <errno.h>
+#include <string.h>
+#include "ssherr.h"
+
+const char *
+ssh_err(int n)
+{
+        switch (n) {
+        case SSH_ERR_SUCCESS:
+                return "success";
+        case SSH_ERR_INTERNAL_ERROR:
+                return "unexpected internal error";
+        case SSH_ERR_ALLOC_FAIL:
+                return "memory allocation failed";
+        case SSH_ERR_MESSAGE_INCOMPLETE:
+                return "incomplete message";
+        case SSH_ERR_INVALID_FORMAT:
+                return "invalid format";
+        case SSH_ERR_BIGNUM_IS_NEGATIVE:
+                return "bignum is negative";
+        case SSH_ERR_STRING_TOO_LARGE:
+                return "string is too large";
+        case SSH_ERR_BIGNUM_TOO_LARGE:
+                return "bignum is too large";
+        case SSH_ERR_ECPOINT_TOO_LARGE:
+                return "elliptic curve point is too large";
+        case SSH_ERR_NO_BUFFER_SPACE:
+                return "insufficient buffer space";
+        case SSH_ERR_INVALID_ARGUMENT:
+                return "invalid argument";
+        case SSH_ERR_KEY_BITS_MISMATCH:
+                return "key bits do not match";
+        case SSH_ERR_EC_CURVE_INVALID:
+                return "invalid elliptic curve";
+        case SSH_ERR_KEY_TYPE_MISMATCH:
+                return "key type does not match";
+        case SSH_ERR_KEY_TYPE_UNKNOWN:
+                return "unknown or unsupported key type";
+        case SSH_ERR_EC_CURVE_MISMATCH:
+                return "elliptic curve does not match";
+        case SSH_ERR_EXPECTED_CERT:
+                return "plain key provided where certificate required";
+        case SSH_ERR_KEY_LACKS_CERTBLOB:
+                return "key lacks certificate data";
+        case SSH_ERR_KEY_CERT_UNKNOWN_TYPE:
+                return "unknown/unsupported certificate type";
+        case SSH_ERR_KEY_CERT_INVALID_SIGN_KEY:
+                return "invalid certificate signing key";
+        case SSH_ERR_KEY_INVALID_EC_VALUE:
+                return "invalid elliptic curve value";
+        case SSH_ERR_SIGNATURE_INVALID:
+                return "incorrect signature";
+        case SSH_ERR_LIBCRYPTO_ERROR:
+                return "error in libcrypto";  /* XXX fetch and return */
+        case SSH_ERR_UNEXPECTED_TRAILING_DATA:
+                return "unexpected bytes remain after decoding";
+        case SSH_ERR_SYSTEM_ERROR:
+                return strerror(errno);
+        case SSH_ERR_KEY_CERT_INVALID:
+                return "invalid certificate";
+        case SSH_ERR_AGENT_COMMUNICATION:
+                return "communication with agent failed";
+        case SSH_ERR_AGENT_FAILURE:
+                return "agent refused operation";
+        case SSH_ERR_DH_GEX_OUT_OF_RANGE:
+                return "DH GEX group out of range";
+        case SSH_ERR_DISCONNECTED:
+                return "disconnected";
+        case SSH_ERR_MAC_INVALID:
+                return "message authentication code incorrect";
+        case SSH_ERR_NO_CIPHER_ALG_MATCH:
+                return "no matching cipher found";
+        case SSH_ERR_NO_MAC_ALG_MATCH:
+                return "no matching MAC found";
+        case SSH_ERR_NO_COMPRESS_ALG_MATCH:
+                return "no matching compression method found";
+        case SSH_ERR_NO_KEX_ALG_MATCH:
+                return "no matching key exchange method found";
+        case SSH_ERR_NO_HOSTKEY_ALG_MATCH:
+                return "no matching host key type found";
+        case SSH_ERR_PROTOCOL_MISMATCH:
+                return "protocol version mismatch";
+        case SSH_ERR_NO_PROTOCOL_VERSION:
+                return "could not read protocol version";
+        case SSH_ERR_NO_HOSTKEY_LOADED:
+                return "could not load host key";
+        case SSH_ERR_NEED_REKEY:
+                return "rekeying not supported by peer";
+        case SSH_ERR_PASSPHRASE_TOO_SHORT:
+                return "passphrase is too short (minimum four characters)";
+        case SSH_ERR_FILE_CHANGED:
+                return "file changed while reading";
+        case SSH_ERR_KEY_UNKNOWN_CIPHER:
+                return "key encrypted using unsupported cipher";
+        case SSH_ERR_KEY_WRONG_PASSPHRASE:
+                return "incorrect passphrase supplied to decrypt private key";
+        case SSH_ERR_KEY_BAD_PERMISSIONS:
+                return "bad permissions";
+        case SSH_ERR_KEY_CERT_MISMATCH:
+                return "certificate does not match key";
+        case SSH_ERR_KEY_NOT_FOUND:
+                return "key not found";
+        case SSH_ERR_AGENT_NOT_PRESENT:
+                return "agent not present";
+        case SSH_ERR_AGENT_NO_IDENTITIES:
+                return "agent contains no identities";
+        case SSH_ERR_KRL_BAD_MAGIC:
+                return "KRL file has invalid magic number";
+        case SSH_ERR_KEY_REVOKED:
+                return "Key is revoked";
+        default:
+                return "unknown error";
+        }
+}
diff --git a/ssherr.h b/ssherr.h
new file mode 100644
index 000000000..106f786ea
--- /dev/null
+++ b/ssherr.h
@@ -0,0 +1,80 @@
+/*      $OpenBSD: ssherr.h,v 1.1 2014/04/30 05:29:56 djm Exp $  */
+/*
+ * Copyright (c) 2011 Damien Miller
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _SSHERR_H
+#define _SSHERR_H
+
+/* XXX are these too granular? not granular enough? I can't decide - djm */
+
+/* Error codes */
+#define SSH_ERR_SUCCESS                         0
+#define SSH_ERR_INTERNAL_ERROR                  -1
+#define SSH_ERR_ALLOC_FAIL                      -2
+#define SSH_ERR_MESSAGE_INCOMPLETE              -3
+#define SSH_ERR_INVALID_FORMAT                  -4
+#define SSH_ERR_BIGNUM_IS_NEGATIVE              -5
+#define SSH_ERR_STRING_TOO_LARGE                -6
+#define SSH_ERR_BIGNUM_TOO_LARGE                -7
+#define SSH_ERR_ECPOINT_TOO_LARGE               -8
+#define SSH_ERR_NO_BUFFER_SPACE                 -9
+#define SSH_ERR_INVALID_ARGUMENT                -10
+#define SSH_ERR_KEY_BITS_MISMATCH               -11
+#define SSH_ERR_EC_CURVE_INVALID                -12
+#define SSH_ERR_KEY_TYPE_MISMATCH               -13
+#define SSH_ERR_KEY_TYPE_UNKNOWN                -14 /* XXX UNSUPPORTED? */
+#define SSH_ERR_EC_CURVE_MISMATCH               -15
+#define SSH_ERR_EXPECTED_CERT                   -16
+#define SSH_ERR_KEY_LACKS_CERTBLOB              -17
+#define SSH_ERR_KEY_CERT_UNKNOWN_TYPE           -18
+#define SSH_ERR_KEY_CERT_INVALID_SIGN_KEY       -19
+#define SSH_ERR_KEY_INVALID_EC_VALUE            -20
+#define SSH_ERR_SIGNATURE_INVALID               -21
+#define SSH_ERR_LIBCRYPTO_ERROR                 -22
+#define SSH_ERR_UNEXPECTED_TRAILING_DATA        -23
+#define SSH_ERR_SYSTEM_ERROR                    -24
+#define SSH_ERR_KEY_CERT_INVALID                -25
+#define SSH_ERR_AGENT_COMMUNICATION             -26
+#define SSH_ERR_AGENT_FAILURE                   -27
+#define SSH_ERR_DH_GEX_OUT_OF_RANGE             -28
+#define SSH_ERR_DISCONNECTED                    -29
+#define SSH_ERR_MAC_INVALID                     -30
+#define SSH_ERR_NO_CIPHER_ALG_MATCH             -31
+#define SSH_ERR_NO_MAC_ALG_MATCH                -32
+#define SSH_ERR_NO_COMPRESS_ALG_MATCH           -33
+#define SSH_ERR_NO_KEX_ALG_MATCH                -34
+#define SSH_ERR_NO_HOSTKEY_ALG_MATCH            -35
+#define SSH_ERR_NO_HOSTKEY_LOADED               -36
+#define SSH_ERR_PROTOCOL_MISMATCH               -37
+#define SSH_ERR_NO_PROTOCOL_VERSION             -38
+#define SSH_ERR_NEED_REKEY                      -39
+#define SSH_ERR_PASSPHRASE_TOO_SHORT            -40
+#define SSH_ERR_FILE_CHANGED                    -41
+#define SSH_ERR_KEY_UNKNOWN_CIPHER              -42
+#define SSH_ERR_KEY_WRONG_PASSPHRASE            -43
+#define SSH_ERR_KEY_BAD_PERMISSIONS             -44
+#define SSH_ERR_KEY_CERT_MISMATCH               -45
+#define SSH_ERR_KEY_NOT_FOUND                   -46
+#define SSH_ERR_AGENT_NOT_PRESENT               -47
+#define SSH_ERR_AGENT_NO_IDENTITIES             -48
+#define SSH_ERR_BUFFER_READ_ONLY                -49
+#define SSH_ERR_KRL_BAD_MAGIC                   -50
+#define SSH_ERR_KEY_REVOKED                     -51
+
+/* Translate a numeric error code to a human-readable error string */
+const char *ssh_err(int n);
+
+#endif /* _SSHERR_H */
diff --git a/sshkey.c b/sshkey.c
new file mode 100644
index 000000000..fdd0c8a89
--- /dev/null
+++ b/sshkey.c
@@ -0,0 +1,3856 @@
+/* $OpenBSD: sshkey.c,v 1.3 2014/07/03 01:45:38 djm Exp $ */
+/*
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ * Copyright (c) 2008 Alexander von Gernler.  All rights reserved.
+ * Copyright (c) 2010,2011 Damien Miller.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+#include "includes.h"
+
+#include <sys/param.h>
+#include <sys/types.h>
+
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+
+#include "crypto_api.h"
+
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#ifdef HAVE_UTIL_H
+#include <util.h>
+#endif /* HAVE_UTIL_H */
+
+#include "ssh2.h"
+#include "ssherr.h"
+#include "misc.h"
+#include "sshbuf.h"
+#include "rsa.h"
+#include "cipher.h"
+#include "digest.h"
+#define SSHKEY_INTERNAL
+#include "sshkey.h"
+
+/* openssh private key file format */
+#define MARK_BEGIN              "-----BEGIN OPENSSH PRIVATE KEY-----\n"
+#define MARK_END                "-----END OPENSSH PRIVATE KEY-----\n"
+#define MARK_BEGIN_LEN          (sizeof(MARK_BEGIN) - 1)
+#define MARK_END_LEN            (sizeof(MARK_END) - 1)
+#define KDFNAME                 "bcrypt"
+#define AUTH_MAGIC              "openssh-key-v1"
+#define SALT_LEN                16
+#define DEFAULT_CIPHERNAME      "aes256-cbc"
+#define DEFAULT_ROUNDS          16
+
+/* Version identification string for SSH v1 identity files. */
+#define LEGACY_BEGIN            "SSH PRIVATE KEY FILE FORMAT 1.1\n"
+
+static int sshkey_from_blob_internal(const u_char *blob, size_t blen,
+    struct sshkey **keyp, int allow_cert);
+
+/* Supported key types */
+struct keytype {
+        const char *name;
+        const char *shortname;
+        int type;
+        int nid;
+        int cert;
+};
+static const struct keytype keytypes[] = {
+        { "ssh-ed25519", "ED25519", KEY_ED25519, 0, 0 },
+        { "ssh-ed25519-cert-v01@openssh.com", "ED25519-CERT",
+            KEY_ED25519_CERT, 0, 1 },
+#ifdef WITH_OPENSSL
+        { NULL, "RSA1", KEY_RSA1, 0, 0 },
+        { "ssh-rsa", "RSA", KEY_RSA, 0, 0 },
+        { "ssh-dss", "DSA", KEY_DSA, 0, 0 },
+# ifdef OPENSSL_HAS_ECC
+        { "ecdsa-sha2-nistp256", "ECDSA", KEY_ECDSA, NID_X9_62_prime256v1, 0 },
+        { "ecdsa-sha2-nistp384", "ECDSA", KEY_ECDSA, NID_secp384r1, 0 },
+#  ifdef OPENSSL_HAS_NISTP521
+        { "ecdsa-sha2-nistp521", "ECDSA", KEY_ECDSA, NID_secp521r1, 0 },
+#  endif /* OPENSSL_HAS_NISTP521 */
+# endif /* OPENSSL_HAS_ECC */
+        { "ssh-rsa-cert-v01@openssh.com", "RSA-CERT", KEY_RSA_CERT, 0, 1 },
+        { "ssh-dss-cert-v01@openssh.com", "DSA-CERT", KEY_DSA_CERT, 0, 1 },
+# ifdef OPENSSL_HAS_ECC
+        { "ecdsa-sha2-nistp256-cert-v01@openssh.com", "ECDSA-CERT",
+            KEY_ECDSA_CERT, NID_X9_62_prime256v1, 1 },
+        { "ecdsa-sha2-nistp384-cert-v01@openssh.com", "ECDSA-CERT",
+            KEY_ECDSA_CERT, NID_secp384r1, 1 },
+#  ifdef OPENSSL_HAS_NISTP521
+        { "ecdsa-sha2-nistp521-cert-v01@openssh.com", "ECDSA-CERT",
+            KEY_ECDSA_CERT, NID_secp521r1, 1 },
+#  endif /* OPENSSL_HAS_NISTP521 */
+# endif /* OPENSSL_HAS_ECC */
+        { "ssh-rsa-cert-v00@openssh.com", "RSA-CERT-V00",
+            KEY_RSA_CERT_V00, 0, 1 },
+        { "ssh-dss-cert-v00@openssh.com", "DSA-CERT-V00",
+            KEY_DSA_CERT_V00, 0, 1 },
+#endif /* WITH_OPENSSL */
+        { NULL, NULL, -1, -1, 0 }
+};
+
+const char *
+sshkey_type(const struct sshkey *k)
+{
+        const struct keytype *kt;
+
+        for (kt = keytypes; kt->type != -1; kt++) {
+                if (kt->type == k->type)
+                        return kt->shortname;
+        }
+        return "unknown";
+}
+
+static const char *
+sshkey_ssh_name_from_type_nid(int type, int nid)
+{
+        const struct keytype *kt;
+
+        for (kt = keytypes; kt->type != -1; kt++) {
+                if (kt->type == type && (kt->nid == 0 || kt->nid == nid))
+                        return kt->name;
+        }
+        return "ssh-unknown";
+}
+
+int
+sshkey_type_is_cert(int type)
+{
+        const struct keytype *kt;
+
+        for (kt = keytypes; kt->type != -1; kt++) {
+                if (kt->type == type)
+                        return kt->cert;
+        }
+        return 0;
+}
+
+const char *
+sshkey_ssh_name(const struct sshkey *k)
+{
+        return sshkey_ssh_name_from_type_nid(k->type, k->ecdsa_nid);
+}
+
+const char *
+sshkey_ssh_name_plain(const struct sshkey *k)
+{
+        return sshkey_ssh_name_from_type_nid(sshkey_type_plain(k->type),
+            k->ecdsa_nid);
+}
+
+int
+sshkey_type_from_name(const char *name)
+{
+        const struct keytype *kt;
+
+        for (kt = keytypes; kt->type != -1; kt++) {
+                /* Only allow shortname matches for plain key types */
+                if ((kt->name != NULL && strcmp(name, kt->name) == 0) ||
+                    (!kt->cert && strcasecmp(kt->shortname, name) == 0))
+                        return kt->type;
+        }
+        return KEY_UNSPEC;
+}
+
+int
+sshkey_ecdsa_nid_from_name(const char *name)
+{
+        const struct keytype *kt;
+
+        for (kt = keytypes; kt->type != -1; kt++) {
+                if (kt->type != KEY_ECDSA && kt->type != KEY_ECDSA_CERT)
+                        continue;
+                if (kt->name != NULL && strcmp(name, kt->name) == 0)
+                        return kt->nid;
+        }
+        return -1;
+}
+
+char *
+key_alg_list(int certs_only, int plain_only)
+{
+        char *tmp, *ret = NULL;
+        size_t nlen, rlen = 0;
+        const struct keytype *kt;
+
+        for (kt = keytypes; kt->type != -1; kt++) {
+                if (kt->name == NULL)
+                        continue;
+                if ((certs_only && !kt->cert) || (plain_only && kt->cert))
+                        continue;
+                if (ret != NULL)
+                        ret[rlen++] = '\n';
+                nlen = strlen(kt->name);
+                if ((tmp = realloc(ret, rlen + nlen + 2)) == NULL) {
+                        free(ret);
+                        return NULL;
+                }
+                ret = tmp;
+                memcpy(ret + rlen, kt->name, nlen + 1);
+                rlen += nlen;
+        }
+        return ret;
+}
+
+int
+sshkey_names_valid2(const char *names)
+{
+        char *s, *cp, *p;
+
+        if (names == NULL || strcmp(names, "") == 0)
+                return 0;
+        if ((s = cp = strdup(names)) == NULL)
+                return 0;
+        for ((p = strsep(&cp, ",")); p && *p != '\0';
+            (p = strsep(&cp, ","))) {
+                switch (sshkey_type_from_name(p)) {
+                case KEY_RSA1:
+                case KEY_UNSPEC:
+                        free(s);
+                        return 0;
+                }
+        }
+        free(s);
+        return 1;
+}
+
+u_int
+sshkey_size(const struct sshkey *k)
+{
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                return BN_num_bits(k->rsa->n);
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                return BN_num_bits(k->dsa->p);
+        case KEY_ECDSA:
+        case KEY_ECDSA_CERT:
+                return sshkey_curve_nid_to_bits(k->ecdsa_nid);
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                return 256;     /* XXX */
+        }
+        return 0;
+}
+
+int
+sshkey_cert_is_legacy(const struct sshkey *k)
+{
+        switch (k->type) {
+        case KEY_DSA_CERT_V00:
+        case KEY_RSA_CERT_V00:
+                return 1;
+        default:
+                return 0;
+        }
+}
+
+static int
+sshkey_type_is_valid_ca(int type)
+{
+        switch (type) {
+        case KEY_RSA:
+        case KEY_DSA:
+        case KEY_ECDSA:
+        case KEY_ED25519:
+                return 1;
+        default:
+                return 0;
+        }
+}
+
+int
+sshkey_is_cert(const struct sshkey *k)
+{
+        if (k == NULL)
+                return 0;
+        return sshkey_type_is_cert(k->type);
+}
+
+/* Return the cert-less equivalent to a certified key type */
+int
+sshkey_type_plain(int type)
+{
+        switch (type) {
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                return KEY_RSA;
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                return KEY_DSA;
+        case KEY_ECDSA_CERT:
+                return KEY_ECDSA;
+        case KEY_ED25519_CERT:
+                return KEY_ED25519;
+        default:
+                return type;
+        }
+}
+
+#ifdef WITH_OPENSSL
+/* XXX: these are really begging for a table-driven approach */
+int
+sshkey_curve_name_to_nid(const char *name)
+{
+        if (strcmp(name, "nistp256") == 0)
+                return NID_X9_62_prime256v1;
+        else if (strcmp(name, "nistp384") == 0)
+                return NID_secp384r1;
+# ifdef OPENSSL_HAS_NISTP521
+        else if (strcmp(name, "nistp521") == 0)
+                return NID_secp521r1;
+# endif /* OPENSSL_HAS_NISTP521 */
+        else
+                return -1;
+}
+
+u_int
+sshkey_curve_nid_to_bits(int nid)
+{
+        switch (nid) {
+        case NID_X9_62_prime256v1:
+                return 256;
+        case NID_secp384r1:
+                return 384;
+# ifdef OPENSSL_HAS_NISTP521
+        case NID_secp521r1:
+                return 521;
+# endif /* OPENSSL_HAS_NISTP521 */
+        default:
+                return 0;
+        }
+}
+
+int
+sshkey_ecdsa_bits_to_nid(int bits)
+{
+        switch (bits) {
+        case 256:
+                return NID_X9_62_prime256v1;
+        case 384:
+                return NID_secp384r1;
+# ifdef OPENSSL_HAS_NISTP521
+        case 521:
+                return NID_secp521r1;
+# endif /* OPENSSL_HAS_NISTP521 */
+        default:
+                return -1;
+        }
+}
+
+const char *
+sshkey_curve_nid_to_name(int nid)
+{
+        switch (nid) {
+        case NID_X9_62_prime256v1:
+                return "nistp256";
+        case NID_secp384r1:
+                return "nistp384";
+# ifdef OPENSSL_HAS_NISTP521
+        case NID_secp521r1:
+                return "nistp521";
+# endif /* OPENSSL_HAS_NISTP521 */
+        default:
+                return NULL;
+        }
+}
+
+int
+sshkey_ec_nid_to_hash_alg(int nid)
+{
+        int kbits = sshkey_curve_nid_to_bits(nid);
+
+        if (kbits <= 0)
+                return -1;
+
+        /* RFC5656 section 6.2.1 */
+        if (kbits <= 256)
+                return SSH_DIGEST_SHA256;
+        else if (kbits <= 384)
+                return SSH_DIGEST_SHA384;
+        else
+                return SSH_DIGEST_SHA512;
+}
+#endif /* WITH_OPENSSL */
+
+static void
+cert_free(struct sshkey_cert *cert)
+{
+        u_int i;
+
+        if (cert == NULL)
+                return;
+        if (cert->certblob != NULL)
+                sshbuf_free(cert->certblob);
+        if (cert->critical != NULL)
+                sshbuf_free(cert->critical);
+        if (cert->extensions != NULL)
+                sshbuf_free(cert->extensions);
+        if (cert->key_id != NULL)
+                free(cert->key_id);
+        for (i = 0; i < cert->nprincipals; i++)
+                free(cert->principals[i]);
+        if (cert->principals != NULL)
+                free(cert->principals);
+        if (cert->signature_key != NULL)
+                sshkey_free(cert->signature_key);
+        explicit_bzero(cert, sizeof(*cert));
+        free(cert);
+}
+
+static struct sshkey_cert *
+cert_new(void)
+{
+        struct sshkey_cert *cert;
+
+        if ((cert = calloc(1, sizeof(*cert))) == NULL)
+                return NULL;
+        if ((cert->certblob = sshbuf_new()) == NULL ||
+            (cert->critical = sshbuf_new()) == NULL ||
+            (cert->extensions = sshbuf_new()) == NULL) {
+                cert_free(cert);
+                return NULL;
+        }
+        cert->key_id = NULL;
+        cert->principals = NULL;
+        cert->signature_key = NULL;
+        return cert;
+}
+
+struct sshkey *
+sshkey_new(int type)
+{
+        struct sshkey *k;
+#ifdef WITH_OPENSSL
+        RSA *rsa;
+        DSA *dsa;
+#endif /* WITH_OPENSSL */
+
+        if ((k = calloc(1, sizeof(*k))) == NULL)
+                return NULL;
+        k->type = type;
+        k->ecdsa = NULL;
+        k->ecdsa_nid = -1;
+        k->dsa = NULL;
+        k->rsa = NULL;
+        k->cert = NULL;
+        k->ed25519_sk = NULL;
+        k->ed25519_pk = NULL;
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if ((rsa = RSA_new()) == NULL ||
+                    (rsa->n = BN_new()) == NULL ||
+                    (rsa->e = BN_new()) == NULL) {
+                        if (rsa != NULL)
+                                RSA_free(rsa);
+                        free(k);
+                        return NULL;
+                }
+                k->rsa = rsa;
+                break;
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if ((dsa = DSA_new()) == NULL ||
+                    (dsa->p = BN_new()) == NULL ||
+                    (dsa->q = BN_new()) == NULL ||
+                    (dsa->g = BN_new()) == NULL ||
+                    (dsa->pub_key = BN_new()) == NULL) {
+                        if (dsa != NULL)
+                                DSA_free(dsa);
+                        free(k);
+                        return NULL;
+                }
+                k->dsa = dsa;
+                break;
+        case KEY_ECDSA:
+        case KEY_ECDSA_CERT:
+                /* Cannot do anything until we know the group */
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                /* no need to prealloc */
+                break;
+        case KEY_UNSPEC:
+                break;
+        default:
+                free(k);
+                return NULL;
+                break;
+        }
+
+        if (sshkey_is_cert(k)) {
+                if ((k->cert = cert_new()) == NULL) {
+                        sshkey_free(k);
+                        return NULL;
+                }
+        }
+
+        return k;
+}
+
+int
+sshkey_add_private(struct sshkey *k)
+{
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+#define bn_maybe_alloc_failed(p) (p == NULL && (p = BN_new()) == NULL)
+                if (bn_maybe_alloc_failed(k->rsa->d) ||
+                    bn_maybe_alloc_failed(k->rsa->iqmp) ||
+                    bn_maybe_alloc_failed(k->rsa->q) ||
+                    bn_maybe_alloc_failed(k->rsa->p) ||
+                    bn_maybe_alloc_failed(k->rsa->dmq1) ||
+                    bn_maybe_alloc_failed(k->rsa->dmp1))
+                        return SSH_ERR_ALLOC_FAIL;
+                break;
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if (bn_maybe_alloc_failed(k->dsa->priv_key))
+                        return SSH_ERR_ALLOC_FAIL;
+                break;
+#undef bn_maybe_alloc_failed
+        case KEY_ECDSA:
+        case KEY_ECDSA_CERT:
+                /* Cannot do anything until we know the group */
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                /* no need to prealloc */
+                break;
+        case KEY_UNSPEC:
+                break;
+        default:
+                return SSH_ERR_INVALID_ARGUMENT;
+        }
+        return 0;
+}
+
+struct sshkey *
+sshkey_new_private(int type)
+{
+        struct sshkey *k = sshkey_new(type);
+
+        if (k == NULL)
+                return NULL;
+        if (sshkey_add_private(k) != 0) {
+                sshkey_free(k);
+                return NULL;
+        }
+        return k;
+}
+
+void
+sshkey_free(struct sshkey *k)
+{
+        if (k == NULL)
+                return;
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if (k->rsa != NULL)
+                        RSA_free(k->rsa);
+                k->rsa = NULL;
+                break;
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if (k->dsa != NULL)
+                        DSA_free(k->dsa);
+                k->dsa = NULL;
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+        case KEY_ECDSA_CERT:
+                if (k->ecdsa != NULL)
+                        EC_KEY_free(k->ecdsa);
+                k->ecdsa = NULL;
+                break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                if (k->ed25519_pk) {
+                        explicit_bzero(k->ed25519_pk, ED25519_PK_SZ);
+                        free(k->ed25519_pk);
+                        k->ed25519_pk = NULL;
+                }
+                if (k->ed25519_sk) {
+                        explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);
+                        free(k->ed25519_sk);
+                        k->ed25519_sk = NULL;
+                }
+                break;
+        case KEY_UNSPEC:
+                break;
+        default:
+                break;
+        }
+        if (sshkey_is_cert(k))
+                cert_free(k->cert);
+        explicit_bzero(k, sizeof(*k));
+        free(k);
+}
+
+static int
+cert_compare(struct sshkey_cert *a, struct sshkey_cert *b)
+{
+        if (a == NULL && b == NULL)
+                return 1;
+        if (a == NULL || b == NULL)
+                return 0;
+        if (sshbuf_len(a->certblob) != sshbuf_len(b->certblob))
+                return 0;
+        if (timingsafe_bcmp(sshbuf_ptr(a->certblob), sshbuf_ptr(b->certblob),
+            sshbuf_len(a->certblob)) != 0)
+                return 0;
+        return 1;
+}
+
+/*
+ * Compare public portions of key only, allowing comparisons between
+ * certificates and plain keys too.
+ */
+int
+sshkey_equal_public(const struct sshkey *a, const struct sshkey *b)
+{
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+        BN_CTX *bnctx;
+#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
+
+        if (a == NULL || b == NULL ||
+            sshkey_type_plain(a->type) != sshkey_type_plain(b->type))
+                return 0;
+
+        switch (a->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+        case KEY_RSA:
+                return a->rsa != NULL && b->rsa != NULL &&
+                    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+                    BN_cmp(a->rsa->n, b->rsa->n) == 0;
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+        case KEY_DSA:
+                return a->dsa != NULL && b->dsa != NULL &&
+                    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+                    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+                    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+                    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA_CERT:
+        case KEY_ECDSA:
+                if (a->ecdsa == NULL || b->ecdsa == NULL ||
+                    EC_KEY_get0_public_key(a->ecdsa) == NULL ||
+                    EC_KEY_get0_public_key(b->ecdsa) == NULL)
+                        return 0;
+                if ((bnctx = BN_CTX_new()) == NULL)
+                        return 0;
+                if (EC_GROUP_cmp(EC_KEY_get0_group(a->ecdsa),
+                    EC_KEY_get0_group(b->ecdsa), bnctx) != 0 ||
+                    EC_POINT_cmp(EC_KEY_get0_group(a->ecdsa),
+                    EC_KEY_get0_public_key(a->ecdsa),
+                    EC_KEY_get0_public_key(b->ecdsa), bnctx) != 0) {
+                        BN_CTX_free(bnctx);
+                        return 0;
+                }
+                BN_CTX_free(bnctx);
+                return 1;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                return a->ed25519_pk != NULL && b->ed25519_pk != NULL &&
+                    memcmp(a->ed25519_pk, b->ed25519_pk, ED25519_PK_SZ) == 0;
+        default:
+                return 0;
+        }
+        /* NOTREACHED */
+}
+
+int
+sshkey_equal(const struct sshkey *a, const struct sshkey *b)
+{
+        if (a == NULL || b == NULL || a->type != b->type)
+                return 0;
+        if (sshkey_is_cert(a)) {
+                if (!cert_compare(a->cert, b->cert))
+                        return 0;
+        }
+        return sshkey_equal_public(a, b);
+}
+
+static int
+to_blob_buf(const struct sshkey *key, struct sshbuf *b, int force_plain)
+{
+        int type, ret = SSH_ERR_INTERNAL_ERROR;
+        const char *typename;
+
+        if (key == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+
+        type = force_plain ? sshkey_type_plain(key->type) : key->type;
+        typename = sshkey_ssh_name_from_type_nid(type, key->ecdsa_nid);
+
+        switch (type) {
+#ifdef WITH_OPENSSL
+        case KEY_DSA_CERT_V00:
+        case KEY_RSA_CERT_V00:
+        case KEY_DSA_CERT:
+        case KEY_ECDSA_CERT:
+        case KEY_RSA_CERT:
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519_CERT:
+                /* Use the existing blob */
+                /* XXX modified flag? */
+                if ((ret = sshbuf_putb(b, key->cert->certblob)) != 0)
+                        return ret;
+                break;
+#ifdef WITH_OPENSSL
+        case KEY_DSA:
+                if (key->dsa == NULL)
+                        return SSH_ERR_INVALID_ARGUMENT;
+                if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
+                    (ret = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
+                    (ret = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
+                    (ret = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
+                    (ret = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0)
+                        return ret;
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                if (key->ecdsa == NULL)
+                        return SSH_ERR_INVALID_ARGUMENT;
+                if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
+                    (ret = sshbuf_put_cstring(b,
+                    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
+                    (ret = sshbuf_put_eckey(b, key->ecdsa)) != 0)
+                        return ret;
+                break;
+# endif
+        case KEY_RSA:
+                if (key->rsa == NULL)
+                        return SSH_ERR_INVALID_ARGUMENT;
+                if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
+                    (ret = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
+                    (ret = sshbuf_put_bignum2(b, key->rsa->n)) != 0)
+                        return ret;
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+                if (key->ed25519_pk == NULL)
+                        return SSH_ERR_INVALID_ARGUMENT;
+                if ((ret = sshbuf_put_cstring(b, typename)) != 0 ||
+                    (ret = sshbuf_put_string(b,
+                    key->ed25519_pk, ED25519_PK_SZ)) != 0)
+                        return ret;
+                break;
+        default:
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        }
+        return 0;
+}
+
+int
+sshkey_to_blob_buf(const struct sshkey *key, struct sshbuf *b)
+{
+        return to_blob_buf(key, b, 0);
+}
+
+int
+sshkey_plain_to_blob_buf(const struct sshkey *key, struct sshbuf *b)
+{
+        return to_blob_buf(key, b, 1);
+}
+
+static int
+to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp, int force_plain)
+{
+        int ret = SSH_ERR_INTERNAL_ERROR;
+        size_t len;
+        struct sshbuf *b = NULL;
+
+        if (lenp != NULL)
+                *lenp = 0;
+        if (blobp != NULL)
+                *blobp = NULL;
+        if ((b = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((ret = to_blob_buf(key, b, force_plain)) != 0)
+                goto out;
+        len = sshbuf_len(b);
+        if (lenp != NULL)
+                *lenp = len;
+        if (blobp != NULL) {
+                if ((*blobp = malloc(len)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                memcpy(*blobp, sshbuf_ptr(b), len);
+        }
+        ret = 0;
+ out:
+        sshbuf_free(b);
+        return ret;
+}
+
+int
+sshkey_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
+{
+        return to_blob(key, blobp, lenp, 0);
+}
+
+int
+sshkey_plain_to_blob(const struct sshkey *key, u_char **blobp, size_t *lenp)
+{
+        return to_blob(key, blobp, lenp, 1);
+}
+
+int
+sshkey_fingerprint_raw(const struct sshkey *k, enum sshkey_fp_type dgst_type,
+    u_char **retp, size_t *lenp)
+{
+        u_char *blob = NULL, *ret = NULL;
+        size_t blob_len = 0;
+        int hash_alg = -1, r = SSH_ERR_INTERNAL_ERROR;
+
+        if (retp != NULL)
+                *retp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+
+        switch (dgst_type) {
+        case SSH_FP_MD5:
+                hash_alg = SSH_DIGEST_MD5;
+                break;
+        case SSH_FP_SHA1:
+                hash_alg = SSH_DIGEST_SHA1;
+                break;
+        case SSH_FP_SHA256:
+                hash_alg = SSH_DIGEST_SHA256;
+                break;
+        default:
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
+
+        if (k->type == KEY_RSA1) {
+#ifdef WITH_OPENSSL
+                int nlen = BN_num_bytes(k->rsa->n);
+                int elen = BN_num_bytes(k->rsa->e);
+
+                blob_len = nlen + elen;
+                if (nlen >= INT_MAX - elen ||
+                    (blob = malloc(blob_len)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                BN_bn2bin(k->rsa->n, blob);
+                BN_bn2bin(k->rsa->e, blob + nlen);
+#endif /* WITH_OPENSSL */
+        } else if ((r = to_blob(k, &blob, &blob_len, 1)) != 0)
+                goto out;
+        if ((ret = calloc(1, SSH_DIGEST_MAX_LENGTH)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = ssh_digest_memory(hash_alg, blob, blob_len,
+            ret, SSH_DIGEST_MAX_LENGTH)) != 0)
+                goto out;
+        /* success */
+        if (retp != NULL) {
+                *retp = ret;
+                ret = NULL;
+        }
+        if (lenp != NULL)
+                *lenp = ssh_digest_bytes(hash_alg);
+        r = 0;
+ out:
+        free(ret);
+        if (blob != NULL) {
+                explicit_bzero(blob, blob_len);
+                free(blob);
+        }
+        return r;
+}
+
+static char *
+fingerprint_hex(u_char *dgst_raw, size_t dgst_raw_len)
+{
+        char *retval;
+        size_t i;
+
+        if ((retval = calloc(1, dgst_raw_len * 3 + 1)) == NULL)
+                return NULL;
+        for (i = 0; i < dgst_raw_len; i++) {
+                char hex[4];
+                snprintf(hex, sizeof(hex), "%02x:", dgst_raw[i]);
+                strlcat(retval, hex, dgst_raw_len * 3 + 1);
+        }
+
+        /* Remove the trailing ':' character */
+        retval[(dgst_raw_len * 3) - 1] = '\0';
+        return retval;
+}
+
+static char *
+fingerprint_bubblebabble(u_char *dgst_raw, size_t dgst_raw_len)
+{
+        char vowels[] = { 'a', 'e', 'i', 'o', 'u', 'y' };
+        char consonants[] = { 'b', 'c', 'd', 'f', 'g', 'h', 'k', 'l', 'm',
+            'n', 'p', 'r', 's', 't', 'v', 'z', 'x' };
+        u_int i, j = 0, rounds, seed = 1;
+        char *retval;
+
+        rounds = (dgst_raw_len / 2) + 1;
+        if ((retval = calloc(rounds, 6)) == NULL)
+                return NULL;
+        retval[j++] = 'x';
+        for (i = 0; i < rounds; i++) {
+                u_int idx0, idx1, idx2, idx3, idx4;
+                if ((i + 1 < rounds) || (dgst_raw_len % 2 != 0)) {
+                        idx0 = (((((u_int)(dgst_raw[2 * i])) >> 6) & 3) +
+                            seed) % 6;
+                        idx1 = (((u_int)(dgst_raw[2 * i])) >> 2) & 15;
+                        idx2 = ((((u_int)(dgst_raw[2 * i])) & 3) +
+                            (seed / 6)) % 6;
+                        retval[j++] = vowels[idx0];
+                        retval[j++] = consonants[idx1];
+                        retval[j++] = vowels[idx2];
+                        if ((i + 1) < rounds) {
+                                idx3 = (((u_int)(dgst_raw[(2 * i) + 1])) >> 4) & 15;
+                                idx4 = (((u_int)(dgst_raw[(2 * i) + 1]))) & 15;
+                                retval[j++] = consonants[idx3];
+                                retval[j++] = '-';
+                                retval[j++] = consonants[idx4];
+                                seed = ((seed * 5) +
+                                    ((((u_int)(dgst_raw[2 * i])) * 7) +
+                                    ((u_int)(dgst_raw[(2 * i) + 1])))) % 36;
+                        }
+                } else {
+                        idx0 = seed % 6;
+                        idx1 = 16;
+                        idx2 = seed / 6;
+                        retval[j++] = vowels[idx0];
+                        retval[j++] = consonants[idx1];
+                        retval[j++] = vowels[idx2];
+                }
+        }
+        retval[j++] = 'x';
+        retval[j++] = '\0';
+        return retval;
+}
+
+/*
+ * Draw an ASCII-Art representing the fingerprint so human brain can
+ * profit from its built-in pattern recognition ability.
+ * This technique is called "random art" and can be found in some
+ * scientific publications like this original paper:
+ *
+ * "Hash Visualization: a New Technique to improve Real-World Security",
+ * Perrig A. and Song D., 1999, International Workshop on Cryptographic
+ * Techniques and E-Commerce (CrypTEC '99)
+ * sparrow.ece.cmu.edu/~adrian/projects/validation/validation.pdf
+ *
+ * The subject came up in a talk by Dan Kaminsky, too.
+ *
+ * If you see the picture is different, the key is different.
+ * If the picture looks the same, you still know nothing.
+ *
+ * The algorithm used here is a worm crawling over a discrete plane,
+ * leaving a trace (augmenting the field) everywhere it goes.
+ * Movement is taken from dgst_raw 2bit-wise.  Bumping into walls
+ * makes the respective movement vector be ignored for this turn.
+ * Graphs are not unambiguous, because circles in graphs can be
+ * walked in either direction.
+ */
+
+/*
+ * Field sizes for the random art.  Have to be odd, so the starting point
+ * can be in the exact middle of the picture, and FLDBASE should be >=8 .
+ * Else pictures would be too dense, and drawing the frame would
+ * fail, too, because the key type would not fit in anymore.
+ */
+#define FLDBASE         8
+#define FLDSIZE_Y       (FLDBASE + 1)
+#define FLDSIZE_X       (FLDBASE * 2 + 1)
+static char *
+fingerprint_randomart(u_char *dgst_raw, size_t dgst_raw_len,
+    const struct sshkey *k)
+{
+        /*
+         * Chars to be used after each other every time the worm
+         * intersects with itself.  Matter of taste.
+         */
+        char    *augmentation_string = " .o+=*BOX@%&#/^SE";
+        char    *retval, *p, title[FLDSIZE_X];
+        u_char   field[FLDSIZE_X][FLDSIZE_Y];
+        size_t   i, tlen;
+        u_int    b;
+        int      x, y, r;
+        size_t   len = strlen(augmentation_string) - 1;
+
+        if ((retval = calloc((FLDSIZE_X + 3), (FLDSIZE_Y + 2))) == NULL)
+                return NULL;
+
+        /* initialize field */
+        memset(field, 0, FLDSIZE_X * FLDSIZE_Y * sizeof(char));
+        x = FLDSIZE_X / 2;
+        y = FLDSIZE_Y / 2;
+
+        /* process raw key */
+        for (i = 0; i < dgst_raw_len; i++) {
+                int input;
+                /* each byte conveys four 2-bit move commands */
+                input = dgst_raw[i];
+                for (b = 0; b < 4; b++) {
+                        /* evaluate 2 bit, rest is shifted later */
+                        x += (input & 0x1) ? 1 : -1;
+                        y += (input & 0x2) ? 1 : -1;
+
+                        /* assure we are still in bounds */
+                        x = MAX(x, 0);
+                        y = MAX(y, 0);
+                        x = MIN(x, FLDSIZE_X - 1);
+                        y = MIN(y, FLDSIZE_Y - 1);
+
+                        /* augment the field */
+                        if (field[x][y] < len - 2)
+                                field[x][y]++;
+                        input = input >> 2;
+                }
+        }
+
+        /* mark starting point and end point*/
+        field[FLDSIZE_X / 2][FLDSIZE_Y / 2] = len - 1;
+        field[x][y] = len;
+
+        /* assemble title */
+        r = snprintf(title, sizeof(title), "[%s %u]",
+                sshkey_type(k), sshkey_size(k));
+        /* If [type size] won't fit, then try [type]; fits "[ED25519-CERT]" */
+        if (r < 0 || r > (int)sizeof(title))
+                snprintf(title, sizeof(title), "[%s]", sshkey_type(k));
+        tlen = strlen(title);
+
+        /* output upper border */
+        p = retval;
+        *p++ = '+';
+        for (i = 0; i < (FLDSIZE_X - tlen) / 2; i++)
+                *p++ = '-';
+        memcpy(p, title, tlen);
+        p += tlen;
+        for (i = p - retval - 1; i < FLDSIZE_X; i++)
+                *p++ = '-';
+        *p++ = '+';
+        *p++ = '\n';
+
+        /* output content */
+        for (y = 0; y < FLDSIZE_Y; y++) {
+                *p++ = '|';
+                for (x = 0; x < FLDSIZE_X; x++)
+                        *p++ = augmentation_string[MIN(field[x][y], len)];
+                *p++ = '|';
+                *p++ = '\n';
+        }
+
+        /* output lower border */
+        *p++ = '+';
+        for (i = 0; i < FLDSIZE_X; i++)
+                *p++ = '-';
+        *p++ = '+';
+
+        return retval;
+}
+
+char *
+sshkey_fingerprint(const struct sshkey *k, enum sshkey_fp_type dgst_type,
+    enum sshkey_fp_rep dgst_rep)
+{
+        char *retval = NULL;
+        u_char *dgst_raw;
+        size_t dgst_raw_len;
+
+        if (sshkey_fingerprint_raw(k, dgst_type, &dgst_raw, &dgst_raw_len) != 0)
+                return NULL;
+        switch (dgst_rep) {
+        case SSH_FP_HEX:
+                retval = fingerprint_hex(dgst_raw, dgst_raw_len);
+                break;
+        case SSH_FP_BUBBLEBABBLE:
+                retval = fingerprint_bubblebabble(dgst_raw, dgst_raw_len);
+                break;
+        case SSH_FP_RANDOMART:
+                retval = fingerprint_randomart(dgst_raw, dgst_raw_len, k);
+                break;
+        default:
+                explicit_bzero(dgst_raw, dgst_raw_len);
+                free(dgst_raw);
+                return NULL;
+        }
+        explicit_bzero(dgst_raw, dgst_raw_len);
+        free(dgst_raw);
+        return retval;
+}
+
+#ifdef WITH_SSH1
+/*
+ * Reads a multiple-precision integer in decimal from the buffer, and advances
+ * the pointer.  The integer must already be initialized.  This function is
+ * permitted to modify the buffer.  This leaves *cpp to point just beyond the
+ * last processed character.
+ */
+static int
+read_decimal_bignum(char **cpp, BIGNUM *v)
+{
+        char *cp;
+        size_t e;
+        int skip = 1;   /* skip white space */
+
+        cp = *cpp;
+        while (*cp == ' ' || *cp == '\t')
+                cp++;
+        e = strspn(cp, "0123456789");
+        if (e == 0)
+                return SSH_ERR_INVALID_FORMAT;
+        if (e > SSHBUF_MAX_BIGNUM * 3)
+                return SSH_ERR_BIGNUM_TOO_LARGE;
+        if (cp[e] == '\0')
+                skip = 0;
+        else if (index(" \t\r\n", cp[e]) == NULL)
+                return SSH_ERR_INVALID_FORMAT;
+        cp[e] = '\0';
+        if (BN_dec2bn(&v, cp) <= 0)
+                return SSH_ERR_INVALID_FORMAT;
+        *cpp = cp + e + skip;
+        return 0;
+}
+#endif /* WITH_SSH1 */
+
+/* returns 0 ok, and < 0 error */
+int
+sshkey_read(struct sshkey *ret, char **cpp)
+{
+        struct sshkey *k;
+        int retval = SSH_ERR_INVALID_FORMAT;
+        char *cp, *space;
+        int r, type, curve_nid = -1;
+        struct sshbuf *blob;
+#ifdef WITH_SSH1
+        char *ep;
+        u_long bits;
+#endif /* WITH_SSH1 */
+
+        cp = *cpp;
+
+        switch (ret->type) {
+        case KEY_RSA1:
+#ifdef WITH_SSH1
+                /* Get number of bits. */
+                bits = strtoul(cp, &ep, 10);
+                if (*cp == '\0' || index(" \t\r\n", *ep) == NULL ||
+                    bits == 0 || bits > SSHBUF_MAX_BIGNUM * 8)
+                        return SSH_ERR_INVALID_FORMAT;  /* Bad bit count... */
+                /* Get public exponent, public modulus. */
+                if ((r = read_decimal_bignum(&ep, ret->rsa->e)) < 0)
+                        return r;
+                if ((r = read_decimal_bignum(&ep, ret->rsa->n)) < 0)
+                        return r;
+                *cpp = ep;
+                /* validate the claimed number of bits */
+                if (BN_num_bits(ret->rsa->n) != (int)bits)
+                        return SSH_ERR_KEY_BITS_MISMATCH;
+                retval = 0;
+#endif /* WITH_SSH1 */
+                break;
+        case KEY_UNSPEC:
+        case KEY_RSA:
+        case KEY_DSA:
+        case KEY_ECDSA:
+        case KEY_ED25519:
+        case KEY_DSA_CERT_V00:
+        case KEY_RSA_CERT_V00:
+        case KEY_DSA_CERT:
+        case KEY_ECDSA_CERT:
+        case KEY_RSA_CERT:
+        case KEY_ED25519_CERT:
+                space = strchr(cp, ' ');
+                if (space == NULL)
+                        return SSH_ERR_INVALID_FORMAT;
+                *space = '\0';
+                type = sshkey_type_from_name(cp);
+                if (sshkey_type_plain(type) == KEY_ECDSA &&
+                    (curve_nid = sshkey_ecdsa_nid_from_name(cp)) == -1)
+                        return SSH_ERR_EC_CURVE_INVALID;
+                *space = ' ';
+                if (type == KEY_UNSPEC)
+                        return SSH_ERR_INVALID_FORMAT;
+                cp = space+1;
+                if (*cp == '\0')
+                        return SSH_ERR_INVALID_FORMAT;
+                if (ret->type == KEY_UNSPEC) {
+                        ret->type = type;
+                } else if (ret->type != type)
+                        return SSH_ERR_KEY_TYPE_MISMATCH;
+                if ((blob = sshbuf_new()) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                /* trim comment */
+                space = strchr(cp, ' ');
+                if (space)
+                        *space = '\0';
+                if ((r = sshbuf_b64tod(blob, cp)) != 0) {
+                        sshbuf_free(blob);
+                        return r;
+                }
+                if ((r = sshkey_from_blob(sshbuf_ptr(blob),
+                    sshbuf_len(blob), &k)) != 0) {
+                        sshbuf_free(blob);
+                        return r;
+                }
+                sshbuf_free(blob);
+                if (k->type != type) {
+                        sshkey_free(k);
+                        return SSH_ERR_KEY_TYPE_MISMATCH;
+                }
+                if (sshkey_type_plain(type) == KEY_ECDSA &&
+                    curve_nid != k->ecdsa_nid) {
+                        sshkey_free(k);
+                        return SSH_ERR_EC_CURVE_MISMATCH;
+                }
+/*XXXX*/
+                if (sshkey_is_cert(ret)) {
+                        if (!sshkey_is_cert(k)) {
+                                sshkey_free(k);
+                                return SSH_ERR_EXPECTED_CERT;
+                        }
+                        if (ret->cert != NULL)
+                                cert_free(ret->cert);
+                        ret->cert = k->cert;
+                        k->cert = NULL;
+                }
+#ifdef WITH_OPENSSL
+                if (sshkey_type_plain(ret->type) == KEY_RSA) {
+                        if (ret->rsa != NULL)
+                                RSA_free(ret->rsa);
+                        ret->rsa = k->rsa;
+                        k->rsa = NULL;
+#ifdef DEBUG_PK
+                        RSA_print_fp(stderr, ret->rsa, 8);
+#endif
+                }
+                if (sshkey_type_plain(ret->type) == KEY_DSA) {
+                        if (ret->dsa != NULL)
+                                DSA_free(ret->dsa);
+                        ret->dsa = k->dsa;
+                        k->dsa = NULL;
+#ifdef DEBUG_PK
+                        DSA_print_fp(stderr, ret->dsa, 8);
+#endif
+                }
+# ifdef OPENSSL_HAS_ECC
+                if (sshkey_type_plain(ret->type) == KEY_ECDSA) {
+                        if (ret->ecdsa != NULL)
+                                EC_KEY_free(ret->ecdsa);
+                        ret->ecdsa = k->ecdsa;
+                        ret->ecdsa_nid = k->ecdsa_nid;
+                        k->ecdsa = NULL;
+                        k->ecdsa_nid = -1;
+#ifdef DEBUG_PK
+                        sshkey_dump_ec_key(ret->ecdsa);
+#endif
+                }
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+                if (sshkey_type_plain(ret->type) == KEY_ED25519) {
+                        free(ret->ed25519_pk);
+                        ret->ed25519_pk = k->ed25519_pk;
+                        k->ed25519_pk = NULL;
+#ifdef DEBUG_PK
+                        /* XXX */
+#endif
+                }
+                retval = 0;
+/*XXXX*/
+                sshkey_free(k);
+                if (retval != 0)
+                        break;
+                /* advance cp: skip whitespace and data */
+                while (*cp == ' ' || *cp == '\t')
+                        cp++;
+                while (*cp != '\0' && *cp != ' ' && *cp != '\t')
+                        cp++;
+                *cpp = cp;
+                break;
+        default:
+                return SSH_ERR_INVALID_ARGUMENT;
+        }
+        return retval;
+}
+
+int
+sshkey_write(const struct sshkey *key, FILE *f)
+{
+        int ret = SSH_ERR_INTERNAL_ERROR;
+        struct sshbuf *b = NULL, *bb = NULL;
+        char *uu = NULL;
+#ifdef WITH_SSH1
+        u_int bits = 0;
+        char *dec_e = NULL, *dec_n = NULL;
+#endif /* WITH_SSH1 */
+
+        if (sshkey_is_cert(key)) {
+                if (key->cert == NULL)
+                        return SSH_ERR_EXPECTED_CERT;
+                if (sshbuf_len(key->cert->certblob) == 0)
+                        return SSH_ERR_KEY_LACKS_CERTBLOB;
+        }
+        if ((b = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        switch (key->type) {
+#ifdef WITH_SSH1
+        case KEY_RSA1:
+                if (key->rsa == NULL || key->rsa->e == NULL ||
+                    key->rsa->n == NULL) {
+                        ret = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((dec_e = BN_bn2dec(key->rsa->e)) == NULL ||
+                    (dec_n = BN_bn2dec(key->rsa->n)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                /* size of modulus 'n' */
+                if ((bits = BN_num_bits(key->rsa->n)) <= 0) {
+                        ret = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((ret = sshbuf_putf(b, "%u %s %s", bits, dec_e, dec_n)) != 0)
+                        goto out;
+#endif /* WITH_SSH1 */
+                break;
+#ifdef WITH_OPENSSL
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+        case KEY_ECDSA:
+        case KEY_ECDSA_CERT:
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                if ((bb = sshbuf_new()) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((ret = sshkey_to_blob_buf(key, bb)) != 0)
+                        goto out;
+                if ((uu = sshbuf_dtob64(bb)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((ret = sshbuf_putf(b, "%s ", sshkey_ssh_name(key))) != 0)
+                        goto out;
+                if ((ret = sshbuf_put(b, uu, strlen(uu))) != 0)
+                        goto out;
+                break;
+        default:
+                ret = SSH_ERR_KEY_TYPE_UNKNOWN;
+                goto out;
+        }
+        if (fwrite(sshbuf_ptr(b), sshbuf_len(b), 1, f) != 1) {
+                if (feof(f))
+                        errno = EPIPE;
+                ret = SSH_ERR_SYSTEM_ERROR;
+                goto out;
+        }
+        ret = 0;
+ out:
+        if (b != NULL)
+                sshbuf_free(b);
+        if (bb != NULL)
+                sshbuf_free(bb);
+        if (uu != NULL)
+                free(uu);
+#ifdef WITH_SSH1
+        if (dec_e != NULL)
+                OPENSSL_free(dec_e);
+        if (dec_n != NULL)
+                OPENSSL_free(dec_n);
+#endif /* WITH_SSH1 */
+        return ret;
+}
+
+const char *
+sshkey_cert_type(const struct sshkey *k)
+{
+        switch (k->cert->type) {
+        case SSH2_CERT_TYPE_USER:
+                return "user";
+        case SSH2_CERT_TYPE_HOST:
+                return "host";
+        default:
+                return "unknown";
+        }
+}
+
+#ifdef WITH_OPENSSL
+static int
+rsa_generate_private_key(u_int bits, RSA **rsap)
+{
+        RSA *private = NULL;
+        BIGNUM *f4 = NULL;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (rsap == NULL ||
+            bits < SSH_RSA_MINIMUM_MODULUS_SIZE ||
+            bits > SSHBUF_MAX_BIGNUM * 8)
+                return SSH_ERR_INVALID_ARGUMENT;
+        *rsap = NULL;
+        if ((private = RSA_new()) == NULL || (f4 = BN_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (!BN_set_word(f4, RSA_F4) ||
+            !RSA_generate_key_ex(private, bits, f4, NULL)) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        *rsap = private;
+        private = NULL;
+        ret = 0;
+ out:
+        if (private != NULL)
+                RSA_free(private);
+        if (f4 != NULL)
+                BN_free(f4);
+        return ret;
+}
+
+static int
+dsa_generate_private_key(u_int bits, DSA **dsap)
+{
+        DSA *private;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (dsap == NULL || bits != 1024)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if ((private = DSA_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        *dsap = NULL;
+        if (!DSA_generate_parameters_ex(private, bits, NULL, 0, NULL,
+            NULL, NULL) || !DSA_generate_key(private)) {
+                DSA_free(private);
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        *dsap = private;
+        private = NULL;
+        ret = 0;
+ out:
+        if (private != NULL)
+                DSA_free(private);
+        return ret;
+}
+
+# ifdef OPENSSL_HAS_ECC
+int
+sshkey_ecdsa_key_to_nid(EC_KEY *k)
+{
+        EC_GROUP *eg;
+        int nids[] = {
+                NID_X9_62_prime256v1,
+                NID_secp384r1,
+#  ifdef OPENSSL_HAS_NISTP521
+                NID_secp521r1,
+#  endif /* OPENSSL_HAS_NISTP521 */
+                -1
+        };
+        int nid;
+        u_int i;
+        BN_CTX *bnctx;
+        const EC_GROUP *g = EC_KEY_get0_group(k);
+
+        /*
+         * The group may be stored in a ASN.1 encoded private key in one of two
+         * ways: as a "named group", which is reconstituted by ASN.1 object ID
+         * or explicit group parameters encoded into the key blob. Only the
+         * "named group" case sets the group NID for us, but we can figure
+         * it out for the other case by comparing against all the groups that
+         * are supported.
+         */
+        if ((nid = EC_GROUP_get_curve_name(g)) > 0)
+                return nid;
+        if ((bnctx = BN_CTX_new()) == NULL)
+                return -1;
+        for (i = 0; nids[i] != -1; i++) {
+                if ((eg = EC_GROUP_new_by_curve_name(nids[i])) == NULL) {
+                        BN_CTX_free(bnctx);
+                        return -1;
+                }
+                if (EC_GROUP_cmp(g, eg, bnctx) == 0)
+                        break;
+                EC_GROUP_free(eg);
+        }
+        BN_CTX_free(bnctx);
+        if (nids[i] != -1) {
+                /* Use the group with the NID attached */
+                EC_GROUP_set_asn1_flag(eg, OPENSSL_EC_NAMED_CURVE);
+                if (EC_KEY_set_group(k, eg) != 1) {
+                        EC_GROUP_free(eg);
+                        return -1;
+                }
+        }
+        return nids[i];
+}
+
+static int
+ecdsa_generate_private_key(u_int bits, int *nid, EC_KEY **ecdsap)
+{
+        EC_KEY *private;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (nid == NULL || ecdsap == NULL ||
+            (*nid = sshkey_ecdsa_bits_to_nid(bits)) == -1)
+                return SSH_ERR_INVALID_ARGUMENT;
+        *ecdsap = NULL;
+        if ((private = EC_KEY_new_by_curve_name(*nid)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (EC_KEY_generate_key(private) != 1) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        EC_KEY_set_asn1_flag(private, OPENSSL_EC_NAMED_CURVE);
+        *ecdsap = private;
+        private = NULL;
+        ret = 0;
+ out:
+        if (private != NULL)
+                EC_KEY_free(private);
+        return ret;
+}
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+
+int
+sshkey_generate(int type, u_int bits, struct sshkey **keyp)
+{
+        struct sshkey *k;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (keyp == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+        *keyp = NULL;
+        if ((k = sshkey_new(KEY_UNSPEC)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        switch (type) {
+        case KEY_ED25519:
+                if ((k->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL ||
+                    (k->ed25519_sk = malloc(ED25519_SK_SZ)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        break;
+                }
+                crypto_sign_ed25519_keypair(k->ed25519_pk, k->ed25519_sk);
+                ret = 0;
+                break;
+#ifdef WITH_OPENSSL
+        case KEY_DSA:
+                ret = dsa_generate_private_key(bits, &k->dsa);
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                ret = ecdsa_generate_private_key(bits, &k->ecdsa_nid,
+                    &k->ecdsa);
+                break;
+# endif /* OPENSSL_HAS_ECC */
+        case KEY_RSA:
+        case KEY_RSA1:
+                ret = rsa_generate_private_key(bits, &k->rsa);
+                break;
+#endif /* WITH_OPENSSL */
+        default:
+                ret = SSH_ERR_INVALID_ARGUMENT;
+        }
+        if (ret == 0) {
+                k->type = type;
+                *keyp = k;
+        } else
+                sshkey_free(k);
+        return ret;
+}
+
+int
+sshkey_cert_copy(const struct sshkey *from_key, struct sshkey *to_key)
+{
+        u_int i;
+        const struct sshkey_cert *from;
+        struct sshkey_cert *to;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (to_key->cert != NULL) {
+                cert_free(to_key->cert);
+                to_key->cert = NULL;
+        }
+
+        if ((from = from_key->cert) == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+
+        if ((to = to_key->cert = cert_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+
+        if ((ret = sshbuf_putb(to->certblob, from->certblob)) != 0 ||
+            (ret = sshbuf_putb(to->critical, from->critical)) != 0 ||
+            (ret = sshbuf_putb(to->extensions, from->extensions) != 0))
+                return ret;
+
+        to->serial = from->serial;
+        to->type = from->type;
+        if (from->key_id == NULL)
+                to->key_id = NULL;
+        else if ((to->key_id = strdup(from->key_id)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        to->valid_after = from->valid_after;
+        to->valid_before = from->valid_before;
+        if (from->signature_key == NULL)
+                to->signature_key = NULL;
+        else if ((ret = sshkey_from_private(from->signature_key,
+            &to->signature_key)) != 0)
+                return ret;
+
+        if (from->nprincipals > SSHKEY_CERT_MAX_PRINCIPALS)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (from->nprincipals > 0) {
+                if ((to->principals = calloc(from->nprincipals,
+                    sizeof(*to->principals))) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                for (i = 0; i < from->nprincipals; i++) {
+                        to->principals[i] = strdup(from->principals[i]);
+                        if (to->principals[i] == NULL) {
+                                to->nprincipals = i;
+                                return SSH_ERR_ALLOC_FAIL;
+                        }
+                }
+        }
+        to->nprincipals = from->nprincipals;
+        return 0;
+}
+
+int
+sshkey_from_private(const struct sshkey *k, struct sshkey **pkp)
+{
+        struct sshkey *n = NULL;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (pkp != NULL)
+                *pkp = NULL;
+
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if ((n = sshkey_new(k->type)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
+                    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
+                    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
+                    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL)) {
+                        sshkey_free(n);
+                        return SSH_ERR_ALLOC_FAIL;
+                }
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+        case KEY_ECDSA_CERT:
+                if ((n = sshkey_new(k->type)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                n->ecdsa_nid = k->ecdsa_nid;
+                n->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
+                if (n->ecdsa == NULL) {
+                        sshkey_free(n);
+                        return SSH_ERR_ALLOC_FAIL;
+                }
+                if (EC_KEY_set_public_key(n->ecdsa,
+                    EC_KEY_get0_public_key(k->ecdsa)) != 1) {
+                        sshkey_free(n);
+                        return SSH_ERR_LIBCRYPTO_ERROR;
+                }
+                break;
+# endif /* OPENSSL_HAS_ECC */
+        case KEY_RSA:
+        case KEY_RSA1:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if ((n = sshkey_new(k->type)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+                    (BN_copy(n->rsa->e, k->rsa->e) == NULL)) {
+                        sshkey_free(n);
+                        return SSH_ERR_ALLOC_FAIL;
+                }
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                if ((n = sshkey_new(k->type)) == NULL)
+                        return SSH_ERR_ALLOC_FAIL;
+                if (k->ed25519_pk != NULL) {
+                        if ((n->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
+                                sshkey_free(n);
+                                return SSH_ERR_ALLOC_FAIL;
+                        }
+                        memcpy(n->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+                }
+                break;
+        default:
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        }
+        if (sshkey_is_cert(k)) {
+                if ((ret = sshkey_cert_copy(k, n)) != 0) {
+                        sshkey_free(n);
+                        return ret;
+                }
+        }
+        *pkp = n;
+        return 0;
+}
+
+static int
+cert_parse(struct sshbuf *b, struct sshkey *key, const u_char *blob,
+    size_t blen)
+{
+        u_char *principals = NULL, *critical = NULL, *exts = NULL;
+        u_char *sig_key = NULL, *sig = NULL;
+        size_t signed_len, plen, clen, sklen, slen, kidlen, elen;
+        struct sshbuf *tmp;
+        char *principal;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+        int v00 = sshkey_cert_is_legacy(key);
+        char **oprincipals;
+
+        if ((tmp = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+
+        /* Copy the entire key blob for verification and later serialisation */
+        if ((ret = sshbuf_put(key->cert->certblob, blob, blen)) != 0)
+                return ret;
+
+        elen = 0; /* Not touched for v00 certs */
+        principals = exts = critical = sig_key = sig = NULL;
+        if ((!v00 && (ret = sshbuf_get_u64(b, &key->cert->serial)) != 0) ||
+            (ret = sshbuf_get_u32(b, &key->cert->type)) != 0 ||
+            (ret = sshbuf_get_cstring(b, &key->cert->key_id, &kidlen)) != 0 ||
+            (ret = sshbuf_get_string(b, &principals, &plen)) != 0 ||
+            (ret = sshbuf_get_u64(b, &key->cert->valid_after)) != 0 ||
+            (ret = sshbuf_get_u64(b, &key->cert->valid_before)) != 0 ||
+            (ret = sshbuf_get_string(b, &critical, &clen)) != 0 ||
+            (!v00 && (ret = sshbuf_get_string(b, &exts, &elen)) != 0) ||
+            (v00 && (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0) ||
+            (ret = sshbuf_get_string_direct(b, NULL, NULL)) != 0 ||
+            (ret = sshbuf_get_string(b, &sig_key, &sklen)) != 0) {
+                /* XXX debug print error for ret */
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        /* Signature is left in the buffer so we can calculate this length */
+        signed_len = sshbuf_len(key->cert->certblob) - sshbuf_len(b);
+
+        if ((ret = sshbuf_get_string(b, &sig, &slen)) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        if (key->cert->type != SSH2_CERT_TYPE_USER &&
+            key->cert->type != SSH2_CERT_TYPE_HOST) {
+                ret = SSH_ERR_KEY_CERT_UNKNOWN_TYPE;
+                goto out;
+        }
+
+        if ((ret = sshbuf_put(tmp, principals, plen)) != 0)
+                goto out;
+        while (sshbuf_len(tmp) > 0) {
+                if (key->cert->nprincipals >= SSHKEY_CERT_MAX_PRINCIPALS) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                if ((ret = sshbuf_get_cstring(tmp, &principal, &plen)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                oprincipals = key->cert->principals;
+                key->cert->principals = realloc(key->cert->principals,
+                    (key->cert->nprincipals + 1) *
+                    sizeof(*key->cert->principals));
+                if (key->cert->principals == NULL) {
+                        free(principal);
+                        key->cert->principals = oprincipals;
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                key->cert->principals[key->cert->nprincipals++] = principal;
+        }
+
+        sshbuf_reset(tmp);
+
+        if ((ret = sshbuf_put(key->cert->critical, critical, clen)) != 0 ||
+            (ret = sshbuf_put(tmp, critical, clen)) != 0)
+                goto out;
+
+        /* validate structure */
+        while (sshbuf_len(tmp) != 0) {
+                if ((ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0 ||
+                    (ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+        }
+        sshbuf_reset(tmp);
+
+        if ((ret = sshbuf_put(key->cert->extensions, exts, elen)) != 0 ||
+            (ret = sshbuf_put(tmp, exts, elen)) != 0)
+                goto out;
+
+        /* validate structure */
+        while (sshbuf_len(tmp) != 0) {
+                if ((ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0 ||
+                    (ret = sshbuf_get_string_direct(tmp, NULL, NULL)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+        }
+        sshbuf_reset(tmp);
+
+        if (sshkey_from_blob_internal(sig_key, sklen,
+            &key->cert->signature_key, 0) != 0) {
+                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
+                goto out;
+        }
+        if (!sshkey_type_is_valid_ca(key->cert->signature_key->type)) {
+                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
+                goto out;
+        }
+
+        if ((ret = sshkey_verify(key->cert->signature_key, sig, slen,
+            sshbuf_ptr(key->cert->certblob), signed_len, 0)) != 0)
+                goto out;
+        ret = 0;
+
+ out:
+        sshbuf_free(tmp);
+        free(principals);
+        free(critical);
+        free(exts);
+        free(sig_key);
+        free(sig);
+        return ret;
+}
+
+static int
+sshkey_from_blob_internal(const u_char *blob, size_t blen,
+    struct sshkey **keyp, int allow_cert)
+{
+        struct sshbuf *b = NULL;
+        int type, nid = -1, ret = SSH_ERR_INTERNAL_ERROR;
+        char *ktype = NULL, *curve = NULL;
+        struct sshkey *key = NULL;
+        size_t len;
+        u_char *pk = NULL;
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+        EC_POINT *q = NULL;
+#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
+
+#ifdef DEBUG_PK /* XXX */
+        dump_base64(stderr, blob, blen);
+#endif
+        *keyp = NULL;
+        if ((b = sshbuf_from(blob, blen)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if (sshbuf_get_cstring(b, &ktype, NULL) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        type = sshkey_type_from_name(ktype);
+        if (sshkey_type_plain(type) == KEY_ECDSA)
+                nid = sshkey_ecdsa_nid_from_name(ktype);
+        if (!allow_cert && sshkey_type_is_cert(type)) {
+                ret = SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
+                goto out;
+        }
+        switch (type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA_CERT:
+                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                /* FALLTHROUGH */
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+                if ((key = sshkey_new(type)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if (sshbuf_get_bignum2(b, key->rsa->e) == -1 ||
+                    sshbuf_get_bignum2(b, key->rsa->n) == -1) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+#ifdef DEBUG_PK
+                RSA_print_fp(stderr, key->rsa, 8);
+#endif
+                break;
+        case KEY_DSA_CERT:
+                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                /* FALLTHROUGH */
+        case KEY_DSA:
+        case KEY_DSA_CERT_V00:
+                if ((key = sshkey_new(type)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if (sshbuf_get_bignum2(b, key->dsa->p) == -1 ||
+                    sshbuf_get_bignum2(b, key->dsa->q) == -1 ||
+                    sshbuf_get_bignum2(b, key->dsa->g) == -1 ||
+                    sshbuf_get_bignum2(b, key->dsa->pub_key) == -1) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+#ifdef DEBUG_PK
+                DSA_print_fp(stderr, key->dsa, 8);
+#endif
+                break;
+        case KEY_ECDSA_CERT:
+                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                /* FALLTHROUGH */
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                if ((key = sshkey_new(type)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                key->ecdsa_nid = nid;
+                if (sshbuf_get_cstring(b, &curve, NULL) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                if (key->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
+                        ret = SSH_ERR_EC_CURVE_MISMATCH;
+                        goto out;
+                }
+                if (key->ecdsa != NULL)
+                        EC_KEY_free(key->ecdsa);
+                if ((key->ecdsa = EC_KEY_new_by_curve_name(key->ecdsa_nid))
+                    == NULL) {
+                        ret = SSH_ERR_EC_CURVE_INVALID;
+                        goto out;
+                }
+                if ((q = EC_POINT_new(EC_KEY_get0_group(key->ecdsa))) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if (sshbuf_get_ec(b, q, EC_KEY_get0_group(key->ecdsa)) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                if (sshkey_ec_validate_public(EC_KEY_get0_group(key->ecdsa),
+                    q) != 0) {
+                        ret = SSH_ERR_KEY_INVALID_EC_VALUE;
+                        goto out;
+                }
+                if (EC_KEY_set_public_key(key->ecdsa, q) != 1) {
+                        /* XXX assume it is a allocation error */
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+#ifdef DEBUG_PK
+                sshkey_dump_ec_point(EC_KEY_get0_group(key->ecdsa), q);
+#endif
+                break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519_CERT:
+                if (sshbuf_get_string_direct(b, NULL, NULL) != 0) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                /* FALLTHROUGH */
+        case KEY_ED25519:
+                if ((ret = sshbuf_get_string(b, &pk, &len)) != 0)
+                        goto out;
+                if (len != ED25519_PK_SZ) {
+                        ret = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                if ((key = sshkey_new(type)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                key->ed25519_pk = pk;
+                pk = NULL;
+                break;
+        case KEY_UNSPEC:
+                if ((key = sshkey_new(type)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                break;
+        default:
+                ret = SSH_ERR_KEY_TYPE_UNKNOWN;
+                goto out;
+        }
+
+        /* Parse certificate potion */
+        if (sshkey_is_cert(key) &&
+           (ret = cert_parse(b, key, blob, blen)) != 0)
+                goto out;
+
+        if (key != NULL && sshbuf_len(b) != 0) {
+                ret = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        ret = 0;
+        *keyp = key;
+        key = NULL;
+ out:
+        sshbuf_free(b);
+        sshkey_free(key);
+        free(ktype);
+        free(curve);
+        free(pk);
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+        if (q != NULL)
+                EC_POINT_free(q);
+#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
+        return ret;
+}
+
+int
+sshkey_from_blob(const u_char *blob, size_t blen, struct sshkey **keyp)
+{
+        return sshkey_from_blob_internal(blob, blen, keyp, 1);
+}
+
+int
+sshkey_sign(const struct sshkey *key,
+    u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat)
+{
+        if (sigp != NULL)
+                *sigp = NULL;
+        if (lenp != NULL)
+                *lenp = 0;
+        if (datalen > SSH_KEY_MAX_SIGN_DATA_SIZE)
+                return SSH_ERR_INVALID_ARGUMENT;
+        switch (key->type) {
+#ifdef WITH_OPENSSL
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+        case KEY_DSA:
+                return ssh_dss_sign(key, sigp, lenp, data, datalen, compat);
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA_CERT:
+        case KEY_ECDSA:
+                return ssh_ecdsa_sign(key, sigp, lenp, data, datalen, compat);
+# endif /* OPENSSL_HAS_ECC */
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+        case KEY_RSA:
+                return ssh_rsa_sign(key, sigp, lenp, data, datalen, compat);
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                return ssh_ed25519_sign(key, sigp, lenp, data, datalen, compat);
+        default:
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        }
+}
+
+/*
+ * ssh_key_verify returns 0 for a correct signature  and < 0 on error.
+ */
+int
+sshkey_verify(const struct sshkey *key,
+    const u_char *sig, size_t siglen,
+    const u_char *data, size_t dlen, u_int compat)
+{
+        if (siglen == 0)
+                return -1;
+
+        if (dlen > SSH_KEY_MAX_SIGN_DATA_SIZE)
+                return SSH_ERR_INVALID_ARGUMENT;
+        switch (key->type) {
+#ifdef WITH_OPENSSL
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+        case KEY_DSA:
+                return ssh_dss_verify(key, sig, siglen, data, dlen, compat);
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA_CERT:
+        case KEY_ECDSA:
+                return ssh_ecdsa_verify(key, sig, siglen, data, dlen, compat);
+# endif /* OPENSSL_HAS_ECC */
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+        case KEY_RSA:
+                return ssh_rsa_verify(key, sig, siglen, data, dlen, compat);
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+        case KEY_ED25519_CERT:
+                return ssh_ed25519_verify(key, sig, siglen, data, dlen, compat);
+        default:
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        }
+}
+
+/* Converts a private to a public key */
+int
+sshkey_demote(const struct sshkey *k, struct sshkey **dkp)
+{
+        struct sshkey *pk;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+
+        if (dkp != NULL)
+                *dkp = NULL;
+
+        if ((pk = calloc(1, sizeof(*pk))) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        pk->type = k->type;
+        pk->flags = k->flags;
+        pk->ecdsa_nid = k->ecdsa_nid;
+        pk->dsa = NULL;
+        pk->ecdsa = NULL;
+        pk->rsa = NULL;
+        pk->ed25519_pk = NULL;
+        pk->ed25519_sk = NULL;
+
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if ((ret = sshkey_cert_copy(k, pk)) != 0)
+                        goto fail;
+                /* FALLTHROUGH */
+        case KEY_RSA1:
+        case KEY_RSA:
+                if ((pk->rsa = RSA_new()) == NULL ||
+                    (pk->rsa->e = BN_dup(k->rsa->e)) == NULL ||
+                    (pk->rsa->n = BN_dup(k->rsa->n)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto fail;
+                        }
+                break;
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if ((ret = sshkey_cert_copy(k, pk)) != 0)
+                        goto fail;
+                /* FALLTHROUGH */
+        case KEY_DSA:
+                if ((pk->dsa = DSA_new()) == NULL ||
+                    (pk->dsa->p = BN_dup(k->dsa->p)) == NULL ||
+                    (pk->dsa->q = BN_dup(k->dsa->q)) == NULL ||
+                    (pk->dsa->g = BN_dup(k->dsa->g)) == NULL ||
+                    (pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto fail;
+                }
+                break;
+        case KEY_ECDSA_CERT:
+                if ((ret = sshkey_cert_copy(k, pk)) != 0)
+                        goto fail;
+                /* FALLTHROUGH */
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                pk->ecdsa = EC_KEY_new_by_curve_name(pk->ecdsa_nid);
+                if (pk->ecdsa == NULL) {
+                        ret = SSH_ERR_ALLOC_FAIL;
+                        goto fail;
+                }
+                if (EC_KEY_set_public_key(pk->ecdsa,
+                    EC_KEY_get0_public_key(k->ecdsa)) != 1) {
+                        ret = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto fail;
+                }
+                break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519_CERT:
+                if ((ret = sshkey_cert_copy(k, pk)) != 0)
+                        goto fail;
+                /* FALLTHROUGH */
+        case KEY_ED25519:
+                if (k->ed25519_pk != NULL) {
+                        if ((pk->ed25519_pk = malloc(ED25519_PK_SZ)) == NULL) {
+                                ret = SSH_ERR_ALLOC_FAIL;
+                                goto fail;
+                        }
+                        memcpy(pk->ed25519_pk, k->ed25519_pk, ED25519_PK_SZ);
+                }
+                break;
+        default:
+                ret = SSH_ERR_KEY_TYPE_UNKNOWN;
+ fail:
+                sshkey_free(pk);
+                return ret;
+        }
+        *dkp = pk;
+        return 0;
+}
+
+/* Convert a plain key to their _CERT equivalent */
+int
+sshkey_to_certified(struct sshkey *k, int legacy)
+{
+        int newtype;
+
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA:
+                newtype = legacy ? KEY_RSA_CERT_V00 : KEY_RSA_CERT;
+                break;
+        case KEY_DSA:
+                newtype = legacy ? KEY_DSA_CERT_V00 : KEY_DSA_CERT;
+                break;
+        case KEY_ECDSA:
+                if (legacy)
+                        return SSH_ERR_INVALID_ARGUMENT;
+                newtype = KEY_ECDSA_CERT;
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+                if (legacy)
+                        return SSH_ERR_INVALID_ARGUMENT;
+                newtype = KEY_ED25519_CERT;
+                break;
+        default:
+                return SSH_ERR_INVALID_ARGUMENT;
+        }
+        if ((k->cert = cert_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        k->type = newtype;
+        return 0;
+}
+
+/* Convert a certificate to its raw key equivalent */
+int
+sshkey_drop_cert(struct sshkey *k)
+{
+        if (!sshkey_type_is_cert(k->type))
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        cert_free(k->cert);
+        k->cert = NULL;
+        k->type = sshkey_type_plain(k->type);
+        return 0;
+}
+
+/* Sign a certified key, (re-)generating the signed certblob. */
+int
+sshkey_certify(struct sshkey *k, struct sshkey *ca)
+{
+        struct sshbuf *principals = NULL;
+        u_char *ca_blob = NULL, *sig_blob = NULL, nonce[32];
+        size_t i, ca_len, sig_len;
+        int ret = SSH_ERR_INTERNAL_ERROR;
+        struct sshbuf *cert;
+
+        if (k == NULL || k->cert == NULL ||
+            k->cert->certblob == NULL || ca == NULL)
+                return SSH_ERR_INVALID_ARGUMENT;
+        if (!sshkey_is_cert(k))
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        if (!sshkey_type_is_valid_ca(ca->type))
+                return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
+
+        if ((ret = sshkey_to_blob(ca, &ca_blob, &ca_len)) != 0)
+                return SSH_ERR_KEY_CERT_INVALID_SIGN_KEY;
+
+        cert = k->cert->certblob; /* for readability */
+        sshbuf_reset(cert);
+        if ((ret = sshbuf_put_cstring(cert, sshkey_ssh_name(k))) != 0)
+                goto out;
+
+        /* -v01 certs put nonce first */
+        arc4random_buf(&nonce, sizeof(nonce));
+        if (!sshkey_cert_is_legacy(k)) {
+                if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
+                        goto out;
+        }
+
+        /* XXX this substantially duplicates to_blob(); refactor */
+        switch (k->type) {
+#ifdef WITH_OPENSSL
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if ((ret = sshbuf_put_bignum2(cert, k->dsa->p)) != 0 ||
+                    (ret = sshbuf_put_bignum2(cert, k->dsa->q)) != 0 ||
+                    (ret = sshbuf_put_bignum2(cert, k->dsa->g)) != 0 ||
+                    (ret = sshbuf_put_bignum2(cert, k->dsa->pub_key)) != 0)
+                        goto out;
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA_CERT:
+                if ((ret = sshbuf_put_cstring(cert,
+                    sshkey_curve_nid_to_name(k->ecdsa_nid))) != 0 ||
+                    (ret = sshbuf_put_ec(cert,
+                    EC_KEY_get0_public_key(k->ecdsa),
+                    EC_KEY_get0_group(k->ecdsa))) != 0)
+                        goto out;
+                break;
+# endif /* OPENSSL_HAS_ECC */
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if ((ret = sshbuf_put_bignum2(cert, k->rsa->e)) != 0 ||
+                    (ret = sshbuf_put_bignum2(cert, k->rsa->n)) != 0)
+                        goto out;
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519_CERT:
+                if ((ret = sshbuf_put_string(cert,
+                    k->ed25519_pk, ED25519_PK_SZ)) != 0)
+                        goto out;
+                break;
+        default:
+                ret = SSH_ERR_INVALID_ARGUMENT;
+        }
+
+        /* -v01 certs have a serial number next */
+        if (!sshkey_cert_is_legacy(k)) {
+                if ((ret = sshbuf_put_u64(cert, k->cert->serial)) != 0)
+                        goto out;
+        }
+
+        if ((ret = sshbuf_put_u32(cert, k->cert->type)) != 0 ||
+            (ret = sshbuf_put_cstring(cert, k->cert->key_id)) != 0)
+                goto out;
+
+        if ((principals = sshbuf_new()) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        for (i = 0; i < k->cert->nprincipals; i++) {
+                if ((ret = sshbuf_put_cstring(principals,
+                    k->cert->principals[i])) != 0)
+                        goto out;
+        }
+        if ((ret = sshbuf_put_stringb(cert, principals)) != 0 ||
+            (ret = sshbuf_put_u64(cert, k->cert->valid_after)) != 0 ||
+            (ret = sshbuf_put_u64(cert, k->cert->valid_before)) != 0 ||
+            (ret = sshbuf_put_stringb(cert, k->cert->critical)) != 0)
+                goto out;
+
+        /* -v01 certs have non-critical options here */
+        if (!sshkey_cert_is_legacy(k)) {
+                if ((ret = sshbuf_put_stringb(cert, k->cert->extensions)) != 0)
+                        goto out;
+        }
+
+        /* -v00 certs put the nonce at the end */
+        if (sshkey_cert_is_legacy(k)) {
+                if ((ret = sshbuf_put_string(cert, nonce, sizeof(nonce))) != 0)
+                        goto out;
+        }
+
+        if ((ret = sshbuf_put_string(cert, NULL, 0)) != 0 || /* Reserved */
+            (ret = sshbuf_put_string(cert, ca_blob, ca_len)) != 0)
+                goto out;
+
+        /* Sign the whole mess */
+        if ((ret = sshkey_sign(ca, &sig_blob, &sig_len, sshbuf_ptr(cert),
+            sshbuf_len(cert), 0)) != 0)
+                goto out;
+
+        /* Append signature and we are done */
+        if ((ret = sshbuf_put_string(cert, sig_blob, sig_len)) != 0)
+                goto out;
+        ret = 0;
+ out:
+        if (ret != 0)
+                sshbuf_reset(cert);
+        if (sig_blob != NULL)
+                free(sig_blob);
+        if (ca_blob != NULL)
+                free(ca_blob);
+        if (principals != NULL)
+                sshbuf_free(principals);
+        return ret;
+}
+
+int
+sshkey_cert_check_authority(const struct sshkey *k,
+    int want_host, int require_principal,
+    const char *name, const char **reason)
+{
+        u_int i, principal_matches;
+        time_t now = time(NULL);
+
+        if (reason != NULL)
+                *reason = NULL;
+
+        if (want_host) {
+                if (k->cert->type != SSH2_CERT_TYPE_HOST) {
+                        *reason = "Certificate invalid: not a host certificate";
+                        return SSH_ERR_KEY_CERT_INVALID;
+                }
+        } else {
+                if (k->cert->type != SSH2_CERT_TYPE_USER) {
+                        *reason = "Certificate invalid: not a user certificate";
+                        return SSH_ERR_KEY_CERT_INVALID;
+                }
+        }
+        if (now < 0) {
+                /* yikes - system clock before epoch! */
+                *reason = "Certificate invalid: not yet valid";
+                return SSH_ERR_KEY_CERT_INVALID;
+        }
+        if ((u_int64_t)now < k->cert->valid_after) {
+                *reason = "Certificate invalid: not yet valid";
+                return SSH_ERR_KEY_CERT_INVALID;
+        }
+        if ((u_int64_t)now >= k->cert->valid_before) {
+                *reason = "Certificate invalid: expired";
+                return SSH_ERR_KEY_CERT_INVALID;
+        }
+        if (k->cert->nprincipals == 0) {
+                if (require_principal) {
+                        *reason = "Certificate lacks principal list";
+                        return SSH_ERR_KEY_CERT_INVALID;
+                }
+        } else if (name != NULL) {
+                principal_matches = 0;
+                for (i = 0; i < k->cert->nprincipals; i++) {
+                        if (strcmp(name, k->cert->principals[i]) == 0) {
+                                principal_matches = 1;
+                                break;
+                        }
+                }
+                if (!principal_matches) {
+                        *reason = "Certificate invalid: name is not a listed "
+                            "principal";
+                        return SSH_ERR_KEY_CERT_INVALID;
+                }
+        }
+        return 0;
+}
+
+int
+sshkey_private_serialize(const struct sshkey *key, struct sshbuf *b)
+{
+        int r = SSH_ERR_INTERNAL_ERROR;
+
+        if ((r = sshbuf_put_cstring(b, sshkey_ssh_name(key))) != 0)
+                goto out;
+        switch (key->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA:
+                if ((r = sshbuf_put_bignum2(b, key->rsa->n)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->e)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
+                        goto out;
+                break;
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
+                        r = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->d)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->iqmp)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->p)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->rsa->q)) != 0)
+                        goto out;
+                break;
+        case KEY_DSA:
+                if ((r = sshbuf_put_bignum2(b, key->dsa->p)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->dsa->q)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->dsa->g)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->dsa->pub_key)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
+                        goto out;
+                break;
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
+                        r = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
+                    (r = sshbuf_put_bignum2(b, key->dsa->priv_key)) != 0)
+                        goto out;
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                if ((r = sshbuf_put_cstring(b,
+                    sshkey_curve_nid_to_name(key->ecdsa_nid))) != 0 ||
+                    (r = sshbuf_put_eckey(b, key->ecdsa)) != 0 ||
+                    (r = sshbuf_put_bignum2(b,
+                    EC_KEY_get0_private_key(key->ecdsa))) != 0)
+                        goto out;
+                break;
+        case KEY_ECDSA_CERT:
+                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
+                        r = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
+                    (r = sshbuf_put_bignum2(b,
+                    EC_KEY_get0_private_key(key->ecdsa))) != 0)
+                        goto out;
+                break;
+# endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+                if ((r = sshbuf_put_string(b, key->ed25519_pk,
+                    ED25519_PK_SZ)) != 0 ||
+                    (r = sshbuf_put_string(b, key->ed25519_sk,
+                    ED25519_SK_SZ)) != 0)
+                        goto out;
+                break;
+        case KEY_ED25519_CERT:
+                if (key->cert == NULL || sshbuf_len(key->cert->certblob) == 0) {
+                        r = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((r = sshbuf_put_stringb(b, key->cert->certblob)) != 0 ||
+                    (r = sshbuf_put_string(b, key->ed25519_pk,
+                    ED25519_PK_SZ)) != 0 ||
+                    (r = sshbuf_put_string(b, key->ed25519_sk,
+                    ED25519_SK_SZ)) != 0)
+                        goto out;
+                break;
+        default:
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
+        /* success */
+        r = 0;
+ out:
+        return r;
+}
+
+int
+sshkey_private_deserialize(struct sshbuf *buf, struct sshkey **kp)
+{
+        char *tname = NULL, *curve = NULL;
+        struct sshkey *k = NULL;
+        const u_char *cert;
+        size_t len, pklen = 0, sklen = 0;
+        int type, r = SSH_ERR_INTERNAL_ERROR;
+        u_char *ed25519_pk = NULL, *ed25519_sk = NULL;
+#ifdef WITH_OPENSSL
+        BIGNUM *exponent = NULL;
+#endif /* WITH_OPENSSL */
+
+        if (kp != NULL)
+                *kp = NULL;
+        if ((r = sshbuf_get_cstring(buf, &tname, NULL)) != 0)
+                goto out;
+        type = sshkey_type_from_name(tname);
+        switch (type) {
+#ifdef WITH_OPENSSL
+        case KEY_DSA:
+                if ((k = sshkey_new_private(type)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((r = sshbuf_get_bignum2(buf, k->dsa->p)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->dsa->q)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->dsa->g)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->dsa->pub_key)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
+                        goto out;
+                break;
+        case KEY_DSA_CERT_V00:
+        case KEY_DSA_CERT:
+                if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+                    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
+                    (r = sshkey_add_private(k)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->dsa->priv_key)) != 0)
+                        goto out;
+                break;
+# ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                if ((k = sshkey_new_private(type)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((k->ecdsa_nid = sshkey_ecdsa_nid_from_name(tname)) == -1) {
+                        r = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((r = sshbuf_get_cstring(buf, &curve, NULL)) != 0)
+                        goto out;
+                if (k->ecdsa_nid != sshkey_curve_name_to_nid(curve)) {
+                        r = SSH_ERR_EC_CURVE_MISMATCH;
+                        goto out;
+                }
+                k->ecdsa = EC_KEY_new_by_curve_name(k->ecdsa_nid);
+                if (k->ecdsa  == NULL || (exponent = BN_new()) == NULL) {
+                        r = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto out;
+                }
+                if ((r = sshbuf_get_eckey(buf, k->ecdsa)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, exponent)))
+                        goto out;
+                if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
+                        r = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto out;
+                }
+                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
+                    EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
+                    (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
+                        goto out;
+                break;
+        case KEY_ECDSA_CERT:
+                if ((exponent = BN_new()) == NULL) {
+                        r = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto out;
+                }
+                if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+                    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
+                    (r = sshkey_add_private(k)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, exponent)) != 0)
+                        goto out;
+                if (EC_KEY_set_private_key(k->ecdsa, exponent) != 1) {
+                        r = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto out;
+                }
+                if ((r = sshkey_ec_validate_public(EC_KEY_get0_group(k->ecdsa),
+                    EC_KEY_get0_public_key(k->ecdsa)) != 0) ||
+                    (r = sshkey_ec_validate_private(k->ecdsa)) != 0)
+                        goto out;
+                break;
+# endif /* OPENSSL_HAS_ECC */
+        case KEY_RSA:
+                if ((k = sshkey_new_private(type)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((r = sshbuf_get_bignum2(buf, k->rsa->n)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->e)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->d)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->iqmp)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->p)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->q)) != 0 ||
+                    (r = rsa_generate_additional_parameters(k->rsa)) != 0)
+                        goto out;
+                break;
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+                if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+                    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
+                    (r = sshkey_add_private(k)) != 0 ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->d) != 0) ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->iqmp) != 0) ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->p) != 0) ||
+                    (r = sshbuf_get_bignum2(buf, k->rsa->q) != 0) ||
+                    (r = rsa_generate_additional_parameters(k->rsa)) != 0)
+                        goto out;
+                break;
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+                if ((k = sshkey_new_private(type)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                if ((r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
+                    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
+                        goto out;
+                if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                k->ed25519_pk = ed25519_pk;
+                k->ed25519_sk = ed25519_sk;
+                ed25519_pk = ed25519_sk = NULL;
+                break;
+        case KEY_ED25519_CERT:
+                if ((r = sshbuf_get_string_direct(buf, &cert, &len)) != 0 ||
+                    (r = sshkey_from_blob(cert, len, &k)) != 0 ||
+                    (r = sshkey_add_private(k)) != 0 ||
+                    (r = sshbuf_get_string(buf, &ed25519_pk, &pklen)) != 0 ||
+                    (r = sshbuf_get_string(buf, &ed25519_sk, &sklen)) != 0)
+                        goto out;
+                if (pklen != ED25519_PK_SZ || sklen != ED25519_SK_SZ) {
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                k->ed25519_pk = ed25519_pk;
+                k->ed25519_sk = ed25519_sk;
+                ed25519_pk = ed25519_sk = NULL;
+                break;
+        default:
+                r = SSH_ERR_KEY_TYPE_UNKNOWN;
+                goto out;
+        }
+#ifdef WITH_OPENSSL
+        /* enable blinding */
+        switch (k->type) {
+        case KEY_RSA:
+        case KEY_RSA_CERT_V00:
+        case KEY_RSA_CERT:
+        case KEY_RSA1:
+                if (RSA_blinding_on(k->rsa, NULL) != 1) {
+                        r = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto out;
+                }
+                break;
+        }
+#endif /* WITH_OPENSSL */
+        /* success */
+        r = 0;
+        if (kp != NULL) {
+                *kp = k;
+                k = NULL;
+        }
+ out:
+        free(tname);
+        free(curve);
+#ifdef WITH_OPENSSL
+        if (exponent != NULL)
+                BN_clear_free(exponent);
+#endif /* WITH_OPENSSL */
+        sshkey_free(k);
+        if (ed25519_pk != NULL) {
+                explicit_bzero(ed25519_pk, pklen);
+                free(ed25519_pk);
+        }
+        if (ed25519_sk != NULL) {
+                explicit_bzero(ed25519_sk, sklen);
+                free(ed25519_sk);
+        }
+        return r;
+}
+
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+int
+sshkey_ec_validate_public(const EC_GROUP *group, const EC_POINT *public)
+{
+        BN_CTX *bnctx;
+        EC_POINT *nq = NULL;
+        BIGNUM *order, *x, *y, *tmp;
+        int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
+
+        if ((bnctx = BN_CTX_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        BN_CTX_start(bnctx);
+
+        /*
+         * We shouldn't ever hit this case because bignum_get_ecpoint()
+         * refuses to load GF2m points.
+         */
+        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+            NID_X9_62_prime_field)
+                goto out;
+
+        /* Q != infinity */
+        if (EC_POINT_is_at_infinity(group, public))
+                goto out;
+
+        if ((x = BN_CTX_get(bnctx)) == NULL ||
+            (y = BN_CTX_get(bnctx)) == NULL ||
+            (order = BN_CTX_get(bnctx)) == NULL ||
+            (tmp = BN_CTX_get(bnctx)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        /* log2(x) > log2(order)/2, log2(y) > log2(order)/2 */
+        if (EC_GROUP_get_order(group, order, bnctx) != 1 ||
+            EC_POINT_get_affine_coordinates_GFp(group, public,
+            x, y, bnctx) != 1) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        if (BN_num_bits(x) <= BN_num_bits(order) / 2 ||
+            BN_num_bits(y) <= BN_num_bits(order) / 2)
+                goto out;
+
+        /* nQ == infinity (n == order of subgroup) */
+        if ((nq = EC_POINT_new(group)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (EC_POINT_mul(group, nq, NULL, public, order, bnctx) != 1) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        if (EC_POINT_is_at_infinity(group, nq) != 1)
+                goto out;
+
+        /* x < order - 1, y < order - 1 */
+        if (!BN_sub(tmp, order, BN_value_one())) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        if (BN_cmp(x, tmp) >= 0 || BN_cmp(y, tmp) >= 0)
+                goto out;
+        ret = 0;
+ out:
+        BN_CTX_free(bnctx);
+        if (nq != NULL)
+                EC_POINT_free(nq);
+        return ret;
+}
+
+int
+sshkey_ec_validate_private(const EC_KEY *key)
+{
+        BN_CTX *bnctx;
+        BIGNUM *order, *tmp;
+        int ret = SSH_ERR_KEY_INVALID_EC_VALUE;
+
+        if ((bnctx = BN_CTX_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        BN_CTX_start(bnctx);
+
+        if ((order = BN_CTX_get(bnctx)) == NULL ||
+            (tmp = BN_CTX_get(bnctx)) == NULL) {
+                ret = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        /* log2(private) > log2(order)/2 */
+        if (EC_GROUP_get_order(EC_KEY_get0_group(key), order, bnctx) != 1) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        if (BN_num_bits(EC_KEY_get0_private_key(key)) <=
+            BN_num_bits(order) / 2)
+                goto out;
+
+        /* private < order - 1 */
+        if (!BN_sub(tmp, order, BN_value_one())) {
+                ret = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        if (BN_cmp(EC_KEY_get0_private_key(key), tmp) >= 0)
+                goto out;
+        ret = 0;
+ out:
+        BN_CTX_free(bnctx);
+        return ret;
+}
+
+void
+sshkey_dump_ec_point(const EC_GROUP *group, const EC_POINT *point)
+{
+        BIGNUM *x, *y;
+        BN_CTX *bnctx;
+
+        if (point == NULL) {
+                fputs("point=(NULL)\n", stderr);
+                return;
+        }
+        if ((bnctx = BN_CTX_new()) == NULL) {
+                fprintf(stderr, "%s: BN_CTX_new failed\n", __func__);
+                return;
+        }
+        BN_CTX_start(bnctx);
+        if ((x = BN_CTX_get(bnctx)) == NULL ||
+            (y = BN_CTX_get(bnctx)) == NULL) {
+                fprintf(stderr, "%s: BN_CTX_get failed\n", __func__);
+                return;
+        }
+        if (EC_METHOD_get_field_type(EC_GROUP_method_of(group)) !=
+            NID_X9_62_prime_field) {
+                fprintf(stderr, "%s: group is not a prime field\n", __func__);
+                return;
+        }
+        if (EC_POINT_get_affine_coordinates_GFp(group, point, x, y,
+            bnctx) != 1) {
+                fprintf(stderr, "%s: EC_POINT_get_affine_coordinates_GFp\n",
+                    __func__);
+                return;
+        }
+        fputs("x=", stderr);
+        BN_print_fp(stderr, x);
+        fputs("\ny=", stderr);
+        BN_print_fp(stderr, y);
+        fputs("\n", stderr);
+        BN_CTX_free(bnctx);
+}
+
+void
+sshkey_dump_ec_key(const EC_KEY *key)
+{
+        const BIGNUM *exponent;
+
+        sshkey_dump_ec_point(EC_KEY_get0_group(key),
+            EC_KEY_get0_public_key(key));
+        fputs("exponent=", stderr);
+        if ((exponent = EC_KEY_get0_private_key(key)) == NULL)
+                fputs("(NULL)", stderr);
+        else
+                BN_print_fp(stderr, EC_KEY_get0_private_key(key));
+        fputs("\n", stderr);
+}
+#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
+
+static int
+sshkey_private_to_blob2(const struct sshkey *prv, struct sshbuf *blob,
+    const char *passphrase, const char *comment, const char *ciphername,
+    int rounds)
+{
+        u_char *cp, *b64 = NULL, *key = NULL, *pubkeyblob = NULL;
+        u_char salt[SALT_LEN];
+        size_t i, pubkeylen, keylen, ivlen, blocksize, authlen;
+        u_int check;
+        int r = SSH_ERR_INTERNAL_ERROR;
+        struct sshcipher_ctx ciphercontext;
+        const struct sshcipher *cipher;
+        const char *kdfname = KDFNAME;
+        struct sshbuf *encoded = NULL, *encrypted = NULL, *kdf = NULL;
+
+        memset(&ciphercontext, 0, sizeof(ciphercontext));
+
+        if (rounds <= 0)
+                rounds = DEFAULT_ROUNDS;
+        if (passphrase == NULL || !strlen(passphrase)) {
+                ciphername = "none";
+                kdfname = "none";
+        } else if (ciphername == NULL)
+                ciphername = DEFAULT_CIPHERNAME;
+        else if (cipher_number(ciphername) != SSH_CIPHER_SSH2) {
+                r = SSH_ERR_INVALID_ARGUMENT;
+                goto out;
+        }
+        if ((cipher = cipher_by_name(ciphername)) == NULL) {
+                r = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+        }
+
+        if ((kdf = sshbuf_new()) == NULL ||
+            (encoded = sshbuf_new()) == NULL ||
+            (encrypted = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        blocksize = cipher_blocksize(cipher);
+        keylen = cipher_keylen(cipher);
+        ivlen = cipher_ivlen(cipher);
+        authlen = cipher_authlen(cipher);
+        if ((key = calloc(1, keylen + ivlen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (strcmp(kdfname, "bcrypt") == 0) {
+                arc4random_buf(salt, SALT_LEN);
+                if (bcrypt_pbkdf(passphrase, strlen(passphrase),
+                    salt, SALT_LEN, key, keylen + ivlen, rounds) < 0) {
+                        r = SSH_ERR_INVALID_ARGUMENT;
+                        goto out;
+                }
+                if ((r = sshbuf_put_string(kdf, salt, SALT_LEN)) != 0 ||
+                    (r = sshbuf_put_u32(kdf, rounds)) != 0)
+                        goto out;
+        } else if (strcmp(kdfname, "none") != 0) {
+                /* Unsupported KDF type */
+                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
+                goto out;
+        }
+        if ((r = cipher_init(&ciphercontext, cipher, key, keylen,
+            key + keylen, ivlen, 1)) != 0)
+                goto out;
+
+        if ((r = sshbuf_put(encoded, AUTH_MAGIC, sizeof(AUTH_MAGIC))) != 0 ||
+            (r = sshbuf_put_cstring(encoded, ciphername)) != 0 ||
+            (r = sshbuf_put_cstring(encoded, kdfname)) != 0 ||
+            (r = sshbuf_put_stringb(encoded, kdf)) != 0 ||
+            (r = sshbuf_put_u32(encoded, 1)) != 0 ||    /* number of keys */
+            (r = sshkey_to_blob(prv, &pubkeyblob, &pubkeylen)) != 0 ||
+            (r = sshbuf_put_string(encoded, pubkeyblob, pubkeylen)) != 0)
+                goto out;
+
+        /* set up the buffer that will be encrypted */
+
+        /* Random check bytes */
+        check = arc4random();
+        if ((r = sshbuf_put_u32(encrypted, check)) != 0 ||
+            (r = sshbuf_put_u32(encrypted, check)) != 0)
+                goto out;
+
+        /* append private key and comment*/
+        if ((r = sshkey_private_serialize(prv, encrypted)) != 0 ||
+            (r = sshbuf_put_cstring(encrypted, comment)) != 0)
+                goto out;
+
+        /* padding */
+        i = 0;
+        while (sshbuf_len(encrypted) % blocksize) {
+                if ((r = sshbuf_put_u8(encrypted, ++i & 0xff)) != 0)
+                        goto out;
+        }
+
+        /* length in destination buffer */
+        if ((r = sshbuf_put_u32(encoded, sshbuf_len(encrypted))) != 0)
+                goto out;
+
+        /* encrypt */
+        if ((r = sshbuf_reserve(encoded,
+            sshbuf_len(encrypted) + authlen, &cp)) != 0)
+                goto out;
+        if ((r = cipher_crypt(&ciphercontext, 0, cp,
+            sshbuf_ptr(encrypted), sshbuf_len(encrypted), 0, authlen)) != 0)
+                goto out;
+
+        /* uuencode */
+        if ((b64 = sshbuf_dtob64(encoded)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        sshbuf_reset(blob);
+        if ((r = sshbuf_put(blob, MARK_BEGIN, MARK_BEGIN_LEN)) != 0)
+                goto out;
+        for (i = 0; i < strlen(b64); i++) {
+                if ((r = sshbuf_put_u8(blob, b64[i])) != 0)
+                        goto out;
+                /* insert line breaks */
+                if (i % 70 == 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
+                        goto out;
+        }
+        if (i % 70 != 69 && (r = sshbuf_put_u8(blob, '\n')) != 0)
+                goto out;
+        if ((r = sshbuf_put(blob, MARK_END, MARK_END_LEN)) != 0)
+                goto out;
+
+        /* success */
+        r = 0;
+
+ out:
+        sshbuf_free(kdf);
+        sshbuf_free(encoded);
+        sshbuf_free(encrypted);
+        cipher_cleanup(&ciphercontext);
+        explicit_bzero(salt, sizeof(salt));
+        if (key != NULL) {
+                explicit_bzero(key, keylen + ivlen);
+                free(key);
+        }
+        if (pubkeyblob != NULL) {
+                explicit_bzero(pubkeyblob, pubkeylen);
+                free(pubkeyblob);
+        }
+        if (b64 != NULL) {
+                explicit_bzero(b64, strlen(b64));
+                free(b64);
+        }
+        return r;
+}
+
+static int
+sshkey_parse_private2(struct sshbuf *blob, int type, const char *passphrase,
+    struct sshkey **keyp, char **commentp)
+{
+        char *comment = NULL, *ciphername = NULL, *kdfname = NULL;
+        const struct sshcipher *cipher = NULL;
+        const u_char *cp;
+        int r = SSH_ERR_INTERNAL_ERROR;
+        size_t encoded_len;
+        size_t i, keylen = 0, ivlen = 0, slen = 0;
+        struct sshbuf *encoded = NULL, *decoded = NULL;
+        struct sshbuf *kdf = NULL, *decrypted = NULL;
+        struct sshcipher_ctx ciphercontext;
+        struct sshkey *k = NULL;
+        u_char *key = NULL, *salt = NULL, *dp, pad, last;
+        u_int blocksize, rounds, nkeys, encrypted_len, check1, check2;
+
+        memset(&ciphercontext, 0, sizeof(ciphercontext));
+        if (keyp != NULL)
+                *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
+
+        if ((encoded = sshbuf_new()) == NULL ||
+            (decoded = sshbuf_new()) == NULL ||
+            (decrypted = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        /* check preamble */
+        cp = sshbuf_ptr(blob);
+        encoded_len = sshbuf_len(blob);
+        if (encoded_len < (MARK_BEGIN_LEN + MARK_END_LEN) ||
+            memcmp(cp, MARK_BEGIN, MARK_BEGIN_LEN) != 0) {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        cp += MARK_BEGIN_LEN;
+        encoded_len -= MARK_BEGIN_LEN;
+
+        /* Look for end marker, removing whitespace as we go */
+        while (encoded_len > 0) {
+                if (*cp != '\n' && *cp != '\r') {
+                        if ((r = sshbuf_put_u8(encoded, *cp)) != 0)
+                                goto out;
+                }
+                last = *cp;
+                encoded_len--;
+                cp++;
+                if (last == '\n') {
+                        if (encoded_len >= MARK_END_LEN &&
+                            memcmp(cp, MARK_END, MARK_END_LEN) == 0) {
+                                /* \0 terminate */
+                                if ((r = sshbuf_put_u8(encoded, 0)) != 0)
+                                        goto out;
+                                break;
+                        }
+                }
+        }
+        if (encoded_len == 0) {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        /* decode base64 */
+        if ((r = sshbuf_b64tod(decoded, sshbuf_ptr(encoded))) != 0)
+                goto out;
+
+        /* check magic */
+        if (sshbuf_len(decoded) < sizeof(AUTH_MAGIC) ||
+            memcmp(sshbuf_ptr(decoded), AUTH_MAGIC, sizeof(AUTH_MAGIC))) {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        /* parse public portion of key */
+        if ((r = sshbuf_consume(decoded, sizeof(AUTH_MAGIC))) != 0 ||
+            (r = sshbuf_get_cstring(decoded, &ciphername, NULL)) != 0 ||
+            (r = sshbuf_get_cstring(decoded, &kdfname, NULL)) != 0 ||
+            (r = sshbuf_froms(decoded, &kdf)) != 0 ||
+            (r = sshbuf_get_u32(decoded, &nkeys)) != 0 ||
+            (r = sshbuf_skip_string(decoded)) != 0 || /* pubkey */
+            (r = sshbuf_get_u32(decoded, &encrypted_len)) != 0)
+                goto out;
+
+        if ((cipher = cipher_by_name(ciphername)) == NULL) {
+                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
+                goto out;
+        }
+        if ((passphrase == NULL || strlen(passphrase) == 0) &&
+            strcmp(ciphername, "none") != 0) {
+                /* passphrase required */
+                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+                goto out;
+        }
+        if (strcmp(kdfname, "none") != 0 && strcmp(kdfname, "bcrypt") != 0) {
+                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
+                goto out;
+        }
+        if (!strcmp(kdfname, "none") && strcmp(ciphername, "none") != 0) {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        if (nkeys != 1) {
+                /* XXX only one key supported */
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        /* check size of encrypted key blob */
+        blocksize = cipher_blocksize(cipher);
+        if (encrypted_len < blocksize || (encrypted_len % blocksize) != 0) {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        /* setup key */
+        keylen = cipher_keylen(cipher);
+        ivlen = cipher_ivlen(cipher);
+        if ((key = calloc(1, keylen + ivlen)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if (strcmp(kdfname, "bcrypt") == 0) {
+                if ((r = sshbuf_get_string(kdf, &salt, &slen)) != 0 ||
+                    (r = sshbuf_get_u32(kdf, &rounds)) != 0)
+                        goto out;
+                if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, slen,
+                    key, keylen + ivlen, rounds) < 0) {
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+        }
+
+        /* decrypt private portion of key */
+        if ((r = sshbuf_reserve(decrypted, encrypted_len, &dp)) != 0 ||
+            (r = cipher_init(&ciphercontext, cipher, key, keylen,
+            key + keylen, ivlen, 0)) != 0)
+                goto out;
+        if ((r = cipher_crypt(&ciphercontext, 0, dp, sshbuf_ptr(decoded),
+            sshbuf_len(decoded), 0, cipher_authlen(cipher))) != 0) {
+                /* an integrity error here indicates an incorrect passphrase */
+                if (r == SSH_ERR_MAC_INVALID)
+                        r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+                goto out;
+        }
+        if ((r = sshbuf_consume(decoded, encrypted_len)) != 0)
+                goto out;
+        /* there should be no trailing data */
+        if (sshbuf_len(decoded) != 0) {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+
+        /* check check bytes */
+        if ((r = sshbuf_get_u32(decrypted, &check1)) != 0 ||
+            (r = sshbuf_get_u32(decrypted, &check2)) != 0)
+                goto out;
+        if (check1 != check2) {
+                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+                goto out;
+        }
+
+        /* Load the private key and comment */
+        if ((r = sshkey_private_deserialize(decrypted, &k)) != 0 ||
+            (r = sshbuf_get_cstring(decrypted, &comment, NULL)) != 0)
+                goto out;
+
+        /* Check deterministic padding */
+        i = 0;
+        while (sshbuf_len(decrypted)) {
+                if ((r = sshbuf_get_u8(decrypted, &pad)) != 0)
+                        goto out;
+                if (pad != (++i & 0xff)) {
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+        }
+
+        /* XXX decode pubkey and check against private */
+
+        /* success */
+        r = 0;
+        if (keyp != NULL) {
+                *keyp = k;
+                k = NULL;
+        }
+        if (commentp != NULL) {
+                *commentp = comment;
+                comment = NULL;
+        }
+ out:
+        pad = 0;
+        cipher_cleanup(&ciphercontext);
+        free(ciphername);
+        free(kdfname);
+        free(comment);
+        if (salt != NULL) {
+                explicit_bzero(salt, slen);
+                free(salt);
+        }
+        if (key != NULL) {
+                explicit_bzero(key, keylen + ivlen);
+                free(key);
+        }
+        sshbuf_free(encoded);
+        sshbuf_free(decoded);
+        sshbuf_free(kdf);
+        sshbuf_free(decrypted);
+        sshkey_free(k);
+        return r;
+}
+
+#if WITH_SSH1
+/*
+ * Serialises the authentication (private) key to a blob, encrypting it with
+ * passphrase.  The identification of the blob (lowest 64 bits of n) will
+ * precede the key to provide identification of the key without needing a
+ * passphrase.
+ */
+static int
+sshkey_private_rsa1_to_blob(struct sshkey *key, struct sshbuf *blob,
+    const char *passphrase, const char *comment)
+{
+        struct sshbuf *buffer = NULL, *encrypted = NULL;
+        u_char buf[8];
+        int r, cipher_num;
+        struct sshcipher_ctx ciphercontext;
+        const struct sshcipher *cipher;
+        u_char *cp;
+
+        /*
+         * If the passphrase is empty, use SSH_CIPHER_NONE to ease converting
+         * to another cipher; otherwise use SSH_AUTHFILE_CIPHER.
+         */
+        cipher_num = (strcmp(passphrase, "") == 0) ?
+            SSH_CIPHER_NONE : SSH_CIPHER_3DES;
+        if ((cipher = cipher_by_number(cipher_num)) == NULL)
+                return SSH_ERR_INTERNAL_ERROR;
+
+        /* This buffer is used to build the secret part of the private key. */
+        if ((buffer = sshbuf_new()) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+
+        /* Put checkbytes for checking passphrase validity. */
+        if ((r = sshbuf_reserve(buffer, 4, &cp)) != 0)
+                goto out;
+        arc4random_buf(cp, 2);
+        memcpy(cp + 2, cp, 2);
+
+        /*
+         * Store the private key (n and e will not be stored because they
+         * will be stored in plain text, and storing them also in encrypted
+         * format would just give known plaintext).
+         * Note: q and p are stored in reverse order to SSL.
+         */
+        if ((r = sshbuf_put_bignum1(buffer, key->rsa->d)) != 0 ||
+            (r = sshbuf_put_bignum1(buffer, key->rsa->iqmp)) != 0 ||
+            (r = sshbuf_put_bignum1(buffer, key->rsa->q)) != 0 ||
+            (r = sshbuf_put_bignum1(buffer, key->rsa->p)) != 0)
+                goto out;
+
+        /* Pad the part to be encrypted to a size that is a multiple of 8. */
+        explicit_bzero(buf, 8);
+        if ((r = sshbuf_put(buffer, buf, 8 - (sshbuf_len(buffer) % 8))) != 0)
+                goto out;
+
+        /* This buffer will be used to contain the data in the file. */
+        if ((encrypted = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        /* First store keyfile id string. */
+        if ((r = sshbuf_put(encrypted, LEGACY_BEGIN,
+            sizeof(LEGACY_BEGIN))) != 0)
+                goto out;
+
+        /* Store cipher type and "reserved" field. */
+        if ((r = sshbuf_put_u8(encrypted, cipher_num)) != 0 ||
+            (r = sshbuf_put_u32(encrypted, 0)) != 0)
+                goto out;
+
+        /* Store public key.  This will be in plain text. */
+        if ((r = sshbuf_put_u32(encrypted, BN_num_bits(key->rsa->n))) != 0 ||
+            (r = sshbuf_put_bignum1(encrypted, key->rsa->n) != 0) ||
+            (r = sshbuf_put_bignum1(encrypted, key->rsa->e) != 0) ||
+            (r = sshbuf_put_cstring(encrypted, comment) != 0))
+                goto out;
+
+        /* Allocate space for the private part of the key in the buffer. */
+        if ((r = sshbuf_reserve(encrypted, sshbuf_len(buffer), &cp)) != 0)
+                goto out;
+
+        if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
+            CIPHER_ENCRYPT)) != 0)
+                goto out;
+        if ((r = cipher_crypt(&ciphercontext, 0, cp,
+            sshbuf_ptr(buffer), sshbuf_len(buffer), 0, 0)) != 0)
+                goto out;
+        if ((r = cipher_cleanup(&ciphercontext)) != 0)
+                goto out;
+
+        r = sshbuf_putb(blob, encrypted);
+
+ out:
+        explicit_bzero(&ciphercontext, sizeof(ciphercontext));
+        explicit_bzero(buf, sizeof(buf));
+        if (buffer != NULL)
+                sshbuf_free(buffer);
+        if (encrypted != NULL)
+                sshbuf_free(encrypted);
+
+        return r;
+}
+#endif /* WITH_SSH1 */
+
+#ifdef WITH_OPENSSL
+/* convert SSH v2 key in OpenSSL PEM format */
+static int
+sshkey_private_pem_to_blob(struct sshkey *key, struct sshbuf *blob,
+    const char *_passphrase, const char *comment)
+{
+        int success, r;
+        int blen, len = strlen(_passphrase);
+        u_char *passphrase = (len > 0) ? (u_char *)_passphrase : NULL;
+#if (OPENSSL_VERSION_NUMBER < 0x00907000L)
+        const EVP_CIPHER *cipher = (len > 0) ? EVP_des_ede3_cbc() : NULL;
+#else
+        const EVP_CIPHER *cipher = (len > 0) ? EVP_aes_128_cbc() : NULL;
+#endif
+        const u_char *bptr;
+        BIO *bio = NULL;
+
+        if (len > 0 && len <= 4)
+                return SSH_ERR_PASSPHRASE_TOO_SHORT;
+        if ((bio = BIO_new(BIO_s_mem())) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+
+        switch (key->type) {
+        case KEY_DSA:
+                success = PEM_write_bio_DSAPrivateKey(bio, key->dsa,
+                    cipher, passphrase, len, NULL, NULL);
+                break;
+#ifdef OPENSSL_HAS_ECC
+        case KEY_ECDSA:
+                success = PEM_write_bio_ECPrivateKey(bio, key->ecdsa,
+                    cipher, passphrase, len, NULL, NULL);
+                break;
+#endif
+        case KEY_RSA:
+                success = PEM_write_bio_RSAPrivateKey(bio, key->rsa,
+                    cipher, passphrase, len, NULL, NULL);
+                break;
+        default:
+                success = 0;
+                break;
+        }
+        if (success == 0) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        if ((blen = BIO_get_mem_data(bio, &bptr)) <= 0) {
+                r = SSH_ERR_INTERNAL_ERROR;
+                goto out;
+        }
+        if ((r = sshbuf_put(blob, bptr, blen)) != 0)
+                goto out;
+        r = 0;
+ out:
+        BIO_free(bio);
+        return r;
+}
+#endif /* WITH_OPENSSL */
+
+/* Serialise "key" to buffer "blob" */
+int
+sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
+    const char *passphrase, const char *comment,
+    int force_new_format, const char *new_format_cipher, int new_format_rounds)
+{
+        switch (key->type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+                return sshkey_private_rsa1_to_blob(key, blob,
+                    passphrase, comment);
+        case KEY_DSA:
+        case KEY_ECDSA:
+        case KEY_RSA:
+                if (force_new_format) {
+                        return sshkey_private_to_blob2(key, blob, passphrase,
+                            comment, new_format_cipher, new_format_rounds);
+                }
+                return sshkey_private_pem_to_blob(key, blob,
+                    passphrase, comment);
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+                return sshkey_private_to_blob2(key, blob, passphrase,
+                    comment, new_format_cipher, new_format_rounds);
+        default:
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        }
+}
+
+#ifdef WITH_SSH1
+/*
+ * Parse the public, unencrypted portion of a RSA1 key.
+ */
+int
+sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
+    struct sshkey **keyp, char **commentp)
+{
+        int r;
+        struct sshkey *pub = NULL;
+        struct sshbuf *copy = NULL;
+
+        if (keyp != NULL)
+                *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
+
+        /* Check that it is at least big enough to contain the ID string. */
+        if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
+                return SSH_ERR_INVALID_FORMAT;
+
+        /*
+         * Make sure it begins with the id string.  Consume the id string
+         * from the buffer.
+         */
+        if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
+                return SSH_ERR_INVALID_FORMAT;
+        /* Make a working copy of the keyblob and skip past the magic */
+        if ((copy = sshbuf_fromb(blob)) == NULL)
+                return SSH_ERR_ALLOC_FAIL;
+        if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
+                goto out;
+
+        /* Skip cipher type, reserved data and key bits. */
+        if ((r = sshbuf_get_u8(copy, NULL)) != 0 ||     /* cipher type */
+            (r = sshbuf_get_u32(copy, NULL)) != 0 ||    /* reserved */
+            (r = sshbuf_get_u32(copy, NULL)) != 0)      /* key bits */
+                goto out;
+
+        /* Read the public key from the buffer. */
+        if ((pub = sshkey_new(KEY_RSA1)) == NULL ||
+            (r = sshbuf_get_bignum1(copy, pub->rsa->n)) != 0 ||
+            (r = sshbuf_get_bignum1(copy, pub->rsa->e)) != 0)
+                goto out;
+
+        /* Finally, the comment */
+        if ((r = sshbuf_get_string(copy, (u_char**)commentp, NULL)) != 0)
+                goto out;
+
+        /* The encrypted private part is not parsed by this function. */
+
+        r = 0;
+        if (keyp != NULL)
+                *keyp = pub;
+        else
+                sshkey_free(pub);
+        pub = NULL;
+
+ out:
+        if (copy != NULL)
+                sshbuf_free(copy);
+        if (pub != NULL)
+                sshkey_free(pub);
+        return r;
+}
+
+static int
+sshkey_parse_private_rsa1(struct sshbuf *blob, const char *passphrase,
+    struct sshkey **keyp, char **commentp)
+{
+        int r;
+        u_int16_t check1, check2;
+        u_int8_t cipher_type;
+        struct sshbuf *decrypted = NULL, *copy = NULL;
+        u_char *cp;
+        char *comment = NULL;
+        struct sshcipher_ctx ciphercontext;
+        const struct sshcipher *cipher;
+        struct sshkey *prv = NULL;
+
+        *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
+
+        /* Check that it is at least big enough to contain the ID string. */
+        if (sshbuf_len(blob) < sizeof(LEGACY_BEGIN))
+                return SSH_ERR_INVALID_FORMAT;
+
+        /*
+         * Make sure it begins with the id string.  Consume the id string
+         * from the buffer.
+         */
+        if (memcmp(sshbuf_ptr(blob), LEGACY_BEGIN, sizeof(LEGACY_BEGIN)) != 0)
+                return SSH_ERR_INVALID_FORMAT;
+
+        if ((prv = sshkey_new_private(KEY_RSA1)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((copy = sshbuf_fromb(blob)) == NULL ||
+            (decrypted = sshbuf_new()) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        if ((r = sshbuf_consume(copy, sizeof(LEGACY_BEGIN))) != 0)
+                goto out;
+
+        /* Read cipher type. */
+        if ((r = sshbuf_get_u8(copy, &cipher_type)) != 0 ||
+            (r = sshbuf_get_u32(copy, NULL)) != 0)      /* reserved */
+                goto out;
+
+        /* Read the public key and comment from the buffer. */
+        if ((r = sshbuf_get_u32(copy, NULL)) != 0 ||    /* key bits */
+            (r = sshbuf_get_bignum1(copy, prv->rsa->n)) != 0 ||
+            (r = sshbuf_get_bignum1(copy, prv->rsa->e)) != 0 ||
+            (r = sshbuf_get_cstring(copy, &comment, NULL)) != 0)
+                goto out;
+
+        /* Check that it is a supported cipher. */
+        cipher = cipher_by_number(cipher_type);
+        if (cipher == NULL) {
+                r = SSH_ERR_KEY_UNKNOWN_CIPHER;
+                goto out;
+        }
+        /* Initialize space for decrypted data. */
+        if ((r = sshbuf_reserve(decrypted, sshbuf_len(copy), &cp)) != 0)
+                goto out;
+
+        /* Rest of the buffer is encrypted.  Decrypt it using the passphrase. */
+        if ((r = cipher_set_key_string(&ciphercontext, cipher, passphrase,
+            CIPHER_DECRYPT)) != 0)
+                goto out;
+        if ((r = cipher_crypt(&ciphercontext, 0, cp,
+            sshbuf_ptr(copy), sshbuf_len(copy), 0, 0)) != 0) {
+                cipher_cleanup(&ciphercontext);
+                goto out;
+        }
+        if ((r = cipher_cleanup(&ciphercontext)) != 0)
+                goto out;
+
+        if ((r = sshbuf_get_u16(decrypted, &check1)) != 0 ||
+            (r = sshbuf_get_u16(decrypted, &check2)) != 0)
+                goto out;
+        if (check1 != check2) {
+                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+                goto out;
+        }
+
+        /* Read the rest of the private key. */
+        if ((r = sshbuf_get_bignum1(decrypted, prv->rsa->d)) != 0 ||
+            (r = sshbuf_get_bignum1(decrypted, prv->rsa->iqmp)) != 0 ||
+            (r = sshbuf_get_bignum1(decrypted, prv->rsa->q)) != 0 ||
+            (r = sshbuf_get_bignum1(decrypted, prv->rsa->p)) != 0)
+                goto out;
+
+        /* calculate p-1 and q-1 */
+        if ((r = rsa_generate_additional_parameters(prv->rsa)) != 0)
+                goto out;
+
+        /* enable blinding */
+        if (RSA_blinding_on(prv->rsa, NULL) != 1) {
+                r = SSH_ERR_LIBCRYPTO_ERROR;
+                goto out;
+        }
+        r = 0;
+        *keyp = prv;
+        prv = NULL;
+        if (commentp != NULL) {
+                *commentp = comment;
+                comment = NULL;
+        }
+ out:
+        explicit_bzero(&ciphercontext, sizeof(ciphercontext));
+        if (comment != NULL)
+                free(comment);
+        if (prv != NULL)
+                sshkey_free(prv);
+        if (copy != NULL)
+                sshbuf_free(copy);
+        if (decrypted != NULL)
+                sshbuf_free(decrypted);
+        return r;
+}
+#endif /* WITH_SSH1 */
+
+#ifdef WITH_OPENSSL
+/* XXX make private once ssh-keysign.c fixed */
+int
+sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
+    const char *passphrase, struct sshkey **keyp, char **commentp)
+{
+        EVP_PKEY *pk = NULL;
+        struct sshkey *prv = NULL;
+        char *name = "<no key>";
+        BIO *bio = NULL;
+        int r;
+
+        *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
+
+        if ((bio = BIO_new(BIO_s_mem())) == NULL || sshbuf_len(blob) > INT_MAX)
+                return SSH_ERR_ALLOC_FAIL;
+        if (BIO_write(bio, sshbuf_ptr(blob), sshbuf_len(blob)) !=
+            (int)sshbuf_len(blob)) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+
+        if ((pk = PEM_read_bio_PrivateKey(bio, NULL, NULL,
+            (char *)passphrase)) == NULL) {
+                r = SSH_ERR_KEY_WRONG_PASSPHRASE;
+                goto out;
+        }
+        if (pk->type == EVP_PKEY_RSA &&
+            (type == KEY_UNSPEC || type == KEY_RSA)) {
+                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                prv->rsa = EVP_PKEY_get1_RSA(pk);
+                prv->type = KEY_RSA;
+                name = "rsa w/o comment";
+#ifdef DEBUG_PK
+                RSA_print_fp(stderr, prv->rsa, 8);
+#endif
+                if (RSA_blinding_on(prv->rsa, NULL) != 1) {
+                        r = SSH_ERR_LIBCRYPTO_ERROR;
+                        goto out;
+                }
+        } else if (pk->type == EVP_PKEY_DSA &&
+            (type == KEY_UNSPEC || type == KEY_DSA)) {
+                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                prv->dsa = EVP_PKEY_get1_DSA(pk);
+                prv->type = KEY_DSA;
+                name = "dsa w/o comment";
+#ifdef DEBUG_PK
+                DSA_print_fp(stderr, prv->dsa, 8);
+#endif
+#ifdef OPENSSL_HAS_ECC
+        } else if (pk->type == EVP_PKEY_EC &&
+            (type == KEY_UNSPEC || type == KEY_ECDSA)) {
+                if ((prv = sshkey_new(KEY_UNSPEC)) == NULL) {
+                        r = SSH_ERR_ALLOC_FAIL;
+                        goto out;
+                }
+                prv->ecdsa = EVP_PKEY_get1_EC_KEY(pk);
+                prv->type = KEY_ECDSA;
+                prv->ecdsa_nid = sshkey_ecdsa_key_to_nid(prv->ecdsa);
+                if (prv->ecdsa_nid == -1 ||
+                    sshkey_curve_nid_to_name(prv->ecdsa_nid) == NULL ||
+                    sshkey_ec_validate_public(EC_KEY_get0_group(prv->ecdsa),
+                    EC_KEY_get0_public_key(prv->ecdsa)) != 0 ||
+                    sshkey_ec_validate_private(prv->ecdsa) != 0) {
+                        r = SSH_ERR_INVALID_FORMAT;
+                        goto out;
+                }
+                name = "ecdsa w/o comment";
+# ifdef DEBUG_PK
+                if (prv != NULL && prv->ecdsa != NULL)
+                        sshkey_dump_ec_key(prv->ecdsa);
+# endif
+#endif /* OPENSSL_HAS_ECC */
+        } else {
+                r = SSH_ERR_INVALID_FORMAT;
+                goto out;
+        }
+        if (commentp != NULL &&
+            (*commentp = strdup(name)) == NULL) {
+                r = SSH_ERR_ALLOC_FAIL;
+                goto out;
+        }
+        r = 0;
+        *keyp = prv;
+        prv = NULL;
+ out:
+        BIO_free(bio);
+        if (pk != NULL)
+                EVP_PKEY_free(pk);
+        if (prv != NULL)
+                sshkey_free(prv);
+        return r;
+}
+#endif /* WITH_OPENSSL */
+
+int
+sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
+    const char *passphrase, struct sshkey **keyp, char **commentp)
+{
+        int r;
+
+        *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
+
+        switch (type) {
+#ifdef WITH_OPENSSL
+        case KEY_RSA1:
+                return sshkey_parse_private_rsa1(blob, passphrase,
+                    keyp, commentp);
+        case KEY_DSA:
+        case KEY_ECDSA:
+        case KEY_RSA:
+                return sshkey_parse_private_pem_fileblob(blob, type, passphrase,
+                    keyp, commentp);
+#endif /* WITH_OPENSSL */
+        case KEY_ED25519:
+                return sshkey_parse_private2(blob, type, passphrase,
+                    keyp, commentp);
+        case KEY_UNSPEC:
+                if ((r = sshkey_parse_private2(blob, type, passphrase, keyp,
+                    commentp)) == 0)
+                        return 0;
+#ifdef WITH_OPENSSL
+                return sshkey_parse_private_pem_fileblob(blob, type, passphrase,
+                    keyp, commentp);
+#else
+                return SSH_ERR_INVALID_FORMAT;
+#endif /* WITH_OPENSSL */
+        default:
+                return SSH_ERR_KEY_TYPE_UNKNOWN;
+        }
+}
+
+int
+sshkey_parse_private_fileblob(struct sshbuf *buffer, const char *passphrase,
+    const char *filename, struct sshkey **keyp, char **commentp)
+{
+        int r;
+
+        if (keyp != NULL)
+                *keyp = NULL;
+        if (commentp != NULL)
+                *commentp = NULL;
+
+#ifdef WITH_SSH1
+        /* it's a SSH v1 key if the public key part is readable */
+        if ((r = sshkey_parse_public_rsa1_fileblob(buffer, NULL, NULL)) == 0) {
+                return sshkey_parse_private_fileblob_type(buffer, KEY_RSA1,
+                    passphrase, keyp, commentp);
+        }
+#endif /* WITH_SSH1 */
+        if ((r = sshkey_parse_private_fileblob_type(buffer, KEY_UNSPEC,
+            passphrase, keyp, commentp)) == 0)
+                return 0;
+        return r;
+}
diff --git a/sshkey.h b/sshkey.h
new file mode 100644
index 000000000..450b30c1f
--- /dev/null
+++ b/sshkey.h
@@ -0,0 +1,232 @@
+/* $OpenBSD: sshkey.h,v 1.1 2014/06/24 01:16:58 djm Exp $ */
+
+/*
+ * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+#ifndef SSHKEY_H
+#define SSHKEY_H
+
+#include <sys/types.h>
+
+#ifdef WITH_OPENSSL
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+# ifdef OPENSSL_HAS_ECC
+#  include <openssl/ec.h>
+# else /* OPENSSL_HAS_ECC */
+#  define EC_KEY        void
+#  define EC_GROUP      void
+#  define EC_POINT      void
+# endif /* OPENSSL_HAS_ECC */
+#else /* WITH_OPENSSL */
+# define RSA            void
+# define DSA            void
+# define EC_KEY         void
+# define EC_GROUP       void
+# define EC_POINT       void
+#endif /* WITH_OPENSSL */
+
+#define SSH_RSA_MINIMUM_MODULUS_SIZE    768
+#define SSH_KEY_MAX_SIGN_DATA_SIZE      (1 << 20)
+
+struct sshbuf;
+
+/* Key types */
+enum sshkey_types {
+        KEY_RSA1,
+        KEY_RSA,
+        KEY_DSA,
+        KEY_ECDSA,
+        KEY_ED25519,
+        KEY_RSA_CERT,
+        KEY_DSA_CERT,
+        KEY_ECDSA_CERT,
+        KEY_ED25519_CERT,
+        KEY_RSA_CERT_V00,
+        KEY_DSA_CERT_V00,
+        KEY_UNSPEC
+};
+
+/* Fingerprint hash algorithms */
+enum sshkey_fp_type {
+        SSH_FP_SHA1,
+        SSH_FP_MD5,
+        SSH_FP_SHA256
+};
+
+/* Fingerprint representation formats */
+enum sshkey_fp_rep {
+        SSH_FP_HEX,
+        SSH_FP_BUBBLEBABBLE,
+        SSH_FP_RANDOMART
+};
+
+/* key is stored in external hardware */
+#define SSHKEY_FLAG_EXT         0x0001
+
+#define SSHKEY_CERT_MAX_PRINCIPALS      256
+/* XXX opaquify? */
+struct sshkey_cert {
+        struct sshbuf   *certblob; /* Kept around for use on wire */
+        u_int            type; /* SSH2_CERT_TYPE_USER or SSH2_CERT_TYPE_HOST */
+        u_int64_t        serial;
+        char            *key_id;
+        u_int            nprincipals;
+        char            **principals;
+        u_int64_t        valid_after, valid_before;
+        struct sshbuf   *critical;
+        struct sshbuf   *extensions;
+        struct sshkey   *signature_key;
+};
+
+/* XXX opaquify? */
+struct sshkey {
+        int      type;
+        int      flags;
+        RSA     *rsa;
+        DSA     *dsa;
+        int      ecdsa_nid;     /* NID of curve */
+        EC_KEY  *ecdsa;
+        u_char  *ed25519_sk;
+        u_char  *ed25519_pk;
+        struct sshkey_cert *cert;
+};
+
+#define ED25519_SK_SZ   crypto_sign_ed25519_SECRETKEYBYTES
+#define ED25519_PK_SZ   crypto_sign_ed25519_PUBLICKEYBYTES
+
+struct sshkey   *sshkey_new(int);
+int              sshkey_add_private(struct sshkey *);
+struct sshkey   *sshkey_new_private(int);
+void             sshkey_free(struct sshkey *);
+int              sshkey_demote(const struct sshkey *, struct sshkey **);
+int              sshkey_equal_public(const struct sshkey *,
+    const struct sshkey *);
+int              sshkey_equal(const struct sshkey *, const struct sshkey *);
+char            *sshkey_fingerprint(const struct sshkey *,
+    enum sshkey_fp_type, enum sshkey_fp_rep);
+int              sshkey_fingerprint_raw(const struct sshkey *k,
+    enum sshkey_fp_type dgst_type, u_char **retp, size_t *lenp);
+const char      *sshkey_type(const struct sshkey *);
+const char      *sshkey_cert_type(const struct sshkey *);
+int              sshkey_write(const struct sshkey *, FILE *);
+int              sshkey_read(struct sshkey *, char **);
+u_int            sshkey_size(const struct sshkey *);
+
+int              sshkey_generate(int type, u_int bits, struct sshkey **keyp);
+int              sshkey_from_private(const struct sshkey *, struct sshkey **);
+int      sshkey_type_from_name(const char *);
+int      sshkey_is_cert(const struct sshkey *);
+int      sshkey_type_is_cert(int);
+int      sshkey_type_plain(int);
+int      sshkey_to_certified(struct sshkey *, int);
+int      sshkey_drop_cert(struct sshkey *);
+int      sshkey_certify(struct sshkey *, struct sshkey *);
+int      sshkey_cert_copy(const struct sshkey *, struct sshkey *);
+int      sshkey_cert_check_authority(const struct sshkey *, int, int,
+    const char *, const char **);
+int      sshkey_cert_is_legacy(const struct sshkey *);
+
+int              sshkey_ecdsa_nid_from_name(const char *);
+int              sshkey_curve_name_to_nid(const char *);
+const char *     sshkey_curve_nid_to_name(int);
+u_int            sshkey_curve_nid_to_bits(int);
+int              sshkey_ecdsa_bits_to_nid(int);
+int              sshkey_ecdsa_key_to_nid(EC_KEY *);
+int              sshkey_ec_nid_to_hash_alg(int nid);
+int              sshkey_ec_validate_public(const EC_GROUP *, const EC_POINT *);
+int              sshkey_ec_validate_private(const EC_KEY *);
+const char      *sshkey_ssh_name(const struct sshkey *);
+const char      *sshkey_ssh_name_plain(const struct sshkey *);
+int              sshkey_names_valid2(const char *);
+char            *key_alg_list(int, int);
+
+int      sshkey_from_blob(const u_char *, size_t, struct sshkey **);
+int      sshkey_to_blob_buf(const struct sshkey *, struct sshbuf *);
+int      sshkey_to_blob(const struct sshkey *, u_char **, size_t *);
+int      sshkey_plain_to_blob_buf(const struct sshkey *, struct sshbuf *);
+int      sshkey_plain_to_blob(const struct sshkey *, u_char **, size_t *);
+
+int      sshkey_sign(const struct sshkey *, u_char **, size_t *,
+    const u_char *, size_t, u_int);
+int      sshkey_verify(const struct sshkey *, const u_char *, size_t,
+    const u_char *, size_t, u_int);
+
+/* for debug */
+void    sshkey_dump_ec_point(const EC_GROUP *, const EC_POINT *);
+void    sshkey_dump_ec_key(const EC_KEY *);
+
+/* private key parsing and serialisation */
+int     sshkey_private_serialize(const struct sshkey *key, struct sshbuf *buf);
+int     sshkey_private_deserialize(struct sshbuf *buf,  struct sshkey **keyp);
+
+/* private key file format parsing and serialisation */
+int     sshkey_private_to_fileblob(struct sshkey *key, struct sshbuf *blob,
+    const char *passphrase, const char *comment,
+    int force_new_format, const char *new_format_cipher, int new_format_rounds);
+int     sshkey_parse_public_rsa1_fileblob(struct sshbuf *blob,
+    struct sshkey **keyp, char **commentp);
+int     sshkey_parse_private_pem_fileblob(struct sshbuf *blob, int type,
+    const char *passphrase, struct sshkey **keyp, char **commentp);
+int     sshkey_parse_private_fileblob(struct sshbuf *buffer,
+    const char *passphrase, const char *filename, struct sshkey **keyp,
+    char **commentp);
+int     sshkey_parse_private_fileblob_type(struct sshbuf *blob, int type,
+    const char *passphrase, struct sshkey **keyp, char **commentp);
+
+#ifdef SSHKEY_INTERNAL
+int ssh_rsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_rsa_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_dss_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_dss_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_ecdsa_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_ecdsa_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_ed25519_sign(const struct sshkey *key, u_char **sigp, size_t *lenp,
+    const u_char *data, size_t datalen, u_int compat);
+int ssh_ed25519_verify(const struct sshkey *key,
+    const u_char *signature, size_t signaturelen,
+    const u_char *data, size_t datalen, u_int compat);
+#endif
+
+#if !defined(WITH_OPENSSL)
+# undef RSA
+# undef DSA
+# undef EC_KEY
+# undef EC_GROUP
+# undef EC_POINT
+#elif !defined(OPENSSL_HAS_ECC)
+# undef EC_KEY
+# undef EC_GROUP
+# undef EC_POINT
+#endif
+
+#endif /* SSHKEY_H */
diff --git a/sshlogin.c b/sshlogin.c
index e79ca9b47..7b951c844 100644
--- a/sshlogin.c
+++ b/sshlogin.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshlogin.c,v 1.28 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: sshlogin.c,v 1.29 2014/07/15 15:54:14 millert Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -58,6 +58,7 @@
 #include "loginrec.h"
 #include "log.h"
 #include "buffer.h"
+#include "misc.h"
 #include "servconf.h"
 
 extern Buffer loginmsg;
diff --git a/sshpty.c b/sshpty.c
index bbbc0fefe..a2059b76d 100644
--- a/sshpty.c
+++ b/sshpty.c
@@ -99,9 +99,6 @@ void
 pty_make_controlling_tty(int *ttyfd, const char *tty)
 {
         int fd;
-#ifdef USE_VHANGUP
-        void *old;
-#endif /* USE_VHANGUP */
 
 #ifdef _UNICOS
         if (setsid() < 0)
@@ -157,21 +154,11 @@ pty_make_controlling_tty(int *ttyfd, const char *tty)
         if (setpgrp(0,0) < 0)
                 error("SETPGRP %s",strerror(errno));
 #endif /* NEED_SETPGRP */
-#ifdef USE_VHANGUP
-        old = signal(SIGHUP, SIG_IGN);
-        vhangup();
-        signal(SIGHUP, old);
-#endif /* USE_VHANGUP */
         fd = open(tty, O_RDWR);
         if (fd < 0) {
                 error("%.100s: %.100s", tty, strerror(errno));
         } else {
-#ifdef USE_VHANGUP
-                close(*ttyfd);
-                *ttyfd = fd;
-#else /* USE_VHANGUP */
                 close(fd);
-#endif /* USE_VHANGUP */
         }
         /* Verify that we now have a controlling tty. */
         fd = open(_PATH_TTY, O_WRONLY);
diff --git a/umac.c b/umac.c
index 0c62145fa..6eb55b26e 100644
--- a/umac.c
+++ b/umac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: umac.c,v 1.8 2013/11/08 00:39:15 djm Exp $ */
+/* $OpenBSD: umac.c,v 1.11 2014/07/22 07:13:42 guenther Exp $ */
 /* -----------------------------------------------------------------------
  * 
  * umac.c -- C Implementation UMAC Message Authentication
@@ -73,13 +73,15 @@
 
 #include "includes.h"
 #include <sys/types.h>
-
-#include "xmalloc.h"
-#include "umac.h"
 #include <string.h>
+#include <stdio.h>
 #include <stdlib.h>
 #include <stddef.h>
 
+#include "xmalloc.h"
+#include "umac.h"
+#include "misc.h"
+
 /* ---------------------------------------------------------------------- */
 /* --- Primitive Data Types ---                                           */
 /* ---------------------------------------------------------------------- */
@@ -131,41 +133,17 @@ typedef unsigned int	UWORD;  /* Register */
 /* --- Endian Conversion --- Forcing assembly on some platforms           */
 /* ---------------------------------------------------------------------- */
 
-#if HAVE_SWAP32
-#define LOAD_UINT32_REVERSED(p)         (swap32(*(const UINT32 *)(p)))
-#define STORE_UINT32_REVERSED(p,v)      (*(UINT32 *)(p) = swap32(v))
-#else /* HAVE_SWAP32 */
-
-static UINT32 LOAD_UINT32_REVERSED(const void *ptr)
-{
-    UINT32 temp = *(const UINT32 *)ptr;
-    temp = (temp >> 24) | ((temp & 0x00FF0000) >> 8 )
-         | ((temp & 0x0000FF00) << 8 ) | (temp << 24);
-    return (UINT32)temp;
-}
-
-# if (__LITTLE_ENDIAN__)
-static void STORE_UINT32_REVERSED(void *ptr, UINT32 x)
-{
-    UINT32 i = (UINT32)x;
-    *(UINT32 *)ptr = (i >> 24) | ((i & 0x00FF0000) >> 8 )
-                   | ((i & 0x0000FF00) << 8 ) | (i << 24);
-}
-# endif /* __LITTLE_ENDIAN */
-#endif /* HAVE_SWAP32 */
-
-/* The following definitions use the above reversal-primitives to do the right
- * thing on endian specific load and stores.
- */
-
 #if (__LITTLE_ENDIAN__)
-#define LOAD_UINT32_LITTLE(ptr)     (*(const UINT32 *)(ptr))
-#define STORE_UINT32_BIG(ptr,x)     STORE_UINT32_REVERSED(ptr,x)
+#define LOAD_UINT32_REVERSED(p)         get_u32(p)
+#define STORE_UINT32_REVERSED(p,v)      put_u32(p,v)
 #else
-#define LOAD_UINT32_LITTLE(ptr)     LOAD_UINT32_REVERSED(ptr)
-#define STORE_UINT32_BIG(ptr,x)     (*(UINT32 *)(ptr) = (UINT32)(x))
+#define LOAD_UINT32_REVERSED(p)         get_u32_le(p)
+#define STORE_UINT32_REVERSED(p,v)      put_u32_le(p,v)
 #endif
 
+#define LOAD_UINT32_LITTLE(p)           (get_u32_le(p))
+#define STORE_UINT32_BIG(p,v)           put_u32(p, v)
+
 /* ---------------------------------------------------------------------- */
 /* ---------------------------------------------------------------------- */
 /* ----- Begin KDF & PDF Section ---------------------------------------- */
@@ -176,6 +154,7 @@ static void STORE_UINT32_REVERSED(void *ptr, UINT32 x)
 #define AES_BLOCK_LEN  16
 
 /* OpenSSL's AES */
+#ifdef WITH_OPENSSL
 #include "openbsd-compat/openssl-compat.h"
 #ifndef USE_BUILTIN_RIJNDAEL
 # include <openssl/aes.h>
@@ -185,6 +164,16 @@ typedef AES_KEY aes_int_key[1];
   AES_encrypt((u_char *)(in),(u_char *)(out),(AES_KEY *)int_key)
 #define aes_key_setup(key,int_key)                      \
   AES_set_encrypt_key((const u_char *)(key),UMAC_KEY_LEN*8,int_key)
+#else
+#include "rijndael.h"
+#define AES_ROUNDS ((UMAC_KEY_LEN / 4) + 6)
+typedef UINT8 aes_int_key[AES_ROUNDS+1][4][4];  /* AES internal */
+#define aes_encryption(in,out,int_key) \
+  rijndaelEncrypt((u32 *)(int_key), AES_ROUNDS, (u8 *)(in), (u8 *)(out))
+#define aes_key_setup(key,int_key) \
+  rijndaelKeySetupEnc((u32 *)(int_key), (const unsigned char *)(key), \
+  UMAC_KEY_LEN*8)
+#endif
 
 /* The user-supplied UMAC key is stretched using AES in a counter
  * mode to supply all random bits needed by UMAC. The kdf function takes
diff --git a/version.h b/version.h
index a1579ace1..cc8a079a9 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
+/* $OpenBSD: version.h,v 1.71 2014/04/18 23:52:25 djm Exp $ */
 
-#define SSH_VERSION     "OpenSSH_6.6"
+#define SSH_VERSION     "OpenSSH_6.7"
 
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE     SSH_VERSION SSH_PORTABLE