153 files changed, 1756 insertions, 3447 deletions

diff --git a/ChangeLog b/ChangeLog
index c0dab651b..38de846ff 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,224 @@
+20140313
+ - (djm) Release OpenSSH 6.6
+
+20140304
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/03/03 22:22:30
+     [session.c]
+     ignore enviornment variables with embedded '=' or '\0' characters;
+     spotted by Jann Horn; ok deraadt@
+
+20140301
+ - (djm) [regress/Makefile] Disable dhgex regress test; it breaks when
+   no moduli file exists at the expected location.
+
+20140228
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/02/27 00:41:49
+     [bufbn.c]
+     fix unsigned overflow that could lead to reading a short ssh protocol
+     1 bignum value; found by Ben Hawkes; ok deraadt@
+   - djm@cvs.openbsd.org 2014/02/27 08:25:09
+     [bufbn.c]
+     off by one in range check
+   - djm@cvs.openbsd.org 2014/02/27 22:47:07
+     [sshd_config.5]
+     bz#2184 clarify behaviour of a keyword that appears in multiple
+     matching Match blocks; ok dtucker@
+   - djm@cvs.openbsd.org 2014/02/27 22:57:40
+     [version.h]
+     openssh-6.6
+   - dtucker@cvs.openbsd.org 2014/01/19 23:43:02
+     [regress/sftp-chroot.sh]
+     Don't use -q on sftp as it suppresses logging, instead redirect the
+     output to the regress logfile.
+   - dtucker@cvs.openbsd.org 2014/01/20 00:00:30
+     [sregress/ftp-chroot.sh]
+     append to rather than truncating the log file
+   - dtucker@cvs.openbsd.org 2014/01/25 04:35:32
+     [regress/Makefile regress/dhgex.sh]
+     Add a test for DH GEX sizes
+   - djm@cvs.openbsd.org 2014/01/26 10:22:10
+     [regress/cert-hostkey.sh]
+     automatically generate revoked keys from listed keys rather than
+     manually specifying each type; from portable
+     (Id sync only)
+   - djm@cvs.openbsd.org 2014/01/26 10:49:17
+     [scp-ssh-wrapper.sh scp.sh]
+     make sure $SCP is tested on the remote end rather than whichever one
+     happens to be in $PATH; from portable
+     (Id sync only)
+   - djm@cvs.openbsd.org 2014/02/27 20:04:16
+     [login-timeout.sh]
+     remove any existing LoginGraceTime from sshd_config before adding
+     a specific one for the test back in
+   - djm@cvs.openbsd.org 2014/02/27 21:21:25
+     [agent-ptrace.sh agent.sh]
+     keep return values that are printed in error messages;
+     from portable
+     (Id sync only)
+ - (djm) [README contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
+   [contrib/suse/openssh.spec] Crank version numbers
+ - (djm) [regress/host-expand.sh] Add RCS Id
+
+20140227
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/02/26 20:18:37
+     [ssh.c]
+     bz#2205: avoid early hostname lookups unless canonicalisation is enabled;
+     ok dtucker@ markus@
+   - djm@cvs.openbsd.org 2014/02/26 20:28:44
+     [auth2-gss.c gss-serv.c ssh-gss.h sshd.c]
+     bz#2107 - cache OIDs of supported GSSAPI mechanisms before privsep
+     sandboxing, as running this code in the sandbox can cause violations;
+     ok markus@
+   - djm@cvs.openbsd.org 2014/02/26 20:29:29
+     [channels.c]
+     don't assume that the socks4 username is \0 terminated;
+     spotted by Ben Hawkes; ok markus@
+   - markus@cvs.openbsd.org 2014/02/26 21:53:37
+     [sshd.c]
+     ssh_gssapi_prepare_supported_oids needs GSSAPI
+
+20140224
+ - OpenBSD CVS Sync
+   - djm@cvs.openbsd.org 2014/02/07 06:55:54
+     [cipher.c mac.c]
+     remove some logging that makes ssh debugging output very verbose;
+     ok markus
+   - djm@cvs.openbsd.org 2014/02/15 23:05:36
+     [channels.c]
+     avoid spurious "getsockname failed: Bad file descriptor" errors in ssh -W;
+     bz#2200, debian#738692 via Colin Watson; ok dtucker@
+   - djm@cvs.openbsd.org 2014/02/22 01:32:19
+     [readconf.c]
+     when processing Match blocks, skip 'exec' clauses if previous predicates
+     failed to match; ok markus@
+   - djm@cvs.openbsd.org 2014/02/23 20:03:42
+     [ssh-ed25519.c]
+     check for unsigned overflow; not reachable in OpenSSH but others might
+     copy our code...
+   - djm@cvs.openbsd.org 2014/02/23 20:11:36
+     [readconf.c readconf.h ssh.c ssh_config.5]
+     reparse ssh_config and ~/.ssh/config if hostname canonicalisation changes
+     the hostname. This allows users to write configurations that always
+     refer to canonical hostnames, e.g.
+     
+     CanonicalizeHostname yes
+     CanonicalDomains int.example.org example.org
+     CanonicalizeFallbackLocal no
+     
+     Host *.int.example.org
+         Compression off
+     Host *.example.org
+         User djm
+     
+     ok markus@
+
+20140213
+ - (dtucker) [configure.ac openbsd-compat/openssl-compat.{c,h}]  Add compat
+   code for older OpenSSL versions that don't have EVP_MD_CTX_copy_ex.
+
+20140207
+ - OpenBSD CVS Sync
+   - naddy@cvs.openbsd.org 2014/02/05 20:13:25
+     [ssh-keygen.1 ssh-keygen.c]
+     tweak synopsis: calling ssh-keygen without any arguments is fine; ok jmc@
+     while here, fix ordering in usage(); requested by jmc@
+   - djm@cvs.openbsd.org 2014/02/06 22:21:01
+     [sshconnect.c]
+     in ssh_create_socket(), only do the getaddrinfo for BindAddress when
+     BindAddress is actually specified. Fixes regression in 6.5 for
+     UsePrivilegedPort=yes; patch from Corinna Vinschen
+
+20140206
+ - (dtucker) [openbsd-compat/bsd-poll.c] Don't bother checking for non-NULL
+   before freeing since free(NULL) is a no-op.  ok djm.
+ - (djm) [sandbox-seccomp-filter.c] Not all Linux architectures define
+   __NR_shutdown; some go via the socketcall(2) multiplexer.
+
+20140205
+ - (djm) [sandbox-capsicum.c] Don't fatal if Capsicum is offered by
+   headers/libc but not supported by the kernel. Patch from Loganaden
+   Velvindron @ AfriNIC
+
+20140204
+ - OpenBSD CVS Sync
+   - markus@cvs.openbsd.org 2014/01/27 18:58:14
+     [Makefile.in digest.c digest.h hostfile.c kex.h mac.c hmac.c hmac.h]
+     replace openssl HMAC with an implementation based on our ssh_digest_*
+     ok and feedback djm@
+   - markus@cvs.openbsd.org 2014/01/27 19:18:54
+     [auth-rsa.c cipher.c ssh-agent.c sshconnect1.c sshd.c]
+     replace openssl MD5 with our ssh_digest_*; ok djm@
+   - markus@cvs.openbsd.org 2014/01/27 20:13:46
+     [digest.c digest-openssl.c digest-libc.c Makefile.in]
+     rename digest.c to digest-openssl.c and add libc variant; ok djm@
+   - jmc@cvs.openbsd.org 2014/01/28 14:13:39
+     [ssh-keyscan.1]
+     kill some bad Pa;
+     From: Jan Stary
+   - djm@cvs.openbsd.org 2014/01/29 00:19:26
+     [sshd.c]
+     use kill(0, ...) instead of killpg(0, ...); on most operating systems
+     they are equivalent, but SUSv2 describes the latter as having undefined
+     behaviour; from portable; ok dtucker
+     (Id sync only; change is already in portable)
+   - djm@cvs.openbsd.org 2014/01/29 06:18:35
+     [Makefile.in auth.h auth2-jpake.c auth2.c jpake.c jpake.h monitor.c]
+     [monitor.h monitor_wrap.c monitor_wrap.h readconf.c readconf.h]
+     [schnorr.c schnorr.h servconf.c servconf.h ssh2.h sshconnect2.c]
+     remove experimental, never-enabled JPAKE code; ok markus@
+   - jmc@cvs.openbsd.org 2014/01/29 14:04:51
+     [sshd_config.5]
+     document kbdinteractiveauthentication;
+     requested From: Ross L Richardson
+     
+     dtucker/markus helped explain its workings;
+   - djm@cvs.openbsd.org 2014/01/30 22:26:14
+     [sandbox-systrace.c]
+     allow shutdown(2) syscall in sandbox - it may be called by packet_close()
+     from portable
+     (Id sync only; change is already in portable)
+   - tedu@cvs.openbsd.org 2014/01/31 16:39:19
+     [auth2-chall.c authfd.c authfile.c bufaux.c bufec.c canohost.c]
+     [channels.c cipher-chachapoly.c clientloop.c configure.ac hostfile.c]
+     [kexc25519.c krl.c monitor.c sandbox-systrace.c session.c]
+     [sftp-client.c ssh-keygen.c ssh.c sshconnect2.c sshd.c sshlogin.c]
+     [openbsd-compat/explicit_bzero.c openbsd-compat/openbsd-compat.h]
+     replace most bzero with explicit_bzero, except a few that cna be memset
+     ok djm dtucker
+   - djm@cvs.openbsd.org 2014/02/02 03:44:32
+     [auth1.c auth2-chall.c auth2-passwd.c authfile.c bufaux.c bufbn.c]
+     [buffer.c cipher-3des1.c cipher.c clientloop.c gss-serv.c kex.c]
+     [kexdhc.c kexdhs.c kexecdhc.c kexgexc.c kexecdhs.c kexgexs.c key.c]
+     [monitor.c monitor_wrap.c packet.c readpass.c rsa.c serverloop.c]
+     [ssh-add.c ssh-agent.c ssh-dss.c ssh-ecdsa.c ssh-ed25519.c]
+     [ssh-keygen.c ssh-rsa.c sshconnect.c sshconnect1.c sshconnect2.c]
+     [sshd.c]
+     convert memset of potentially-private data to explicit_bzero()
+   - djm@cvs.openbsd.org 2014/02/03 23:28:00
+     [ssh-ecdsa.c]
+     fix memory leak; ECDSA_SIG_new() allocates 'r' and 's' for us, unlike
+     DSA_SIG_new. Reported by Batz Spear; ok markus@
+   - djm@cvs.openbsd.org 2014/02/02 03:44:31
+     [digest-libc.c digest-openssl.c]
+     convert memset of potentially-private data to explicit_bzero()
+   - djm@cvs.openbsd.org 2014/02/04 00:24:29
+     [ssh.c]
+     delay lowercasing of hostname until right before hostname
+     canonicalisation to unbreak case-sensitive matching of ssh_config;
+     reported by Ike Devolder; ok markus@
+ - (djm) [openbsd-compat/Makefile.in] Add missing explicit_bzero.o
+ - (djm) [regress/setuid-allowed.c] Missing string.h for strerror()
+
+20140131
+ - (djm) [sandbox-seccomp-filter.c sandbox-systrace.c] Allow shutdown(2)
+   syscall from sandboxes; it may be called by packet_close.
+ - (dtucker) [readconf.c] Include <arpa/inet.h> for the hton macros.  Fixes
+   build with HP-UX's compiler.  Patch from Kevin Brott.
+ - (tim) [Makefile.in] build regress/setuid-allow.
+
 20140130
  - (djm) [configure.ac] Only check for width-specified integer types
    in headers that actually exist. patch from Tom G. Christensen;
@@ -2663,3 +2884,4 @@
    [contrib/suse/openssh.spec] Update for release 6.0
  - (djm) [README] Update URL to release notes.
  - (djm) Release openssh-6.0
+
diff --git a/Makefile.in b/Makefile.in
index b7de26f2e..7d192bb7c 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.352 2014/01/27 06:35:04 dtucker Exp $
+# $Id: Makefile.in,v 1.356 2014/02/04 00:12:56 djm Exp $
 
 # uncomment if you run a non bourne compatable shell. Ie. csh
 #SHELL = @SH@
@@ -74,9 +74,9 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
         kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
         kexgssc.o \
         msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-        jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+        ssh-pkcs11.o krl.o smult_curve25519_ref.o \
         kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
-        ssh-ed25519.o digest.o \
+        ssh-ed25519.o digest-openssl.o hmac.o \
         sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
@@ -89,7 +89,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
         auth.o auth1.o auth2.o auth-options.o session.o \
         auth-chall.o auth2-chall.o groupaccess.o \
         auth-skey.o auth-bsdauth.o auth2-hostbased.o auth2-kbdint.o \
-        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
+        auth2-none.o auth2-passwd.o auth2-pubkey.o \
         monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
         kexc25519s.o auth-krb5.o \
         auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
@@ -411,7 +411,7 @@ regress/setuid-allowed$(EXEEXT): $(srcdir)/regress/setuid-allowed.c
         $(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
         $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
-tests interop-tests:    $(TARGETS) regress/modpipe$(EXEEXT)
+tests interop-tests:    $(TARGETS) regress/modpipe$(EXEEXT) regress/setuid-allowed$(EXEEXT)
         BUILDDIR=`pwd`; \
         TEST_SHELL="@TEST_SHELL@"; \
         TEST_SSH_SCP="$${BUILDDIR}/scp"; \
diff --git a/README b/README
index 8da9759ef..368dca59c 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
-See http://www.openssh.com/txt/release-6.5 for the release notes.
+See http://www.openssh.com/txt/release-6.6 for the release notes.
 
 - A Japanese translation of this document and of the OpenSSH FAQ is
 - available at http://www.unixuser.org/~haruyama/security/openssh/index.html
@@ -62,4 +62,4 @@ References -
 [6] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9
 [7] http://www.openssh.com/faq.html
 
-$Id: README,v 1.85 2014/01/16 07:51:45 djm Exp $
+$Id: README,v 1.86 2014/02/27 23:03:53 djm Exp $
diff --git a/auth-rsa.c b/auth-rsa.c
index 4624c1597..260ce2f98 100644
--- a/auth-rsa.c
+++ b/auth-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth-rsa.c,v 1.85 2013/07/12 00:19:58 djm Exp $ */
+/* $OpenBSD: auth-rsa.c,v 1.86 2014/01/27 19:18:54 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -20,7 +20,6 @@
 #include <sys/stat.h>
 
 #include <openssl/rsa.h>
-#include <openssl/md5.h>
 
 #include <pwd.h>
 #include <stdio.h>
@@ -48,6 +47,8 @@
 #include "ssh.h"
 #include "misc.h"
 
+#include "digest.h"
+
 /* import */
 extern ServerOptions options;
 
@@ -91,12 +92,13 @@ int
 auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
 {
         u_char buf[32], mdbuf[16];
-        MD5_CTX md;
+        struct ssh_digest_ctx *md;
         int len;
 
         /* don't allow short keys */
         if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-                error("auth_rsa_verify_response: RSA modulus too small: %d < minimum %d bits",
+                error("%s: RSA modulus too small: %d < minimum %d bits",
+                    __func__,
                     BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
                 return (0);
         }
@@ -104,13 +106,15 @@ auth_rsa_verify_response(Key *key, BIGNUM *challenge, u_char response[16])
         /* The response is MD5 of decrypted challenge plus session id. */
         len = BN_num_bytes(challenge);
         if (len <= 0 || len > 32)
-                fatal("auth_rsa_verify_response: bad challenge length %d", len);
+                fatal("%s: bad challenge length %d", __func__, len);
         memset(buf, 0, 32);
         BN_bn2bin(challenge, buf + 32 - len);
-        MD5_Init(&md);
-        MD5_Update(&md, buf, 32);
-        MD5_Update(&md, session_id, 16);
-        MD5_Final(mdbuf, &md);
+        if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
+            ssh_digest_update(md, buf, 32) < 0 ||
+            ssh_digest_update(md, session_id, 16) < 0 ||
+            ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
+                fatal("%s: md5 failed", __func__);
+        ssh_digest_free(md);
 
         /* Verify that the response is the original challenge. */
         if (timingsafe_bcmp(response, mdbuf, 16) != 0) {
diff --git a/auth.h b/auth.h
index 5b6824f71..79e4ea53a 100644
--- a/auth.h
+++ b/auth.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.h,v 1.76 2013/07/19 07:37:48 markus Exp $ */
+/* $OpenBSD: auth.h,v 1.77 2014/01/29 06:18:35 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -62,7 +62,6 @@ struct Authctxt {
         char            *role;
         void            *kbdintctxt;
         char            *info;          /* Extra info for next auth_log */
-        void            *jpake_ctx;
 #ifdef BSD_AUTH
         auth_session_t  *as;
 #endif
@@ -176,9 +175,6 @@ int	bsdauth_respond(void *, u_int, char **);
 int     skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int     skey_respond(void *, u_int, char **);
 
-void    auth2_jpake_get_pwdata(Authctxt *, BIGNUM **, char **, char **);
-void    auth2_jpake_stop(Authctxt *);
-
 int     allowed_user(struct passwd *);
 struct passwd * getpwnamallow(const char *user);
 
diff --git a/auth1.c b/auth1.c
index 2803a3c97..c70739080 100644
--- a/auth1.c
+++ b/auth1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth1.c,v 1.79 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth1.c,v 1.80 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -129,7 +129,7 @@ auth1_process_password(Authctxt *authctxt)
         /* Try authentication with the password. */
         authenticated = PRIVSEP(auth_password(authctxt, password));
 
-        memset(password, 0, dlen);
+        explicit_bzero(password, dlen);
         free(password);
 
         return (authenticated);
@@ -222,7 +222,7 @@ auth1_process_tis_response(Authctxt *authctxt)
         response = packet_get_string(&dlen);
         packet_check_eom();
         authenticated = verify_response(authctxt, response);
-        memset(response, 'r', dlen);
+        explicit_bzero(response, dlen);
         free(response);
 
         return (authenticated);
diff --git a/auth2-chall.c b/auth2-chall.c
index 031c2828c..980250a91 100644
--- a/auth2-chall.c
+++ b/auth2-chall.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-chall.c,v 1.39 2013/11/08 00:39:14 djm Exp $ */
+/* $OpenBSD: auth2-chall.c,v 1.41 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2001 Per Allansson.  All rights reserved.
@@ -148,7 +148,7 @@ kbdint_free(KbdintAuthctxt *kbdintctxt)
         if (kbdintctxt->device)
                 kbdint_reset_device(kbdintctxt);
         free(kbdintctxt->devices);
-        bzero(kbdintctxt, sizeof(*kbdintctxt));
+        explicit_bzero(kbdintctxt, sizeof(*kbdintctxt));
         free(kbdintctxt);
 }
 /* get next device */
@@ -312,7 +312,7 @@ input_userauth_info_response(int type, u_int32_t seq, void *ctxt)
         res = kbdintctxt->device->respond(kbdintctxt->ctxt, nresp, response);
 
         for (i = 0; i < nresp; i++) {
-                memset(response[i], 'r', strlen(response[i]));
+                explicit_bzero(response[i], strlen(response[i]));
                 free(response[i]);
         }
         free(response);
diff --git a/auth2-gss.c b/auth2-gss.c
index b8db8204f..3ff2d726b 100644
--- a/auth2-gss.c
+++ b/auth2-gss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@@ -96,7 +96,6 @@ userauth_gssapi(Authctxt *authctxt)
         gss_OID_desc goid = {0, NULL};
         Gssctxt *ctxt = NULL;
         int mechs;
-        gss_OID_set supported;
         int present;
         OM_uint32 ms;
         u_int len;
@@ -111,7 +110,6 @@ userauth_gssapi(Authctxt *authctxt)
                 return (0);
         }
 
-        ssh_gssapi_supported_oids(&supported);
         do {
                 mechs--;
 
@@ -124,15 +122,12 @@ userauth_gssapi(Authctxt *authctxt)
                     doid[1] == len - 2) {
                         goid.elements = doid + 2;
                         goid.length   = len - 2;
-                        gss_test_oid_set_member(&ms, &goid, supported,
-                            &present);
+                        ssh_gssapi_test_oid_supported(&ms, &goid, &present);
                 } else {
                         logit("Badly formed OID received");
                 }
         } while (mechs > 0 && !present);
 
-        gss_release_oid_set(&ms, &supported);
-
         if (!present) {
                 free(doid);
                 authctxt->server_caused_failure = 1;
diff --git a/auth2-jpake.c b/auth2-jpake.c
deleted file mode 100644
index 78a6b8817..000000000
--- a/auth2-jpake.c
+++ /dev/null
@@ -1,563 +0,0 @@
-/* $OpenBSD: auth2-jpake.c,v 1.6 2013/05/17 00:13:13 djm Exp $ */
-/*
- * Copyright (c) 2008 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Server side of zero-knowledge password auth using J-PAKE protocol
- * as described in:
- *
- * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
- * 16th Workshop on Security Protocols, Cambridge, April 2008
- *
- * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
- */
-
-#ifdef JPAKE
-
-#include <sys/types.h>
-#include <sys/param.h>
-
-#include <pwd.h>
-#include <stdio.h>
-#include <string.h>
-#include <login_cap.h>
-
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "servconf.h"
-#include "auth-options.h"
-#include "canohost.h"
-#ifdef GSSAPI
-#include "ssh-gss.h"
-#endif
-#include "monitor_wrap.h"
-
-#include "schnorr.h"
-#include "jpake.h"
-
-/*
- * XXX options->permit_empty_passwd (at the moment, they will be refused
- * anyway because they will mismatch on fake salt.
- */
-
-/* Dispatch handlers */
-static void input_userauth_jpake_client_step1(int, u_int32_t, void *);
-static void input_userauth_jpake_client_step2(int, u_int32_t, void *);
-static void input_userauth_jpake_client_confirm(int, u_int32_t, void *);
-
-static int auth2_jpake_start(Authctxt *);
-
-/* import */
-extern ServerOptions options;
-extern u_char *session_id2;
-extern u_int session_id2_len;
-
-/*
- * Attempt J-PAKE authentication.
- */
-static int
-userauth_jpake(Authctxt *authctxt)
-{
-        int authenticated = 0;
-
-        packet_check_eom();
-
-        debug("jpake-01@openssh.com requested");
-
-        if (authctxt->user != NULL) {
-                if (authctxt->jpake_ctx == NULL)
-                        authctxt->jpake_ctx = jpake_new();
-                if (options.zero_knowledge_password_authentication)
-                        authenticated = auth2_jpake_start(authctxt);
-        }
-
-        return authenticated;
-}
-
-Authmethod method_jpake = {
-        "jpake-01@openssh.com",
-        userauth_jpake,
-        &options.zero_knowledge_password_authentication
-};
-
-/* Clear context and callbacks */
-void
-auth2_jpake_stop(Authctxt *authctxt)
-{
-        /* unregister callbacks */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
-        if (authctxt->jpake_ctx != NULL) {
-                jpake_free(authctxt->jpake_ctx);
-                authctxt->jpake_ctx = NULL;
-        }
-}
-
-/* Returns 1 if 'c' is a valid crypt(3) salt character, 0 otherwise */
-static int
-valid_crypt_salt(int c)
-{
-        if (c >= 'A' && c <= 'Z')
-                return 1;
-        if (c >= 'a' && c <= 'z')
-                return 1;
-        if (c >= '.' && c <= '9')
-                return 1;
-        return 0;
-}
-
-/*
- * Derive fake salt as H(username || first_private_host_key)
- * This provides relatively stable fake salts for non-existent
- * users and avoids the jpake method becoming an account validity
- * oracle.
- */
-static void
-derive_rawsalt(const char *username, u_char *rawsalt, u_int len)
-{
-        u_char *digest;
-        u_int digest_len;
-        Buffer b;
-        Key *k;
-
-        buffer_init(&b);
-        buffer_put_cstring(&b, username);
-        if ((k = get_hostkey_by_index(0)) == NULL ||
-            (k->flags & KEY_FLAG_EXT))
-                fatal("%s: no hostkeys", __func__);
-        switch (k->type) {
-        case KEY_RSA1:
-        case KEY_RSA:
-                if (k->rsa->p == NULL || k->rsa->q == NULL)
-                        fatal("%s: RSA key missing p and/or q", __func__);
-                buffer_put_bignum2(&b, k->rsa->p);
-                buffer_put_bignum2(&b, k->rsa->q);
-                break;
-        case KEY_DSA:
-                if (k->dsa->priv_key == NULL)
-                        fatal("%s: DSA key missing priv_key", __func__);
-                buffer_put_bignum2(&b, k->dsa->priv_key);
-                break;
-        case KEY_ECDSA:
-                if (EC_KEY_get0_private_key(k->ecdsa) == NULL)
-                        fatal("%s: ECDSA key missing priv_key", __func__);
-                buffer_put_bignum2(&b, EC_KEY_get0_private_key(k->ecdsa));
-                break;
-        default:
-                fatal("%s: unknown key type %d", __func__, k->type);
-        }
-        if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
-            &digest, &digest_len) != 0)
-                fatal("%s: hash_buffer", __func__);
-        buffer_free(&b);
-        if (len > digest_len)
-                fatal("%s: not enough bytes for rawsalt (want %u have %u)",
-                    __func__, len, digest_len);
-        memcpy(rawsalt, digest, len);
-        bzero(digest, digest_len);
-        free(digest);
-}
-
-/* ASCII an integer [0, 64) for inclusion in a password/salt */
-static char
-pw_encode64(u_int i64)
-{
-        const u_char e64[] =
-            "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
-        return e64[i64 % 64];
-}
-
-/* Generate ASCII salt bytes for user */
-static char *
-makesalt(u_int want, const char *user)
-{
-        u_char rawsalt[32];
-        static char ret[33];
-        u_int i;
-
-        if (want > sizeof(ret) - 1)
-                fatal("%s: want %u", __func__, want);
-
-        derive_rawsalt(user, rawsalt, sizeof(rawsalt));
-        bzero(ret, sizeof(ret));
-        for (i = 0; i < want; i++)
-                ret[i] = pw_encode64(rawsalt[i]);
-        bzero(rawsalt, sizeof(rawsalt));
-
-        return ret;
-}
-
-/*
- * Select the system's default password hashing scheme and generate
- * a stable fake salt under it for use by a non-existent account.
- * Prevents jpake method being used to infer the validity of accounts.
- */
-static void
-fake_salt_and_scheme(Authctxt *authctxt, char **salt, char **scheme)
-{
-        char *rounds_s, *style;
-        long long rounds;
-        login_cap_t *lc;
-
-
-        if ((lc = login_getclass(authctxt->pw->pw_class)) == NULL &&
-            (lc = login_getclass(NULL)) == NULL)
-                fatal("%s: login_getclass failed", __func__);
-        style = login_getcapstr(lc, "localcipher", NULL, NULL);
-        if (style == NULL)
-                style = xstrdup("blowfish,6");
-        login_close(lc);
-        
-        if ((rounds_s = strchr(style, ',')) != NULL)
-                *rounds_s++ = '\0';
-        rounds = strtonum(rounds_s, 1, 1<<31, NULL);
-        
-        if (strcmp(style, "md5") == 0) {
-                xasprintf(salt, "$1$%s$", makesalt(8, authctxt->user));
-                *scheme = xstrdup("md5");
-        } else if (strcmp(style, "old") == 0) {
-                *salt = xstrdup(makesalt(2, authctxt->user));
-                *scheme = xstrdup("crypt");
-        } else if (strcmp(style, "newsalt") == 0) {
-                rounds = MAX(rounds, 7250);
-                rounds = MIN(rounds, (1<<24) - 1);
-                xasprintf(salt, "_%c%c%c%c%s",
-                    pw_encode64(rounds), pw_encode64(rounds >> 6),
-                    pw_encode64(rounds >> 12), pw_encode64(rounds >> 18),
-                    makesalt(4, authctxt->user));
-                *scheme = xstrdup("crypt-extended");
-        } else {
-                /* Default to blowfish */
-                rounds = MAX(rounds, 3);
-                rounds = MIN(rounds, 31);
-                xasprintf(salt, "$2a$%02lld$%s", rounds,
-                    makesalt(22, authctxt->user));
-                *scheme = xstrdup("bcrypt");
-        }
-        free(style);
-        debug3("%s: fake %s salt for user %s: %s",
-            __func__, *scheme, authctxt->user, *salt);
-}
-
-/*
- * Fetch password hashing scheme, password salt and derive shared secret
- * for user. If user does not exist, a fake but stable and user-unique
- * salt will be returned.
- */
-void
-auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
-    char **hash_scheme, char **salt)
-{
-        char *cp;
-        u_char *secret;
-        u_int secret_len, salt_len;
-
-#ifdef JPAKE_DEBUG
-        debug3("%s: valid %d pw %.5s...", __func__,
-            authctxt->valid, authctxt->pw->pw_passwd);
-#endif
-
-        *salt = NULL;
-        *hash_scheme = NULL;
-        if (authctxt->valid) {
-                if (strncmp(authctxt->pw->pw_passwd, "$2$", 3) == 0 &&
-                    strlen(authctxt->pw->pw_passwd) > 28) {
-                        /*
-                         * old-variant bcrypt:
-                         *     "$2$", 2 digit rounds, "$", 22 bytes salt
-                         */
-                        salt_len = 3 + 2 + 1 + 22 + 1;
-                        *salt = xmalloc(salt_len);
-                        strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-                        *hash_scheme = xstrdup("bcrypt");
-                } else if (strncmp(authctxt->pw->pw_passwd, "$2a$", 4) == 0 &&
-                    strlen(authctxt->pw->pw_passwd) > 29) {
-                        /*
-                         * current-variant bcrypt:
-                         *     "$2a$", 2 digit rounds, "$", 22 bytes salt
-                         */
-                        salt_len = 4 + 2 + 1 + 22 + 1;
-                        *salt = xmalloc(salt_len);
-                        strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-                        *hash_scheme = xstrdup("bcrypt");
-                } else if (strncmp(authctxt->pw->pw_passwd, "$1$", 3) == 0 &&
-                    strlen(authctxt->pw->pw_passwd) > 5) {
-                        /*
-                         * md5crypt:
-                         *     "$1$", salt until "$"
-                         */
-                        cp = strchr(authctxt->pw->pw_passwd + 3, '$');
-                        if (cp != NULL) {
-                                salt_len = (cp - authctxt->pw->pw_passwd) + 1;
-                                *salt = xmalloc(salt_len);
-                                strlcpy(*salt, authctxt->pw->pw_passwd,
-                                    salt_len);
-                                *hash_scheme = xstrdup("md5crypt");
-                        }
-                } else if (strncmp(authctxt->pw->pw_passwd, "_", 1) == 0 &&
-                    strlen(authctxt->pw->pw_passwd) > 9) {
-                        /*
-                         * BSDI extended crypt:
-                         *     "_", 4 digits count, 4 chars salt
-                         */
-                        salt_len = 1 + 4 + 4 + 1;
-                        *salt = xmalloc(salt_len);
-                        strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-                        *hash_scheme = xstrdup("crypt-extended");
-                } else if (strlen(authctxt->pw->pw_passwd) == 13  &&
-                    valid_crypt_salt(authctxt->pw->pw_passwd[0]) &&
-                    valid_crypt_salt(authctxt->pw->pw_passwd[1])) {
-                        /*
-                         * traditional crypt:
-                         *     2 chars salt
-                         */
-                        salt_len = 2 + 1;
-                        *salt = xmalloc(salt_len);
-                        strlcpy(*salt, authctxt->pw->pw_passwd, salt_len);
-                        *hash_scheme = xstrdup("crypt");
-                }
-                if (*salt == NULL) {
-                        debug("%s: unrecognised crypt scheme for user %s",
-                            __func__, authctxt->pw->pw_name);
-                }
-        }
-        if (*salt == NULL)
-                fake_salt_and_scheme(authctxt, salt, hash_scheme);
-
-        if (hash_buffer(authctxt->pw->pw_passwd,
-            strlen(authctxt->pw->pw_passwd), EVP_sha256(),
-            &secret, &secret_len) != 0)
-                fatal("%s: hash_buffer", __func__);
-        if ((*s = BN_bin2bn(secret, secret_len, NULL)) == NULL)
-                fatal("%s: BN_bin2bn (secret)", __func__);
-#ifdef JPAKE_DEBUG
-        debug3("%s: salt = %s (len %u)", __func__,
-            *salt, (u_int)strlen(*salt));
-        debug3("%s: scheme = %s", __func__, *hash_scheme);
-        JPAKE_DEBUG_BN((*s, "%s: s = ", __func__));
-#endif
-        bzero(secret, secret_len);
-        free(secret);
-}
-
-/*
- * Begin authentication attempt.
- * Note, sets authctxt->postponed while in subprotocol
- */
-static int
-auth2_jpake_start(Authctxt *authctxt)
-{
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        u_char *x3_proof, *x4_proof;
-        u_int x3_proof_len, x4_proof_len;
-        char *salt, *hash_scheme;
-
-        debug("%s: start", __func__);
-
-        PRIVSEP(jpake_step1(pctx->grp,
-            &pctx->server_id, &pctx->server_id_len,
-            &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
-            &x3_proof, &x3_proof_len,
-            &x4_proof, &x4_proof_len));
-
-        PRIVSEP(auth2_jpake_get_pwdata(authctxt, &pctx->s,
-            &hash_scheme, &salt));
-
-        if (!use_privsep)
-                JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
-
-        packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1);
-        packet_put_cstring(hash_scheme);
-        packet_put_cstring(salt);
-        packet_put_string(pctx->server_id, pctx->server_id_len);
-        packet_put_bignum2(pctx->g_x3);
-        packet_put_bignum2(pctx->g_x4);
-        packet_put_string(x3_proof, x3_proof_len);
-        packet_put_string(x4_proof, x4_proof_len);
-        packet_send();
-        packet_write_wait();
-
-        bzero(hash_scheme, strlen(hash_scheme));
-        bzero(salt, strlen(salt));
-        free(hash_scheme);
-        free(salt);
-        bzero(x3_proof, x3_proof_len);
-        bzero(x4_proof, x4_proof_len);
-        free(x3_proof);
-        free(x4_proof);
-
-        /* Expect step 1 packet from peer */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1,
-            input_userauth_jpake_client_step1);
-
-        authctxt->postponed = 1;
-        return 0;
-}
-
-/* ARGSUSED */
-static void
-input_userauth_jpake_client_step1(int type, u_int32_t seq, void *ctxt)
-{
-        Authctxt *authctxt = ctxt;
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        u_char *x1_proof, *x2_proof, *x4_s_proof;
-        u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
-
-        /* Disable this message */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1, NULL);
-
-        /* Fetch step 1 values */
-        if ((pctx->g_x1 = BN_new()) == NULL ||
-            (pctx->g_x2 = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        pctx->client_id = packet_get_string(&pctx->client_id_len);
-        packet_get_bignum2(pctx->g_x1);
-        packet_get_bignum2(pctx->g_x2);
-        x1_proof = packet_get_string(&x1_proof_len);
-        x2_proof = packet_get_string(&x2_proof_len);
-        packet_check_eom();
-
-        if (!use_privsep)
-                JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
-
-        PRIVSEP(jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
-            pctx->g_x1, pctx->g_x2, pctx->x4,
-            pctx->client_id, pctx->client_id_len,
-            pctx->server_id, pctx->server_id_len,
-            x1_proof, x1_proof_len,
-            x2_proof, x2_proof_len,
-            &pctx->b,
-            &x4_s_proof, &x4_s_proof_len));
-
-        bzero(x1_proof, x1_proof_len);
-        bzero(x2_proof, x2_proof_len);
-        free(x1_proof);
-        free(x2_proof);
-
-        if (!use_privsep)
-                JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
-
-        /* Send values for step 2 */
-        packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2);
-        packet_put_bignum2(pctx->b);
-        packet_put_string(x4_s_proof, x4_s_proof_len);
-        packet_send();
-        packet_write_wait();
-
-        bzero(x4_s_proof, x4_s_proof_len);
-        free(x4_s_proof);
-
-        /* Expect step 2 packet from peer */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2,
-            input_userauth_jpake_client_step2);
-}
-
-/* ARGSUSED */
-static void
-input_userauth_jpake_client_step2(int type, u_int32_t seq, void *ctxt)
-{
-        Authctxt *authctxt = ctxt;
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        u_char *x2_s_proof;
-        u_int x2_s_proof_len;
-
-        /* Disable this message */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2, NULL);
-
-        if ((pctx->a = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        /* Fetch step 2 values */
-        packet_get_bignum2(pctx->a);
-        x2_s_proof = packet_get_string(&x2_s_proof_len);
-        packet_check_eom();
-
-        if (!use_privsep)
-                JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
-
-        /* Derive shared key and calculate confirmation hash */
-        PRIVSEP(jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
-            pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
-            pctx->server_id, pctx->server_id_len,
-            pctx->client_id, pctx->client_id_len,
-            session_id2, session_id2_len,
-            x2_s_proof, x2_s_proof_len,
-            &pctx->k,
-            &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len));
-
-        bzero(x2_s_proof, x2_s_proof_len);
-        free(x2_s_proof);
-
-        if (!use_privsep)
-                JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
-
-        /* Send key confirmation proof */
-        packet_start(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM);
-        packet_put_string(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-        packet_send();
-        packet_write_wait();
-
-        /* Expect confirmation from peer */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM,
-            input_userauth_jpake_client_confirm);
-}
-
-/* ARGSUSED */
-static void
-input_userauth_jpake_client_confirm(int type, u_int32_t seq, void *ctxt)
-{
-        Authctxt *authctxt = ctxt;
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        int authenticated = 0;
-
-        /* Disable this message */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM, NULL);
-
-        pctx->h_k_cid_sessid = packet_get_string(&pctx->h_k_cid_sessid_len);
-        packet_check_eom();
-
-        if (!use_privsep)
-                JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
-
-        /* Verify expected confirmation hash */
-        if (PRIVSEP(jpake_check_confirm(pctx->k,
-            pctx->client_id, pctx->client_id_len,
-            session_id2, session_id2_len,
-            pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len)) == 1)
-                authenticated = authctxt->valid ? 1 : 0;
-        else
-                debug("%s: confirmation mismatch", __func__);
-                
-        /* done */
-        authctxt->postponed = 0;
-        jpake_free(authctxt->jpake_ctx);
-        authctxt->jpake_ctx = NULL;
-        userauth_finish(authctxt, authenticated, method_jpake.name, NULL);
-}
-
-#endif /* JPAKE */
-
diff --git a/auth2-passwd.c b/auth2-passwd.c
index 21bc5047d..707680cd0 100644
--- a/auth2-passwd.c
+++ b/auth2-passwd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2-passwd.c,v 1.10 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: auth2-passwd.c,v 1.11 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -59,7 +59,7 @@ userauth_passwd(Authctxt *authctxt)
         if (change) {
                 /* discard new password from packet */
                 newpass = packet_get_string(&newlen);
-                memset(newpass, 0, newlen);
+                explicit_bzero(newpass, newlen);
                 free(newpass);
         }
         packet_check_eom();
@@ -68,7 +68,7 @@ userauth_passwd(Authctxt *authctxt)
                 logit("password change not supported");
         else if (PRIVSEP(auth_password(authctxt, password)) == 1)
                 authenticated = 1;
-        memset(password, 0, len);
+        explicit_bzero(password, len);
         free(password);
         return authenticated;
 }
diff --git a/auth2.c b/auth2.c
index b55bbcd95..70f29250d 100644
--- a/auth2.c
+++ b/auth2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth2.c,v 1.129 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth2.c,v 1.130 2014/01/29 06:18:35 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -72,9 +72,6 @@ extern Authmethod method_hostbased;
 extern Authmethod method_gsskeyex;
 extern Authmethod method_gssapi;
 #endif
-#ifdef JPAKE
-extern Authmethod method_jpake;
-#endif
 
 Authmethod *authmethods[] = {
         &method_none,
@@ -83,9 +80,6 @@ Authmethod *authmethods[] = {
         &method_gsskeyex,
         &method_gssapi,
 #endif
-#ifdef JPAKE
-        &method_jpake,
-#endif
         &method_passwd,
         &method_kbdint,
         &method_hostbased,
@@ -278,9 +272,6 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
         }
         /* reset state */
         auth2_challenge_stop(authctxt);
-#ifdef JPAKE
-        auth2_jpake_stop(authctxt);
-#endif
 
 #ifdef GSSAPI
         /* XXX move to auth2_gssapi_stop() */
diff --git a/authfd.c b/authfd.c
index f9636903a..cea3f97b4 100644
--- a/authfd.c
+++ b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.91 2013/12/29 04:29:25 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.92 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -102,7 +102,7 @@ ssh_get_authentication_socket(void)
         if (!authsocket)
                 return -1;
 
-        bzero(&sunaddr, sizeof(sunaddr));
+        memset(&sunaddr, 0, sizeof(sunaddr));
         sunaddr.sun_family = AF_UNIX;
         strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
 
diff --git a/authfile.c b/authfile.c
index 7eccbb2c9..d7eaa9dec 100644
--- a/authfile.c
+++ b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.101 2013/12/29 04:35:50 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.103 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -131,7 +131,7 @@ key_private_to_blob2(Key *prv, Buffer *blob, const char *passphrase,
                 buffer_put_int(&kdf, rounds);
         }
         cipher_init(&ctx, c, key, keylen, key + keylen , ivlen, 1);
-        memset(key, 0, keylen + ivlen);
+        explicit_bzero(key, keylen + ivlen);
         free(key);
 
         buffer_init(&encoded);
@@ -143,7 +143,7 @@ key_private_to_blob2(Key *prv, Buffer *blob, const char *passphrase,
         key_to_blob(prv, &cp, &len);                    /* public key */
         buffer_put_string(&encoded, cp, len);
 
-        memset(cp, 0, len);
+        explicit_bzero(cp, len);
         free(cp);
 
         buffer_free(&kdf);
@@ -409,7 +409,7 @@ key_parse_private2(Buffer *blob, int type, const char *passphrase,
         free(salt);
         free(comment);
         if (key)
-                memset(key, 0, keylen + ivlen);
+                explicit_bzero(key, keylen + ivlen);
         free(key);
         buffer_free(&encoded);
         buffer_free(&copy);
@@ -496,10 +496,10 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
             buffer_ptr(&buffer), buffer_len(&buffer), 0, 0) != 0)
                 fatal("%s: cipher_crypt failed", __func__);
         cipher_cleanup(&ciphercontext);
-        memset(&ciphercontext, 0, sizeof(ciphercontext));
+        explicit_bzero(&ciphercontext, sizeof(ciphercontext));
 
         /* Destroy temporary data. */
-        memset(buf, 0, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
         buffer_free(&buffer);
 
         buffer_append(blob, buffer_ptr(&encrypted), buffer_len(&encrypted));
@@ -703,17 +703,17 @@ key_load_file(int fd, const char *filename, Buffer *blob)
                             __func__, filename == NULL ? "" : filename,
                             filename == NULL ? "" : " ", strerror(errno));
                         buffer_clear(blob);
-                        bzero(buf, sizeof(buf));
+                        explicit_bzero(buf, sizeof(buf));
                         return 0;
                 }
                 buffer_append(blob, buf, len);
                 if (buffer_len(blob) > MAX_KEY_FILE_SIZE) {
                         buffer_clear(blob);
-                        bzero(buf, sizeof(buf));
+                        explicit_bzero(buf, sizeof(buf));
                         goto toobig;
                 }
         }
-        bzero(buf, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
         if ((st.st_mode & (S_IFSOCK|S_IFCHR|S_IFIFO)) == 0 &&
             st.st_size != buffer_len(blob)) {
                 debug("%s: key file %.200s%schanged size while reading",
@@ -831,7 +831,7 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
             buffer_ptr(&copy), buffer_len(&copy), 0, 0) != 0)
                 fatal("%s: cipher_crypt failed", __func__);
         cipher_cleanup(&ciphercontext);
-        memset(&ciphercontext, 0, sizeof(ciphercontext));
+        explicit_bzero(&ciphercontext, sizeof(ciphercontext));
         buffer_free(&copy);
 
         check1 = buffer_get_char(&decrypted);
diff --git a/bufaux.c b/bufaux.c
index 9401fe1d0..e24b5fc0a 100644
--- a/bufaux.c
+++ b/bufaux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufaux.c,v 1.54 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.56 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -216,7 +216,7 @@ buffer_get_cstring_ret(Buffer *buffer, u_int *length_ptr)
                 if (cp == ret + length - 1)
                         error("buffer_get_cstring_ret: string contains \\0");
                 else {
-                        bzero(ret, length);
+                        explicit_bzero(ret, length);
                         free(ret);
                         return NULL;
                 }
@@ -346,7 +346,7 @@ buffer_get_bignum2_as_string_ret(Buffer *buffer, u_int *length_ptr)
         }
         ret = xmalloc(len);
         memcpy(ret, p, len);
-        memset(p, '\0', len);
+        explicit_bzero(p, len);
         free(bin);
         return ret;
 }
@@ -383,7 +383,7 @@ buffer_put_bignum2_from_string(Buffer *buffer, const u_char *s, u_int l)
         }
         memcpy(p, s, l);
         buffer_put_string(buffer, buf, l + pad);
-        memset(buf, '\0', l + pad);
+        explicit_bzero(buf, l + pad);
         free(buf);
 }
 
diff --git a/bufbn.c b/bufbn.c
index 2ebc80a27..1d2e01266 100644
--- a/bufbn.c
+++ b/bufbn.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufbn.c,v 1.8 2013/11/08 11:15:19 dtucker Exp $*/
+/* $OpenBSD: bufbn.c,v 1.11 2014/02/27 08:25:09 djm Exp $*/
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -80,7 +80,7 @@ buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
         /* Store the binary data. */
         buffer_append(buffer, buf, oi);
 
-        memset(buf, 0, bin_size);
+        explicit_bzero(buf, bin_size);
         free(buf);
 
         return (0);
@@ -108,6 +108,11 @@ buffer_get_bignum_ret(Buffer *buffer, BIGNUM *value)
                 return (-1);
         }
         bits = get_u16(buf);
+        if (bits > 65535-7) {
+                error("buffer_get_bignum_ret: cannot handle BN of size %d",
+                    bits);
+                return (-1);
+        }
         /* Compute the number of binary bytes that follow. */
         bytes = (bits + 7) / 8;
         if (bytes > 8 * 1024) {
@@ -173,7 +178,7 @@ buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
         }
         hasnohigh = (buf[1] & 0x80) ? 0 : 1;
         buffer_put_string(buffer, buf+hasnohigh, bytes-hasnohigh);
-        memset(buf, 0, bytes);
+        explicit_bzero(buf, bytes);
         free(buf);
         return (0);
 }
diff --git a/bufec.c b/bufec.c
index 6c0048978..89482b906 100644
--- a/bufec.c
+++ b/bufec.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufec.c,v 1.2 2013/05/17 00:13:13 djm Exp $ */
+/* $OpenBSD: bufec.c,v 1.3 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Copyright (c) 2010 Damien Miller <djm@mindrot.org>
  *
@@ -77,7 +77,7 @@ buffer_put_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
         ret = 0;
  out:
         if (buf != NULL) {
-                bzero(buf, len);
+                explicit_bzero(buf, len);
                 free(buf);
         }
         BN_CTX_free(bnctx);
@@ -130,7 +130,7 @@ buffer_get_ecpoint_ret(Buffer *buffer, const EC_GROUP *curve,
         ret = 0;
  out:
         BN_CTX_free(bnctx);
-        bzero(buf, len);
+        explicit_bzero(buf, len);
         free(buf);
         return ret;
 }
diff --git a/buffer.c b/buffer.c
index 9e7c40a5a..d240f6753 100644
--- a/buffer.c
+++ b/buffer.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: buffer.c,v 1.34 2013/11/08 11:15:19 dtucker Exp $ */
+/* $OpenBSD: buffer.c,v 1.35 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -49,7 +49,7 @@ void
 buffer_free(Buffer *buffer)
 {
         if (buffer->alloc > 0) {
-                memset(buffer->buf, 0, buffer->alloc);
+                explicit_bzero(buffer->buf, buffer->alloc);
                 buffer->alloc = 0;
                 free(buffer->buf);
         }
diff --git a/canohost.c b/canohost.c
index a19a60cda..a61a8c94d 100644
--- a/canohost.c
+++ b/canohost.c
@@ -192,7 +192,7 @@ ipv64_normalise_mapped(struct sockaddr_storage *addr, socklen_t *len)
         memcpy(&inaddr, ((char *)&a6->sin6_addr) + 12, sizeof(inaddr));
         port = a6->sin6_port;
 
-        bzero(a4, sizeof(*a4));
+        memset(a4, 0, sizeof(*a4));
 
         a4->sin_family = AF_INET;
         *len = sizeof(*a4);
diff --git a/channels.c b/channels.c
index 8e66265a3..9efe89c9c 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.328 2013/12/19 01:04:36 djm Exp $ */
+/* $OpenBSD: channels.c,v 1.331 2014/02/26 20:29:29 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -423,7 +423,7 @@ channel_free(Channel *c)
                 if (cc->abandon_cb != NULL)
                         cc->abandon_cb(c, cc->ctx);
                 TAILQ_REMOVE(&c->status_confirms, cc, entry);
-                bzero(cc, sizeof(*cc));
+                explicit_bzero(cc, sizeof(*cc));
                 free(cc);
         }
         if (c->filter_cleanup != NULL && c->filter_ctx != NULL)
@@ -1072,6 +1072,9 @@ channel_decode_socks4(Channel *c, fd_set *readset, fd_set *writeset)
         buffer_get(&c->input, (char *)&s4_req.dest_addr, 4);
         have = buffer_len(&c->input);
         p = buffer_ptr(&c->input);
+        if (memchr(p, '\0', have) == NULL)
+                fatal("channel %d: decode socks4: user not nul terminated",
+                    c->self);
         len = strlen(p);
         debug2("channel %d: decode socks4: user %s/%d", c->self, p, len);
         len++;                                  /* trailing '\0' */
@@ -2671,7 +2674,7 @@ channel_input_status_confirm(int type, u_int32_t seq, void *ctxt)
                 return;
         cc->cb(type, c, cc->ctx);
         TAILQ_REMOVE(&c->status_confirms, cc, entry);
-        bzero(cc, sizeof(*cc));
+        explicit_bzero(cc, sizeof(*cc));
         free(cc);
 }
 
@@ -3304,9 +3307,7 @@ channel_connect_ctx_free(struct channel_connect *cctx)
         free(cctx->host);
         if (cctx->aitop)
                 freeaddrinfo(cctx->aitop);
-        bzero(cctx, sizeof(*cctx));
-        cctx->host = NULL;
-        cctx->ai = cctx->aitop = NULL;
+        memset(cctx, 0, sizeof(*cctx));
 }
 
 /* Return CONNECTING channel to remote host, port */
diff --git a/cipher-3des1.c b/cipher-3des1.c
index 56fc77786..b2823592b 100644
--- a/cipher-3des1.c
+++ b/cipher-3des1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher-3des1.c,v 1.9 2013/11/08 00:39:15 djm Exp $ */
+/* $OpenBSD: cipher-3des1.c,v 1.10 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2003 Markus Friedl.  All rights reserved.
  *
@@ -93,7 +93,7 @@ ssh1_3des_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
         if (EVP_CipherInit(&c->k1, EVP_des_cbc(), k1, NULL, enc) == 0 ||
             EVP_CipherInit(&c->k2, EVP_des_cbc(), k2, NULL, !enc) == 0 ||
             EVP_CipherInit(&c->k3, EVP_des_cbc(), k3, NULL, enc) == 0) {
-                memset(c, 0, sizeof(*c));
+                explicit_bzero(c, sizeof(*c));
                 free(c);
                 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
                 return (0);
@@ -134,7 +134,7 @@ ssh1_3des_cleanup(EVP_CIPHER_CTX *ctx)
                 EVP_CIPHER_CTX_cleanup(&c->k1);
                 EVP_CIPHER_CTX_cleanup(&c->k2);
                 EVP_CIPHER_CTX_cleanup(&c->k3);
-                memset(c, 0, sizeof(*c));
+                explicit_bzero(c, sizeof(*c));
                 free(c);
                 EVP_CIPHER_CTX_set_app_data(ctx, NULL);
         }
diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c
index 91b0830fd..251b94ec8 100644
--- a/cipher-chachapoly.c
+++ b/cipher-chachapoly.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: cipher-chachapoly.c,v 1.3 2013/12/15 21:42:35 djm Exp $ */
+/* $OpenBSD: cipher-chachapoly.c,v 1.4 2014/01/31 16:39:19 tedu Exp $ */
 
 #include "includes.h"
 
@@ -58,7 +58,7 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
          * Run ChaCha20 once to generate the Poly1305 key. The IV is the
          * packet sequence number.
          */
-        bzero(poly_key, sizeof(poly_key));
+        memset(poly_key, 0, sizeof(poly_key));
         put_u64(seqbuf, seqnr);
         chacha_ivsetup(&ctx->main_ctx, seqbuf, NULL);
         chacha_encrypt_bytes(&ctx->main_ctx,
@@ -90,9 +90,9 @@ chachapoly_crypt(struct chachapoly_ctx *ctx, u_int seqnr, u_char *dest,
         r = 0;
 
  out:
-        bzero(expected_tag, sizeof(expected_tag));
-        bzero(seqbuf, sizeof(seqbuf));
-        bzero(poly_key, sizeof(poly_key));
+        explicit_bzero(expected_tag, sizeof(expected_tag));
+        explicit_bzero(seqbuf, sizeof(seqbuf));
+        explicit_bzero(poly_key, sizeof(poly_key));
         return r;
 }
 
diff --git a/cipher.c b/cipher.c
index 2476e6539..53d9b4fb7 100644
--- a/cipher.c
+++ b/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.94 2014/01/25 10:12:50 dtucker Exp $ */
+/* $OpenBSD: cipher.c,v 1.97 2014/02/07 06:55:54 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -39,8 +39,6 @@
 
 #include <sys/types.h>
 
-#include <openssl/md5.h>
-
 #include <string.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -49,6 +47,8 @@
 #include "log.h"
 #include "misc.h"
 #include "cipher.h"
+#include "buffer.h"
+#include "digest.h"
 
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
@@ -228,8 +228,6 @@ ciphers_valid(const char *names)
                         debug("bad cipher %s [%s]", p, names);
                         free(cipher_list);
                         return 0;
-                } else {
-                        debug3("cipher ok: %s [%s]", p, names);
                 }
         }
         debug3("ciphers ok: [%s]", names);
@@ -337,7 +335,7 @@ cipher_init(CipherContext *cc, const Cipher *cipher,
                 if (EVP_Cipher(&cc->evp, discard, junk,
                     cipher->discard_len) == 0)
                         fatal("evp_crypt: EVP_Cipher failed during discard");
-                memset(discard, 0, cipher->discard_len);
+                explicit_bzero(discard, cipher->discard_len);
                 free(junk);
                 free(discard);
         }
@@ -422,7 +420,7 @@ void
 cipher_cleanup(CipherContext *cc)
 {
         if ((cc->cipher->flags & CFLAG_CHACHAPOLY) != 0)
-                memset(&cc->cp_ctx, 0, sizeof(cc->cp_ctx));
+                explicit_bzero(&cc->cp_ctx, sizeof(cc->cp_ctx));
         else if (EVP_CIPHER_CTX_cleanup(&cc->evp) == 0)
                 error("cipher_cleanup: EVP_CIPHER_CTX_cleanup failed");
 }
@@ -436,17 +434,15 @@ void
 cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
     const char *passphrase, int do_encrypt)
 {
-        MD5_CTX md;
         u_char digest[16];
 
-        MD5_Init(&md);
-        MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
-        MD5_Final(digest, &md);
+        if (ssh_digest_memory(SSH_DIGEST_MD5, passphrase, strlen(passphrase),
+            digest, sizeof(digest)) < 0)
+                fatal("%s: md5 failed", __func__);
 
         cipher_init(cc, cipher, digest, 16, NULL, 0, do_encrypt);
 
-        memset(digest, 0, sizeof(digest));
-        memset(&md, 0, sizeof(md));
+        explicit_bzero(digest, sizeof(digest));
 }
 
 /*
diff --git a/clientloop.c b/clientloop.c
index 30097cdfe..4bc5b57d2 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.256 2013/11/20 20:54:10 deraadt Exp $ */
+/* $OpenBSD: clientloop.c,v 1.258 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -553,7 +553,7 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
                 gc->cb(type, seq, gc->ctx);
         if (--gc->ref_count <= 0) {
                 TAILQ_REMOVE(&global_confirms, gc, entry);
-                bzero(gc, sizeof(*gc));
+                explicit_bzero(gc, sizeof(*gc));
                 free(gc);
         }
 
@@ -885,7 +885,7 @@ process_cmdline(void)
         int cancel_port, ok;
         Forward fwd;
 
-        bzero(&fwd, sizeof(fwd));
+        memset(&fwd, 0, sizeof(fwd));
         fwd.listen_host = fwd.connect_host = NULL;
 
         leave_raw_mode(options.request_tty == REQUEST_TTY_FORCE);
@@ -1781,7 +1781,7 @@ client_input_stdout_data(int type, u_int32_t seq, void *ctxt)
         char *data = packet_get_string(&data_len);
         packet_check_eom();
         buffer_append(&stdout_buffer, data, data_len);
-        memset(data, 0, data_len);
+        explicit_bzero(data, data_len);
         free(data);
 }
 static void
@@ -1791,7 +1791,7 @@ client_input_stderr_data(int type, u_int32_t seq, void *ctxt)
         char *data = packet_get_string(&data_len);
         packet_check_eom();
         buffer_append(&stderr_buffer, data, data_len);
-        memset(data, 0, data_len);
+        explicit_bzero(data, data_len);
         free(data);
 }
 static void
diff --git a/config.h.in b/config.h.in
index 906e5497f..6bc422c3e 100644
--- a/config.h.in
+++ b/config.h.in
@@ -414,6 +414,9 @@
 /* Define to 1 if you have the `EVP_MD_CTX_cleanup' function. */
 #undef HAVE_EVP_MD_CTX_CLEANUP
 
+/* Define to 1 if you have the `EVP_MD_CTX_copy_ex' function. */
+#undef HAVE_EVP_MD_CTX_COPY_EX
+
 /* Define to 1 if you have the `EVP_MD_CTX_init' function. */
 #undef HAVE_EVP_MD_CTX_INIT
 
@@ -423,6 +426,9 @@
 /* Define if you have ut_exit in utmp.h */
 #undef HAVE_EXIT_IN_UTMP
 
+/* Define to 1 if you have the `explicit_bzero' function. */
+#undef HAVE_EXPLICIT_BZERO
+
 /* Define to 1 if you have the `fchmod' function. */
 #undef HAVE_FCHMOD
 
diff --git a/configure b/configure
index 57b68e256..e2f12cdff 100755
--- a/configure
+++ b/configure
@@ -1,5 +1,5 @@
 #! /bin/sh
-# From configure.ac Revision: 1.568 .
+# From configure.ac Revision: 1.571 .
 # Guess values for system-dependent variables and create Makefiles.
 # Generated by GNU Autoconf 2.68 for OpenSSH Portable.
 #
@@ -7666,7 +7666,7 @@ $as_echo "#define BROKEN_STRNVIS 1" >>confdefs.h
         # and will crash if they cannot be opened.
 
 $as_echo "#define SANDBOX_SKIP_RLIMIT_NOFILE 1" >>confdefs.h
-],
+
         ;;
 *-*-bsdi*)
         $as_echo "#define SETEUID_BREAKS_SETUID 1" >>confdefs.h
@@ -10425,6 +10425,7 @@ for ac_func in  \
         closefrom \
         dirfd \
         endgrent \
+        explicit_bzero \
         fchmod \
         fchown \
         freeaddrinfo \
@@ -12172,6 +12173,7 @@ for ac_func in  \
         EVP_DigestFinal_ex \
         EVP_MD_CTX_init \
         EVP_MD_CTX_cleanup \
+        EVP_MD_CTX_copy_ex \
         HMAC_CTX_init \
         RSA_generate_key_ex \
         RSA_get_default_method \
diff --git a/configure.ac b/configure.ac
index e2289cd37..86692714b 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.568 2014/01/30 00:26:46 djm Exp $
+# $Id: configure.ac,v 1.571 2014/02/21 17:09:34 tim Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -15,7 +15,7 @@
 # OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 
 AC_INIT([OpenSSH], [Portable], [openssh-unix-dev@mindrot.org])
-AC_REVISION($Revision: 1.568 $)
+AC_REVISION($Revision: 1.571 $)
 AC_CONFIG_SRCDIR([ssh.c])
 AC_LANG([C])
 
@@ -809,7 +809,7 @@ mips-sony-bsd|mips-sony-newsos4)
         # Preauth crypto occasionally uses file descriptors for crypto offload
         # and will crash if they cannot be opened.
         AC_DEFINE([SANDBOX_SKIP_RLIMIT_NOFILE], [1],
-            [define if setrlimit RLIMIT_NOFILE breaks things])],
+            [define if setrlimit RLIMIT_NOFILE breaks things])
         ;;
 *-*-bsdi*)
         AC_DEFINE([SETEUID_BREAKS_SETUID])
@@ -1673,6 +1673,7 @@ AC_CHECK_FUNCS([ \
         closefrom \
         dirfd \
         endgrent \
+        explicit_bzero \
         fchmod \
         fchown \
         freeaddrinfo \
@@ -2453,6 +2454,7 @@ AC_CHECK_FUNCS([ \
         EVP_DigestFinal_ex \
         EVP_MD_CTX_init \
         EVP_MD_CTX_cleanup \
+        EVP_MD_CTX_copy_ex \
         HMAC_CTX_init \
         RSA_generate_key_ex \
         RSA_get_default_method \
diff --git a/contrib/caldera/openssh.spec b/contrib/caldera/openssh.spec
index 3c417bb8f..0061fe933 100644
--- a/contrib/caldera/openssh.spec
+++ b/contrib/caldera/openssh.spec
@@ -16,7 +16,7 @@
 
 #old cvs stuff.  please update before use.  may be deprecated.
 %define use_stable      1
-%define version         6.5p1
+%define version         6.6p1
 %if %{use_stable}
   %define cvs           %{nil}
   %define release       1
@@ -363,4 +363,4 @@ fi
 * Mon Jan 01 1998 ...
 Template Version: 1.31
 
-$Id: openssh.spec,v 1.82 2014/01/16 07:51:10 djm Exp $
+$Id: openssh.spec,v 1.83 2014/02/27 23:03:55 djm Exp $
diff --git a/contrib/redhat/openssh.spec b/contrib/redhat/openssh.spec
index d47cf3862..96401c6ee 100644
--- a/contrib/redhat/openssh.spec
+++ b/contrib/redhat/openssh.spec
@@ -1,4 +1,4 @@
-%define ver 6.5p1
+%define ver 6.6p1
 %define rel 1
 
 # OpenSSH privilege separation requires a user & group ID
diff --git a/contrib/suse/openssh.spec b/contrib/suse/openssh.spec
index 6693fe2bc..0515d6d7c 100644
--- a/contrib/suse/openssh.spec
+++ b/contrib/suse/openssh.spec
@@ -13,7 +13,7 @@
 
 Summary:        OpenSSH, a free Secure Shell (SSH) protocol implementation
 Name:           openssh
-Version:        6.5p1
+Version:        6.6p1
 URL:            http://www.openssh.com/
 Release:        1
 Source0:        openssh-%{version}.tar.gz
diff --git a/debian/.git-dpm b/debian/.git-dpm
index 3deb8d58e..cd9486a07 100644
--- a/debian/.git-dpm
+++ b/debian/.git-dpm
@@ -1,7 +1,7 @@
 # see git-dpm(1) from git-dpm package
-6dbd954a28d3fc2631f1c0b42c23452e1e493e6f
-6dbd954a28d3fc2631f1c0b42c23452e1e493e6f
-9a975a9faed7c4f334e8c8490db3e77e102f2b21
+9cbb60f5e4932634db04c330c88abc49cc5567bd
+9cbb60f5e4932634db04c330c88abc49cc5567bd
+796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7
 openssh_6.6p1.orig.tar.gz
 b850fd1af704942d9b3c2eff7ef6b3a59b6a6b6e
diff --git a/debian/changelog b/debian/changelog
index 7bc3c6046..eccc51410 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,9 +1,10 @@
-openssh (1:6.5p1-7) UNRELEASED; urgency=medium
+openssh (1:6.6p1-1) UNRELEASED; urgency=medium
 
   * Apply various warning-suppression and regression-test fixes to
     gssapi.patch from Damien Miller.
+  * New upstream release (http://www.openssh.com/txt/release-6.6).
 
- -- Colin Watson <cjwatson@debian.org>  Wed, 19 Mar 2014 16:40:52 +0000
+ -- Colin Watson <cjwatson@debian.org>  Thu, 20 Mar 2014 00:32:46 +0000
 
 openssh (1:6.5p1-6) unstable; urgency=medium
 
diff --git a/debian/patches/auth-log-verbosity.patch b/debian/patches/auth-log-verbosity.patch
index 3de03e861..8d26d7b6f 100644
--- a/debian/patches/auth-log-verbosity.patch
+++ b/debian/patches/auth-log-verbosity.patch
@@ -1,4 +1,4 @@
-From 72aaec921b802c4f1dd73cac0fb21f149e443fc5 Mon Sep 17 00:00:00 2001
+From 283322f493ee7dc75511f6cf9e9b88e536de0874 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:02 +0000
 Subject: Quieten logs when multiple from= restrictions are used
@@ -91,10 +91,10 @@ index 7455c94..a3f0a02 100644
  void   auth_clear_options(void);
  int    auth_cert_options(Key *, struct passwd *);
 diff --git a/auth-rsa.c b/auth-rsa.c
-index 545aa49..4624c15 100644
+index 5dad6c3..260ce2f 100644
 --- a/auth-rsa.c
 +++ b/auth-rsa.c
-@@ -174,6 +174,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
+@@ -178,6 +178,8 @@ rsa_key_allowed_in_file(struct passwd *pw, char *file,
         if ((f = auth_openkeyfile(file, pw, options.strict_modes)) == NULL)
                 return 0;
  
diff --git a/debian/patches/authorized-keys-man-symlink.patch b/debian/patches/authorized-keys-man-symlink.patch
index 39e63e33b..74bfb46e6 100644
--- a/debian/patches/authorized-keys-man-symlink.patch
+++ b/debian/patches/authorized-keys-man-symlink.patch
@@ -1,4 +1,4 @@
-From 6384f890f732a0967590e37ad402ace6505799ea Mon Sep 17 00:00:00 2001
+From 71448da5ce75ba50bcb10dbbd3b8c7633f633e8f Mon Sep 17 00:00:00 2001
 From: Tomas Pospisek <tpo_deb@sourcepole.ch>
 Date: Sun, 9 Feb 2014 16:10:07 +0000
 Subject: Install authorized_keys(5) as a symlink to sshd(8)
@@ -13,7 +13,7 @@ Patch-Name: authorized-keys-man-symlink.patch
  1 file changed, 1 insertion(+)
 
 diff --git a/Makefile.in b/Makefile.in
-index 598d55a..5cf8100 100644
+index 3d96c05..feee0b2 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -287,6 +287,7 @@ install-files:
diff --git a/debian/patches/consolekit.patch b/debian/patches/consolekit.patch
index 7492daca8..e3ff4d7e4 100644
--- a/debian/patches/consolekit.patch
+++ b/debian/patches/consolekit.patch
@@ -1,10 +1,10 @@
-From f4858fd1a10d1621e5e3ad5f2400dd17d156ced7 Mon Sep 17 00:00:00 2001
+From 7a26d16efb4ee303c8d66ee82caf9d0686f4a074 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:57 +0000
 Subject: Add support for registering ConsoleKit sessions on login
 
 Bug: https://bugzilla.mindrot.org/show_bug.cgi?id=1450
-Last-Updated: 2013-09-14
+Last-Updated: 2014-03-20
 
 Patch-Name: consolekit.patch
 ---
@@ -13,18 +13,18 @@ Patch-Name: consolekit.patch
  configure.ac   |  25 ++++++
  consolekit.c   | 240 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
  consolekit.h   |  24 ++++++
- monitor.c      |  43 +++++++++++
+ monitor.c      |  42 ++++++++++
  monitor.h      |   2 +
- monitor_wrap.c |  31 ++++++++
+ monitor_wrap.c |  30 ++++++++
  monitor_wrap.h |   4 +
  session.c      |  13 ++++
  session.h      |   6 ++
- 11 files changed, 522 insertions(+), 1 deletion(-)
+ 11 files changed, 520 insertions(+), 1 deletion(-)
  create mode 100644 consolekit.c
  create mode 100644 consolekit.h
 
 diff --git a/Makefile.in b/Makefile.in
-index 35c6fd6..598d55a 100644
+index ee1d2c3..3d96c05 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -97,7 +97,8 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
@@ -38,7 +38,7 @@ index 35c6fd6..598d55a 100644
  MANPAGES       = moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
  MANPAGES_IN    = moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
 diff --git a/configure b/configure
-index 5a9db2d..57b68e2 100755
+index b6b5b6d..e2f12cd 100755
 --- a/configure
 +++ b/configure
 @@ -740,6 +740,7 @@ with_privsep_user
@@ -57,7 +57,7 @@ index 5a9db2d..57b68e2 100755
    --with-privsep-path=xxx Path for privilege separation chroot (default=/var/empty)
    --with-xauth=PATH       Specify path to xauth program
    --with-maildir=/path/to/mail    Specify your system mail directory
-@@ -17215,6 +17217,135 @@ fi
+@@ -17217,6 +17219,135 @@ fi
  
  
  
@@ -193,7 +193,7 @@ index 5a9db2d..57b68e2 100755
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -19744,6 +19875,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -19746,6 +19877,7 @@ echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -202,10 +202,10 @@ index 5a9db2d..57b68e2 100755
  echo "           Translate v4 in v6 hack: $IPV4_IN6_HACK_MSG"
  echo "                  BSD Auth support: $BSD_AUTH_MSG"
 diff --git a/configure.ac b/configure.ac
-index 90eebf5..e2289cd 100644
+index d235fb0..8669271 100644
 --- a/configure.ac
 +++ b/configure.ac
-@@ -4070,6 +4070,30 @@ AC_ARG_WITH([kerberos5],
+@@ -4072,6 +4072,30 @@ AC_ARG_WITH([kerberos5],
  AC_SUBST([GSSLIBS])
  AC_SUBST([K5LIBS])
  
@@ -236,7 +236,7 @@ index 90eebf5..e2289cd 100644
  # Looking for programs, paths and files
  
  PRIVSEP_PATH=/var/empty
-@@ -4871,6 +4895,7 @@ echo "              MD5 password support: $MD5_MSG"
+@@ -4873,6 +4897,7 @@ echo "              MD5 password support: $MD5_MSG"
  echo "                   libedit support: $LIBEDIT_MSG"
  echo "  Solaris process contract support: $SPC_MSG"
  echo "           Solaris project support: $SP_MSG"
@@ -521,11 +521,11 @@ index 0000000..8ce3716
 +
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.c b/monitor.c
-index 88f472e..8ffea4f 100644
+index 11eac63..7c105e6 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -98,6 +98,9 @@
- #include "jpake.h"
+@@ -97,6 +97,9 @@
+ #include "ssh2.h"
  #include "roaming.h"
  #include "authfd.h"
 +#ifdef USE_CONSOLEKIT
@@ -534,7 +534,7 @@ index 88f472e..8ffea4f 100644
  
  #ifdef GSSAPI
  static Gssctxt *gsscontext = NULL;
-@@ -193,6 +196,10 @@ int mm_answer_audit_command(int, Buffer *);
+@@ -187,6 +190,10 @@ int mm_answer_audit_command(int, Buffer *);
  
  static int monitor_read_log(struct monitor *);
  
@@ -545,7 +545,7 @@ index 88f472e..8ffea4f 100644
  static Authctxt *authctxt;
  static BIGNUM *ssh1_challenge = NULL;  /* used for ssh1 rsa auth */
  
-@@ -285,6 +292,9 @@ struct mon_table mon_dispatch_postauth20[] = {
+@@ -272,6 +279,9 @@ struct mon_table mon_dispatch_postauth20[] = {
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT, mm_answer_audit_command},
  #endif
@@ -555,7 +555,7 @@ index 88f472e..8ffea4f 100644
      {0, 0, NULL}
  };
  
-@@ -327,6 +337,9 @@ struct mon_table mon_dispatch_postauth15[] = {
+@@ -314,6 +324,9 @@ struct mon_table mon_dispatch_postauth15[] = {
      {MONITOR_REQ_AUDIT_EVENT, MON_PERMIT, mm_answer_audit_event},
      {MONITOR_REQ_AUDIT_COMMAND, MON_PERMIT|MON_ONCE, mm_answer_audit_command},
  #endif
@@ -565,7 +565,7 @@ index 88f472e..8ffea4f 100644
      {0, 0, NULL}
  };
  
-@@ -514,6 +527,9 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -492,6 +505,9 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_PTYCLEANUP, 1);
         }
@@ -575,11 +575,10 @@ index 88f472e..8ffea4f 100644
  
         for (;;)
                 monitor_read(pmonitor, mon_dispatch, NULL);
-@@ -2493,3 +2509,30 @@ mm_answer_jpake_check_confirm(int sock, Buffer *m)
- }
+@@ -2269,3 +2285,29 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
+ 
+ #endif /* GSSAPI */
  
- #endif /* JPAKE */
-+
 +#ifdef USE_CONSOLEKIT
 +int
 +mm_answer_consolekit_register(int sock, Buffer *m)
@@ -607,10 +606,10 @@ index 88f472e..8ffea4f 100644
 +}
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor.h b/monitor.h
-index 3c13706..cd83428 100644
+index 4d5e8fa..10ba59e 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -75,6 +75,8 @@ enum monitor_reqtype {
+@@ -70,6 +70,8 @@ enum monitor_reqtype {
  
         MONITOR_REQ_AUTHROLE = 154,
  
@@ -620,14 +619,13 @@ index 3c13706..cd83428 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 69bc324..670b62d 100644
+index f75dc9d..a8fb07b 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1516,3 +1516,34 @@ mm_jpake_check_confirm(const BIGNUM *k,
-        return success;
- }
- #endif /* JPAKE */
-+
+@@ -1353,3 +1353,33 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
+ 
+ #endif /* GSSAPI */
+ 
 +#ifdef USE_CONSOLEKIT
 +char *
 +mm_consolekit_register(Session *s, const char *display)
@@ -659,10 +657,10 @@ index 69bc324..670b62d 100644
 +}
 +#endif /* USE_CONSOLEKIT */
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 4d12e29..360fb9f 100644
+index 9c2ee49..00e93fe 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
-@@ -131,4 +131,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
+@@ -111,4 +111,8 @@ void *mm_zalloc(struct mm_master *, u_int, u_int);
  void mm_zfree(struct mm_master *, void *);
  void mm_init_compression(struct mm_master *);
  
@@ -672,7 +670,7 @@ index 4d12e29..360fb9f 100644
 +
  #endif /* _MM_WRAP_H_ */
 diff --git a/session.c b/session.c
-index 5ddd82a..14df226 100644
+index 6848df4..9d43fc3 100644
 --- a/session.c
 +++ b/session.c
 @@ -92,6 +92,7 @@
@@ -683,7 +681,7 @@ index 5ddd82a..14df226 100644
  
  #if defined(KRB5) && defined(USE_AFS)
  #include <kafs.h>
-@@ -1155,6 +1156,9 @@ do_setup_env(Session *s, const char *shell)
+@@ -1160,6 +1161,9 @@ do_setup_env(Session *s, const char *shell)
  #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
         char *path = NULL;
  #endif
@@ -693,7 +691,7 @@ index 5ddd82a..14df226 100644
  
         /* Initialize the environment. */
         envsize = 100;
-@@ -1299,6 +1303,11 @@ do_setup_env(Session *s, const char *shell)
+@@ -1304,6 +1308,11 @@ do_setup_env(Session *s, const char *shell)
                 child_set_env(&env, &envsize, "KRB5CCNAME",
                     s->authctxt->krb5_ccname);
  #endif
@@ -705,7 +703,7 @@ index 5ddd82a..14df226 100644
  #ifdef USE_PAM
         /*
          * Pull in any environment variables that may have
-@@ -2348,6 +2357,10 @@ session_pty_cleanup2(Session *s)
+@@ -2353,6 +2362,10 @@ session_pty_cleanup2(Session *s)
  
         debug("session_pty_cleanup: session %d release %s", s->self, s->tty);
  
diff --git a/debian/patches/debian-banner.patch b/debian/patches/debian-banner.patch
index 39cab81e7..49219cf93 100644
--- a/debian/patches/debian-banner.patch
+++ b/debian/patches/debian-banner.patch
@@ -1,4 +1,4 @@
-From 75e44c43679e8b888b7ef55ce7abe432eb57ef1c Mon Sep 17 00:00:00 2001
+From 9fcad888f4dbf0ecc0c7e87b6ef0f8d88d7ac3ec Mon Sep 17 00:00:00 2001
 From: Kees Cook <kees@debian.org>
 Date: Sun, 9 Feb 2014 16:10:06 +0000
 Subject: Add DebianBanner server configuration option
@@ -19,10 +19,10 @@ Patch-Name: debian-banner.patch
  4 files changed, 18 insertions(+), 1 deletion(-)
 
 diff --git a/servconf.c b/servconf.c
-index 65f71ad..63ff4ff 100644
+index 90de888..37fd2de 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions *options)
+@@ -156,6 +156,7 @@ initialize_server_options(ServerOptions *options)
         options->ip_qos_interactive = -1;
         options->ip_qos_bulk = -1;
         options->version_addendum = NULL;
@@ -30,7 +30,7 @@ index 65f71ad..63ff4ff 100644
  }
  
  void
-@@ -312,6 +313,8 @@ fill_default_server_options(ServerOptions *options)
+@@ -309,6 +310,8 @@ fill_default_server_options(ServerOptions *options)
                 options->ip_qos_bulk = IPTOS_THROUGHPUT;
         if (options->version_addendum == NULL)
                 options->version_addendum = xstrdup("");
@@ -39,7 +39,7 @@ index 65f71ad..63ff4ff 100644
         /* Turn privilege separation on by default */
         if (use_privsep == -1)
                 use_privsep = PRIVSEP_NOSANDBOX;
-@@ -362,6 +365,7 @@ typedef enum {
+@@ -359,6 +362,7 @@ typedef enum {
         sKexAlgorithms, sIPQoS, sVersionAddendum,
         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
         sAuthenticationMethods, sHostKeyAgent,
@@ -47,7 +47,7 @@ index 65f71ad..63ff4ff 100644
         sDeprecated, sUnsupported
  } ServerOpCodes;
  
-@@ -504,6 +508,7 @@ static struct {
+@@ -496,6 +500,7 @@ static struct {
         { "authorizedkeyscommanduser", sAuthorizedKeysCommandUser, SSHCFG_ALL },
         { "versionaddendum", sVersionAddendum, SSHCFG_GLOBAL },
         { "authenticationmethods", sAuthenticationMethods, SSHCFG_ALL },
@@ -55,7 +55,7 @@ index 65f71ad..63ff4ff 100644
         { NULL, sBadOption, 0 }
  };
  
-@@ -1666,6 +1671,10 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1654,6 +1659,10 @@ process_server_config_line(ServerOptions *options, char *line,
                 }
                 return 0;
  
@@ -67,10 +67,10 @@ index 65f71ad..63ff4ff 100644
                 logit("%s line %d: Deprecated option %s",
                     filename, linenum, arg);
 diff --git a/servconf.h b/servconf.h
-index eba76ee..98d68ce 100644
+index c922eb5..dcd1c2a 100644
 --- a/servconf.h
 +++ b/servconf.h
-@@ -188,6 +188,8 @@ typedef struct {
+@@ -186,6 +186,8 @@ typedef struct {
  
         u_int   num_auth_methods;
         char   *auth_methods[MAX_AUTH_METHODS];
@@ -80,7 +80,7 @@ index eba76ee..98d68ce 100644
  
  /* Information about the incoming connection as used by Match */
 diff --git a/sshd.c b/sshd.c
-index 82168a1..c49a877 100644
+index af9b8f1..665c0b9 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,8 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -94,7 +94,7 @@ index 82168a1..c49a877 100644
             options.version_addendum, newline);
  
 diff --git a/sshd_config.5 b/sshd_config.5
-index 39643de..bdca797 100644
+index 2164d58..8f078f6 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -413,6 +413,11 @@ or
diff --git a/debian/patches/debian-config.patch b/debian/patches/debian-config.patch
index 77be015fa..9bb0c6520 100644
--- a/debian/patches/debian-config.patch
+++ b/debian/patches/debian-config.patch
@@ -1,4 +1,4 @@
-From 54a7935863c3e6b3f08f620b3bd75571bb90470c Mon Sep 17 00:00:00 2001
+From 9cbb60f5e4932634db04c330c88abc49cc5567bd Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:18 +0000
 Subject: Various Debian-specific configuration changes
@@ -34,10 +34,10 @@ Patch-Name: debian-config.patch
  5 files changed, 51 insertions(+), 3 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 273552d..6ac8bea 100644
+index 32c4b42..5429fc2 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -1618,7 +1618,7 @@ fill_default_options(Options * options)
+@@ -1640,7 +1640,7 @@ fill_default_options(Options * options)
         if (options->forward_x11 == -1)
                 options->forward_x11 = 0;
         if (options->forward_x11_trusted == -1)
@@ -71,7 +71,7 @@ index 228e5ab..c9386aa 100644
 +    GSSAPIAuthentication yes
 +    GSSAPIDelegateCredentials no
 diff --git a/ssh_config.5 b/ssh_config.5
-index 85f306c..cc91a5c 100644
+index 1d500e9..22e6372 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -71,6 +71,22 @@ Since the first obtained value for each parameter is used, more
@@ -97,7 +97,7 @@ index 85f306c..cc91a5c 100644
  The configuration file has the following format:
  .Pp
  Empty lines and lines starting with
-@@ -648,7 +664,8 @@ token used for the session will be set to expire after 20 minutes.
+@@ -654,7 +670,8 @@ token used for the session will be set to expire after 20 minutes.
  Remote clients will be refused access after this time.
  .Pp
  The default is
@@ -120,7 +120,7 @@ index d9b8594..4db32f5 100644
  #StrictModes yes
  #MaxAuthTries 6
 diff --git a/sshd_config.5 b/sshd_config.5
-index 9fa6086..496530b 100644
+index 908e0bb..90fd3f4 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -57,6 +57,31 @@ Arguments may optionally be enclosed in double quotes
diff --git a/debian/patches/dnssec-sshfp.patch b/debian/patches/dnssec-sshfp.patch
index 3d33a91f9..bc89c50fc 100644
--- a/debian/patches/dnssec-sshfp.patch
+++ b/debian/patches/dnssec-sshfp.patch
@@ -1,4 +1,4 @@
-From 231608bce9f439366bc2d2c7537f48920f3dd852 Mon Sep 17 00:00:00 2001
+From 912129ba92bea401d8cdeadc7aa7084fbf7625a1 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:01 +0000
 Subject: Force use of DNSSEC even if "options edns0" isn't in resolv.conf
diff --git a/debian/patches/doc-hash-tab-completion.patch b/debian/patches/doc-hash-tab-completion.patch
index df957fca2..16c40b05f 100644
--- a/debian/patches/doc-hash-tab-completion.patch
+++ b/debian/patches/doc-hash-tab-completion.patch
@@ -1,4 +1,4 @@
-From 465d1a333520edbd2f0fac77c76e06bdd1d94cb9 Mon Sep 17 00:00:00 2001
+From 1d108ef62050b4368e24e1efada16ec88c177fb8 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:11 +0000
 Subject: Document that HashKnownHosts may break tab-completion
@@ -13,10 +13,10 @@ Patch-Name: doc-hash-tab-completion.patch
  1 file changed, 3 insertions(+)
 
 diff --git a/ssh_config.5 b/ssh_config.5
-index 3c6b9d4..85f306c 100644
+index 4bf7cbb..1d500e9 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -734,6 +734,9 @@ Note that existing names and addresses in known hosts files
+@@ -740,6 +740,9 @@ Note that existing names and addresses in known hosts files
  will not be converted automatically,
  but may be manually hashed using
  .Xr ssh-keygen 1 .
diff --git a/debian/patches/doc-upstart.patch b/debian/patches/doc-upstart.patch
index a09ac77e4..da8fc7ed4 100644
--- a/debian/patches/doc-upstart.patch
+++ b/debian/patches/doc-upstart.patch
@@ -1,4 +1,4 @@
-From faf2466c7933f1c4225c8a8ceb503e24e4228ab9 Mon Sep 17 00:00:00 2001
+From 111de26347496af3f6ed04849fd29bc4bf1c2cea Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:12 +0000
 Subject: Refer to ssh's Upstart job as well as its init script
diff --git a/debian/patches/fix-case-sensitive-matching.patch b/debian/patches/fix-case-sensitive-matching.patch
deleted file mode 100644
index c721b5a0a..000000000
--- a/debian/patches/fix-case-sensitive-matching.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From efb58a7258484c31c702f9093b7a726da9eab682 Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Tue, 4 Feb 2014 11:26:04 +1100
-Subject: Unbreak case-sensitive matching of ssh_config
-
-   - djm@cvs.openbsd.org 2014/02/04 00:24:29
-     [ssh.c]
-     delay lowercasing of hostname until right before hostname
-     canonicalisation to unbreak case-sensitive matching of ssh_config;
-     reported by Ike Devolder; ok markus@
-
-Origin: backport, https://anongit.mindrot.org/openssh.git/commit/?id=d56b44d2dfa093883a5c4e91be3f72d99946b170
-Bug-Debian: http://bugs.debian.org/738619
-Forwarded: not-needed
-Last-Update: 2014-02-11
-
-Patch-Name: fix-case-sensitive-matching.patch
----
- ssh.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/ssh.c b/ssh.c
-index 0cea713..5d5d4de 100644
---- a/ssh.c
-+++ b/ssh.c
-@@ -780,7 +780,6 @@ main(int ac, char **av)
-        if (!host)
-                usage();
- 
--       lowercase(host);
-        host_arg = xstrdup(host);
- 
-        OpenSSL_add_all_algorithms();
-@@ -914,6 +913,7 @@ main(int ac, char **av)
-        }
- 
-        /* If canonicalization requested then try to apply it */
-+       lowercase(host);
-        if (options.canonicalize_hostname != SSH_CANONICALISE_NO)
-                addrs = resolve_canonicalize(&host, options.port);
-        /*
diff --git a/debian/patches/getsockname-error.patch b/debian/patches/getsockname-error.patch
deleted file mode 100644
index 300151cab..000000000
--- a/debian/patches/getsockname-error.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-From 6dbd954a28d3fc2631f1c0b42c23452e1e493e6f Mon Sep 17 00:00:00 2001
-From: Damien Miller <djm@mindrot.org>
-Date: Sat, 15 Feb 2014 02:08:20 +0000
-Subject: Skip get_sock_port call for c->sock==-1
-
-Origin: upstream, https://bugzilla.mindrot.org/show_bug.cgi?id=2200
-Bug-Debian: http://bugs.debian.org/738693
-Last-Update: 2014-02-15
-
-Patch-Name: getsockname-error.patch
----
- channels.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/channels.c b/channels.c
-index e741f29..8e66265 100644
---- a/channels.c
-+++ b/channels.c
-@@ -1386,7 +1386,7 @@ port_open_helper(Channel *c, char *rtype)
-        int direct;
-        char buf[1024];
-        char *local_ipaddr = get_local_ipaddr(c->sock);
--       int local_port = get_sock_port(c->sock, 1);
-+       int local_port = c->sock == -1 ? 65536 : get_sock_port(c->sock, 1);
-        char *remote_ipaddr = get_peer_ipaddr(c->sock);
-        int remote_port = get_peer_port(c->sock);
- 
diff --git a/debian/patches/gnome-ssh-askpass2-icon.patch b/debian/patches/gnome-ssh-askpass2-icon.patch
index 951284cf5..dab518f65 100644
--- a/debian/patches/gnome-ssh-askpass2-icon.patch
+++ b/debian/patches/gnome-ssh-askpass2-icon.patch
@@ -1,4 +1,4 @@
-From fd8d46990dfe572955a6eda524fcbf9e9efefa75 Mon Sep 17 00:00:00 2001
+From b7df8fdb32f3d33b70ff8733cb0c39417e367534 Mon Sep 17 00:00:00 2001
 From: Vincent Untz <vuntz@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:16 +0000
 Subject: Give the ssh-askpass-gnome window a default icon
diff --git a/debian/patches/gssapi.patch b/debian/patches/gssapi.patch
index 90a21db99..d8439bf03 100644
--- a/debian/patches/gssapi.patch
+++ b/debian/patches/gssapi.patch
@@ -1,4 +1,4 @@
-From 429c595dbaff7f7c2b3a53fe4235211f6d788025 Mon Sep 17 00:00:00 2001
+From 9dfcd1a0e691c1cad34b168e27b3ed31ab6986cd Mon Sep 17 00:00:00 2001
 From: Simon Wilkinson <simon@sxw.org.uk>
 Date: Sun, 9 Feb 2014 16:09:48 +0000
 Subject: GSSAPI key exchange support
@@ -179,7 +179,7 @@ index 0000000..f117a33
 +    (from jbasney AT ncsa.uiuc.edu)
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff --git a/Makefile.in b/Makefile.in
-index a8aa127..35c6fd6 100644
+index 28a8ec4..ee1d2c3 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -72,6 +72,7 @@ LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
@@ -188,10 +188,10 @@ index a8aa127..35c6fd6 100644
         kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 +       kexgssc.o \
         msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
-        jpake.o schnorr.o ssh-pkcs11.o krl.o smult_curve25519_ref.o \
+        ssh-pkcs11.o krl.o smult_curve25519_ref.o \
         kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
 @@ -91,7 +92,7 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
-        auth2-none.o auth2-passwd.o auth2-pubkey.o auth2-jpake.o \
+        auth2-none.o auth2-passwd.o auth2-pubkey.o \
         monitor_mm.o monitor.o monitor_wrap.o kexdhs.o kexgexs.o kexecdhs.o \
         kexc25519s.o auth-krb5.o \
 -       auth2-gss.o gss-serv.o gss-serv-krb5.o \
@@ -251,11 +251,11 @@ index 6c62bdf..69a1a53 100644
         return (krb5_cc_resolve(ctx, ccname, ccache));
  }
 diff --git a/auth2-gss.c b/auth2-gss.c
-index 638d8f8..b8db820 100644
+index c28a705..3ff2d72 100644
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.20 2013/05/17 00:13:13 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.21 2014/02/26 20:28:44 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -304,7 +304,7 @@ index 638d8f8..b8db820 100644
  /*
   * We only support those mechanisms that we know about (ie ones that we know
   * how to check local user kuserok and the like)
-@@ -240,7 +274,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
+@@ -235,7 +269,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, void *ctxt)
  
         packet_check_eom();
  
@@ -314,7 +314,7 @@ index 638d8f8..b8db820 100644
  
         authctxt->postponed = 0;
         dispatch_set(SSH2_MSG_USERAUTH_GSSAPI_TOKEN, NULL);
-@@ -275,7 +310,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -270,7 +305,8 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         gssbuf.length = buffer_len(&b);
  
         if (!GSS_ERROR(PRIVSEP(ssh_gssapi_checkmic(gssctxt, &gssbuf, &mic))))
@@ -324,7 +324,7 @@ index 638d8f8..b8db820 100644
         else
                 logit("GSSAPI MIC check failed");
  
-@@ -290,6 +326,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
+@@ -285,6 +321,12 @@ input_gssapi_mic(int type, u_int32_t plen, void *ctxt)
         userauth_finish(authctxt, authenticated, "gssapi-with-mic", NULL);
  }
  
@@ -338,7 +338,7 @@ index 638d8f8..b8db820 100644
         "gssapi-with-mic",
         userauth_gssapi,
 diff --git a/auth2.c b/auth2.c
-index f0cab8c..6ed8f04 100644
+index a5490c0..fbe3e1b 100644
 --- a/auth2.c
 +++ b/auth2.c
 @@ -69,6 +69,7 @@ extern Authmethod method_passwd;
@@ -348,17 +348,17 @@ index f0cab8c..6ed8f04 100644
 +extern Authmethod method_gsskeyex;
  extern Authmethod method_gssapi;
  #endif
- #ifdef JPAKE
-@@ -79,6 +80,7 @@ Authmethod *authmethods[] = {
+ 
+@@ -76,6 +77,7 @@ Authmethod *authmethods[] = {
         &method_none,
         &method_pubkey,
  #ifdef GSSAPI
 +       &method_gsskeyex,
         &method_gssapi,
  #endif
- #ifdef JPAKE
+        &method_passwd,
 diff --git a/clientloop.c b/clientloop.c
-index f30c8b6..cc23e35 100644
+index 59ad3a2..6d8cd7d 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -111,6 +111,10 @@
@@ -389,10 +389,10 @@ index f30c8b6..cc23e35 100644
                                 debug("need rekeying");
                                 xxx_kex->done = 0;
 diff --git a/config.h.in b/config.h.in
-index 075c619..906e549 100644
+index 0401ad1..6bc422c 100644
 --- a/config.h.in
 +++ b/config.h.in
-@@ -1616,6 +1616,9 @@
+@@ -1622,6 +1622,9 @@
  /* Use btmp to log bad logins */
  #undef USE_BTMP
  
@@ -402,7 +402,7 @@ index 075c619..906e549 100644
  /* Use libedit for sftp */
  #undef USE_LIBEDIT
  
-@@ -1631,6 +1634,9 @@
+@@ -1637,6 +1640,9 @@
  /* Use PIPES instead of a socketpair() */
  #undef USE_PIPES
  
@@ -413,7 +413,7 @@ index 075c619..906e549 100644
  #undef USE_SOLARIS_PROCESS_CONTRACTS
  
 diff --git a/configure b/configure
-index 2d714ac..5a9db2d 100755
+index d690393..b6b5b6d 100755
 --- a/configure
 +++ b/configure
 @@ -7170,6 +7170,63 @@ $as_echo "#define SSH_TUN_COMPAT_AF 1" >>confdefs.h
@@ -481,7 +481,7 @@ index 2d714ac..5a9db2d 100755
         ac_fn_c_check_decl "$LINENO" "AU_IPv4" "ac_cv_have_decl_AU_IPv4" "$ac_includes_default"
  if test "x$ac_cv_have_decl_AU_IPv4" = xyes; then :
 diff --git a/configure.ac b/configure.ac
-index dfd32cd..90eebf5 100644
+index 7c6ce08..d235fb0 100644
 --- a/configure.ac
 +++ b/configure.ac
 @@ -584,6 +584,30 @@ main() { if (NSVersionOfRunTimeLibrary("System") >= (60 << 16))
@@ -992,11 +992,11 @@ index 759fa10..e678a27 100644
  
  #endif /* KRB5 */
 diff --git a/gss-serv.c b/gss-serv.c
-index 95348e2..feb1ed7 100644
+index e61b37b..c33463b 100644
 --- a/gss-serv.c
 +++ b/gss-serv.c
 @@ -1,7 +1,7 @@
- /* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
+ /* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
  
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@@ -1028,7 +1028,7 @@ index 95348e2..feb1ed7 100644
  
  #ifdef KRB5
  extern ssh_gssapi_mech gssapi_kerberos_mech;
-@@ -81,25 +87,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
+@@ -100,25 +106,32 @@ ssh_gssapi_acquire_cred(Gssctxt *ctx)
         char lname[MAXHOSTNAMELEN];
         gss_OID_set oidset;
  
@@ -1075,7 +1075,7 @@ index 95348e2..feb1ed7 100644
  }
  
  /* Privileged */
-@@ -114,6 +127,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
+@@ -133,6 +146,29 @@ ssh_gssapi_server_ctx(Gssctxt **ctx, gss_OID oid)
  }
  
  /* Unprivileged */
@@ -1105,7 +1105,7 @@ index 95348e2..feb1ed7 100644
  void
  ssh_gssapi_supported_oids(gss_OID_set *oidset)
  {
-@@ -123,7 +159,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
+@@ -142,7 +178,9 @@ ssh_gssapi_supported_oids(gss_OID_set *oidset)
         gss_OID_set supported;
  
         gss_create_empty_oid_set(&min_status, oidset);
@@ -1116,7 +1116,7 @@ index 95348e2..feb1ed7 100644
  
         while (supported_mechs[i]->name != NULL) {
                 if (GSS_ERROR(gss_test_oid_set_member(&min_status,
-@@ -249,8 +287,48 @@ OM_uint32
+@@ -268,8 +306,48 @@ OM_uint32
  ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
  {
         int i = 0;
@@ -1166,7 +1166,7 @@ index 95348e2..feb1ed7 100644
  
         client->mech = NULL;
  
-@@ -265,6 +343,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -284,6 +362,13 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
         if (client->mech == NULL)
                 return GSS_S_FAILURE;
  
@@ -1180,7 +1180,7 @@ index 95348e2..feb1ed7 100644
         if ((ctx->major = gss_display_name(&ctx->minor, ctx->client,
             &client->displayname, NULL))) {
                 ssh_gssapi_error(ctx);
-@@ -282,6 +367,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
+@@ -301,6 +386,8 @@ ssh_gssapi_getclient(Gssctxt *ctx, ssh_gssapi_client *client)
                 return (ctx->major);
         }
  
@@ -1189,7 +1189,7 @@ index 95348e2..feb1ed7 100644
         /* We can't copy this structure, so we just move the pointer to it */
         client->creds = ctx->client_creds;
         ctx->client_creds = GSS_C_NO_CREDENTIAL;
-@@ -329,7 +416,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
+@@ -348,7 +435,7 @@ ssh_gssapi_do_child(char ***envp, u_int *envsizep)
  
  /* Privileged */
  int
@@ -1198,7 +1198,7 @@ index 95348e2..feb1ed7 100644
  {
         OM_uint32 lmin;
  
-@@ -339,9 +426,11 @@ ssh_gssapi_userok(char *user)
+@@ -358,9 +445,11 @@ ssh_gssapi_userok(char *user)
                 return 0;
         }
         if (gssapi_client.mech && gssapi_client.mech->userok)
@@ -1212,7 +1212,7 @@ index 95348e2..feb1ed7 100644
                         /* Destroy delegated credentials if userok fails */
                         gss_release_buffer(&lmin, &gssapi_client.displayname);
                         gss_release_buffer(&lmin, &gssapi_client.exportedname);
-@@ -354,14 +443,90 @@ ssh_gssapi_userok(char *user)
+@@ -374,14 +463,90 @@ ssh_gssapi_userok(char *user)
         return (0);
  }
  
@@ -1310,7 +1310,7 @@ index 95348e2..feb1ed7 100644
  
  #endif
 diff --git a/kex.c b/kex.c
-index 616484b..49d0fc8 100644
+index 74e2b86..d114ee3 100644
 --- a/kex.c
 +++ b/kex.c
 @@ -51,6 +51,10 @@
@@ -1351,7 +1351,7 @@ index 616484b..49d0fc8 100644
  }
  
 diff --git a/kex.h b/kex.h
-index 1aa3ec2..8fbcb2b 100644
+index c85680e..ea698c4 100644
 --- a/kex.h
 +++ b/kex.h
 @@ -76,6 +76,9 @@ enum kex_exchange {
@@ -1364,7 +1364,7 @@ index 1aa3ec2..8fbcb2b 100644
         KEX_MAX
  };
  
-@@ -136,6 +139,12 @@ struct Kex {
+@@ -135,6 +138,12 @@ struct Kex {
         int     flags;
         int     hash_alg;
         int     ec_nid;
@@ -1377,7 +1377,7 @@ index 1aa3ec2..8fbcb2b 100644
         char    *client_version_string;
         char    *server_version_string;
         int     (*verify_host_key)(Key *);
-@@ -168,6 +177,11 @@ void        kexecdh_server(Kex *);
+@@ -167,6 +176,11 @@ void        kexecdh_server(Kex *);
  void    kexc25519_client(Kex *);
  void    kexc25519_server(Kex *);
  
@@ -2023,7 +2023,7 @@ index 0000000..8095259
 +}
 +#endif /* GSSAPI */
 diff --git a/key.c b/key.c
-index 9142338..7ac844c 100644
+index 168e1b7..3d640e7 100644
 --- a/key.c
 +++ b/key.c
 @@ -985,6 +985,7 @@ static const struct keytype keytypes[] = {
@@ -2056,10 +2056,10 @@ index d8ad13d..c8aeba2 100644
  };
  enum fp_type {
 diff --git a/monitor.c b/monitor.c
-index 03baf1e..a777c4c 100644
+index 531c4f9..2918814 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -181,6 +181,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
+@@ -175,6 +175,8 @@ int mm_answer_gss_setup_ctx(int, Buffer *);
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
  int mm_answer_gss_checkmic(int, Buffer *);
@@ -2068,15 +2068,13 @@ index 03baf1e..a777c4c 100644
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
-@@ -253,6 +255,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -247,11 +249,18 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
 +    {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
  #endif
- #ifdef JPAKE
-     {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -265,6 +268,12 @@ struct mon_table mon_dispatch_proto20[] = {
+     {0, 0, NULL}
  };
  
  struct mon_table mon_dispatch_postauth20[] = {
@@ -2089,7 +2087,7 @@ index 03baf1e..a777c4c 100644
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
      {MONITOR_REQ_SIGN, 0, mm_answer_sign},
      {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -373,6 +382,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
+@@ -360,6 +369,10 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                 /* Permit requests for moduli and signatures */
                 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -2100,7 +2098,7 @@ index 03baf1e..a777c4c 100644
         } else {
                 mon_dispatch = mon_dispatch_proto15;
  
-@@ -487,6 +500,10 @@ monitor_child_postauth(struct monitor *pmonitor)
+@@ -465,6 +478,10 @@ monitor_child_postauth(struct monitor *pmonitor)
                 monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -2111,7 +2109,7 @@ index 03baf1e..a777c4c 100644
         } else {
                 mon_dispatch = mon_dispatch_postauth15;
                 monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1856,6 +1873,13 @@ mm_get_kex(Buffer *m)
+@@ -1834,6 +1851,13 @@ mm_get_kex(Buffer *m)
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -2125,7 +2123,7 @@ index 03baf1e..a777c4c 100644
         kex->server = 1;
         kex->hostkey_type = buffer_get_int(m);
         kex->kex_type = buffer_get_int(m);
-@@ -2063,6 +2087,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
+@@ -2041,6 +2065,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer *m)
         OM_uint32 major;
         u_int len;
  
@@ -2135,7 +2133,7 @@ index 03baf1e..a777c4c 100644
         goid.elements = buffer_get_string(m, &len);
         goid.length = len;
  
-@@ -2090,6 +2117,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2068,6 +2095,9 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
         OM_uint32 flags = 0; /* GSI needs this */
         u_int len;
  
@@ -2145,7 +2143,7 @@ index 03baf1e..a777c4c 100644
         in.value = buffer_get_string(m, &len);
         in.length = len;
         major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -2107,6 +2137,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
+@@ -2085,6 +2115,7 @@ mm_answer_gss_accept_ctx(int sock, Buffer *m)
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
                 monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -2153,7 +2151,7 @@ index 03baf1e..a777c4c 100644
         }
         return (0);
  }
-@@ -2118,6 +2149,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
+@@ -2096,6 +2127,9 @@ mm_answer_gss_checkmic(int sock, Buffer *m)
         OM_uint32 ret;
         u_int len;
  
@@ -2163,7 +2161,7 @@ index 03baf1e..a777c4c 100644
         gssbuf.value = buffer_get_string(m, &len);
         gssbuf.length = len;
         mic.value = buffer_get_string(m, &len);
-@@ -2144,7 +2178,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2122,7 +2156,11 @@ mm_answer_gss_userok(int sock, Buffer *m)
  {
         int authenticated;
  
@@ -2176,7 +2174,7 @@ index 03baf1e..a777c4c 100644
  
         buffer_clear(m);
         buffer_put_int(m, authenticated);
-@@ -2157,6 +2195,74 @@ mm_answer_gss_userok(int sock, Buffer *m)
+@@ -2135,5 +2173,73 @@ mm_answer_gss_userok(int sock, Buffer *m)
         /* Monitor loop will terminate if authenticated */
         return (authenticated);
  }
@@ -2250,12 +2248,11 @@ index 03baf1e..a777c4c 100644
 +
  #endif /* GSSAPI */
  
- #ifdef JPAKE
 diff --git a/monitor.h b/monitor.h
-index 2caa469..315ef99 100644
+index 5bc41b5..7f32b0c 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -70,6 +70,9 @@ enum monitor_reqtype {
+@@ -65,6 +65,9 @@ enum monitor_reqtype {
         MONITOR_REQ_PAM_FREE_CTX = 110, MONITOR_ANS_PAM_FREE_CTX = 111,
         MONITOR_REQ_AUDIT_EVENT = 112, MONITOR_REQ_AUDIT_COMMAND = 113,
  
@@ -2266,10 +2263,10 @@ index 2caa469..315ef99 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 4ce4696..44019f3 100644
+index 1a47e41..60b987d 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -1273,7 +1273,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
+@@ -1271,7 +1271,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss_buffer_t gssbuf, gss_buffer_t gssmic)
  }
  
  int
@@ -2278,7 +2275,7 @@ index 4ce4696..44019f3 100644
  {
         Buffer m;
         int authenticated = 0;
-@@ -1290,6 +1290,51 @@ mm_ssh_gssapi_userok(char *user)
+@@ -1288,5 +1288,50 @@ mm_ssh_gssapi_userok(char *user)
         debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
         return (authenticated);
  }
@@ -2329,9 +2326,8 @@ index 4ce4696..44019f3 100644
 +
  #endif /* GSSAPI */
  
- #ifdef JPAKE
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index 0c7f2e3..ec9b9b1 100644
+index 18c2501..a4e9d24 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -58,8 +58,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(Key *);
@@ -2347,10 +2343,10 @@ index 0c7f2e3..ec9b9b1 100644
  
  #ifdef USE_PAM
 diff --git a/readconf.c b/readconf.c
-index 9c7e73d..cb8bcb2 100644
+index dc884c9..7613ff2 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -140,6 +140,8 @@ typedef enum {
+@@ -141,6 +141,8 @@ typedef enum {
         oClearAllForwardings, oNoHostAuthenticationForLocalhost,
         oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
         oAddressFamily, oGssAuthentication, oGssDelegateCreds,
@@ -2359,7 +2355,7 @@ index 9c7e73d..cb8bcb2 100644
         oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
         oSendEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
-@@ -182,10 +184,19 @@ static struct {
+@@ -183,10 +185,19 @@ static struct {
         { "afstokenpassing", oUnsupported },
  #if defined(GSSAPI)
         { "gssapiauthentication", oGssAuthentication },
@@ -2379,7 +2375,7 @@ index 9c7e73d..cb8bcb2 100644
  #endif
         { "fallbacktorsh", oDeprecated },
         { "usersh", oDeprecated },
-@@ -839,10 +850,30 @@ parse_time:
+@@ -841,10 +852,30 @@ parse_time:
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2410,7 +2406,7 @@ index 9c7e73d..cb8bcb2 100644
         case oBatchMode:
                 intptr = &options->batch_mode;
                 goto parse_flag;
-@@ -1488,7 +1519,12 @@ initialize_options(Options * options)
+@@ -1497,7 +1528,12 @@ initialize_options(Options * options)
         options->pubkey_authentication = -1;
         options->challenge_response_authentication = -1;
         options->gss_authentication = -1;
@@ -2423,7 +2419,7 @@ index 9c7e73d..cb8bcb2 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->kbd_interactive_devices = NULL;
-@@ -1594,8 +1630,14 @@ fill_default_options(Options * options)
+@@ -1616,8 +1652,14 @@ fill_default_options(Options * options)
                 options->challenge_response_authentication = 1;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2439,7 +2435,7 @@ index 9c7e73d..cb8bcb2 100644
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
 diff --git a/readconf.h b/readconf.h
-index 2d7ea9f..826c676 100644
+index 75e3f8f..5cc97f0 100644
 --- a/readconf.h
 +++ b/readconf.h
 @@ -54,7 +54,12 @@ typedef struct {
@@ -2456,7 +2452,7 @@ index 2d7ea9f..826c676 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff --git a/servconf.c b/servconf.c
-index 9bcd05b..29209e4 100644
+index 7ba65d5..0083cf8 100644
 --- a/servconf.c
 +++ b/servconf.c
 @@ -108,7 +108,10 @@ initialize_server_options(ServerOptions *options)
@@ -2470,7 +2466,7 @@ index 9bcd05b..29209e4 100644
         options->password_authentication = -1;
         options->kbd_interactive_authentication = -1;
         options->challenge_response_authentication = -1;
-@@ -245,8 +248,14 @@ fill_default_server_options(ServerOptions *options)
+@@ -244,8 +247,14 @@ fill_default_server_options(ServerOptions *options)
                 options->kerberos_get_afs_token = 0;
         if (options->gss_authentication == -1)
                 options->gss_authentication = 0;
@@ -2485,7 +2481,7 @@ index 9bcd05b..29209e4 100644
         if (options->password_authentication == -1)
                 options->password_authentication = 1;
         if (options->kbd_interactive_authentication == -1)
-@@ -343,7 +352,9 @@ typedef enum {
+@@ -340,7 +349,9 @@ typedef enum {
         sBanner, sUseDNS, sHostbasedAuthentication,
         sHostbasedUsesNameFromPacketOnly, sClientAliveInterval,
         sClientAliveCountMax, sAuthorizedKeysFile,
@@ -2495,8 +2491,8 @@ index 9bcd05b..29209e4 100644
 +       sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
-        sZeroKnowledgePasswordAuthentication, sHostCertificate,
-@@ -410,10 +421,20 @@ static struct {
+        sHostCertificate,
+@@ -407,10 +418,20 @@ static struct {
  #ifdef GSSAPI
         { "gssapiauthentication", sGssAuthentication, SSHCFG_ALL },
         { "gssapicleanupcredentials", sGssCleanupCreds, SSHCFG_GLOBAL },
@@ -2517,7 +2513,7 @@ index 9bcd05b..29209e4 100644
         { "passwordauthentication", sPasswordAuthentication, SSHCFG_ALL },
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
-@@ -1094,10 +1115,22 @@ process_server_config_line(ServerOptions *options, char *line,
+@@ -1086,10 +1107,22 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->gss_authentication;
                 goto parse_flag;
  
@@ -2540,7 +2536,7 @@ index 9bcd05b..29209e4 100644
         case sPasswordAuthentication:
                 intptr = &options->password_authentication;
                 goto parse_flag;
-@@ -2008,7 +2041,10 @@ dump_config(ServerOptions *o)
+@@ -1995,7 +2028,10 @@ dump_config(ServerOptions *o)
  #endif
  #ifdef GSSAPI
         dump_cfg_fmtint(sGssAuthentication, o->gss_authentication);
@@ -2549,10 +2545,10 @@ index 9bcd05b..29209e4 100644
 +       dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
 +       dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
  #endif
- #ifdef JPAKE
-        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
+        dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
+        dump_cfg_fmtint(sKbdInteractiveAuthentication,
 diff --git a/servconf.h b/servconf.h
-index 8812c5a..eba76ee 100644
+index 752d1c5..c922eb5 100644
 --- a/servconf.h
 +++ b/servconf.h
 @@ -112,7 +112,10 @@ typedef struct {
@@ -2567,11 +2563,11 @@ index 8812c5a..eba76ee 100644
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
 diff --git a/ssh-gss.h b/ssh-gss.h
-index 077e13c..885e481 100644
+index a99d7f0..914701b 100644
 --- a/ssh-gss.h
 +++ b/ssh-gss.h
 @@ -1,6 +1,6 @@
- /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+ /* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
  /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -2634,7 +2630,7 @@ index 077e13c..885e481 100644
  
  int  ssh_gssapi_check_oid(Gssctxt *, void *, size_t);
  void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
-@@ -117,16 +134,32 @@ void ssh_gssapi_build_ctx(Gssctxt **);
+@@ -119,16 +136,32 @@ void ssh_gssapi_build_ctx(Gssctxt **);
  void ssh_gssapi_delete_ctx(Gssctxt **);
  OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
  void ssh_gssapi_buildmic(Buffer *, const char *, const char *, const char *);
@@ -2683,10 +2679,10 @@ index 03a228f..228e5ab 100644
  #   CheckHostIP yes
  #   AddressFamily any
 diff --git a/ssh_config.5 b/ssh_config.5
-index 3cadcd7..49505ae 100644
+index b580392..e7accd6 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -676,11 +676,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
+@@ -682,11 +682,43 @@ Specifies whether user authentication based on GSSAPI is allowed.
  The default is
  .Dq no .
  Note that this option applies to protocol version 2 only.
@@ -2732,10 +2728,10 @@ index 3cadcd7..49505ae 100644
  Indicates that
  .Xr ssh 1
 diff --git a/sshconnect2.c b/sshconnect2.c
-index 8acffc5..21a269d 100644
+index 7f4ff41..66cb035 100644
 --- a/sshconnect2.c
 +++ b/sshconnect2.c
-@@ -160,9 +160,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -158,9 +158,34 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
  {
         Kex *kex;
  
@@ -2770,7 +2766,7 @@ index 8acffc5..21a269d 100644
         if (options.ciphers == (char *)-1) {
                 logit("No valid ciphers for protocol version 2 given, using defaults.");
                 options.ciphers = NULL;
-@@ -198,6 +223,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -196,6 +221,17 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         if (options.kex_algorithms != NULL)
                 myproposal[PROPOSAL_KEX_ALGS] = options.kex_algorithms;
  
@@ -2788,7 +2784,7 @@ index 8acffc5..21a269d 100644
         if (options.rekey_limit || options.rekey_interval)
                 packet_set_rekey_limits((u_int32_t)options.rekey_limit,
                     (time_t)options.rekey_interval);
-@@ -210,10 +246,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
+@@ -208,10 +244,30 @@ ssh_kex2(char *host, struct sockaddr *hostaddr, u_short port)
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_client;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_client;
         kex->kex[KEX_C25519_SHA256] = kexc25519_client;
@@ -2819,7 +2815,7 @@ index 8acffc5..21a269d 100644
         xxx_kex = kex;
  
         dispatch_run(DISPATCH_BLOCK, &kex->done, kex);
-@@ -309,6 +365,7 @@ void        input_gssapi_token(int type, u_int32_t, void *);
+@@ -301,6 +357,7 @@ void        input_gssapi_token(int type, u_int32_t, void *);
  void   input_gssapi_hash(int type, u_int32_t, void *);
  void   input_gssapi_error(int, u_int32_t, void *);
  void   input_gssapi_errtok(int, u_int32_t, void *);
@@ -2827,7 +2823,7 @@ index 8acffc5..21a269d 100644
  #endif
  
  void   userauth(Authctxt *, char *);
-@@ -324,6 +381,11 @@ static char *authmethods_get(void);
+@@ -316,6 +373,11 @@ static char *authmethods_get(void);
  
  Authmethod authmethods[] = {
  #ifdef GSSAPI
@@ -2839,7 +2835,7 @@ index 8acffc5..21a269d 100644
         {"gssapi-with-mic",
                 userauth_gssapi,
                 NULL,
-@@ -627,19 +689,31 @@ userauth_gssapi(Authctxt *authctxt)
+@@ -612,19 +674,31 @@ userauth_gssapi(Authctxt *authctxt)
         static u_int mech = 0;
         OM_uint32 min;
         int ok = 0;
@@ -2873,7 +2869,7 @@ index 8acffc5..21a269d 100644
                         ok = 1; /* Mechanism works */
                 } else {
                         mech++;
-@@ -736,8 +810,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
+@@ -721,8 +795,8 @@ input_gssapi_response(int type, u_int32_t plen, void *ctxt)
  {
         Authctxt *authctxt = ctxt;
         Gssctxt *gssctxt;
@@ -2884,7 +2880,7 @@ index 8acffc5..21a269d 100644
  
         if (authctxt == NULL)
                 fatal("input_gssapi_response: no authentication context");
-@@ -846,6 +920,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
+@@ -831,6 +905,48 @@ input_gssapi_error(int type, u_int32_t plen, void *ctxt)
         free(msg);
         free(lang);
  }
@@ -2934,7 +2930,7 @@ index 8acffc5..21a269d 100644
  
  int
 diff --git a/sshd.c b/sshd.c
-index 25380c9..fe65132 100644
+index 7523de9..d787fea 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -122,6 +122,10 @@
@@ -2948,7 +2944,7 @@ index 25380c9..fe65132 100644
  #ifdef LIBWRAP
  #include <tcpd.h>
  #include <syslog.h>
-@@ -1721,10 +1725,13 @@ main(int ac, char **av)
+@@ -1728,10 +1732,13 @@ main(int ac, char **av)
                 logit("Disabling protocol version 1. Could not load host key");
                 options.protocol &= ~SSH_PROTO_1;
         }
@@ -2962,7 +2958,7 @@ index 25380c9..fe65132 100644
         if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
                 logit("sshd: no hostkeys available -- exiting.");
                 exit(1);
-@@ -2051,6 +2058,60 @@ main(int ac, char **av)
+@@ -2058,6 +2065,60 @@ main(int ac, char **av)
             remote_ip, remote_port,
             get_local_ipaddr(sock_in), get_local_port());
  
@@ -3023,7 +3019,7 @@ index 25380c9..fe65132 100644
         /*
          * We don't want to listen forever unless the other side
          * successfully authenticates itself.  So we set up an alarm which is
-@@ -2456,6 +2517,48 @@ do_ssh2_kex(void)
+@@ -2469,6 +2530,48 @@ do_ssh2_kex(void)
         myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
             list_hostkey_types());
  
@@ -3072,7 +3068,7 @@ index 25380c9..fe65132 100644
         /* start key exchange */
         kex = kex_setup(myproposal);
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
-@@ -2464,6 +2567,13 @@ do_ssh2_kex(void)
+@@ -2477,6 +2580,13 @@ do_ssh2_kex(void)
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
@@ -3100,7 +3096,7 @@ index e9045bc..d9b8594 100644
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
 diff --git a/sshd_config.5 b/sshd_config.5
-index 3b21ea6..9aa9eba 100644
+index ce71efe..ceed88a 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -493,12 +493,40 @@ Specifies whether user authentication based on GSSAPI is allowed.
diff --git a/debian/patches/helpful-wait-terminate.patch b/debian/patches/helpful-wait-terminate.patch
index 6f28f7db5..e79f4990f 100644
--- a/debian/patches/helpful-wait-terminate.patch
+++ b/debian/patches/helpful-wait-terminate.patch
@@ -1,4 +1,4 @@
-From 29a3d408fe0b8e91aed47ec4ad26d0c0a16e8f65 Mon Sep 17 00:00:00 2001
+From ef912859a4300360164292abe47b5516c8ee4a13 Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:09:56 +0000
 Subject: Mention ~& when waiting for forwarded connections to terminate
@@ -12,7 +12,7 @@ Patch-Name: helpful-wait-terminate.patch
  1 file changed, 1 insertion(+), 1 deletion(-)
 
 diff --git a/serverloop.c b/serverloop.c
-index 5b2f802..d3079d2 100644
+index 2f8e3a0..441d73b 100644
 --- a/serverloop.c
 +++ b/serverloop.c
 @@ -687,7 +687,7 @@ server_loop(pid_t pid, int fdin_arg, int fdout_arg, int fderr_arg)
diff --git a/debian/patches/keepalive-extensions.patch b/debian/patches/keepalive-extensions.patch
index 149821283..680701f3d 100644
--- a/debian/patches/keepalive-extensions.patch
+++ b/debian/patches/keepalive-extensions.patch
@@ -1,4 +1,4 @@
-From 89a797b303eb5ed9edeb122a15b9dedf152cdd02 Mon Sep 17 00:00:00 2001
+From 81540b7886fdc73c7be304706ea33d6d87b5fc81 Mon Sep 17 00:00:00 2001
 From: Richard Kettlewell <rjk@greenend.org.uk>
 Date: Sun, 9 Feb 2014 16:09:52 +0000
 Subject: Various keepalive extensions
@@ -26,10 +26,10 @@ Patch-Name: keepalive-extensions.patch
  3 files changed, 34 insertions(+), 4 deletions(-)
 
 diff --git a/readconf.c b/readconf.c
-index 2a1fe8e..e79e355 100644
+index bcd8cad..6409937 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -150,6 +150,7 @@ typedef enum {
+@@ -151,6 +151,7 @@ typedef enum {
         oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
         oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
         oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -37,7 +37,7 @@ index 2a1fe8e..e79e355 100644
         oIgnoredUnknownOption, oDeprecated, oUnsupported
  } OpCodes;
  
-@@ -279,6 +280,8 @@ static struct {
+@@ -274,6 +275,8 @@ static struct {
         { "canonicalizemaxdots", oCanonicalizeMaxDots },
         { "canonicalizepermittedcnames", oCanonicalizePermittedCNAMEs },
         { "ignoreunknown", oIgnoreUnknown },
@@ -46,7 +46,7 @@ index 2a1fe8e..e79e355 100644
  
         { NULL, oBadOption }
  };
-@@ -1245,6 +1248,8 @@ parse_int:
+@@ -1247,6 +1250,8 @@ parse_int:
                 goto parse_flag;
  
         case oServerAliveInterval:
@@ -55,7 +55,7 @@ index 2a1fe8e..e79e355 100644
                 intptr = &options->server_alive_interval;
                 goto parse_time;
  
-@@ -1724,8 +1729,13 @@ fill_default_options(Options * options)
+@@ -1746,8 +1751,13 @@ fill_default_options(Options * options)
                 options->rekey_interval = 0;
         if (options->verify_host_key_dns == -1)
                 options->verify_host_key_dns = 0;
@@ -72,7 +72,7 @@ index 2a1fe8e..e79e355 100644
                 options->server_alive_count_max = 3;
         if (options->control_master == -1)
 diff --git a/ssh_config.5 b/ssh_config.5
-index 617a312..b3c5dc6 100644
+index 473971e..3172fd4 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
 @@ -205,8 +205,12 @@ Valid arguments are
@@ -89,7 +89,7 @@ index 617a312..b3c5dc6 100644
  The argument must be
  .Dq yes
  or
-@@ -1299,8 +1303,15 @@ from the server,
+@@ -1305,8 +1309,15 @@ from the server,
  will send a message through the encrypted
  channel to request a response from the server.
  The default
@@ -106,7 +106,7 @@ index 617a312..b3c5dc6 100644
  .It Cm StrictHostKeyChecking
  If this flag is set to
  .Dq yes ,
-@@ -1339,6 +1350,12 @@ Specifies whether the system should send TCP keepalive messages to the
+@@ -1345,6 +1356,12 @@ Specifies whether the system should send TCP keepalive messages to the
  other side.
  If they are sent, death of the connection or crash of one
  of the machines will be properly noticed.
@@ -120,10 +120,10 @@ index 617a312..b3c5dc6 100644
  connections will die if the route is down temporarily, and some people
  find it annoying.
 diff --git a/sshd_config.5 b/sshd_config.5
-index 9aa9eba..39643de 100644
+index ceed88a..2164d58 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
-@@ -1168,6 +1168,9 @@ This avoids infinitely hanging sessions.
+@@ -1183,6 +1183,9 @@ This avoids infinitely hanging sessions.
  .Pp
  To disable TCP keepalive messages, the value should be set to
  .Dq no .
diff --git a/debian/patches/lintian-symlink-pickiness.patch b/debian/patches/lintian-symlink-pickiness.patch
index 97f9b0759..09e09ecf8 100644
--- a/debian/patches/lintian-symlink-pickiness.patch
+++ b/debian/patches/lintian-symlink-pickiness.patch
@@ -1,4 +1,4 @@
-From b25d3b37e89fb73b5fa86d19bc22f67f64dd0ad9 Mon Sep 17 00:00:00 2001
+From eb567100ef178f4395c95cc1f37b921e02c3dd5b Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:08 +0000
 Subject: Fix picky lintian errors about slogin symlinks
@@ -15,7 +15,7 @@ Patch-Name: lintian-symlink-pickiness.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/Makefile.in b/Makefile.in
-index 5cf8100..b7de26f 100644
+index feee0b2..7d192bb 100644
 --- a/Makefile.in
 +++ b/Makefile.in
 @@ -293,9 +293,9 @@ install-files:
diff --git a/debian/patches/mention-ssh-keygen-on-keychange.patch b/debian/patches/mention-ssh-keygen-on-keychange.patch
index ab0505834..e00b6c345 100644
--- a/debian/patches/mention-ssh-keygen-on-keychange.patch
+++ b/debian/patches/mention-ssh-keygen-on-keychange.patch
@@ -1,4 +1,4 @@
-From 1ad5769e5d1d878125c48c6bb4a8bea7225940fc Mon Sep 17 00:00:00 2001
+From 8ab8f1465980856291f215c7b7184a4456398fb4 Mon Sep 17 00:00:00 2001
 From: Scott Moser <smoser@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:10:03 +0000
 Subject: Mention ssh-keygen in ssh fingerprint changed warning
@@ -13,10 +13,10 @@ Patch-Name: mention-ssh-keygen-on-keychange.patch
  1 file changed, 6 insertions(+), 1 deletion(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index ef4d9e0..4ff5c73 100644
+index 9e02837..e0a5db9 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -1062,9 +1062,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1065,9 +1065,12 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                         error("%s. This could either mean that", key_msg);
                         error("DNS SPOOFING is happening or the IP address for the host");
                         error("and its host key have changed at the same time.");
@@ -30,7 +30,7 @@ index ef4d9e0..4ff5c73 100644
                 }
                 /* The host key has changed. */
                 warn_changed_key(host_key);
-@@ -1072,6 +1075,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
+@@ -1075,6 +1078,8 @@ check_host_key(char *hostname, struct sockaddr *hostaddr, u_short port,
                     user_hostfiles[0]);
                 error("Offending %s key in %s:%lu", key_type(host_found->key),
                     host_found->file, host_found->line);
diff --git a/debian/patches/no-openssl-version-check.patch b/debian/patches/no-openssl-version-check.patch
index 590259750..56fa46aac 100644
--- a/debian/patches/no-openssl-version-check.patch
+++ b/debian/patches/no-openssl-version-check.patch
@@ -1,4 +1,4 @@
-From 4edb6872515344a0b137fe835ea7f76dcb0325ad Mon Sep 17 00:00:00 2001
+From 20690ea4b33e8ff81fea287492270df3a7029777 Mon Sep 17 00:00:00 2001
 From: Philip Hands <phil@hands.com>
 Date: Sun, 9 Feb 2014 16:10:14 +0000
 Subject: Disable OpenSSL version check
diff --git a/debian/patches/openbsd-docs.patch b/debian/patches/openbsd-docs.patch
index ea9f290ad..9a34a4182 100644
--- a/debian/patches/openbsd-docs.patch
+++ b/debian/patches/openbsd-docs.patch
@@ -1,4 +1,4 @@
-From ddca9737b50bd2ec15dc166434e312ae2fbd1196 Mon Sep 17 00:00:00 2001
+From ec9bfd62211fdf5a3004ef2045c2eb3baccfd375 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:09 +0000
 Subject: Adjust various OpenBSD-specific references in manual pages
@@ -44,7 +44,7 @@ index ef0de08..149846c 100644
  .Sh SEE ALSO
  .Xr ssh-keygen 1 ,
 diff --git a/ssh-keygen.1 b/ssh-keygen.1
-index 0e0ed98..299ccf8 100644
+index 12e00d4..a71de74 100644
 --- a/ssh-keygen.1
 +++ b/ssh-keygen.1
 @@ -172,9 +172,7 @@ key in
@@ -133,7 +133,7 @@ index e6a900b..b016e90 100644
  .Xr sshd_config 5 ,
  .Xr inetd 8 ,
 diff --git a/sshd_config.5 b/sshd_config.5
-index bdca797..9fa6086 100644
+index 8f078f6..908e0bb 100644
 --- a/sshd_config.5
 +++ b/sshd_config.5
 @@ -283,8 +283,7 @@ This option is only available for protocol version 2.
diff --git a/debian/patches/package-versioning.patch b/debian/patches/package-versioning.patch
index 67e54ccf3..c9c20d1c0 100644
--- a/debian/patches/package-versioning.patch
+++ b/debian/patches/package-versioning.patch
@@ -1,4 +1,4 @@
-From 07b738d2bf93a5e3c57ab242b666a5f58484c7a3 Mon Sep 17 00:00:00 2001
+From 6de70b95f5005447ae23532d4f3ee41a9338479f Mon Sep 17 00:00:00 2001
 From: Matthew Vernon <matthew@debian.org>
 Date: Sun, 9 Feb 2014 16:10:05 +0000
 Subject: Include the Debian version in our identification
@@ -19,10 +19,10 @@ Patch-Name: package-versioning.patch
  3 files changed, 9 insertions(+), 4 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index 4ff5c73..a2fbf9e 100644
+index e0a5db9..87c3770 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
-@@ -517,10 +517,10 @@ send_client_banner(int connection_out, int minor1)
+@@ -520,10 +520,10 @@ send_client_banner(int connection_out, int minor1)
         /* Send our own protocol version identification. */
         if (compat20) {
                 xasprintf(&client_version_string, "SSH-%d.%d-%.100s\r\n",
@@ -36,7 +36,7 @@ index 4ff5c73..a2fbf9e 100644
         if (roaming_atomicio(vwrite, connection_out, client_version_string,
             strlen(client_version_string)) != strlen(client_version_string))
 diff --git a/sshd.c b/sshd.c
-index 0a30101..82168a1 100644
+index e343d90..af9b8f1 100644
 --- a/sshd.c
 +++ b/sshd.c
 @@ -440,7 +440,7 @@ sshd_exchange_identification(int sock_in, int sock_out)
@@ -49,11 +49,11 @@ index 0a30101..82168a1 100644
             options.version_addendum, newline);
  
 diff --git a/version.h b/version.h
-index 83d70c6..0c6ea0f 100644
+index a1579ac..a97c337 100644
 --- a/version.h
 +++ b/version.h
 @@ -3,4 +3,9 @@
- #define SSH_VERSION    "OpenSSH_6.5"
+ #define SSH_VERSION    "OpenSSH_6.6"
  
  #define SSH_PORTABLE   "p1"
 -#define SSH_RELEASE    SSH_VERSION SSH_PORTABLE
diff --git a/debian/patches/quieter-signals.patch b/debian/patches/quieter-signals.patch
index 168b05a34..075b59823 100644
--- a/debian/patches/quieter-signals.patch
+++ b/debian/patches/quieter-signals.patch
@@ -1,4 +1,4 @@
-From 4ba49a8d770618307867a73769ebba62bf553961 Mon Sep 17 00:00:00 2001
+From 9875e47079abff55f8d2c1e958e9d50de6eae7ec Mon Sep 17 00:00:00 2001
 From: Peter Samuelson <peter@p12n.org>
 Date: Sun, 9 Feb 2014 16:09:55 +0000
 Subject: Reduce severity of "Killed by signal %d"
@@ -22,7 +22,7 @@ Patch-Name: quieter-signals.patch
  1 file changed, 4 insertions(+), 2 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index cd1739f..30097cd 100644
+index 73a800c..4bc5b57 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -1717,8 +1717,10 @@ client_loop(int have_pty, int escape_char_arg, int ssh2_chan_id)
diff --git a/debian/patches/scp-quoting.patch b/debian/patches/scp-quoting.patch
index d4755c6b3..ff037a43a 100644
--- a/debian/patches/scp-quoting.patch
+++ b/debian/patches/scp-quoting.patch
@@ -1,4 +1,4 @@
-From 882d0c4c4403674eebd4ec525fe368ecc2100bfc Mon Sep 17 00:00:00 2001
+From 8ab204ee192e655d5a8f4d599adb3d99eeabedc6 Mon Sep 17 00:00:00 2001
 From: =?UTF-8?q?Nicolas=20Valc=C3=A1rcel?= <nvalcarcel@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:59 +0000
 Subject: Adjust scp quoting in verbose mode
diff --git a/debian/patches/selinux-role.patch b/debian/patches/selinux-role.patch
index 1f924dfad..e0ca12fb0 100644
--- a/debian/patches/selinux-role.patch
+++ b/debian/patches/selinux-role.patch
@@ -1,4 +1,4 @@
-From 7afb9ad9307191397a3ccf3d7cc90dfe474b09e8 Mon Sep 17 00:00:00 2001
+From ae32d626ed3d15cfd7f432358b63c005961921df Mon Sep 17 00:00:00 2001
 From: Manoj Srivastava <srivasta@debian.org>
 Date: Sun, 9 Feb 2014 16:09:49 +0000
 Subject: Handle SELinux authorisation roles
@@ -32,7 +32,7 @@ Patch-Name: selinux-role.patch
  16 files changed, 104 insertions(+), 31 deletions(-)
 
 diff --git a/auth.h b/auth.h
-index 80f0898..5b6824f 100644
+index 124e597..79e4ea5 100644
 --- a/auth.h
 +++ b/auth.h
 @@ -59,6 +59,7 @@ struct Authctxt {
@@ -42,9 +42,9 @@ index 80f0898..5b6824f 100644
 +       char            *role;
         void            *kbdintctxt;
         char            *info;          /* Extra info for next auth_log */
-        void            *jpake_ctx;
+ #ifdef BSD_AUTH
 diff --git a/auth1.c b/auth1.c
-index f1ac598..2803a3c 100644
+index 0f870b3..c707390 100644
 --- a/auth1.c
 +++ b/auth1.c
 @@ -380,7 +380,7 @@ void
@@ -75,10 +75,10 @@ index f1ac598..2803a3c 100644
         /* Verify that the user is a valid user. */
         if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
 diff --git a/auth2.c b/auth2.c
-index 6ed8f04..b55bbcd 100644
+index fbe3e1b..70f2925 100644
 --- a/auth2.c
 +++ b/auth2.c
-@@ -222,7 +222,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -216,7 +216,7 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
  {
         Authctxt *authctxt = ctxt;
         Authmethod *m = NULL;
@@ -87,7 +87,7 @@ index 6ed8f04..b55bbcd 100644
         int authenticated = 0;
  
         if (authctxt == NULL)
-@@ -234,8 +234,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -228,8 +228,13 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
         debug("userauth-request for user %s service %s method %s", user, service, method);
         debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
  
@@ -101,7 +101,7 @@ index 6ed8f04..b55bbcd 100644
  
         if (authctxt->attempt++ == 0) {
                 /* setup auth context */
-@@ -259,8 +264,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
+@@ -253,8 +258,9 @@ input_userauth_request(int type, u_int32_t seq, void *ctxt)
                     use_privsep ? " [net]" : "");
                 authctxt->service = xstrdup(service);
                 authctxt->style = style ? xstrdup(style) : NULL;
@@ -113,10 +113,10 @@ index 6ed8f04..b55bbcd 100644
                 if (auth2_setup_methods_lists(authctxt) != 0)
                         packet_disconnect("no authentication methods enabled");
 diff --git a/monitor.c b/monitor.c
-index a777c4c..88f472e 100644
+index 2918814..11eac63 100644
 --- a/monitor.c
 +++ b/monitor.c
-@@ -146,6 +146,7 @@ int mm_answer_sign(int, Buffer *);
+@@ -145,6 +145,7 @@ int mm_answer_sign(int, Buffer *);
  int mm_answer_pwnamallow(int, Buffer *);
  int mm_answer_auth2_read_banner(int, Buffer *);
  int mm_answer_authserv(int, Buffer *);
@@ -124,7 +124,7 @@ index a777c4c..88f472e 100644
  int mm_answer_authpassword(int, Buffer *);
  int mm_answer_bsdauthquery(int, Buffer *);
  int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -227,6 +228,7 @@ struct mon_table mon_dispatch_proto20[] = {
+@@ -221,6 +222,7 @@ struct mon_table mon_dispatch_proto20[] = {
      {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
      {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
      {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@@ -132,7 +132,7 @@ index a777c4c..88f472e 100644
      {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
      {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
  #ifdef USE_PAM
-@@ -844,6 +846,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
+@@ -822,6 +824,7 @@ mm_answer_pwnamallow(int sock, Buffer *m)
         else {
                 /* Allow service/style information on the auth context */
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@@ -140,7 +140,7 @@ index a777c4c..88f472e 100644
                 monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
         }
  #ifdef USE_PAM
-@@ -874,14 +877,37 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -852,14 +855,37 @@ mm_answer_authserv(int sock, Buffer *m)
  
         authctxt->service = buffer_get_string(m, NULL);
         authctxt->style = buffer_get_string(m, NULL);
@@ -180,7 +180,7 @@ index a777c4c..88f472e 100644
         return (0);
  }
  
-@@ -1486,7 +1512,7 @@ mm_answer_pty(int sock, Buffer *m)
+@@ -1464,7 +1490,7 @@ mm_answer_pty(int sock, Buffer *m)
         res = pty_allocate(&s->ptyfd, &s->ttyfd, s->tty, sizeof(s->tty));
         if (res == 0)
                 goto error;
@@ -190,10 +190,10 @@ index a777c4c..88f472e 100644
         buffer_put_int(m, 1);
         buffer_put_cstring(m, s->tty);
 diff --git a/monitor.h b/monitor.h
-index 315ef99..3c13706 100644
+index 7f32b0c..4d5e8fa 100644
 --- a/monitor.h
 +++ b/monitor.h
-@@ -73,6 +73,8 @@ enum monitor_reqtype {
+@@ -68,6 +68,8 @@ enum monitor_reqtype {
         MONITOR_REQ_GSSSIGN = 150, MONITOR_ANS_GSSSIGN = 151,
         MONITOR_REQ_GSSUPCREDS = 152, MONITOR_ANS_GSSUPCREDS = 153,
  
@@ -203,10 +203,10 @@ index 315ef99..3c13706 100644
  
  struct mm_master;
 diff --git a/monitor_wrap.c b/monitor_wrap.c
-index 44019f3..69bc324 100644
+index 60b987d..f75dc9d 100644
 --- a/monitor_wrap.c
 +++ b/monitor_wrap.c
-@@ -320,10 +320,10 @@ mm_auth2_read_banner(void)
+@@ -318,10 +318,10 @@ mm_auth2_read_banner(void)
         return (banner);
  }
  
@@ -219,7 +219,7 @@ index 44019f3..69bc324 100644
  {
         Buffer m;
  
-@@ -332,12 +332,30 @@ mm_inform_authserv(char *service, char *style)
+@@ -330,12 +330,30 @@ mm_inform_authserv(char *service, char *style)
         buffer_init(&m);
         buffer_put_cstring(&m, service);
         buffer_put_cstring(&m, style ? style : "");
@@ -251,7 +251,7 @@ index 44019f3..69bc324 100644
  int
  mm_auth_password(Authctxt *authctxt, char *password)
 diff --git a/monitor_wrap.h b/monitor_wrap.h
-index ec9b9b1..4d12e29 100644
+index a4e9d24..9c2ee49 100644
 --- a/monitor_wrap.h
 +++ b/monitor_wrap.h
 @@ -41,7 +41,8 @@ void mm_log_handler(LogLevel, const char *, void *);
@@ -396,10 +396,10 @@ index 1c7a45d..436ae7c 100644
  char *platform_krb5_get_principal_name(const char *);
  int platform_sys_dir_uid(uid_t);
 diff --git a/session.c b/session.c
-index 12dd9ab..5ddd82a 100644
+index 2bcf818..6848df4 100644
 --- a/session.c
 +++ b/session.c
-@@ -1497,7 +1497,7 @@ safely_chroot(const char *path, uid_t uid)
+@@ -1502,7 +1502,7 @@ safely_chroot(const char *path, uid_t uid)
  
  /* Set login name, uid, gid, and groups. */
  void
@@ -408,7 +408,7 @@ index 12dd9ab..5ddd82a 100644
  {
         char *chroot_path, *tmp;
  
-@@ -1525,7 +1525,7 @@ do_setusercontext(struct passwd *pw)
+@@ -1530,7 +1530,7 @@ do_setusercontext(struct passwd *pw)
                 endgrent();
  #endif
  
@@ -417,7 +417,7 @@ index 12dd9ab..5ddd82a 100644
  
                 if (options.chroot_directory != NULL &&
                     strcasecmp(options.chroot_directory, "none") != 0) {
-@@ -1674,7 +1674,7 @@ do_child(Session *s, const char *command)
+@@ -1679,7 +1679,7 @@ do_child(Session *s, const char *command)
  
         /* Force a password change */
         if (s->authctxt->force_pwchange) {
@@ -426,7 +426,7 @@ index 12dd9ab..5ddd82a 100644
                 child_close_fds();
                 do_pwchange(s);
                 exit(1);
-@@ -1701,7 +1701,7 @@ do_child(Session *s, const char *command)
+@@ -1706,7 +1706,7 @@ do_child(Session *s, const char *command)
                 /* When PAM is enabled we rely on it to do the nologin check */
                 if (!options.use_pam)
                         do_nologin(pw);
@@ -435,7 +435,7 @@ index 12dd9ab..5ddd82a 100644
                 /*
                  * PAM session modules in do_setusercontext may have
                  * generated messages, so if this in an interactive
-@@ -2112,7 +2112,7 @@ session_pty_req(Session *s)
+@@ -2117,7 +2117,7 @@ session_pty_req(Session *s)
         tty_parse_modes(s->ttyfd, &n_bytes);
  
         if (!use_privsep)
@@ -458,11 +458,11 @@ index 6a2f35e..ef6593c 100644
                        const char *value);
  
 diff --git a/sshd.c b/sshd.c
-index fe65132..0a30101 100644
+index d787fea..e343d90 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -763,7 +763,7 @@ privsep_postauth(Authctxt *authctxt)
-        bzero(rnd, sizeof(rnd));
+@@ -769,7 +769,7 @@ privsep_postauth(Authctxt *authctxt)
+        explicit_bzero(rnd, sizeof(rnd));
  
         /* Drop privileges */
 -       do_setusercontext(authctxt->pw);
diff --git a/debian/patches/series b/debian/patches/series
index 5048e254d..5d21e57d1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -26,5 +26,3 @@ no-openssl-version-check.patch
 gnome-ssh-askpass2-icon.patch
 sigstop.patch
 debian-config.patch
-fix-case-sensitive-matching.patch
-getsockname-error.patch
diff --git a/debian/patches/shell-path.patch b/debian/patches/shell-path.patch
index 71d52e0bc..48c16d2a2 100644
--- a/debian/patches/shell-path.patch
+++ b/debian/patches/shell-path.patch
@@ -1,4 +1,4 @@
-From 43dbfc0c515e0adeddb097a9996dea382cc9e582 Mon Sep 17 00:00:00 2001
+From 6103c29d855e82c098e88ee12f05a6eb41f659ce Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:00 +0000
 Subject: Look for $SHELL on the path for ProxyCommand/LocalCommand
@@ -16,7 +16,7 @@ Patch-Name: shell-path.patch
  1 file changed, 2 insertions(+), 2 deletions(-)
 
 diff --git a/sshconnect.c b/sshconnect.c
-index d21781e..ef4d9e0 100644
+index 573d7a8..9e02837 100644
 --- a/sshconnect.c
 +++ b/sshconnect.c
 @@ -227,7 +227,7 @@ ssh_proxy_connect(const char *host, u_short port, const char *proxy_command)
@@ -28,7 +28,7 @@ index d21781e..ef4d9e0 100644
                 perror(argv[0]);
                 exit(1);
         }
-@@ -1384,7 +1384,7 @@ ssh_local_cmd(const char *args)
+@@ -1387,7 +1387,7 @@ ssh_local_cmd(const char *args)
         if (pid == 0) {
                 signal(SIGPIPE, SIG_DFL);
                 debug3("Executing %s -c \"%s\"", shell, args);
diff --git a/debian/patches/sigstop.patch b/debian/patches/sigstop.patch
index b34dbcda0..ac9eb4794 100644
--- a/debian/patches/sigstop.patch
+++ b/debian/patches/sigstop.patch
@@ -1,4 +1,4 @@
-From b0d3fe663d6a54b1348934946bbf8678b7470d14 Mon Sep 17 00:00:00 2001
+From d9ac4d127f53d92cf3426fba28ff351e5e165ae2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:17 +0000
 Subject: Support synchronisation with service supervisor using SIGSTOP
@@ -12,10 +12,10 @@ Patch-Name: sigstop.patch
  1 file changed, 4 insertions(+)
 
 diff --git a/sshd.c b/sshd.c
-index c49a877..23e8c2d 100644
+index 665c0b9..ffe360c 100644
 --- a/sshd.c
 +++ b/sshd.c
-@@ -1924,6 +1924,10 @@ main(int ac, char **av)
+@@ -1931,6 +1931,10 @@ main(int ac, char **av)
                         }
                 }
  
diff --git a/debian/patches/ssh-agent-setgid.patch b/debian/patches/ssh-agent-setgid.patch
index 1eedfe297..af23075b3 100644
--- a/debian/patches/ssh-agent-setgid.patch
+++ b/debian/patches/ssh-agent-setgid.patch
@@ -1,4 +1,4 @@
-From 5708dae528688dd06c784773f0e05f5e3739d0e5 Mon Sep 17 00:00:00 2001
+From d53483ab71ac2a9195c8f171da5a5dcf54ec16ec Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:13 +0000
 Subject: Document consequences of ssh-agent being setgid in ssh-agent(1)
diff --git a/debian/patches/ssh-argv0.patch b/debian/patches/ssh-argv0.patch
index 9afa12a88..d456facea 100644
--- a/debian/patches/ssh-argv0.patch
+++ b/debian/patches/ssh-argv0.patch
@@ -1,4 +1,4 @@
-From ce4c3e861126520177b929d3d04e57c0dc9cb70d Mon Sep 17 00:00:00 2001
+From d4ac61d918775f629eff9a389d0f7bb0f8426b48 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:10:10 +0000
 Subject: ssh(1): Refer to ssh-argv0(1)
diff --git a/debian/patches/ssh-vulnkey-compat.patch b/debian/patches/ssh-vulnkey-compat.patch
index 9939dda8c..fa738b084 100644
--- a/debian/patches/ssh-vulnkey-compat.patch
+++ b/debian/patches/ssh-vulnkey-compat.patch
@@ -1,4 +1,4 @@
-From 9ae199bbd2484aed4fd61535221a96f1ae478712 Mon Sep 17 00:00:00 2001
+From d422205e757aaf23e8e0e787f842ef37f6a170a2 Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@ubuntu.com>
 Date: Sun, 9 Feb 2014 16:09:50 +0000
 Subject: Accept obsolete ssh-vulnkey configuration options
@@ -17,10 +17,10 @@ Patch-Name: ssh-vulnkey-compat.patch
  2 files changed, 2 insertions(+)
 
 diff --git a/readconf.c b/readconf.c
-index cb8bcb2..2a1fe8e 100644
+index 7613ff2..bcd8cad 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -171,6 +171,7 @@ static struct {
+@@ -172,6 +172,7 @@ static struct {
         { "passwordauthentication", oPasswordAuthentication },
         { "kbdinteractiveauthentication", oKbdInteractiveAuthentication },
         { "kbdinteractivedevices", oKbdInteractiveDevices },
@@ -29,10 +29,10 @@ index cb8bcb2..2a1fe8e 100644
         { "pubkeyauthentication", oPubkeyAuthentication },
         { "dsaauthentication", oPubkeyAuthentication },             /* alias */
 diff --git a/servconf.c b/servconf.c
-index 29209e4..65f71ad 100644
+index 0083cf8..90de888 100644
 --- a/servconf.c
 +++ b/servconf.c
-@@ -456,6 +456,7 @@ static struct {
+@@ -448,6 +448,7 @@ static struct {
         { "x11uselocalhost", sX11UseLocalhost, SSHCFG_ALL },
         { "xauthlocation", sXAuthLocation, SSHCFG_GLOBAL },
         { "strictmodes", sStrictModes, SSHCFG_GLOBAL },
diff --git a/debian/patches/ssh1-keepalive.patch b/debian/patches/ssh1-keepalive.patch
index 4456498bf..ded7c122a 100644
--- a/debian/patches/ssh1-keepalive.patch
+++ b/debian/patches/ssh1-keepalive.patch
@@ -1,4 +1,4 @@
-From 40a23637b9cb6364c8baeb2c25b1d8115bc740c0 Mon Sep 17 00:00:00 2001
+From 789d58ed3df120c7b80d07fb2d259c216194a29c Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:51 +0000
 Subject: Partial server keep-alive implementation for SSH1
@@ -13,7 +13,7 @@ Patch-Name: ssh1-keepalive.patch
  2 files changed, 19 insertions(+), 11 deletions(-)
 
 diff --git a/clientloop.c b/clientloop.c
-index cc23e35..cd1739f 100644
+index 6d8cd7d..73a800c 100644
 --- a/clientloop.c
 +++ b/clientloop.c
 @@ -563,16 +563,21 @@ client_global_request_reply(int type, u_int32_t seq, void *ctxt)
@@ -57,10 +57,10 @@ index cc23e35..cd1739f 100644
                 server_alive_time = now + options.server_alive_interval;
         }
 diff --git a/ssh_config.5 b/ssh_config.5
-index 49505ae..617a312 100644
+index e7accd6..473971e 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1288,7 +1288,10 @@ If, for example,
+@@ -1294,7 +1294,10 @@ If, for example,
  .Cm ServerAliveCountMax
  is left at the default, if the server becomes unresponsive,
  ssh will disconnect after approximately 45 seconds.
diff --git a/debian/patches/syslog-level-silent.patch b/debian/patches/syslog-level-silent.patch
index 30ba118e8..7cbd3a7e3 100644
--- a/debian/patches/syslog-level-silent.patch
+++ b/debian/patches/syslog-level-silent.patch
@@ -1,4 +1,4 @@
-From 3afa62c176aa4ea42a87372f10f355efa48f582b Mon Sep 17 00:00:00 2001
+From b8ed36cdf2dbebc01e52e83eece4bb1d78607e84 Mon Sep 17 00:00:00 2001
 From: Jonathan David Amery <jdamery@ysolde.ucam.org>
 Date: Sun, 9 Feb 2014 16:09:54 +0000
 Subject: "LogLevel SILENT" compatibility
@@ -33,10 +33,10 @@ index 32e1d2e..53e7b65 100644
         { "FATAL",      SYSLOG_LEVEL_FATAL },
         { "ERROR",      SYSLOG_LEVEL_ERROR },
 diff --git a/ssh.c b/ssh.c
-index 5de8fcf..0cea713 100644
+index 1e6cb90..3e63708 100644
 --- a/ssh.c
 +++ b/ssh.c
-@@ -889,7 +889,7 @@ main(int ac, char **av)
+@@ -965,7 +965,7 @@ main(int ac, char **av)
         /* Do not allocate a tty if stdin is not a tty. */
         if ((!isatty(fileno(stdin)) || stdin_null_flag) &&
             options.request_tty != REQUEST_TTY_FORCE) {
diff --git a/debian/patches/user-group-modes.patch b/debian/patches/user-group-modes.patch
index 5062d7d80..3cdb9d8a1 100644
--- a/debian/patches/user-group-modes.patch
+++ b/debian/patches/user-group-modes.patch
@@ -1,4 +1,4 @@
-From 0879622ccc5a92902c6ffd88391824cfb2d27924 Mon Sep 17 00:00:00 2001
+From 77638f6662ecd8500e1b97e537233b1277ca829f Mon Sep 17 00:00:00 2001
 From: Colin Watson <cjwatson@debian.org>
 Date: Sun, 9 Feb 2014 16:09:58 +0000
 Subject: Allow harmless group-writability
@@ -216,10 +216,10 @@ index 4aab9a9..f99de7f 100644
 -       return 0;
 -}
 diff --git a/readconf.c b/readconf.c
-index e79e355..273552d 100644
+index 6409937..32c4b42 100644
 --- a/readconf.c
 +++ b/readconf.c
-@@ -36,6 +36,8 @@
+@@ -37,6 +37,8 @@
  #include <stdio.h>
  #include <string.h>
  #include <unistd.h>
@@ -228,7 +228,7 @@ index e79e355..273552d 100644
  #ifdef HAVE_UTIL_H
  #include <util.h>
  #endif
-@@ -1475,8 +1477,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
+@@ -1477,8 +1479,7 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
  
                 if (fstat(fileno(f), &sb) == -1)
                         fatal("fstat %s: %s", filename, strerror(errno));
@@ -252,10 +252,10 @@ index 27794e2..ff5e6ac 100644
  .It Pa ~/.ssh/environment
  Contains additional definitions for environment variables; see
 diff --git a/ssh_config.5 b/ssh_config.5
-index b3c5dc6..3c6b9d4 100644
+index 3172fd4..4bf7cbb 100644
 --- a/ssh_config.5
 +++ b/ssh_config.5
-@@ -1523,6 +1523,8 @@ The format of this file is described above.
+@@ -1529,6 +1529,8 @@ The format of this file is described above.
  This file is used by the SSH client.
  Because of the potential for abuse, this file must have strict permissions:
  read/write for the user, and not accessible by others.
diff --git a/digest-libc.c b/digest-libc.c
new file mode 100644
index 000000000..1804b0698
--- /dev/null
+++ b/digest-libc.c
@@ -0,0 +1,238 @@
+/* $OpenBSD: digest-libc.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
+/*
+ * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
+ * Copyright (c) 2014 Markus Friedl.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <limits.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <md5.h>
+#include <rmd160.h>
+#include <sha1.h>
+#include <sha2.h>
+
+#include "buffer.h"
+#include "digest.h"
+
+typedef void md_init_fn(void *mdctx);
+typedef void md_update_fn(void *mdctx, const u_int8_t *m, size_t mlen);
+typedef void md_final_fn(u_int8_t[], void *mdctx);
+
+struct ssh_digest_ctx {
+        int alg;
+        void *mdctx;
+};
+
+struct ssh_digest {
+        int id;
+        const char *name;
+        size_t block_len;
+        size_t digest_len;
+        size_t ctx_len;
+        md_init_fn *md_init;
+        md_update_fn *md_update;
+        md_final_fn *md_final;
+};
+
+/* NB. Indexed directly by algorithm number */
+const struct ssh_digest digests[SSH_DIGEST_MAX] = {
+        {
+                SSH_DIGEST_MD5,
+                "MD5",
+                MD5_BLOCK_LENGTH,
+                MD5_DIGEST_LENGTH,
+                sizeof(MD5_CTX),
+                (md_init_fn *) MD5Init,
+                (md_update_fn *) MD5Update,
+                (md_final_fn *) MD5Final
+        },
+        {
+                SSH_DIGEST_RIPEMD160,
+                "RIPEMD160",
+                RMD160_BLOCK_LENGTH,
+                RMD160_DIGEST_LENGTH,
+                sizeof(RMD160_CTX),
+                (md_init_fn *) RMD160Init,
+                (md_update_fn *) RMD160Update,
+                (md_final_fn *) RMD160Final
+        },
+        {
+                SSH_DIGEST_SHA1,
+                "SHA1",
+                SHA1_BLOCK_LENGTH,
+                SHA1_DIGEST_LENGTH,
+                sizeof(SHA1_CTX),
+                (md_init_fn *) SHA1Init,
+                (md_update_fn *) SHA1Update,
+                (md_final_fn *) SHA1Final
+        },
+        {
+                SSH_DIGEST_SHA256,
+                "SHA256",
+                SHA256_BLOCK_LENGTH,
+                SHA256_DIGEST_LENGTH,
+                sizeof(SHA2_CTX),
+                (md_init_fn *) SHA256Init,
+                (md_update_fn *) SHA256Update,
+                (md_final_fn *) SHA256Final
+        },
+        {
+                SSH_DIGEST_SHA384,
+                "SHA384",
+                SHA384_BLOCK_LENGTH,
+                SHA384_DIGEST_LENGTH,
+                sizeof(SHA2_CTX),
+                (md_init_fn *) SHA384Init,
+                (md_update_fn *) SHA384Update,
+                (md_final_fn *) SHA384Final
+        },
+        {
+                SSH_DIGEST_SHA512,
+                "SHA512",
+                SHA512_BLOCK_LENGTH,
+                SHA512_DIGEST_LENGTH,
+                sizeof(SHA2_CTX),
+                (md_init_fn *) SHA512Init,
+                (md_update_fn *) SHA512Update,
+                (md_final_fn *) SHA512Final
+        }
+};
+
+static const struct ssh_digest *
+ssh_digest_by_alg(int alg)
+{
+        if (alg < 0 || alg >= SSH_DIGEST_MAX)
+                return NULL;
+        if (digests[alg].id != alg) /* sanity */
+                return NULL;
+        return &(digests[alg]);
+}
+
+size_t
+ssh_digest_bytes(int alg)
+{
+        const struct ssh_digest *digest = ssh_digest_by_alg(alg);
+
+        return digest == NULL ? 0 : digest->digest_len;
+}
+
+size_t
+ssh_digest_blocksize(struct ssh_digest_ctx *ctx)
+{
+        const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
+
+        return digest == NULL ? 0 : digest->block_len;
+}
+
+struct ssh_digest_ctx *
+ssh_digest_start(int alg)
+{
+        const struct ssh_digest *digest = ssh_digest_by_alg(alg);
+        struct ssh_digest_ctx *ret;
+
+        if (digest == NULL || (ret = calloc(1, sizeof(ret))) == NULL)
+                return NULL;
+        if ((ret->mdctx = calloc(1, digest->ctx_len)) == NULL) {
+                free(ret);
+                return NULL;
+        }
+        ret->alg = alg;
+        digest->md_init(ret->mdctx);
+        return ret;
+}
+
+int
+ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
+{
+        const struct ssh_digest *digest = ssh_digest_by_alg(from->alg);
+
+        if (digest == NULL || from->alg != to->alg)
+                return -1;
+        memcpy(to->mdctx, from->mdctx, digest->ctx_len);
+        return 0;
+}
+
+int
+ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
+{
+        const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
+
+        if (digest == NULL)
+                return -1;
+        digest->md_update(ctx->mdctx, m, mlen);
+        return 0;
+}
+
+int
+ssh_digest_update_buffer(struct ssh_digest_ctx *ctx, const Buffer *b)
+{
+        return ssh_digest_update(ctx, buffer_ptr(b), buffer_len(b));
+}
+
+int
+ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
+{
+        const struct ssh_digest *digest = ssh_digest_by_alg(ctx->alg);
+
+        if (digest == NULL)
+                return -1;
+        if (dlen > UINT_MAX)
+                return -1;
+        if (dlen < digest->digest_len) /* No truncation allowed */
+                return -1;
+        digest->md_final(d, ctx->mdctx);
+        return 0;
+}
+
+void
+ssh_digest_free(struct ssh_digest_ctx *ctx)
+{
+        const struct ssh_digest *digest;
+
+        if (ctx != NULL) {
+                digest = ssh_digest_by_alg(ctx->alg);
+                if (digest) {
+                        explicit_bzero(ctx->mdctx, digest->ctx_len);
+                        free(ctx->mdctx);
+                        explicit_bzero(ctx, sizeof(*ctx));
+                        free(ctx);
+                }
+        }
+}
+
+int
+ssh_digest_memory(int alg, const void *m, size_t mlen, u_char *d, size_t dlen)
+{
+        struct ssh_digest_ctx *ctx = ssh_digest_start(alg);
+
+        if (ctx == NULL)
+                return -1;
+        if (ssh_digest_update(ctx, m, mlen) != 0 ||
+            ssh_digest_final(ctx, d, dlen) != 0)
+                return -1;
+        ssh_digest_free(ctx);
+        return 0;
+}
+
+int
+ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
+{
+        return ssh_digest_memory(alg, buffer_ptr(b), buffer_len(b), d, dlen);
+}
diff --git a/digest.c b/digest-openssl.c
index a221819eb..863d37d03 100644
--- a/digest.c
+++ b/digest-openssl.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest.c,v 1.3 2014/01/20 00:08:48 djm Exp $ */
+/* $OpenBSD: digest-openssl.c,v 1.2 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
  *
@@ -72,6 +72,12 @@ ssh_digest_bytes(int alg)
         return digest == NULL ? 0 : digest->digest_len;
 }
 
+size_t
+ssh_digest_blocksize(struct ssh_digest_ctx *ctx)
+{
+        return EVP_MD_CTX_block_size(&ctx->mdctx);
+}
+
 struct ssh_digest_ctx *
 ssh_digest_start(int alg)
 {
@@ -90,6 +96,15 @@ ssh_digest_start(int alg)
 }
 
 int
+ssh_digest_copy_state(struct ssh_digest_ctx *from, struct ssh_digest_ctx *to)
+{
+        /* we have bcopy-style order while openssl has memcpy-style */
+        if (!EVP_MD_CTX_copy_ex(&to->mdctx, &from->mdctx))
+                return -1;
+        return 0;
+}
+
+int
 ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
 {
         if (EVP_DigestUpdate(&ctx->mdctx, m, mlen) != 1)
@@ -123,9 +138,11 @@ ssh_digest_final(struct ssh_digest_ctx *ctx, u_char *d, size_t dlen)
 void
 ssh_digest_free(struct ssh_digest_ctx *ctx)
 {
-        EVP_MD_CTX_cleanup(&ctx->mdctx);
-        memset(ctx, 0, sizeof(*ctx));
-        free(ctx);
+        if (ctx != NULL) {
+                EVP_MD_CTX_cleanup(&ctx->mdctx);
+                explicit_bzero(ctx, sizeof(*ctx));
+                free(ctx);
+        }
 }
 
 int
diff --git a/digest.h b/digest.h
index faefda3f5..0fb207fca 100644
--- a/digest.h
+++ b/digest.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: digest.h,v 1.1 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: digest.h,v 1.2 2014/01/27 18:58:14 markus Exp $ */
 /*
  * Copyright (c) 2013 Damien Miller <djm@mindrot.org>
  *
@@ -30,9 +30,18 @@
 #define SSH_DIGEST_SHA512       5
 #define SSH_DIGEST_MAX          6
 
+struct ssh_digest_ctx;
+
 /* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
 size_t ssh_digest_bytes(int alg);
 
+/* Returns the block size of the digest, e.g. for implementing HMAC */
+size_t ssh_digest_blocksize(struct ssh_digest_ctx *ctx);
+
+/* Copies internal state of digest of 'from' to 'to' */
+int ssh_digest_copy_state(struct ssh_digest_ctx *from,
+    struct ssh_digest_ctx *to);
+
 /* One-shot API */
 int ssh_digest_memory(int alg, const void *m, size_t mlen,
     u_char *d, size_t dlen)
@@ -42,7 +51,6 @@ int ssh_digest_buffer(int alg, const Buffer *b, u_char *d, size_t dlen)
         __attribute__((__bounded__(__buffer__, 3, 4)));
 
 /* Update API */
-struct ssh_digest_ctx;
 struct ssh_digest_ctx *ssh_digest_start(int alg);
 int ssh_digest_update(struct ssh_digest_ctx *ctx, const void *m, size_t mlen)
         __attribute__((__bounded__(__buffer__, 2, 3)));
diff --git a/gss-serv.c b/gss-serv.c
index feb1ed763..c33463bdf 100644
--- a/gss-serv.c
+++ b/gss-serv.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: gss-serv.c,v 1.24 2013/07/20 01:55:13 djm Exp $ */
+/* $OpenBSD: gss-serv.c,v 1.26 2014/02/26 20:28:44 djm Exp $ */
 
 /*
  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -72,6 +72,25 @@ ssh_gssapi_mech* supported_mechs[]= {
         &gssapi_null_mech,
 };
 
+/*
+ * ssh_gssapi_supported_oids() can cause sandbox violations, so prepare the
+ * list of supported mechanisms before privsep is set up.
+ */
+static gss_OID_set supported_oids;
+
+void
+ssh_gssapi_prepare_supported_oids(void)
+{
+        ssh_gssapi_supported_oids(&supported_oids);
+}
+
+OM_uint32
+ssh_gssapi_test_oid_supported(OM_uint32 *ms, gss_OID member, int *present)
+{
+        if (supported_oids == NULL)
+                ssh_gssapi_prepare_supported_oids();
+        return gss_test_oid_set_member(ms, member, supported_oids, present);
+}
 
 /*
  * Acquire credentials for a server running on the current host.
@@ -435,7 +454,8 @@ ssh_gssapi_userok(char *user, struct passwd *pw)
                         gss_release_buffer(&lmin, &gssapi_client.displayname);
                         gss_release_buffer(&lmin, &gssapi_client.exportedname);
                         gss_release_cred(&lmin, &gssapi_client.creds);
-                        memset(&gssapi_client, 0, sizeof(ssh_gssapi_client));
+                        explicit_bzero(&gssapi_client,
+                            sizeof(ssh_gssapi_client));
                         return 0;
                 }
         else
diff --git a/hmac.c b/hmac.c
new file mode 100644
index 000000000..99317b0f9
--- /dev/null
+++ b/hmac.c
@@ -0,0 +1,197 @@
+/* $OpenBSD: hmac.c,v 1.10 2014/01/31 16:39:19 tedu Exp $ */
+/*
+ * Copyright (c) 2014 Markus Friedl.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include "includes.h"
+
+#include <sys/types.h>
+#include <string.h>
+
+#include "buffer.h"
+#include "digest.h"
+#include "hmac.h"
+
+struct ssh_hmac_ctx {
+        int                      alg;
+        struct ssh_digest_ctx   *ictx;
+        struct ssh_digest_ctx   *octx;
+        struct ssh_digest_ctx   *digest;
+        u_char                  *buf;
+        size_t                   buf_len;
+};
+
+size_t
+ssh_hmac_bytes(int alg)
+{
+        return ssh_digest_bytes(alg);
+}
+
+struct ssh_hmac_ctx *
+ssh_hmac_start(int alg)
+{
+        struct ssh_hmac_ctx     *ret;
+
+        if ((ret = calloc(1, sizeof(*ret))) == NULL)
+                return NULL;
+        ret->alg = alg;
+        if ((ret->ictx = ssh_digest_start(alg)) == NULL ||
+            (ret->octx = ssh_digest_start(alg)) == NULL ||
+            (ret->digest = ssh_digest_start(alg)) == NULL)
+                goto fail;
+        ret->buf_len = ssh_digest_blocksize(ret->ictx);
+        if ((ret->buf = calloc(1, ret->buf_len)) == NULL)
+                goto fail;
+        return ret;
+fail:
+        ssh_hmac_free(ret);
+        return NULL;
+}
+
+int
+ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen)
+{
+        size_t i;
+
+        /* reset ictx and octx if no is key given */
+        if (key != NULL) {
+                /* truncate long keys */
+                if (klen <= ctx->buf_len)
+                        memcpy(ctx->buf, key, klen);
+                else if (ssh_digest_memory(ctx->alg, key, klen, ctx->buf,
+                    ctx->buf_len) < 0)
+                        return -1;
+                for (i = 0; i < ctx->buf_len; i++)
+                        ctx->buf[i] ^= 0x36;
+                if (ssh_digest_update(ctx->ictx, ctx->buf, ctx->buf_len) < 0)
+                        return -1;
+                for (i = 0; i < ctx->buf_len; i++)
+                        ctx->buf[i] ^= 0x36 ^ 0x5c;
+                if (ssh_digest_update(ctx->octx, ctx->buf, ctx->buf_len) < 0)
+                        return -1;
+                explicit_bzero(ctx->buf, ctx->buf_len);
+        }
+        /* start with ictx */
+        if (ssh_digest_copy_state(ctx->ictx, ctx->digest) < 0)
+                return -1;
+        return 0;
+}
+
+int
+ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen)
+{
+        return ssh_digest_update(ctx->digest, m, mlen);
+}
+
+int
+ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b)
+{
+        return ssh_digest_update_buffer(ctx->digest, b);
+}
+
+int
+ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen)
+{
+        size_t len;
+
+        len = ssh_digest_bytes(ctx->alg);
+        if (dlen < len ||
+            ssh_digest_final(ctx->digest, ctx->buf, len))
+                return -1;
+        /* switch to octx */
+        if (ssh_digest_copy_state(ctx->octx, ctx->digest) < 0 ||
+            ssh_digest_update(ctx->digest, ctx->buf, len) < 0 ||
+            ssh_digest_final(ctx->digest, d, dlen) < 0)
+                return -1;
+        return 0;
+}
+
+void
+ssh_hmac_free(struct ssh_hmac_ctx *ctx)
+{
+        if (ctx != NULL) {
+                ssh_digest_free(ctx->ictx);
+                ssh_digest_free(ctx->octx);
+                ssh_digest_free(ctx->digest);
+                if (ctx->buf) {
+                        explicit_bzero(ctx->buf, ctx->buf_len);
+                        free(ctx->buf);
+                }
+                explicit_bzero(ctx, sizeof(*ctx));
+                free(ctx);
+        }
+}
+
+#ifdef TEST
+
+/* cc -DTEST hmac.c digest.c buffer.c cleanup.c fatal.c log.c xmalloc.c -lcrypto */
+static void
+hmac_test(void *key, size_t klen, void *m, size_t mlen, u_char *e, size_t elen)
+{
+        struct ssh_hmac_ctx     *ctx;
+        size_t                   i;
+        u_char                   digest[16];
+
+        if ((ctx = ssh_hmac_start(SSH_DIGEST_MD5)) == NULL)
+                printf("ssh_hmac_start failed");
+        if (ssh_hmac_init(ctx, key, klen) < 0 ||
+            ssh_hmac_update(ctx, m, mlen) < 0 ||
+            ssh_hmac_final(ctx, digest, sizeof(digest)) < 0)
+                printf("ssh_hmac_xxx failed");
+        ssh_hmac_free(ctx);
+
+        if (memcmp(e, digest, elen)) {
+                for (i = 0; i < elen; i++)
+                        printf("[%zd] %2.2x %2.2x\n", i, e[i], digest[i]);
+                printf("mismatch\n");
+        } else
+                printf("ok\n");
+}
+
+int
+main(int argc, char **argv)
+{
+        /* try test vectors from RFC 2104 */
+
+        u_char key1[16] = {
+            0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb,
+            0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb, 0xb };
+        u_char *data1 = "Hi There";
+        u_char dig1[16] = {
+            0x92, 0x94, 0x72, 0x7a, 0x36, 0x38, 0xbb, 0x1c,
+            0x13, 0xf4, 0x8e, 0xf8, 0x15, 0x8b, 0xfc, 0x9d };
+
+        u_char *key2 = "Jefe";
+        u_char *data2 = "what do ya want for nothing?";
+        u_char dig2[16] = {
+            0x75, 0x0c, 0x78, 0x3e, 0x6a, 0xb0, 0xb5, 0x03,
+            0xea, 0xa8, 0x6e, 0x31, 0x0a, 0x5d, 0xb7, 0x38 };
+
+        u_char key3[16];
+        u_char data3[50];
+        u_char dig3[16] = {
+            0x56, 0xbe, 0x34, 0x52, 0x1d, 0x14, 0x4c, 0x88,
+            0xdb, 0xb8, 0xc7, 0x33, 0xf0, 0xe8, 0xb3, 0xf6 };
+        memset(key3, 0xaa, sizeof(key3));
+        memset(data3, 0xdd, sizeof(data3));
+
+        hmac_test(key1, sizeof(key1), data1, strlen(data1), dig1, sizeof(dig1));
+        hmac_test(key2, strlen(key2), data2, strlen(data2), dig2, sizeof(dig2));
+        hmac_test(key3, sizeof(key3), data3, sizeof(data3), dig3, sizeof(dig3));
+
+        return 0;
+}
+
+#endif
diff --git a/hmac.h b/hmac.h
new file mode 100644
index 000000000..2374a6955
--- /dev/null
+++ b/hmac.h
@@ -0,0 +1,37 @@
+/* $OpenBSD: hmac.h,v 1.6 2014/01/27 18:58:14 markus Exp $ */
+/*
+ * Copyright (c) 2014 Markus Friedl.  All rights reserved.
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _HMAC_H
+#define _HMAC_H
+
+/* Returns the algorithm's digest length in bytes or 0 for invalid algorithm */
+size_t ssh_hmac_bytes(int alg);
+
+struct ssh_hmac_ctx;
+struct ssh_hmac_ctx *ssh_hmac_start(int alg);
+
+/* Sets the state of the HMAC or resets the state if key == NULL */
+int ssh_hmac_init(struct ssh_hmac_ctx *ctx, const void *key, size_t klen)
+        __attribute__((__bounded__(__buffer__, 2, 3)));
+int ssh_hmac_update(struct ssh_hmac_ctx *ctx, const void *m, size_t mlen)
+        __attribute__((__bounded__(__buffer__, 2, 3)));
+int ssh_hmac_update_buffer(struct ssh_hmac_ctx *ctx, const Buffer *b);
+int ssh_hmac_final(struct ssh_hmac_ctx *ctx, u_char *d, size_t dlen)
+        __attribute__((__bounded__(__buffer__, 2, 3)));
+void ssh_hmac_free(struct ssh_hmac_ctx *ctx);
+
+#endif /* _HMAC_H */
diff --git a/hostfile.c b/hostfile.c
index 2778fb5df..8bc9540b7 100644
--- a/hostfile.c
+++ b/hostfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: hostfile.c,v 1.53 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: hostfile.c,v 1.55 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -42,9 +42,6 @@
 
 #include <netinet/in.h>
 
-#include <openssl/hmac.h>
-#include <openssl/sha.h>
-
 #include <resolv.h>
 #include <stdarg.h>
 #include <stdio.h>
@@ -58,6 +55,7 @@
 #include "log.h"
 #include "misc.h"
 #include "digest.h"
+#include "hmac.h"
 
 struct hostkeys {
         struct hostkey_entry *entries;
@@ -102,9 +100,9 @@ extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len)
                 debug2("extract_salt: salt decode error");
                 return (-1);
         }
-        if (ret != SHA_DIGEST_LENGTH) {
-                debug2("extract_salt: expected salt len %d, got %d",
-                    SHA_DIGEST_LENGTH, ret);
+        if (ret != (int)ssh_hmac_bytes(SSH_DIGEST_SHA1)) {
+                debug2("extract_salt: expected salt len %zd, got %d",
+                    ssh_hmac_bytes(SSH_DIGEST_SHA1), ret);
                 return (-1);
         }
 
@@ -114,14 +112,13 @@ extract_salt(const char *s, u_int l, u_char *salt, size_t salt_len)
 char *
 host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
 {
-        const EVP_MD *md = EVP_sha1();
-        HMAC_CTX mac_ctx;
+        struct ssh_hmac_ctx *ctx;
         u_char salt[256], result[256];
         char uu_salt[512], uu_result[512];
         static char encoded[1024];
         u_int i, len;
 
-        len = EVP_MD_size(md);
+        len = ssh_digest_bytes(SSH_DIGEST_SHA1);
 
         if (name_from_hostfile == NULL) {
                 /* Create new salt */
@@ -134,14 +131,16 @@ host_hash(const char *host, const char *name_from_hostfile, u_int src_len)
                         return (NULL);
         }
 
-        HMAC_Init(&mac_ctx, salt, len, md);
-        HMAC_Update(&mac_ctx, (u_char *)host, strlen(host));
-        HMAC_Final(&mac_ctx, result, NULL);
-        HMAC_cleanup(&mac_ctx);
+        if ((ctx = ssh_hmac_start(SSH_DIGEST_SHA1)) == NULL ||
+            ssh_hmac_init(ctx, salt, len) < 0 ||
+            ssh_hmac_update(ctx, host, strlen(host)) < 0 ||
+            ssh_hmac_final(ctx, result, sizeof(result)))
+                fatal("%s: ssh_hmac failed", __func__);
+        ssh_hmac_free(ctx);
 
         if (__b64_ntop(salt, len, uu_salt, sizeof(uu_salt)) == -1 ||
             __b64_ntop(result, len, uu_result, sizeof(uu_result)) == -1)
-                fatal("host_hash: __b64_ntop failed");
+                fatal("%s: __b64_ntop failed", __func__);
 
         snprintf(encoded, sizeof(encoded), "%s%s%c%s", HASH_MAGIC, uu_salt,
             HASH_DELIM, uu_result);
@@ -334,10 +333,10 @@ free_hostkeys(struct hostkeys *hostkeys)
                 free(hostkeys->entries[i].host);
                 free(hostkeys->entries[i].file);
                 key_free(hostkeys->entries[i].key);
-                bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
+                explicit_bzero(hostkeys->entries + i, sizeof(*hostkeys->entries));
         }
         free(hostkeys->entries);
-        bzero(hostkeys, sizeof(*hostkeys));
+        explicit_bzero(hostkeys, sizeof(*hostkeys));
         free(hostkeys);
 }
 
diff --git a/jpake.c b/jpake.c
deleted file mode 100644
index 3dd87916a..000000000
--- a/jpake.c
+++ /dev/null
@@ -1,456 +0,0 @@
-/* $OpenBSD: jpake.c,v 1.8 2013/05/17 00:13:13 djm Exp $ */
-/*
- * Copyright (c) 2008 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Shared components of zero-knowledge password auth using J-PAKE protocol
- * as described in:
- *
- * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
- * 16th Workshop on Security Protocols, Cambridge, April 2008
- *
- * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <stdio.h>
-#include <string.h>
-#include <stdarg.h>
-
-#include <openssl/bn.h>
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "ssh2.h"
-#include "key.h"
-#include "hostfile.h"
-#include "auth.h"
-#include "buffer.h"
-#include "packet.h"
-#include "dispatch.h"
-#include "log.h"
-#include "misc.h"
-
-#include "jpake.h"
-#include "schnorr.h"
-
-#ifdef JPAKE
-
-/* RFC3526 group 5, 1536 bits */
-#define JPAKE_GROUP_G "2"
-#define JPAKE_GROUP_P \
-        "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74" \
-        "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437" \
-        "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED" \
-        "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05" \
-        "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB" \
-        "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF"
-
-struct modp_group *
-jpake_default_group(void)
-{
-        return modp_group_from_g_and_safe_p(JPAKE_GROUP_G, JPAKE_GROUP_P);
-}
-
-struct jpake_ctx *
-jpake_new(void)
-{
-        struct jpake_ctx *ret;
-
-        ret = xcalloc(1, sizeof(*ret));
-
-        ret->grp = jpake_default_group();
-
-        ret->s = ret->k = NULL;
-        ret->x1 = ret->x2 = ret->x3 = ret->x4 = NULL;
-        ret->g_x1 = ret->g_x2 = ret->g_x3 = ret->g_x4 = NULL;
-        ret->a = ret->b = NULL;
-
-        ret->client_id = ret->server_id = NULL;
-        ret->h_k_cid_sessid = ret->h_k_sid_sessid = NULL;
-
-        debug3("%s: alloc %p", __func__, ret);
-
-        return ret;
-}
-
-void
-jpake_free(struct jpake_ctx *pctx)
-{
-        debug3("%s: free %p", __func__, pctx);
-
-#define JPAKE_BN_CLEAR_FREE(v)                  \
-        do {                                    \
-                if ((v) != NULL) {              \
-                        BN_clear_free(v);       \
-                        (v) = NULL;             \
-                }                               \
-        } while (0)
-#define JPAKE_BUF_CLEAR_FREE(v, l)              \
-        do {                                    \
-                if ((v) != NULL) {              \
-                        bzero((v), (l));        \
-                        free(v);                \
-                        (v) = NULL;             \
-                        (l) = 0;                \
-                }                               \
-        } while (0)
-
-        JPAKE_BN_CLEAR_FREE(pctx->s);
-        JPAKE_BN_CLEAR_FREE(pctx->k);
-        JPAKE_BN_CLEAR_FREE(pctx->x1);
-        JPAKE_BN_CLEAR_FREE(pctx->x2);
-        JPAKE_BN_CLEAR_FREE(pctx->x3);
-        JPAKE_BN_CLEAR_FREE(pctx->x4);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x1);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x2);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x3);
-        JPAKE_BN_CLEAR_FREE(pctx->g_x4);
-        JPAKE_BN_CLEAR_FREE(pctx->a);
-        JPAKE_BN_CLEAR_FREE(pctx->b);
-
-        JPAKE_BUF_CLEAR_FREE(pctx->client_id, pctx->client_id_len);
-        JPAKE_BUF_CLEAR_FREE(pctx->server_id, pctx->server_id_len);
-        JPAKE_BUF_CLEAR_FREE(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
-        JPAKE_BUF_CLEAR_FREE(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-
-#undef JPAKE_BN_CLEAR_FREE
-#undef JPAKE_BUF_CLEAR_FREE
-
-        bzero(pctx, sizeof(*pctx));
-        free(pctx);
-}
-
-/* dump entire jpake_ctx. NB. includes private values! */
-void
-jpake_dump(struct jpake_ctx *pctx, const char *fmt, ...)
-{
-        char *out;
-        va_list args;
-
-        out = NULL;
-        va_start(args, fmt);
-        vasprintf(&out, fmt, args);
-        va_end(args);
-        if (out == NULL)
-                fatal("%s: vasprintf failed", __func__);
-
-        debug3("%s: %s (ctx at %p)", __func__, out, pctx);
-        if (pctx == NULL) {
-                free(out);
-                return;
-        }
-
-#define JPAKE_DUMP_BN(a)        do { \
-                if ((a) != NULL) \
-                        JPAKE_DEBUG_BN(((a), "%s = ", #a)); \
-        } while (0)
-#define JPAKE_DUMP_BUF(a, b)    do { \
-                if ((a) != NULL) \
-                        JPAKE_DEBUG_BUF((a, b, "%s", #a)); \
-        } while (0)
-
-        JPAKE_DUMP_BN(pctx->s);
-        JPAKE_DUMP_BN(pctx->k);
-        JPAKE_DUMP_BN(pctx->x1);
-        JPAKE_DUMP_BN(pctx->x2);
-        JPAKE_DUMP_BN(pctx->x3);
-        JPAKE_DUMP_BN(pctx->x4);
-        JPAKE_DUMP_BN(pctx->g_x1);
-        JPAKE_DUMP_BN(pctx->g_x2);
-        JPAKE_DUMP_BN(pctx->g_x3);
-        JPAKE_DUMP_BN(pctx->g_x4);
-        JPAKE_DUMP_BN(pctx->a);
-        JPAKE_DUMP_BN(pctx->b);
-
-        JPAKE_DUMP_BUF(pctx->client_id, pctx->client_id_len);
-        JPAKE_DUMP_BUF(pctx->server_id, pctx->server_id_len);
-        JPAKE_DUMP_BUF(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
-        JPAKE_DUMP_BUF(pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-
-        debug3("%s: %s done", __func__, out);
-        free(out);
-}
-
-/* Shared parts of step 1 exchange calculation */
-void
-jpake_step1(struct modp_group *grp,
-    u_char **id, u_int *id_len,
-    BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
-    u_char **priv1_proof, u_int *priv1_proof_len,
-    u_char **priv2_proof, u_int *priv2_proof_len)
-{
-        BN_CTX *bn_ctx;
-
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-
-        /* Random nonce to prevent replay */
-        *id = xmalloc(KZP_ID_LEN);
-        *id_len = KZP_ID_LEN;
-        arc4random_buf(*id, *id_len);
-
-        /*
-         * x1/x3 is a random element of Zq
-         * x2/x4 is a random element of Z*q
-         * We also exclude [1] from x1/x3 candidates and [0, 1] from
-         * x2/x4 candiates to avoid possible degeneracy (i.e. g^0, g^1).
-         */
-        if ((*priv1 = bn_rand_range_gt_one(grp->q)) == NULL ||
-            (*priv2 = bn_rand_range_gt_one(grp->q)) == NULL)
-                fatal("%s: bn_rand_range_gt_one", __func__);
-
-        /*
-         * client: g_x1 = g^x1 mod p / server: g_x3 = g^x3 mod p
-         * client: g_x2 = g^x2 mod p / server: g_x4 = g^x4 mod p
-         */
-        if ((*g_priv1 = BN_new()) == NULL ||
-            (*g_priv2 = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        if (BN_mod_exp(*g_priv1, grp->g, *priv1, grp->p, bn_ctx) == -1)
-                fatal("%s: BN_mod_exp", __func__);
-        if (BN_mod_exp(*g_priv2, grp->g, *priv2, grp->p, bn_ctx) == -1)
-                fatal("%s: BN_mod_exp", __func__);
-
-        /* Generate proofs for holding x1/x3 and x2/x4 */
-        if (schnorr_sign_buf(grp->p, grp->q, grp->g,
-            *priv1, *g_priv1, *id, *id_len,
-            priv1_proof, priv1_proof_len) != 0)
-                fatal("%s: schnorr_sign", __func__);
-        if (schnorr_sign_buf(grp->p, grp->q, grp->g,
-            *priv2, *g_priv2, *id, *id_len,
-            priv2_proof, priv2_proof_len) != 0)
-                fatal("%s: schnorr_sign", __func__);
-
-        BN_CTX_free(bn_ctx);
-}
-
-/* Shared parts of step 2 exchange calculation */
-void
-jpake_step2(struct modp_group *grp, BIGNUM *s,
-    BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
-    const u_char *theirid, u_int theirid_len,
-    const u_char *myid, u_int myid_len,
-    const u_char *theirpub1_proof, u_int theirpub1_proof_len,
-    const u_char *theirpub2_proof, u_int theirpub2_proof_len,
-    BIGNUM **newpub,
-    u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
-{
-        BN_CTX *bn_ctx;
-        BIGNUM *tmp, *exponent;
-
-        /* Validate peer's step 1 values */
-        if (BN_cmp(theirpub1, BN_value_one()) <= 0)
-                fatal("%s: theirpub1 <= 1", __func__);
-        if (BN_cmp(theirpub1, grp->p) >= 0)
-                fatal("%s: theirpub1 >= p", __func__);
-        if (BN_cmp(theirpub2, BN_value_one()) <= 0)
-                fatal("%s: theirpub2 <= 1", __func__);
-        if (BN_cmp(theirpub2, grp->p) >= 0)
-                fatal("%s: theirpub2 >= p", __func__);
-
-        if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub1,
-            theirid, theirid_len, theirpub1_proof, theirpub1_proof_len) != 1)
-                fatal("%s: schnorr_verify theirpub1 failed", __func__);
-        if (schnorr_verify_buf(grp->p, grp->q, grp->g, theirpub2,
-            theirid, theirid_len, theirpub2_proof, theirpub2_proof_len) != 1)
-                fatal("%s: schnorr_verify theirpub2 failed", __func__);
-
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-
-        if ((*newpub = BN_new()) == NULL ||
-            (tmp = BN_new()) == NULL ||
-            (exponent = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        /*
-         * client: exponent = x2 * s mod p
-         * server: exponent = x4 * s mod p
-         */
-        if (BN_mod_mul(exponent, mypriv2, s, grp->q, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (exponent = mypriv2 * s mod p)",
-                    __func__);
-
-        /*
-         * client: tmp = g^(x1 + x3 + x4) mod p
-         * server: tmp = g^(x1 + x2 + x3) mod p
-         */
-        if (BN_mod_mul(tmp, mypub1, theirpub1, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = mypub1 * theirpub1 mod p)",
-                    __func__);
-        if (BN_mod_mul(tmp, tmp, theirpub2, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = tmp * theirpub2 mod p)", __func__);
-
-        /*
-         * client: a = tmp^exponent = g^((x1+x3+x4) * x2 * s) mod p
-         * server: b = tmp^exponent = g^((x1+x2+x3) * x4 * s) mod p
-         */
-        if (BN_mod_exp(*newpub, tmp, exponent, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (newpub = tmp^exponent mod p)", __func__);
-
-        JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
-        JPAKE_DEBUG_BN((exponent, "%s: exponent = ", __func__));
-
-        /* Note the generator here is 'tmp', not g */
-        if (schnorr_sign_buf(grp->p, grp->q, tmp, exponent, *newpub,
-            myid, myid_len,
-            newpub_exponent_proof, newpub_exponent_proof_len) != 0)
-                fatal("%s: schnorr_sign newpub", __func__);
-
-        BN_clear_free(tmp); /* XXX stash for later use? */
-        BN_clear_free(exponent); /* XXX stash for later use? (yes, in conf) */
-
-        BN_CTX_free(bn_ctx);
-}
-
-/* Confirmation hash calculation */
-void
-jpake_confirm_hash(const BIGNUM *k,
-    const u_char *endpoint_id, u_int endpoint_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    u_char **confirm_hash, u_int *confirm_hash_len)
-{
-        Buffer b;
-
-        /*
-         * Calculate confirmation proof:
-         *     client: H(k || client_id || session_id)
-         *     server: H(k || server_id || session_id)
-         */
-        buffer_init(&b);
-        buffer_put_bignum2(&b, k);
-        buffer_put_string(&b, endpoint_id, endpoint_id_len);
-        buffer_put_string(&b, sess_id, sess_id_len);
-        if (hash_buffer(buffer_ptr(&b), buffer_len(&b), EVP_sha256(),
-            confirm_hash, confirm_hash_len) != 0)
-                fatal("%s: hash_buffer", __func__);
-        buffer_free(&b);
-}
-
-/* Shared parts of key derivation and confirmation calculation */
-void
-jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
-    BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
-    BIGNUM *theirpub1, BIGNUM *theirpub2,
-    const u_char *my_id, u_int my_id_len,
-    const u_char *their_id, u_int their_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
-    BIGNUM **k,
-    u_char **confirm_hash, u_int *confirm_hash_len)
-{
-        BN_CTX *bn_ctx;
-        BIGNUM *tmp;
-
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-        if ((tmp = BN_new()) == NULL ||
-            (*k = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        /* Validate step 2 values */
-        if (BN_cmp(step2_val, BN_value_one()) <= 0)
-                fatal("%s: step2_val <= 1", __func__);
-        if (BN_cmp(step2_val, grp->p) >= 0)
-                fatal("%s: step2_val >= p", __func__);
-
-        /*
-         * theirpriv2_s_proof is calculated with a different generator:
-         * tmp = g^(mypriv1+mypriv2+theirpub1) = g^mypub1*g^mypub2*g^theirpub1
-         * Calculate it here so we can check the signature.
-         */
-        if (BN_mod_mul(tmp, mypub1, mypub2, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = mypub1 * mypub2 mod p)", __func__);
-        if (BN_mod_mul(tmp, tmp, theirpub1, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = tmp * theirpub1 mod p)", __func__);
-
-        JPAKE_DEBUG_BN((tmp, "%s: tmp = ", __func__));
-
-        if (schnorr_verify_buf(grp->p, grp->q, tmp, step2_val, 
-            their_id, their_id_len,
-            theirpriv2_s_proof, theirpriv2_s_proof_len) != 1)
-                fatal("%s: schnorr_verify theirpriv2_s_proof failed", __func__);
-
-        /*
-         * Derive shared key:
-         *     client: k = (b / g^(x2*x4*s))^x2 = g^((x1+x3)*x2*x4*s)
-         *     server: k = (a / g^(x2*x4*s))^x4 = g^((x1+x3)*x2*x4*s)
-         *
-         * Computed as:
-         *     client: k = (g_x4^(q - (x2 * s)) * b)^x2 mod p
-         *     server: k = (g_x2^(q - (x4 * s)) * b)^x4 mod p
-         */
-        if (BN_mul(tmp, mypriv2, s, bn_ctx) != 1)
-                fatal("%s: BN_mul (tmp = mypriv2 * s)", __func__);
-        if (BN_mod_sub(tmp, grp->q, tmp, grp->q, bn_ctx) != 1)
-                fatal("%s: BN_mod_sub (tmp = q - tmp mod q)", __func__);
-        if (BN_mod_exp(tmp, theirpub2, tmp, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_exp (tmp = theirpub2^tmp) mod p", __func__);
-        if (BN_mod_mul(tmp, tmp, step2_val, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_mul (tmp = tmp * step2_val) mod p", __func__);
-        if (BN_mod_exp(*k, tmp, mypriv2, grp->p, bn_ctx) != 1)
-                fatal("%s: BN_mod_exp (k = tmp^mypriv2) mod p", __func__);
-        
-        BN_CTX_free(bn_ctx);
-        BN_clear_free(tmp);
-
-        jpake_confirm_hash(*k, my_id, my_id_len, sess_id, sess_id_len,
-            confirm_hash, confirm_hash_len);
-}
-
-/*
- * Calculate and check confirmation hash from peer. Returns 1 on success
- * 0 on failure/mismatch.
- */
-int
-jpake_check_confirm(const BIGNUM *k,
-    const u_char *peer_id, u_int peer_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
-{
-        u_char *expected_confirm_hash;
-        u_int expected_confirm_hash_len;
-        int success = 0;
-
-        /* Calculate and verify expected confirmation hash */
-        jpake_confirm_hash(k, peer_id, peer_id_len, sess_id, sess_id_len,
-            &expected_confirm_hash, &expected_confirm_hash_len);
-
-        JPAKE_DEBUG_BUF((expected_confirm_hash, expected_confirm_hash_len,
-            "%s: expected confirm hash", __func__));
-        JPAKE_DEBUG_BUF((peer_confirm_hash, peer_confirm_hash_len,
-            "%s: received confirm hash", __func__));
-
-        if (peer_confirm_hash_len != expected_confirm_hash_len)
-                error("%s: confirmation length mismatch (my %u them %u)",
-                    __func__, expected_confirm_hash_len, peer_confirm_hash_len);
-        else if (timingsafe_bcmp(peer_confirm_hash, expected_confirm_hash,
-            expected_confirm_hash_len) == 0)
-                success = 1;
-        bzero(expected_confirm_hash, expected_confirm_hash_len);
-        free(expected_confirm_hash);
-        debug3("%s: success = %d", __func__, success);
-        return success;
-}
-
-/* XXX main() function with tests */
-
-#endif /* JPAKE */
-
diff --git a/jpake.h b/jpake.h
deleted file mode 100644
index a3f2cf025..000000000
--- a/jpake.h
+++ /dev/null
@@ -1,114 +0,0 @@
-/* $OpenBSD: jpake.h,v 1.2 2009/03/05 07:18:19 djm Exp $ */
-/*
- * Copyright (c) 2008 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef JPAKE_H
-#define JPAKE_H
-
-#include <sys/types.h>
-
-#include <openssl/bn.h>
-
-/* Set JPAKE_DEBUG in CFLAGS for privacy-violating debugging */
-#ifndef JPAKE_DEBUG
-# define JPAKE_DEBUG_BN(a)
-# define JPAKE_DEBUG_BUF(a)
-# define JPAKE_DEBUG_CTX(a)
-#else
-# define JPAKE_DEBUG_BN(a)      debug3_bn a
-# define JPAKE_DEBUG_BUF(a)     debug3_buf a
-# define JPAKE_DEBUG_CTX(a)     jpake_dump a
-#endif /* JPAKE_DEBUG */
-
-#define KZP_ID_LEN      16      /* Length of client and server IDs */
-
-struct jpake_ctx {
-        /* Parameters */
-        struct modp_group *grp;
-
-        /* Private values shared by client and server */
-        BIGNUM *s;                      /* Secret (salted, crypted password) */
-        BIGNUM *k;                      /* Derived key */
-
-        /* Client private values (NULL for server) */
-        BIGNUM *x1;                     /* random in Zq */
-        BIGNUM *x2;                     /* random in Z*q */
-
-        /* Server private values (NULL for server) */
-        BIGNUM *x3;                     /* random in Zq */
-        BIGNUM *x4;                     /* random in Z*q */
-
-        /* Step 1: C->S */
-        u_char *client_id;              /* Anti-replay nonce */
-        u_int client_id_len;
-        BIGNUM *g_x1;                   /* g^x1 */
-        BIGNUM *g_x2;                   /* g^x2 */
-
-        /* Step 1: S->C */
-        u_char *server_id;              /* Anti-replay nonce */
-        u_int server_id_len;
-        BIGNUM *g_x3;                   /* g^x3 */
-        BIGNUM *g_x4;                   /* g^x4 */
-
-        /* Step 2: C->S */
-        BIGNUM *a;                      /* g^((x1+x3+x4)*x2*s) */
-
-        /* Step 2: S->C */
-        BIGNUM *b;                      /* g^((x1+x2+x3)*x4*s) */
-
-        /* Confirmation: C->S */
-        u_char *h_k_cid_sessid;         /* H(k || client_id || session_id) */
-        u_int h_k_cid_sessid_len;
-
-        /* Confirmation: S->C */
-        u_char *h_k_sid_sessid;         /* H(k || server_id || session_id) */
-        u_int h_k_sid_sessid_len;
-};
-
-/* jpake.c */
-struct modp_group *jpake_default_group(void);
-void jpake_dump(struct jpake_ctx *, const char *, ...)
-    __attribute__((__nonnull__ (2)))
-    __attribute__((format(printf, 2, 3)));
-struct jpake_ctx *jpake_new(void);
-void jpake_free(struct jpake_ctx *);
-
-void jpake_step1(struct modp_group *, u_char **, u_int *,
-    BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
-    u_char **, u_int *, u_char **, u_int *);
-
-void jpake_step2(struct modp_group *, BIGNUM *,
-    BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
-    const u_char *, u_int, const u_char *, u_int,
-    const u_char *, u_int, const u_char *, u_int,
-    BIGNUM **, u_char **, u_int *);
-
-void jpake_confirm_hash(const BIGNUM *,
-    const u_char *, u_int,
-    const u_char *, u_int,
-    u_char **, u_int *);
-
-void jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
-    BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
-    const u_char *, u_int, const u_char *, u_int,
-    const u_char *, u_int, const u_char *, u_int,
-    BIGNUM **, u_char **, u_int *);
-
-int jpake_check_confirm(const BIGNUM *, const u_char *, u_int,
-    const u_char *, u_int, const u_char *, u_int);
-
-#endif /* JPAKE_H */
-
diff --git a/kex.c b/kex.c
index 49d0fc8fd..d114ee3e0 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.97 2014/01/25 20:35:37 markus Exp $ */
+/* $OpenBSD: kex.c,v 1.98 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -682,8 +682,8 @@ derive_ssh1_session_id(BIGNUM *host_modulus, BIGNUM *server_modulus,
                 fatal("%s: ssh_digest_final failed", __func__);
         memcpy(id, obuf, ssh_digest_bytes(SSH_DIGEST_MD5));
 
-        memset(nbuf, 0, sizeof(nbuf));
-        memset(obuf, 0, sizeof(obuf));
+        explicit_bzero(nbuf, sizeof(nbuf));
+        explicit_bzero(obuf, sizeof(obuf));
 }
 
 #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH) || defined(DEBUG_KEXECDH)
diff --git a/kex.h b/kex.h
index 8fbcb2b79..ea698c467 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.61 2014/01/25 10:12:50 dtucker Exp $ */
+/* $OpenBSD: kex.h,v 1.62 2014/01/27 18:58:14 markus Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -108,9 +108,8 @@ struct Mac {
         u_int   key_len;
         int     type;
         int     etm;            /* Encrypt-then-MAC */
-        const EVP_MD    *evp_md;
-        HMAC_CTX        evp_ctx;
-        struct umac_ctx *umac_ctx;
+        struct ssh_hmac_ctx     *hmac_ctx;
+        struct umac_ctx         *umac_ctx;
 };
 struct Comp {
         int     type;
diff --git a/kexc25519.c b/kexc25519.c
index 48ca4aaa2..ee79b4327 100644
--- a/kexc25519.c
+++ b/kexc25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexc25519.c,v 1.4 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexc25519.c,v 1.5 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Copyright (c) 2001, 2013 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -70,7 +70,7 @@ kexc25519_shared_key(const u_char key[CURVE25519_SIZE],
 #endif
         buffer_clear(out);
         buffer_put_bignum2_from_string(out, shared_key, CURVE25519_SIZE);
-        memset(shared_key, 0, CURVE25519_SIZE); /* XXX explicit_bzero() */
+        explicit_bzero(shared_key, CURVE25519_SIZE);
 }
 
 void
diff --git a/kexdhc.c b/kexdhc.c
index 78509af21..f7a19fc13 100644
--- a/kexdhc.c
+++ b/kexdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhc.c,v 1.14 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexdhc.c,v 1.15 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -124,7 +124,7 @@ kexdh_client(Kex *kex)
                 fatal("kexdh_client: BN_new failed");
         if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
                 fatal("kexdh_client: BN_bin2bn failed");
-        memset(kbuf, 0, klen);
+        explicit_bzero(kbuf, klen);
         free(kbuf);
 
         /* calc and verify H */
diff --git a/kexdhs.c b/kexdhs.c
index d2c7adc96..c3011f741 100644
--- a/kexdhs.c
+++ b/kexdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexdhs.c,v 1.17 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexdhs.c,v 1.18 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -110,7 +110,7 @@ kexdh_server(Kex *kex)
                 fatal("kexdh_server: BN_new failed");
         if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
                 fatal("kexdh_server: BN_bin2bn failed");
-        memset(kbuf, 0, klen);
+        explicit_bzero(kbuf, klen);
         free(kbuf);
 
         key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
diff --git a/kexecdhc.c b/kexecdhc.c
index e3d1cf5f9..2f7629cca 100644
--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhc.c,v 1.6 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexecdhc.c,v 1.7 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -119,7 +119,7 @@ kexecdh_client(Kex *kex)
                 fatal("%s: BN_new failed", __func__);
         if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
                 fatal("%s: BN_bin2bn failed", __func__);
-        memset(kbuf, 0, klen);
+        explicit_bzero(kbuf, klen);
         free(kbuf);
 
         /* calc and verify H */
diff --git a/kexecdhs.c b/kexecdhs.c
index 6fbb79c9d..2700b7219 100644
--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexecdhs.c,v 1.9 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexecdhs.c,v 1.10 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -103,7 +103,7 @@ kexecdh_server(Kex *kex)
                 fatal("%s: BN_new failed", __func__);
         if (BN_bin2bn(kbuf, klen, shared_secret) == NULL)
                 fatal("%s: BN_bin2bn failed", __func__);
-        memset(kbuf, 0, klen);
+        explicit_bzero(kbuf, klen);
         free(kbuf);
 
         /* calc H */
diff --git a/kexgexc.c b/kexgexc.c
index 629b5fbbc..355b7ba31 100644
--- a/kexgexc.c
+++ b/kexgexc.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexc.c,v 1.16 2014/01/25 10:12:50 dtucker Exp $ */
+/* $OpenBSD: kexgexc.c,v 1.17 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -162,7 +162,7 @@ kexgex_client(Kex *kex)
                 fatal("kexgex_client: BN_new failed");
         if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
                 fatal("kexgex_client: BN_bin2bn failed");
-        memset(kbuf, 0, klen);
+        explicit_bzero(kbuf, klen);
         free(kbuf);
 
         if (datafellows & SSH_OLD_DHGEX)
diff --git a/kexgexs.c b/kexgexs.c
index 8773778ed..770ad28a8 100644
--- a/kexgexs.c
+++ b/kexgexs.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kexgexs.c,v 1.18 2014/01/12 08:13:13 djm Exp $ */
+/* $OpenBSD: kexgexs.c,v 1.19 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2000 Niels Provos.  All rights reserved.
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
@@ -150,7 +150,7 @@ kexgex_server(Kex *kex)
                 fatal("kexgex_server: BN_new failed");
         if (BN_bin2bn(kbuf, kout, shared_secret) == NULL)
                 fatal("kexgex_server: BN_bin2bn failed");
-        memset(kbuf, 0, klen);
+        explicit_bzero(kbuf, klen);
         free(kbuf);
 
         key_to_blob(server_host_public, &server_host_key_blob, &sbloblen);
diff --git a/key.c b/key.c
index 7ac844c66..3d640e79f 100644
--- a/key.c
+++ b/key.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: key.c,v 1.115 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: key.c,v 1.116 2014/02/02 03:44:31 djm Exp $ */
 /*
  * read_bignum():
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -242,12 +242,12 @@ key_free(Key *k)
         case KEY_ED25519:
         case KEY_ED25519_CERT:
                 if (k->ed25519_pk) {
-                        memset(k->ed25519_pk, 0, ED25519_PK_SZ);
+                        explicit_bzero(k->ed25519_pk, ED25519_PK_SZ);
                         free(k->ed25519_pk);
                         k->ed25519_pk = NULL;
                 }
                 if (k->ed25519_sk) {
-                        memset(k->ed25519_sk, 0, ED25519_SK_SZ);
+                        explicit_bzero(k->ed25519_sk, ED25519_SK_SZ);
                         free(k->ed25519_sk);
                         k->ed25519_sk = NULL;
                 }
@@ -415,7 +415,7 @@ key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
                 if ((ssh_digest_memory(hash_alg, blob, len,
                     retval, SSH_DIGEST_MAX_LENGTH)) != 0)
                         fatal("%s: digest_memory failed", __func__);
-                memset(blob, 0, len);
+                explicit_bzero(blob, len);
                 free(blob);
                 *dgst_raw_length = ssh_digest_bytes(hash_alg);
         } else {
@@ -623,7 +623,7 @@ key_fingerprint(const Key *k, enum fp_type dgst_type, enum fp_rep dgst_rep)
                     dgst_rep);
                 break;
         }
-        memset(dgst_raw, 0, dgst_raw_len);
+        explicit_bzero(dgst_raw, dgst_raw_len);
         free(dgst_raw);
         return retval;
 }
@@ -1745,7 +1745,7 @@ to_blob(const Key *key, u_char **blobp, u_int *lenp, int force_plain)
                 *blobp = xmalloc(len);
                 memcpy(*blobp, buffer_ptr(&b), len);
         }
-        memset(buffer_ptr(&b), 0, len);
+        explicit_bzero(buffer_ptr(&b), len);
         buffer_free(&b);
         return len;
 }
diff --git a/krl.c b/krl.c
index b2d0354f2..3b4cded05 100644
--- a/krl.c
+++ b/krl.c
@@ -14,7 +14,7 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $OpenBSD: krl.c,v 1.13 2013/07/20 22:20:42 djm Exp $ */
+/* $OpenBSD: krl.c,v 1.14 2014/01/31 16:39:19 tedu Exp $ */
 
 #include "includes.h"
 
@@ -238,7 +238,7 @@ insert_serial_range(struct revoked_serial_tree *rt, u_int64_t lo, u_int64_t hi)
         struct revoked_serial rs, *ers, *crs, *irs;
 
         KRL_DBG(("%s: insert %llu:%llu", __func__, lo, hi));
-        bzero(&rs, sizeof(rs));
+        memset(&rs, 0, sizeof(rs));
         rs.lo = lo;
         rs.hi = hi;
         ers = RB_NFIND(revoked_serial_tree, rt, &rs);
@@ -1115,7 +1115,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
         struct revoked_certs *rc;
 
         /* Check explicitly revoked hashes first */
-        bzero(&rb, sizeof(rb));
+        memset(&rb, 0, sizeof(rb));
         if ((rb.blob = key_fingerprint_raw(key, SSH_FP_SHA1, &rb.len)) == NULL)
                 return -1;
         erb = RB_FIND(revoked_blob_tree, &krl->revoked_sha1s, &rb);
@@ -1126,7 +1126,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
         }
 
         /* Next, explicit keys */
-        bzero(&rb, sizeof(rb));
+        memset(&rb, 0, sizeof(rb));
         if (plain_key_blob(key, &rb.blob, &rb.len) != 0)
                 return -1;
         erb = RB_FIND(revoked_blob_tree, &krl->revoked_keys, &rb);
@@ -1147,7 +1147,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
                 return 0; /* No entry for this CA */
 
         /* Check revocation by cert key ID */
-        bzero(&rki, sizeof(rki));
+        memset(&rki, 0, sizeof(rki));
         rki.key_id = key->cert->key_id;
         erki = RB_FIND(revoked_key_id_tree, &rc->revoked_key_ids, &rki);
         if (erki != NULL) {
@@ -1162,7 +1162,7 @@ is_key_revoked(struct ssh_krl *krl, const Key *key)
         if (key_cert_is_legacy(key) || key->cert->serial == 0)
                 return 0;
 
-        bzero(&rs, sizeof(rs));
+        memset(&rs, 0, sizeof(rs));
         rs.lo = rs.hi = key->cert->serial;
         ers = RB_FIND(revoked_serial_tree, &rc->revoked_serials, &rs);
         if (ers != NULL) {
diff --git a/mac.c b/mac.c
index d3a0b935f..097757213 100644
--- a/mac.c
+++ b/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.26 2014/01/04 17:50:55 tedu Exp $ */
+/* $OpenBSD: mac.c,v 1.28 2014/02/07 06:55:54 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -27,8 +27,6 @@
 
 #include <sys/types.h>
 
-#include <openssl/hmac.h>
-
 #include <stdarg.h>
 #include <string.h>
 #include <signal.h>
@@ -42,18 +40,20 @@
 #include "mac.h"
 #include "misc.h"
 
+#include "digest.h"
+#include "hmac.h"
 #include "umac.h"
 
 #include "openbsd-compat/openssl-compat.h"
 
-#define SSH_EVP         1       /* OpenSSL EVP-based MAC */
+#define SSH_DIGEST      1       /* SSH_DIGEST_XXX */
 #define SSH_UMAC        2       /* UMAC (not integrated with OpenSSL) */
 #define SSH_UMAC128     3
 
 struct macalg {
         char            *name;
         int             type;
-        const EVP_MD *  (*mdfunc)(void);
+        int             alg;
         int             truncatebits;   /* truncate digest if != 0 */
         int             key_len;        /* just for UMAC */
         int             len;            /* just for UMAC */
@@ -62,33 +62,33 @@ struct macalg {
 
 static const struct macalg macs[] = {
         /* Encrypt-and-MAC (encrypt-and-authenticate) variants */
-        { "hmac-sha1",                          SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
-        { "hmac-sha1-96",                       SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
+        { "hmac-sha1",                          SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 0 },
+        { "hmac-sha1-96",                       SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 0 },
 #ifdef HAVE_EVP_SHA256
-        { "hmac-sha2-256",                      SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
-        { "hmac-sha2-512",                      SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
+        { "hmac-sha2-256",                      SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 0 },
+        { "hmac-sha2-512",                      SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 0 },
 #endif
-        { "hmac-md5",                           SSH_EVP, EVP_md5, 0, 0, 0, 0 },
-        { "hmac-md5-96",                        SSH_EVP, EVP_md5, 96, 0, 0, 0 },
-        { "hmac-ripemd160",                     SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
-        { "hmac-ripemd160@openssh.com",         SSH_EVP, EVP_ripemd160, 0, 0, 0, 0 },
-        { "umac-64@openssh.com",                SSH_UMAC, NULL, 0, 128, 64, 0 },
-        { "umac-128@openssh.com",               SSH_UMAC128, NULL, 0, 128, 128, 0 },
+        { "hmac-md5",                           SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 0 },
+        { "hmac-md5-96",                        SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 0 },
+        { "hmac-ripemd160",                     SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
+        { "hmac-ripemd160@openssh.com",         SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 0 },
+        { "umac-64@openssh.com",                SSH_UMAC, 0, 0, 128, 64, 0 },
+        { "umac-128@openssh.com",               SSH_UMAC128, 0, 0, 128, 128, 0 },
 
         /* Encrypt-then-MAC variants */
-        { "hmac-sha1-etm@openssh.com",          SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
-        { "hmac-sha1-96-etm@openssh.com",       SSH_EVP, EVP_sha1, 96, 0, 0, 1 },
+        { "hmac-sha1-etm@openssh.com",          SSH_DIGEST, SSH_DIGEST_SHA1, 0, 0, 0, 1 },
+        { "hmac-sha1-96-etm@openssh.com",       SSH_DIGEST, SSH_DIGEST_SHA1, 96, 0, 0, 1 },
 #ifdef HAVE_EVP_SHA256
-        { "hmac-sha2-256-etm@openssh.com",      SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
-        { "hmac-sha2-512-etm@openssh.com",      SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
+        { "hmac-sha2-256-etm@openssh.com",      SSH_DIGEST, SSH_DIGEST_SHA256, 0, 0, 0, 1 },
+        { "hmac-sha2-512-etm@openssh.com",      SSH_DIGEST, SSH_DIGEST_SHA512, 0, 0, 0, 1 },
 #endif
-        { "hmac-md5-etm@openssh.com",           SSH_EVP, EVP_md5, 0, 0, 0, 1 },
-        { "hmac-md5-96-etm@openssh.com",        SSH_EVP, EVP_md5, 96, 0, 0, 1 },
-        { "hmac-ripemd160-etm@openssh.com",     SSH_EVP, EVP_ripemd160, 0, 0, 0, 1 },
-        { "umac-64-etm@openssh.com",            SSH_UMAC, NULL, 0, 128, 64, 1 },
-        { "umac-128-etm@openssh.com",           SSH_UMAC128, NULL, 0, 128, 128, 1 },
+        { "hmac-md5-etm@openssh.com",           SSH_DIGEST, SSH_DIGEST_MD5, 0, 0, 0, 1 },
+        { "hmac-md5-96-etm@openssh.com",        SSH_DIGEST, SSH_DIGEST_MD5, 96, 0, 0, 1 },
+        { "hmac-ripemd160-etm@openssh.com",     SSH_DIGEST, SSH_DIGEST_RIPEMD160, 0, 0, 0, 1 },
+        { "umac-64-etm@openssh.com",            SSH_UMAC, 0, 0, 128, 64, 1 },
+        { "umac-128-etm@openssh.com",           SSH_UMAC128, 0, 0, 128, 128, 1 },
 
-        { NULL,                                 0, NULL, 0, 0, 0, 0 }
+        { NULL,                                 0, 0, 0, 0, 0, 0 }
 };
 
 /* Returns a list of supported MACs separated by the specified char. */
@@ -113,14 +113,11 @@ mac_alg_list(char sep)
 static void
 mac_setup_by_alg(Mac *mac, const struct macalg *macalg)
 {
-        int evp_len;
-
         mac->type = macalg->type;
-        if (mac->type == SSH_EVP) {
-                mac->evp_md = macalg->mdfunc();
-                if ((evp_len = EVP_MD_size(mac->evp_md)) <= 0)
-                        fatal("mac %s len %d", mac->name, evp_len);
-                mac->key_len = mac->mac_len = (u_int)evp_len;
+        if (mac->type == SSH_DIGEST) {
+                if ((mac->hmac_ctx = ssh_hmac_start(macalg->alg)) == NULL)
+                        fatal("ssh_hmac_start(alg=%d) failed", macalg->alg);
+                mac->key_len = mac->mac_len = ssh_hmac_bytes(macalg->alg);
         } else {
                 mac->mac_len = macalg->len / 8;
                 mac->key_len = macalg->key_len / 8;
@@ -139,9 +136,10 @@ mac_setup(Mac *mac, char *name)
         for (m = macs; m->name != NULL; m++) {
                 if (strcmp(name, m->name) != 0)
                         continue;
-                if (mac != NULL)
+                if (mac != NULL) {
                         mac_setup_by_alg(mac, m);
-                debug2("mac_setup: found %s", name);
+                        debug2("mac_setup: setup %s", name);
+                }
                 return (0);
         }
         debug2("mac_setup: unknown %s", name);
@@ -152,13 +150,12 @@ int
 mac_init(Mac *mac)
 {
         if (mac->key == NULL)
-                fatal("mac_init: no key");
+                fatal("%s: no key", __func__);
         switch (mac->type) {
-        case SSH_EVP:
-                if (mac->evp_md == NULL)
+        case SSH_DIGEST:
+                if (mac->hmac_ctx == NULL ||
+                    ssh_hmac_init(mac->hmac_ctx, mac->key, mac->key_len) < 0)
                         return -1;
-                HMAC_CTX_init(&mac->evp_ctx);
-                HMAC_Init(&mac->evp_ctx, mac->key, mac->key_len, mac->evp_md);
                 return 0;
         case SSH_UMAC:
                 mac->umac_ctx = umac_new(mac->key);
@@ -185,13 +182,14 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen)
                     mac->mac_len, sizeof(u));
 
         switch (mac->type) {
-        case SSH_EVP:
+        case SSH_DIGEST:
                 put_u32(b, seqno);
                 /* reset HMAC context */
-                HMAC_Init(&mac->evp_ctx, NULL, 0, NULL);
-                HMAC_Update(&mac->evp_ctx, b, sizeof(b));
-                HMAC_Update(&mac->evp_ctx, data, datalen);
-                HMAC_Final(&mac->evp_ctx, u.m, NULL);
+                if (ssh_hmac_init(mac->hmac_ctx, NULL, 0) < 0 ||
+                    ssh_hmac_update(mac->hmac_ctx, b, sizeof(b)) < 0 ||
+                    ssh_hmac_update(mac->hmac_ctx, data, datalen) < 0 ||
+                    ssh_hmac_final(mac->hmac_ctx, u.m, sizeof(u.m)) < 0)
+                        fatal("ssh_hmac failed");
                 break;
         case SSH_UMAC:
                 put_u64(nonce, seqno);
@@ -218,9 +216,9 @@ mac_clear(Mac *mac)
         } else if (mac->type == SSH_UMAC128) {
                 if (mac->umac_ctx != NULL)
                         umac128_delete(mac->umac_ctx);
-        } else if (mac->evp_md != NULL)
-                HMAC_cleanup(&mac->evp_ctx);
-        mac->evp_md = NULL;
+        } else if (mac->hmac_ctx != NULL)
+                ssh_hmac_free(mac->hmac_ctx);
+        mac->hmac_ctx = NULL;
         mac->umac_ctx = NULL;
 }
 
@@ -240,8 +238,6 @@ mac_valid(const char *names)
                         debug("bad mac %s [%s]", p, names);
                         free(maclist);
                         return (0);
-                } else {
-                        debug3("mac ok: %s [%s]", p, names);
                 }
         }
         debug3("macs ok: [%s]", names);
diff --git a/moduli.0 b/moduli.0
index 7dc2cd540..7d678b459 100644
--- a/moduli.0
+++ b/moduli.0
@@ -71,4 +71,4 @@ STANDARDS
      the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006,
      2006.
 
-OpenBSD 5.4                   September 26, 2012                   OpenBSD 5.4
+OpenBSD 5.5                   September 26, 2012                   OpenBSD 5.5
diff --git a/monitor.c b/monitor.c
index 8ffea4f13..7c105e687 100644
--- a/monitor.c
+++ b/monitor.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.c,v 1.128 2013/11/04 11:51:16 markus Exp $ */
+/* $OpenBSD: monitor.c,v 1.131 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -95,7 +95,6 @@
 #include "misc.h"
 #include "compat.h"
 #include "ssh2.h"
-#include "jpake.h"
 #include "roaming.h"
 #include "authfd.h"
 #ifdef USE_CONSOLEKIT
@@ -165,11 +164,6 @@ int mm_answer_rsa_challenge(int, Buffer *);
 int mm_answer_rsa_response(int, Buffer *);
 int mm_answer_sesskey(int, Buffer *);
 int mm_answer_sessid(int, Buffer *);
-int mm_answer_jpake_get_pwdata(int, Buffer *);
-int mm_answer_jpake_step1(int, Buffer *);
-int mm_answer_jpake_step2(int, Buffer *);
-int mm_answer_jpake_key_confirm(int, Buffer *);
-int mm_answer_jpake_check_confirm(int, Buffer *);
 
 #ifdef USE_PAM
 int mm_answer_pam_start(int, Buffer *);
@@ -266,13 +260,6 @@ struct mon_table mon_dispatch_proto20[] = {
     {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
     {MONITOR_REQ_GSSSIGN, MON_ONCE, mm_answer_gss_sign},
 #endif
-#ifdef JPAKE
-    {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-    {MONITOR_REQ_JPAKE_STEP1, MON_ISAUTH, mm_answer_jpake_step1},
-    {MONITOR_REQ_JPAKE_STEP2, MON_ONCE, mm_answer_jpake_step2},
-    {MONITOR_REQ_JPAKE_KEY_CONFIRM, MON_ONCE, mm_answer_jpake_key_confirm},
-    {MONITOR_REQ_JPAKE_CHECK_CONFIRM, MON_AUTH, mm_answer_jpake_check_confirm},
-#endif
     {0, 0, NULL}
 };
 
@@ -455,15 +442,6 @@ monitor_child_preauth(Authctxt *_authctxt, struct monitor *pmonitor)
                         if (!authenticated)
                                 authctxt->failures++;
                 }
-#ifdef JPAKE
-                /* Cleanup JPAKE context after authentication */
-                if (ent->flags & MON_AUTHDECIDE) {
-                        if (authctxt->jpake_ctx != NULL) {
-                                jpake_free(authctxt->jpake_ctx);
-                                authctxt->jpake_ctx = NULL;
-                        }
-                }
-#endif
         }
 
         if (!authctxt->valid)
@@ -601,7 +579,7 @@ monitor_read(struct monitor *pmonitor, struct mon_table *ent,
         struct pollfd pfd[2];
 
         for (;;) {
-                bzero(&pfd, sizeof(pfd));
+                memset(&pfd, 0, sizeof(pfd));
                 pfd[0].fd = pmonitor->m_sendfd;
                 pfd[0].events = POLLIN;
                 pfd[1].fd = pmonitor->m_log_recvfd;
@@ -939,7 +917,7 @@ mm_answer_authpassword(int sock, Buffer *m)
         /* Only authenticate if the context is valid */
         authenticated = options.password_authentication &&
             auth_password(authctxt, passwd);
-        memset(passwd, 0, strlen(passwd));
+        explicit_bzero(passwd, strlen(passwd));
         free(passwd);
 
         buffer_clear(m);
@@ -1881,13 +1859,13 @@ monitor_apply_keystate(struct monitor *pmonitor)
         /* XXX inefficient for large buffers, need: buffer_init_from_string */
         buffer_clear(packet_get_input());
         buffer_append(packet_get_input(), child_state.input, child_state.ilen);
-        memset(child_state.input, 0, child_state.ilen);
+        explicit_bzero(child_state.input, child_state.ilen);
         free(child_state.input);
 
         buffer_clear(packet_get_output());
         buffer_append(packet_get_output(), child_state.output,
                       child_state.olen);
-        memset(child_state.output, 0, child_state.olen);
+        explicit_bzero(child_state.output, child_state.olen);
         free(child_state.output);
 
         /* Roaming */
@@ -2307,209 +2285,6 @@ mm_answer_gss_updatecreds(int socket, Buffer *m) {
 
 #endif /* GSSAPI */
 
-#ifdef JPAKE
-int
-mm_answer_jpake_step1(int sock, Buffer *m)
-{
-        struct jpake_ctx *pctx;
-        u_char *x3_proof, *x4_proof;
-        u_int x3_proof_len, x4_proof_len;
-
-        if (!options.zero_knowledge_password_authentication)
-                fatal("zero_knowledge_password_authentication disabled");
-
-        if (authctxt->jpake_ctx != NULL)
-                fatal("%s: authctxt->jpake_ctx already set (%p)",
-                    __func__, authctxt->jpake_ctx);
-        authctxt->jpake_ctx = pctx = jpake_new();
-
-        jpake_step1(pctx->grp,
-            &pctx->server_id, &pctx->server_id_len,
-            &pctx->x3, &pctx->x4, &pctx->g_x3, &pctx->g_x4,
-            &x3_proof, &x3_proof_len,
-            &x4_proof, &x4_proof_len);
-
-        JPAKE_DEBUG_CTX((pctx, "step1 done in %s", __func__));
-
-        buffer_clear(m);
-
-        buffer_put_string(m, pctx->server_id, pctx->server_id_len);
-        buffer_put_bignum2(m, pctx->g_x3);
-        buffer_put_bignum2(m, pctx->g_x4);
-        buffer_put_string(m, x3_proof, x3_proof_len);
-        buffer_put_string(m, x4_proof, x4_proof_len);
-
-        debug3("%s: sending step1", __func__);
-        mm_request_send(sock, MONITOR_ANS_JPAKE_STEP1, m);
-
-        bzero(x3_proof, x3_proof_len);
-        bzero(x4_proof, x4_proof_len);
-        free(x3_proof);
-        free(x4_proof);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_GET_PWDATA, 1);
-        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 0);
-
-        return 0;
-}
-
-int
-mm_answer_jpake_get_pwdata(int sock, Buffer *m)
-{
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        char *hash_scheme, *salt;
-
-        if (pctx == NULL)
-                fatal("%s: pctx == NULL", __func__);
-
-        auth2_jpake_get_pwdata(authctxt, &pctx->s, &hash_scheme, &salt);
-
-        buffer_clear(m);
-        /* pctx->s is sensitive, not returned to slave */
-        buffer_put_cstring(m, hash_scheme);
-        buffer_put_cstring(m, salt);
-
-        debug3("%s: sending pwdata", __func__);
-        mm_request_send(sock, MONITOR_ANS_JPAKE_GET_PWDATA, m);
-
-        bzero(hash_scheme, strlen(hash_scheme));
-        bzero(salt, strlen(salt));
-        free(hash_scheme);
-        free(salt);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP2, 1);
-
-        return 0;
-}
-
-int
-mm_answer_jpake_step2(int sock, Buffer *m)
-{
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        u_char *x1_proof, *x2_proof, *x4_s_proof;
-        u_int x1_proof_len, x2_proof_len, x4_s_proof_len;
-
-        if (pctx == NULL)
-                fatal("%s: pctx == NULL", __func__);
-
-        if ((pctx->g_x1 = BN_new()) == NULL ||
-            (pctx->g_x2 = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        buffer_get_bignum2(m, pctx->g_x1);
-        buffer_get_bignum2(m, pctx->g_x2);
-        pctx->client_id = buffer_get_string(m, &pctx->client_id_len);
-        x1_proof = buffer_get_string(m, &x1_proof_len);
-        x2_proof = buffer_get_string(m, &x2_proof_len);
-
-        jpake_step2(pctx->grp, pctx->s, pctx->g_x3,
-            pctx->g_x1, pctx->g_x2, pctx->x4,
-            pctx->client_id, pctx->client_id_len,
-            pctx->server_id, pctx->server_id_len,
-            x1_proof, x1_proof_len,
-            x2_proof, x2_proof_len,
-            &pctx->b,
-            &x4_s_proof, &x4_s_proof_len);
-
-        JPAKE_DEBUG_CTX((pctx, "step2 done in %s", __func__));
-
-        bzero(x1_proof, x1_proof_len);
-        bzero(x2_proof, x2_proof_len);
-        free(x1_proof);
-        free(x2_proof);
-
-        buffer_clear(m);
-
-        buffer_put_bignum2(m, pctx->b);
-        buffer_put_string(m, x4_s_proof, x4_s_proof_len);
-
-        debug3("%s: sending step2", __func__);
-        mm_request_send(sock, MONITOR_ANS_JPAKE_STEP2, m);
-
-        bzero(x4_s_proof, x4_s_proof_len);
-        free(x4_s_proof);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_KEY_CONFIRM, 1);
-
-        return 0;
-}
-
-int
-mm_answer_jpake_key_confirm(int sock, Buffer *m)
-{
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-        u_char *x2_s_proof;
-        u_int x2_s_proof_len;
-
-        if (pctx == NULL)
-                fatal("%s: pctx == NULL", __func__);
-
-        if ((pctx->a = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        buffer_get_bignum2(m, pctx->a);
-        x2_s_proof = buffer_get_string(m, &x2_s_proof_len);
-
-        jpake_key_confirm(pctx->grp, pctx->s, pctx->a,
-            pctx->x4, pctx->g_x3, pctx->g_x4, pctx->g_x1, pctx->g_x2,
-            pctx->server_id, pctx->server_id_len,
-            pctx->client_id, pctx->client_id_len,
-            session_id2, session_id2_len,
-            x2_s_proof, x2_s_proof_len,
-            &pctx->k,
-            &pctx->h_k_sid_sessid, &pctx->h_k_sid_sessid_len);
-
-        JPAKE_DEBUG_CTX((pctx, "key_confirm done in %s", __func__));
-
-        bzero(x2_s_proof, x2_s_proof_len);
-        buffer_clear(m);
-
-        /* pctx->k is sensitive, not sent */
-        buffer_put_string(m, pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len);
-
-        debug3("%s: sending confirmation hash", __func__);
-        mm_request_send(sock, MONITOR_ANS_JPAKE_KEY_CONFIRM, m);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_CHECK_CONFIRM, 1);
-
-        return 0;
-}
-
-int
-mm_answer_jpake_check_confirm(int sock, Buffer *m)
-{
-        int authenticated = 0;
-        u_char *peer_confirm_hash;
-        u_int peer_confirm_hash_len;
-        struct jpake_ctx *pctx = authctxt->jpake_ctx;
-
-        if (pctx == NULL)
-                fatal("%s: pctx == NULL", __func__);
-
-        peer_confirm_hash = buffer_get_string(m, &peer_confirm_hash_len);
-
-        authenticated = jpake_check_confirm(pctx->k,
-            pctx->client_id, pctx->client_id_len,
-            session_id2, session_id2_len,
-            peer_confirm_hash, peer_confirm_hash_len) && authctxt->valid;
-
-        JPAKE_DEBUG_CTX((pctx, "check_confirm done in %s", __func__));
-
-        bzero(peer_confirm_hash, peer_confirm_hash_len);
-        free(peer_confirm_hash);
-
-        buffer_clear(m);
-        buffer_put_int(m, authenticated);
-
-        debug3("%s: sending result %d", __func__, authenticated);
-        mm_request_send(sock, MONITOR_ANS_JPAKE_CHECK_CONFIRM, m);
-
-        monitor_permit(mon_dispatch, MONITOR_REQ_JPAKE_STEP1, 1);
-
-        auth_method = "jpake-01@openssh.com";
-        return authenticated;
-}
-
-#endif /* JPAKE */
-
 #ifdef USE_CONSOLEKIT
 int
 mm_answer_consolekit_register(int sock, Buffer *m)
diff --git a/monitor.h b/monitor.h
index cd8342823..10ba59ea9 100644
--- a/monitor.h
+++ b/monitor.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor.h,v 1.17 2012/12/02 20:34:10 djm Exp $ */
+/* $OpenBSD: monitor.h,v 1.18 2014/01/29 06:18:35 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -56,11 +56,6 @@ enum monitor_reqtype {
         MONITOR_REQ_GSSUSEROK = 46, MONITOR_ANS_GSSUSEROK = 47,
         MONITOR_REQ_GSSCHECKMIC = 48, MONITOR_ANS_GSSCHECKMIC = 49,
         MONITOR_REQ_TERM = 50,
-        MONITOR_REQ_JPAKE_STEP1 = 52, MONITOR_ANS_JPAKE_STEP1 = 53,
-        MONITOR_REQ_JPAKE_GET_PWDATA = 54, MONITOR_ANS_JPAKE_GET_PWDATA = 55,
-        MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
-        MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
-        MONITOR_REQ_JPAKE_CHECK_CONFIRM = 60, MONITOR_ANS_JPAKE_CHECK_CONFIRM = 61,
 
         MONITOR_REQ_PAM_START = 100,
         MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
diff --git a/monitor_wrap.c b/monitor_wrap.c
index 670b62dfb..a8fb07b52 100644
--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.77 2013/11/06 16:52:11 markus Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.79 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
@@ -71,8 +71,6 @@
 #include "atomicio.h"
 #include "monitor_fdpass.h"
 #include "misc.h"
-#include "schnorr.h"
-#include "jpake.h"
 #include "uuencode.h"
 
 #include "channels.h"
@@ -592,7 +590,7 @@ mm_newkeys_to_blob(int mode, u_char **blobp, u_int *lenp)
                 *blobp = xmalloc(len);
                 memcpy(*blobp, buffer_ptr(&b), len);
         }
-        memset(buffer_ptr(&b), 0, len);
+        explicit_bzero(buffer_ptr(&b), len);
         buffer_free(&b);
         return len;
 }
@@ -636,7 +634,7 @@ mm_send_keystate(struct monitor *monitor)
                 key = xmalloc(keylen+1);        /* add 1 if keylen == 0 */
                 keylen = packet_get_encryption_key(key);
                 buffer_put_string(&m, key, keylen);
-                memset(key, 0, keylen);
+                explicit_bzero(key, keylen);
                 free(key);
 
                 ivlen = packet_get_keyiv_len(MODE_OUT);
@@ -1355,168 +1353,6 @@ mm_ssh_gssapi_update_creds(ssh_gssapi_ccache *store)
 
 #endif /* GSSAPI */
 
-#ifdef JPAKE
-void
-mm_auth2_jpake_get_pwdata(Authctxt *authctxt, BIGNUM **s,
-    char **hash_scheme, char **salt)
-{
-        Buffer m;
-
-        debug3("%s entering", __func__);
-
-        buffer_init(&m);
-        mm_request_send(pmonitor->m_recvfd,
-            MONITOR_REQ_JPAKE_GET_PWDATA, &m);
-
-        debug3("%s: waiting for MONITOR_ANS_JPAKE_GET_PWDATA", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd,
-            MONITOR_ANS_JPAKE_GET_PWDATA, &m);
-
-        *hash_scheme = buffer_get_string(&m, NULL);
-        *salt = buffer_get_string(&m, NULL);
-
-        buffer_free(&m);
-}
-
-void
-mm_jpake_step1(struct modp_group *grp,
-    u_char **id, u_int *id_len,
-    BIGNUM **priv1, BIGNUM **priv2, BIGNUM **g_priv1, BIGNUM **g_priv2,
-    u_char **priv1_proof, u_int *priv1_proof_len,
-    u_char **priv2_proof, u_int *priv2_proof_len)
-{
-        Buffer m;
-
-        debug3("%s entering", __func__);
-
-        buffer_init(&m);
-        mm_request_send(pmonitor->m_recvfd,
-            MONITOR_REQ_JPAKE_STEP1, &m);
-
-        debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP1", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd,
-            MONITOR_ANS_JPAKE_STEP1, &m);
-
-        if ((*priv1 = BN_new()) == NULL ||
-            (*priv2 = BN_new()) == NULL ||
-            (*g_priv1 = BN_new()) == NULL ||
-            (*g_priv2 = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        *id = buffer_get_string(&m, id_len);
-        /* priv1 and priv2 are, well, private */
-        buffer_get_bignum2(&m, *g_priv1);
-        buffer_get_bignum2(&m, *g_priv2);
-        *priv1_proof = buffer_get_string(&m, priv1_proof_len);
-        *priv2_proof = buffer_get_string(&m, priv2_proof_len);
-
-        buffer_free(&m);
-}
-
-void
-mm_jpake_step2(struct modp_group *grp, BIGNUM *s,
-    BIGNUM *mypub1, BIGNUM *theirpub1, BIGNUM *theirpub2, BIGNUM *mypriv2,
-    const u_char *theirid, u_int theirid_len,
-    const u_char *myid, u_int myid_len,
-    const u_char *theirpub1_proof, u_int theirpub1_proof_len,
-    const u_char *theirpub2_proof, u_int theirpub2_proof_len,
-    BIGNUM **newpub,
-    u_char **newpub_exponent_proof, u_int *newpub_exponent_proof_len)
-{
-        Buffer m;
-
-        debug3("%s entering", __func__);
-
-        buffer_init(&m);
-        /* monitor already has all bignums except theirpub1, theirpub2 */
-        buffer_put_bignum2(&m, theirpub1);
-        buffer_put_bignum2(&m, theirpub2);
-        /* monitor already knows our id */
-        buffer_put_string(&m, theirid, theirid_len);
-        buffer_put_string(&m, theirpub1_proof, theirpub1_proof_len);
-        buffer_put_string(&m, theirpub2_proof, theirpub2_proof_len);
-
-        mm_request_send(pmonitor->m_recvfd,
-            MONITOR_REQ_JPAKE_STEP2, &m);
-
-        debug3("%s: waiting for MONITOR_ANS_JPAKE_STEP2", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd,
-            MONITOR_ANS_JPAKE_STEP2, &m);
-
-        if ((*newpub = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        buffer_get_bignum2(&m, *newpub);
-        *newpub_exponent_proof = buffer_get_string(&m,
-            newpub_exponent_proof_len);
-
-        buffer_free(&m);
-}
-
-void
-mm_jpake_key_confirm(struct modp_group *grp, BIGNUM *s, BIGNUM *step2_val,
-    BIGNUM *mypriv2, BIGNUM *mypub1, BIGNUM *mypub2,
-    BIGNUM *theirpub1, BIGNUM *theirpub2,
-    const u_char *my_id, u_int my_id_len,
-    const u_char *their_id, u_int their_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    const u_char *theirpriv2_s_proof, u_int theirpriv2_s_proof_len,
-    BIGNUM **k,
-    u_char **confirm_hash, u_int *confirm_hash_len)
-{
-        Buffer m;
-
-        debug3("%s entering", __func__);
-
-        buffer_init(&m);
-        /* monitor already has all bignums except step2_val */
-        buffer_put_bignum2(&m, step2_val);
-        /* monitor already knows all the ids */
-        buffer_put_string(&m, theirpriv2_s_proof, theirpriv2_s_proof_len);
-
-        mm_request_send(pmonitor->m_recvfd,
-            MONITOR_REQ_JPAKE_KEY_CONFIRM, &m);
-
-        debug3("%s: waiting for MONITOR_ANS_JPAKE_KEY_CONFIRM", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd,
-            MONITOR_ANS_JPAKE_KEY_CONFIRM, &m);
-
-        /* 'k' is sensitive and stays in the monitor */
-        *confirm_hash = buffer_get_string(&m, confirm_hash_len);
-
-        buffer_free(&m);
-}
-
-int
-mm_jpake_check_confirm(const BIGNUM *k,
-    const u_char *peer_id, u_int peer_id_len,
-    const u_char *sess_id, u_int sess_id_len,
-    const u_char *peer_confirm_hash, u_int peer_confirm_hash_len)
-{
-        Buffer m;
-        int success = 0;
-
-        debug3("%s entering", __func__);
-
-        buffer_init(&m);
-        /* k is dummy in slave, ignored */
-        /* monitor knows all the ids */
-        buffer_put_string(&m, peer_confirm_hash, peer_confirm_hash_len);
-        mm_request_send(pmonitor->m_recvfd,
-            MONITOR_REQ_JPAKE_CHECK_CONFIRM, &m);
-
-        debug3("%s: waiting for MONITOR_ANS_JPAKE_CHECK_CONFIRM", __func__);
-        mm_request_receive_expect(pmonitor->m_recvfd,
-            MONITOR_ANS_JPAKE_CHECK_CONFIRM, &m);
-
-        success = buffer_get_int(&m);
-        buffer_free(&m);
-
-        debug3("%s: success = %d", __func__, success);
-        return success;
-}
-#endif /* JPAKE */
-
 #ifdef USE_CONSOLEKIT
 char *
 mm_consolekit_register(Session *s, const char *display)
diff --git a/monitor_wrap.h b/monitor_wrap.h
index 360fb9f57..00e93fe9c 100644
--- a/monitor_wrap.h
+++ b/monitor_wrap.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.h,v 1.23 2011/06/17 21:44:31 djm Exp $ */
+/* $OpenBSD: monitor_wrap.h,v 1.24 2014/01/29 06:18:35 djm Exp $ */
 
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
@@ -105,26 +105,6 @@ int mm_bsdauth_respond(void *, u_int, char **);
 int mm_skey_query(void *, char **, char **, u_int *, char ***, u_int **);
 int mm_skey_respond(void *, u_int, char **);
 
-/* jpake */
-struct modp_group;
-void mm_auth2_jpake_get_pwdata(struct Authctxt *, BIGNUM **, char **, char **);
-void mm_jpake_step1(struct modp_group *, u_char **, u_int *,
-    BIGNUM **, BIGNUM **, BIGNUM **, BIGNUM **,
-    u_char **, u_int *, u_char **, u_int *);
-void mm_jpake_step2(struct modp_group *, BIGNUM *,
-    BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
-    const u_char *, u_int, const u_char *, u_int,
-    const u_char *, u_int, const u_char *, u_int,
-    BIGNUM **, u_char **, u_int *);
-void mm_jpake_key_confirm(struct modp_group *, BIGNUM *, BIGNUM *,
-    BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *, BIGNUM *,
-    const u_char *, u_int, const u_char *, u_int,
-    const u_char *, u_int, const u_char *, u_int,
-    BIGNUM **, u_char **, u_int *);
-int mm_jpake_check_confirm(const BIGNUM *,
-    const u_char *, u_int, const u_char *, u_int, const u_char *, u_int);
-
-
 /* zlib allocation hooks */
 
 void *mm_zalloc(struct mm_master *, u_int, u_int);
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 276646fa6..6ecfb93d5 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.54 2013/12/07 01:37:54 djm Exp $
+# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o
+OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
 
 COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
 
diff --git a/openbsd-compat/bsd-poll.c b/openbsd-compat/bsd-poll.c
index c7ef82776..73a852480 100644
--- a/openbsd-compat/bsd-poll.c
+++ b/openbsd-compat/bsd-poll.c
@@ -1,4 +1,4 @@
-/* $Id: bsd-poll.c,v 1.5 2013/11/08 10:12:58 dtucker Exp $ */
+/* $Id: bsd-poll.c,v 1.6 2014/02/05 23:44:13 dtucker Exp $ */
 
 /*
  * Copyright (c) 2004, 2005, 2007 Darren Tucker (dtucker at zip com au).
@@ -109,12 +109,9 @@ poll(struct pollfd *fds, nfds_t nfds, int timeout)
         }
 
 out:
-        if (readfds != NULL)
-                free(readfds);
-        if (writefds != NULL)
-                free(writefds);
-        if (exceptfds != NULL)
-                free(exceptfds);
+        free(readfds);
+        free(writefds);
+        free(exceptfds);
         if (ret == -1)
                 errno = saved_errno;
         return ret;
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
new file mode 100644
index 000000000..b106741e5
--- /dev/null
+++ b/openbsd-compat/explicit_bzero.c
@@ -0,0 +1,20 @@
+/* OPENBSD ORIGINAL: lib/libc/string/explicit_bzero.c */
+/*      $OpenBSD: explicit_bzero.c,v 1.1 2014/01/22 21:06:45 tedu Exp $ */
+/*
+ * Public domain.
+ * Written by Ted Unangst
+ */
+
+#include "includes.h"
+
+#ifndef HAVE_EXPLICIT_BZERO
+
+/*
+ * explicit_bzero - don't let the compiler optimize away bzero
+ */
+void
+explicit_bzero(void *p, size_t n)
+{
+        bzero(p, n);
+}
+#endif
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index f34619e4a..bc9888e31 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.60 2013/12/07 00:51:54 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -246,6 +246,10 @@ int	bcrypt_pbkdf(const char *, size_t, const u_int8_t *, size_t,
     u_int8_t *, size_t, unsigned int);
 #endif
 
+#ifndef HAVE_EXPLICIT_BZERO
+void explicit_bzero(void *p, size_t n);
+#endif
+
 void *xmmap(size_t size);
 char *xcrypt(const char *password, const char *salt);
 char *shadow_pw(struct passwd *pw);
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 60eac4b17..885c121f2 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.c,v 1.16 2014/01/17 07:00:41 dtucker Exp $ */
+/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -96,6 +96,14 @@ ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
 }
 #endif
 
+#ifndef HAVE_EVP_MD_CTX_COPY_EX
+int
+EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
+{
+        return EVP_MD_CTX_copy(out, in);
+}
+#endif
+
 #ifndef HAVE_BN_IS_PRIME_EX
 int
 BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb)
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 021ea98f5..276b9706d 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.25 2014/01/17 06:32:31 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -156,6 +156,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *);
 int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
 # endif
 
+# ifndef EVP_MD_CTX_COPY_EX
+int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
+# endif
+
 int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
     unsigned char *, int);
 int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
diff --git a/packet.c b/packet.c
index 6cf7edbb8..54c0558f9 100644
--- a/packet.c
+++ b/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.191 2013/12/06 13:34:54 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.192 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -764,9 +764,9 @@ set_newkeys(int mode)
                 mac  = &active_state->newkeys[mode]->mac;
                 comp = &active_state->newkeys[mode]->comp;
                 mac_clear(mac);
-                memset(enc->iv,  0, enc->iv_len);
-                memset(enc->key, 0, enc->key_len);
-                memset(mac->key, 0, mac->key_len);
+                explicit_bzero(enc->iv,  enc->iv_len);
+                explicit_bzero(enc->key, enc->key_len);
+                explicit_bzero(mac->key, mac->key_len);
                 free(enc->name);
                 free(enc->iv);
                 free(enc->key);
@@ -787,9 +787,9 @@ set_newkeys(int mode)
         cipher_init(cc, enc->cipher, enc->key, enc->key_len,
             enc->iv, enc->iv_len, crypt_type);
         /* Deleting the keys does not gain extra security */
-        /* memset(enc->iv,  0, enc->block_size);
-           memset(enc->key, 0, enc->key_len);
-           memset(mac->key, 0, mac->key_len); */
+        /* explicit_bzero(enc->iv,  enc->block_size);
+           explicit_bzero(enc->key, enc->key_len);
+           explicit_bzero(mac->key, mac->key_len); */
         if ((comp->type == COMP_ZLIB ||
             (comp->type == COMP_DELAYED &&
              active_state->after_authentication)) && comp->enabled == 0) {
@@ -928,7 +928,7 @@ packet_send2_wrapped(void)
                 }
         } else {
                 /* clear padding */
-                memset(cp, 0, padlen);
+                explicit_bzero(cp, padlen);
         }
         /* sizeof (packet_len + pad_len + payload + padding) */
         len = buffer_len(&active_state->outgoing_packet);
diff --git a/readconf.c b/readconf.c
index 6ac8beae0..5429fc2ad 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.215 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: readconf.c,v 1.218 2014/02/23 20:11:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -22,6 +22,7 @@
 #include <netinet/in.h>
 #include <netinet/in_systm.h>
 #include <netinet/ip.h>
+#include <arpa/inet.h>
 
 #include <ctype.h>
 #include <errno.h>
@@ -148,7 +149,7 @@ typedef enum {
         oSendEnv, oControlPath, oControlMaster, oControlPersist,
         oHashKnownHosts,
         oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
-        oVisualHostKey, oUseRoaming, oZeroKnowledgePasswordAuthentication,
+        oVisualHostKey, oUseRoaming,
         oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
         oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
         oCanonicalizeFallbackLocal, oCanonicalizePermittedCNAMEs,
@@ -266,12 +267,6 @@ static struct {
         { "permitlocalcommand", oPermitLocalCommand },
         { "visualhostkey", oVisualHostKey },
         { "useroaming", oUseRoaming },
-#ifdef JPAKE
-        { "zeroknowledgepasswordauthentication",
-            oZeroKnowledgePasswordAuthentication },
-#else
-        { "zeroknowledgepasswordauthentication", oUnsupported },
-#endif
         { "kexalgorithms", oKexAlgorithms },
         { "ipqos", oIPQoS },
         { "requesttty", oRequestTTY },
@@ -559,16 +554,27 @@ match_cfg_line(Options *options, char **condition, struct passwd *pw,
                             "r", ruser,
                             "u", pw->pw_name,
                             (char *)NULL);
-                        r = execute_in_shell(cmd);
-                        if (r == -1) {
-                                fatal("%.200s line %d: match exec '%.100s' "
-                                    "error", filename, linenum, cmd);
-                        } else if (r == 0) {
-                                debug("%.200s line %d: matched "
-                                    "'exec \"%.100s\"' ",
+                        if (result != 1) {
+                                /* skip execution if prior predicate failed */
+                                debug("%.200s line %d: skipped exec \"%.100s\"",
                                     filename, linenum, cmd);
-                        } else
-                                result = 0;
+                        } else {
+                                r = execute_in_shell(cmd);
+                                if (r == -1) {
+                                        fatal("%.200s line %d: match exec "
+                                            "'%.100s' error", filename,
+                                            linenum, cmd);
+                                } else if (r == 0) {
+                                        debug("%.200s line %d: matched "
+                                            "'exec \"%.100s\"'", filename,
+                                            linenum, cmd);
+                                } else {
+                                        debug("%.200s line %d: no match "
+                                            "'exec \"%.100s\"'", filename,
+                                            linenum, cmd);
+                                        result = 0;
+                                }
+                        }
                         free(cmd);
                 } else {
                         error("Unsupported Match attribute %s", attrib);
@@ -820,10 +826,6 @@ parse_time:
                 intptr = &options->password_authentication;
                 goto parse_flag;
 
-        case oZeroKnowledgePasswordAuthentication:
-                intptr = &options->zero_knowledge_password_authentication;
-                goto parse_flag;
-
         case oKbdInteractiveAuthentication:
                 intptr = &options->kbd_interactive_authentication;
                 goto parse_flag;
@@ -1503,6 +1505,13 @@ read_config_file(const char *filename, struct passwd *pw, const char *host,
         return 1;
 }
 
+/* Returns 1 if a string option is unset or set to "none" or 0 otherwise. */
+int
+option_clear_or_none(const char *o)
+{
+        return o == NULL || strcasecmp(o, "none") == 0;
+}
+
 /*
  * Initializes options to special values that indicate that they have not yet
  * been set.  Read_config_file will only set options with this value. Options
@@ -1592,7 +1601,6 @@ initialize_options(Options * options)
         options->permit_local_command = -1;
         options->use_roaming = -1;
         options->visual_host_key = -1;
-        options->zero_knowledge_password_authentication = -1;
         options->ip_qos_interactive = -1;
         options->ip_qos_bulk = -1;
         options->request_tty = -1;
@@ -1606,10 +1614,24 @@ initialize_options(Options * options)
 }
 
 /*
+ * A petite version of fill_default_options() that just fills the options
+ * needed for hostname canonicalization to proceed.
+ */
+void
+fill_default_options_for_canonicalization(Options *options)
+{
+        if (options->canonicalize_max_dots == -1)
+                options->canonicalize_max_dots = 1;
+        if (options->canonicalize_fallback_local == -1)
+                options->canonicalize_fallback_local = 1;
+        if (options->canonicalize_hostname == -1)
+                options->canonicalize_hostname = SSH_CANONICALISE_NO;
+}
+
+/*
  * Called after processing other sources of option data, this fills those
  * options for which no value has been specified with their default values.
  */
-
 void
 fill_default_options(Options * options)
 {
@@ -1759,8 +1781,6 @@ fill_default_options(Options * options)
                 options->use_roaming = 1;
         if (options->visual_host_key == -1)
                 options->visual_host_key = 0;
-        if (options->zero_knowledge_password_authentication == -1)
-                options->zero_knowledge_password_authentication = 0;
         if (options->ip_qos_interactive == -1)
                 options->ip_qos_interactive = IPTOS_LOWDELAY;
         if (options->ip_qos_bulk == -1)
@@ -1777,7 +1797,7 @@ fill_default_options(Options * options)
                 options->canonicalize_hostname = SSH_CANONICALISE_NO;
 #define CLEAR_ON_NONE(v) \
         do { \
-                if (v != NULL && strcasecmp(v, "none") == 0) { \
+                if (option_clear_or_none(v)) { \
                         free(v); \
                         v = NULL; \
                 } \
diff --git a/readconf.h b/readconf.h
index 826c6767b..5cc97f0da 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.99 2013/10/16 22:49:38 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.101 2014/02/23 20:11:36 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -64,7 +64,6 @@ typedef struct {
                                                  * authentication. */
         int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
         char    *kbd_interactive_devices; /* Keyboard-interactive auth devices. */
-        int     zero_knowledge_password_authentication; /* Try jpake */
         int     batch_mode;     /* Batch mode: do not ask for passwords. */
         int     check_host_ip;  /* Also keep track of keys for IP address */
         int     strict_host_key_checking;       /* Strict host key checking. */
@@ -182,12 +181,14 @@ typedef struct {
 
 void     initialize_options(Options *);
 void     fill_default_options(Options *);
+void     fill_default_options_for_canonicalization(Options *);
 int      process_config_line(Options *, struct passwd *, const char *, char *,
     const char *, int, int *, int);
 int      read_config_file(const char *, struct passwd *, const char *,
     Options *, int);
 int      parse_forward(Forward *, const char *, int, int);
 int      default_ssh_port(void);
+int      option_clear_or_none(const char *);
 
 void     add_local_forward(Options *, const Forward *);
 void     add_remote_forward(Options *, const Forward *);
diff --git a/readpass.c b/readpass.c
index e37d31158..869d86425 100644
--- a/readpass.c
+++ b/readpass.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readpass.c,v 1.49 2013/05/17 00:13:14 djm Exp $ */
+/* $OpenBSD: readpass.c,v 1.50 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -99,13 +99,13 @@ ssh_askpass(char *askpass, const char *msg)
                         break;
         signal(SIGCHLD, osigchld);
         if (ret == -1 || !WIFEXITED(status) || WEXITSTATUS(status) != 0) {
-                memset(buf, 0, sizeof(buf));
+                explicit_bzero(buf, sizeof(buf));
                 return NULL;
         }
 
         buf[strcspn(buf, "\r\n")] = '\0';
         pass = xstrdup(buf);
-        memset(buf, 0, sizeof(buf));
+        explicit_bzero(buf, sizeof(buf));
         return pass;
 }
 
@@ -162,7 +162,7 @@ read_passphrase(const char *prompt, int flags)
         }
 
         ret = xstrdup(buf);
-        memset(buf, 'x', sizeof buf);
+        explicit_bzero(buf, sizeof(buf));
         return ret;
 }
 
diff --git a/regress/Makefile b/regress/Makefile
index 0c66b1774..6e3b8d634 100644
--- a/regress/Makefile
+++ b/regress/Makefile
@@ -1,4 +1,4 @@
-#       $OpenBSD: Makefile,v 1.67 2013/12/06 13:52:46 markus Exp $
+#       $OpenBSD: Makefile,v 1.68 2014/01/25 04:35:32 dtucker Exp $
 
 REGRESS_TARGETS=        t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t-exec
 tests:          $(REGRESS_TARGETS)
@@ -65,6 +65,7 @@ LTESTS= 	connect \
                 forward-control \
                 integrity \
                 krl
+#               dhgex \
 
 INTEROP_TESTS=  putty-transfer putty-ciphers putty-kex conch-ciphers
 #INTEROP_TESTS+=ssh-com ssh-com-client ssh-com-keygen ssh-com-sftp
diff --git a/regress/agent-ptrace.sh b/regress/agent-ptrace.sh
index ae150641f..1912ca8f9 100644
--- a/regress/agent-ptrace.sh
+++ b/regress/agent-ptrace.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent-ptrace.sh,v 1.1 2002/12/09 15:38:30 markus Exp $
+#       $OpenBSD: agent-ptrace.sh,v 1.2 2014/02/27 21:21:25 djm Exp $
 #       Placed in the Public Domain.
 
 tid="disallow agent ptrace attach"
diff --git a/regress/agent.sh b/regress/agent.sh
index cf1a45fe0..caad3c88e 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: agent.sh,v 1.9 2013/12/06 13:52:46 markus Exp $
+#       $OpenBSD: agent.sh,v 1.10 2014/02/27 21:21:25 djm Exp $
 #       Placed in the Public Domain.
 
 tid="simple agent test"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index a1318cd53..1d9e0ed8e 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: cert-hostkey.sh,v 1.8 2013/12/06 13:52:46 markus Exp $
+#       $OpenBSD: cert-hostkey.sh,v 1.9 2014/01/26 10:22:10 djm Exp $
 #       Placed in the Public Domain.
 
 tid="certified host keys"
diff --git a/regress/dhgex.sh b/regress/dhgex.sh
new file mode 100644
index 000000000..4c1a3d83c
--- /dev/null
+++ b/regress/dhgex.sh
@@ -0,0 +1,54 @@
+#       $OpenBSD: dhgex.sh,v 1.1 2014/01/25 04:35:32 dtucker Exp $
+#       Placed in the Public Domain.
+
+tid="dhgex"
+
+LOG=${TEST_SSH_LOGFILE}
+rm -f ${LOG}
+
+kexs=`${SSH} -Q kex | grep diffie-hellman-group-exchange`
+
+ssh_test_dhgex()
+{
+        bits="$1"; shift
+        cipher="$1"; shift
+        kex="$1"; shift
+
+        rm -f ${LOG}
+        opts="-oKexAlgorithms=$kex -oCiphers=$cipher"
+        groupsz="1024<$bits<8192"
+        verbose "$tid bits $bits $kex $cipher"
+        ${SSH} ${opts} $@ -vvv -F ${OBJ}/ssh_proxy somehost true
+        if [ $? -ne 0 ]; then
+                fail "ssh failed ($@)"
+        fi
+        # check what we request
+        grep "SSH2_MSG_KEX_DH_GEX_REQUEST($groupsz) sent" ${LOG} >/dev/null
+        if [ $? != 0 ]; then
+                got=`egrep "SSH2_MSG_KEX_DH_GEX_REQUEST(.*) sent" ${LOG}`
+                fail "$tid unexpected GEX sizes, expected $groupsz, got $got"
+        fi
+        # check what we got (depends on contents of system moduli file)
+        gotbits="`awk '/bits set:/{print $4}' ${LOG} | head -1 | cut -f2 -d/`"
+        if [ "$gotbits" -lt "$bits" ]; then
+                fatal "$tid expected $bits bit group, got $gotbits"
+        fi
+}
+
+check()
+{
+        bits="$1"; shift
+
+        for c in $@; do
+                for k in $kexs; do
+                        ssh_test_dhgex $bits $c $k
+                done
+        done
+}
+
+#check 2048 3des-cbc
+check 3072 `${SSH} -Q cipher | grep 128`
+check 3072 arcfour blowfish-cbc
+check 7680 `${SSH} -Q cipher | grep 192`
+check 8192 `${SSH} -Q cipher | grep 256`
+check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com
diff --git a/regress/host-expand.sh b/regress/host-expand.sh
index a0188363d..6cc0e6055 100644
--- a/regress/host-expand.sh
+++ b/regress/host-expand.sh
@@ -1,3 +1,4 @@
+#       $OpenBSD: host-expand.sh,v 1.3 2014/02/27 23:17:41 djm Exp $
 #       Placed in the Public Domain.
 
 tid="expand %h and %n"
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index d73923b9c..d9b48f391 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,9 +1,11 @@
-#       $OpenBSD: login-timeout.sh,v 1.5 2013/05/17 10:23:52 dtucker Exp $
+#       $OpenBSD: login-timeout.sh,v 1.6 2014/02/27 20:04:16 djm Exp $
 #       Placed in the Public Domain.
 
 tid="connect after login grace timeout"
 
 trace "test login grace with privsep"
+cp $OBJ/sshd_config $OBJ/sshd_config.orig
+grep -vi LoginGraceTime $OBJ/sshd_config.orig > $OBJ/sshd_config
 echo "LoginGraceTime 10s" >> $OBJ/sshd_config
 echo "MaxStartups 1" >> $OBJ/sshd_config
 start_sshd
diff --git a/regress/scp-ssh-wrapper.sh b/regress/scp-ssh-wrapper.sh
index c63bc2bc1..59f1ff63e 100644
--- a/regress/scp-ssh-wrapper.sh
+++ b/regress/scp-ssh-wrapper.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-#       $OpenBSD: scp-ssh-wrapper.sh,v 1.2 2005/12/14 04:36:39 dtucker Exp $
+#       $OpenBSD: scp-ssh-wrapper.sh,v 1.3 2014/01/26 10:49:17 djm Exp $
 #       Placed in the Public Domain.
 
 printname () {
diff --git a/regress/scp.sh b/regress/scp.sh
index c2da2a862..57cc77066 100644
--- a/regress/scp.sh
+++ b/regress/scp.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: scp.sh,v 1.9 2013/05/17 10:35:43 dtucker Exp $
+#       $OpenBSD: scp.sh,v 1.10 2014/01/26 10:49:17 djm Exp $
 #       Placed in the Public Domain.
 
 tid="scp"
diff --git a/regress/setuid-allowed.c b/regress/setuid-allowed.c
index 37b7dc8ad..676d2661c 100644
--- a/regress/setuid-allowed.c
+++ b/regress/setuid-allowed.c
@@ -23,6 +23,7 @@
 # include <sys/statvfs.h>
 #endif
 #include <stdio.h>
+#include <string.h>
 #include <errno.h>
 
 void
diff --git a/regress/sftp-chroot.sh b/regress/sftp-chroot.sh
index 03b9bc6d7..23f7456e8 100644
--- a/regress/sftp-chroot.sh
+++ b/regress/sftp-chroot.sh
@@ -1,4 +1,4 @@
-#       $OpenBSD: sftp-chroot.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $
+#       $OpenBSD: sftp-chroot.sh,v 1.4 2014/01/20 00:00:30 dtucker Exp $
 #       Placed in the Public Domain.
 
 tid="sftp in chroot"
@@ -18,7 +18,8 @@ $SUDO sh -c "echo mekmitastdigoat > $PRIVDATA" || \
 start_sshd -oChrootDirectory=$CHROOT -oForceCommand="internal-sftp -d /"
 
 verbose "test $tid: get"
-${SFTP} -qS "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY || \
+${SFTP} -S "$SSH" -F $OBJ/ssh_config host:/${FILENAME} $COPY \
+    >>$TEST_REGRESS_LOGFILE 2>&1 || \
         fatal "Fetch ${FILENAME} failed"
 cmp $PRIVDATA $COPY || fail "$PRIVDATA $COPY differ"
 
diff --git a/rsa.c b/rsa.c
index a9ee6b0ed..d0b5bbf5e 100644
--- a/rsa.c
+++ b/rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: rsa.c,v 1.30 2013/05/17 00:13:14 djm Exp $ */
+/* $OpenBSD: rsa.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -94,8 +94,8 @@ rsa_public_encrypt(BIGNUM *out, BIGNUM *in, RSA *key)
         if (BN_bin2bn(outbuf, len, out) == NULL)
                 fatal("rsa_public_encrypt: BN_bin2bn failed");
 
-        memset(outbuf, 0, olen);
-        memset(inbuf, 0, ilen);
+        explicit_bzero(outbuf, olen);
+        explicit_bzero(inbuf, ilen);
         free(outbuf);
         free(inbuf);
 }
@@ -120,8 +120,8 @@ rsa_private_decrypt(BIGNUM *out, BIGNUM *in, RSA *key)
                 if (BN_bin2bn(outbuf, len, out) == NULL)
                         fatal("rsa_private_decrypt: BN_bin2bn failed");
         }
-        memset(outbuf, 0, olen);
-        memset(inbuf, 0, ilen);
+        explicit_bzero(outbuf, olen);
+        explicit_bzero(inbuf, ilen);
         free(outbuf);
         free(inbuf);
         return len;
diff --git a/sandbox-capsicum.c b/sandbox-capsicum.c
index ee2a7e79e..655f0d217 100644
--- a/sandbox-capsicum.c
+++ b/sandbox-capsicum.c
@@ -94,10 +94,12 @@ ssh_sandbox_child(struct ssh_sandbox *box)
                 fatal("can't limit stderr: %m");
 
         cap_rights_init(&rights, CAP_READ, CAP_WRITE);
-        if (cap_rights_limit(box->monitor->m_recvfd, &rights) == -1)
+        if (cap_rights_limit(box->monitor->m_recvfd, &rights) < 0 &&
+            errno != ENOSYS)
                 fatal("%s: failed to limit the network socket", __func__);
         cap_rights_init(&rights, CAP_WRITE);
-        if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) == -1)
+        if (cap_rights_limit(box->monitor->m_log_sendfd, &rights) < 0 &&
+            errno != ENOSYS)
                 fatal("%s: failed to limit the logging socket", __func__);
         if (cap_enter() < 0 && errno != ENOSYS)
                 fatal("%s: failed to enter capability mode", __func__);
diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
index 2f73067e1..c0c17c2fc 100644
--- a/sandbox-seccomp-filter.c
+++ b/sandbox-seccomp-filter.c
@@ -98,6 +98,9 @@ static const struct sock_filter preauth_insns[] = {
         SC_ALLOW(read),
         SC_ALLOW(write),
         SC_ALLOW(close),
+#ifdef __NR_shutdown /* not defined on archs that go via socketcall(2) */
+        SC_ALLOW(shutdown),
+#endif
         SC_ALLOW(brk),
         SC_ALLOW(poll),
 #ifdef __NR__newselect
diff --git a/sandbox-systrace.c b/sandbox-systrace.c
index 53fbd47cb..6706c9a80 100644
--- a/sandbox-systrace.c
+++ b/sandbox-systrace.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sandbox-systrace.c,v 1.7 2013/06/01 13:15:52 dtucker Exp $ */
+/* $OpenBSD: sandbox-systrace.c,v 1.9 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Copyright (c) 2011 Damien Miller <djm@mindrot.org>
  *
@@ -66,6 +66,7 @@ static const struct sandbox_policy preauth_policy[] = {
         { SYS_munmap, SYSTR_POLICY_PERMIT },
         { SYS_read, SYSTR_POLICY_PERMIT },
         { SYS_select, SYSTR_POLICY_PERMIT },
+        { SYS_shutdown, SYSTR_POLICY_PERMIT },
         { SYS_sigprocmask, SYSTR_POLICY_PERMIT },
         { SYS_write, SYSTR_POLICY_PERMIT },
         { -1, -1 }
@@ -141,7 +142,7 @@ ssh_sandbox_parent(struct ssh_sandbox *box, pid_t child_pid,
                     box->systrace_fd, child_pid, strerror(errno));
 
         /* Allocate and assign policy */
-        bzero(&policy, sizeof(policy));
+        memset(&policy, 0, sizeof(policy));
         policy.strp_op = SYSTR_POLICY_NEW;
         policy.strp_maxents = SYS_MAXSYSCALL;
         if (ioctl(box->systrace_fd, STRIOCPOLICY, &policy) == -1)
diff --git a/schnorr.c b/schnorr.c
deleted file mode 100644
index aa3a57770..000000000
--- a/schnorr.c
+++ /dev/null
@@ -1,668 +0,0 @@
-/* $OpenBSD: schnorr.c,v 1.9 2014/01/09 23:20:00 djm Exp $ */
-/*
- * Copyright (c) 2008 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-/*
- * Implementation of Schnorr signatures / zero-knowledge proofs, based on
- * description in:
- *      
- * F. Hao, P. Ryan, "Password Authenticated Key Exchange by Juggling",
- * 16th Workshop on Security Protocols, Cambridge, April 2008
- *
- * http://grouper.ieee.org/groups/1363/Research/contributions/hao-ryan-2008.pdf
- */
-
-#include "includes.h"
-
-#include <sys/types.h>
-
-#include <string.h>
-#include <stdarg.h>
-#include <stdio.h>
-
-#include <openssl/evp.h>
-#include <openssl/bn.h>
-
-#include "xmalloc.h"
-#include "buffer.h"
-#include "log.h"
-
-#include "schnorr.h"
-#include "digest.h"
-
-#include "openbsd-compat/openssl-compat.h"
-
-/* #define SCHNORR_DEBUG */             /* Privacy-violating debugging */
-/* #define SCHNORR_MAIN */              /* Include main() selftest */
-
-#ifndef SCHNORR_DEBUG
-# define SCHNORR_DEBUG_BN(a)
-# define SCHNORR_DEBUG_BUF(a)
-#else
-# define SCHNORR_DEBUG_BN(a)    debug3_bn a
-# define SCHNORR_DEBUG_BUF(a)   debug3_buf a
-#endif /* SCHNORR_DEBUG */
-
-/*
- * Calculate hash component of Schnorr signature H(g || g^v || g^x || id)
- * using the hash function defined by "hash_alg". Returns signature as
- * bignum or NULL on error.
- */
-static BIGNUM *
-schnorr_hash(const BIGNUM *p, const BIGNUM *q, const BIGNUM *g,
-    int hash_alg, const BIGNUM *g_v, const BIGNUM *g_x,
-    const u_char *id, u_int idlen)
-{
-        u_char *digest;
-        u_int digest_len;
-        BIGNUM *h;
-        Buffer b;
-        int success = -1;
-
-        if ((h = BN_new()) == NULL) {
-                error("%s: BN_new", __func__);
-                return NULL;
-        }
-
-        buffer_init(&b);
-
-        /* h = H(g || p || q || g^v || g^x || id) */
-        buffer_put_bignum2(&b, g);
-        buffer_put_bignum2(&b, p);
-        buffer_put_bignum2(&b, q);
-        buffer_put_bignum2(&b, g_v);
-        buffer_put_bignum2(&b, g_x);
-        buffer_put_string(&b, id, idlen);
-
-        SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
-            "%s: hashblob", __func__));
-        if (hash_buffer(buffer_ptr(&b), buffer_len(&b), hash_alg,
-            &digest, &digest_len) != 0) {
-                error("%s: hash_buffer", __func__);
-                goto out;
-        }
-        if (BN_bin2bn(digest, (int)digest_len, h) == NULL) {
-                error("%s: BN_bin2bn", __func__);
-                goto out;
-        }
-        success = 0;
-        SCHNORR_DEBUG_BN((h, "%s: h = ", __func__));
- out:
-        buffer_free(&b);
-        bzero(digest, digest_len);
-        free(digest);
-        digest_len = 0;
-        if (success == 0)
-                return h;
-        BN_clear_free(h);
-        return NULL;
-}
-
-/*
- * Generate Schnorr signature to prove knowledge of private value 'x' used
- * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
- * using the hash function "hash_alg".
- * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
- * replay salt.
- * 
- * On success, 0 is returned. The signature values are returned as *e_p
- * (g^v mod p) and *r_p (v - xh mod q). The caller must free these values.
- * On failure, -1 is returned.
- */
-int
-schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
-    int hash_alg, const BIGNUM *x, const BIGNUM *g_x,
-    const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p)
-{
-        int success = -1;
-        BIGNUM *h, *tmp, *v, *g_v, *r;
-        BN_CTX *bn_ctx;
-
-        SCHNORR_DEBUG_BN((x, "%s: x = ", __func__));
-        SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
-
-        /* Avoid degenerate cases: g^0 yields a spoofable signature */
-        if (BN_cmp(g_x, BN_value_one()) <= 0) {
-                error("%s: g_x < 1", __func__);
-                return -1;
-        }
-        if (BN_cmp(g_x, grp_p) >= 0) {
-                error("%s: g_x > g", __func__);
-                return -1;
-        }
-
-        h = g_v = r = tmp = v = NULL;
-        if ((bn_ctx = BN_CTX_new()) == NULL) {
-                error("%s: BN_CTX_new", __func__);
-                goto out;
-        }
-        if ((g_v = BN_new()) == NULL ||
-            (r = BN_new()) == NULL ||
-            (tmp = BN_new()) == NULL) {
-                error("%s: BN_new", __func__);
-                goto out;
-        }
-
-        /*
-         * v must be a random element of Zq, so 1 <= v < q
-         * we also exclude v = 1, since g^1 looks dangerous
-         */
-        if ((v = bn_rand_range_gt_one(grp_p)) == NULL) {
-                error("%s: bn_rand_range2", __func__);
-                goto out;
-        }
-        SCHNORR_DEBUG_BN((v, "%s: v = ", __func__));
-
-        /* g_v = g^v mod p */
-        if (BN_mod_exp(g_v, grp_g, v, grp_p, bn_ctx) == -1) {
-                error("%s: BN_mod_exp (g^v mod p)", __func__);
-                goto out;
-        }
-        SCHNORR_DEBUG_BN((g_v, "%s: g_v = ", __func__));
-
-        /* h = H(g || g^v || g^x || id) */
-        if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, g_v, g_x,
-            id, idlen)) == NULL) {
-                error("%s: schnorr_hash failed", __func__);
-                goto out;
-        }
-
-        /* r = v - xh mod q */
-        if (BN_mod_mul(tmp, x, h, grp_q, bn_ctx) == -1) {
-                error("%s: BN_mod_mul (tmp = xv mod q)", __func__);
-                goto out;
-        }
-        if (BN_mod_sub(r, v, tmp, grp_q, bn_ctx) == -1) {
-                error("%s: BN_mod_mul (r = v - tmp)", __func__);
-                goto out;
-        }
-        SCHNORR_DEBUG_BN((g_v, "%s: e = ", __func__));
-        SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
-
-        *e_p = g_v;
-        *r_p = r;
-
-        success = 0;
- out:
-        BN_CTX_free(bn_ctx);
-        if (h != NULL)
-                BN_clear_free(h);
-        if (v != NULL)
-                BN_clear_free(v);
-        BN_clear_free(tmp);
-
-        return success;
-}
-
-/*
- * Generate Schnorr signature to prove knowledge of private value 'x' used
- * in public exponent g^x, under group defined by 'grp_p', 'grp_q' and 'grp_g'
- * using a SHA256 hash.
- * 'idlen' bytes from 'id' will be included in the signature hash as an anti-
- * replay salt.
- * On success, 0 is returned and *siglen bytes of signature are returned in
- * *sig (caller to free). Returns -1 on failure.
- */
-int
-schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
-    const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
-    u_char **sig, u_int *siglen)
-{
-        Buffer b;
-        BIGNUM *r, *e;
-
-        if (schnorr_sign(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256,
-            x, g_x, id, idlen, &r, &e) != 0)
-                return -1;
-
-        /* Signature is (e, r) */
-        buffer_init(&b);
-        /* XXX sigtype-hash as string? */
-        buffer_put_bignum2(&b, e);
-        buffer_put_bignum2(&b, r);
-        *siglen = buffer_len(&b);
-        *sig = xmalloc(*siglen);
-        memcpy(*sig, buffer_ptr(&b), *siglen);
-        SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
-            "%s: sigblob", __func__));
-        buffer_free(&b);
-
-        BN_clear_free(r);
-        BN_clear_free(e);
-
-        return 0;
-}
-
-/*
- * Verify Schnorr signature { r (v - xh mod q), e (g^v mod p) } against
- * public exponent g_x (g^x) under group defined by 'grp_p', 'grp_q' and
- * 'grp_g' using hash "hash_alg".
- * Signature hash will be salted with 'idlen' bytes from 'id'.
- * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
- */
-int
-schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
-    int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen,
-    const BIGNUM *r, const BIGNUM *e)
-{
-        int success = -1;
-        BIGNUM *h = NULL, *g_xh = NULL, *g_r = NULL, *gx_q = NULL;
-        BIGNUM *expected = NULL;
-        BN_CTX *bn_ctx;
-
-        SCHNORR_DEBUG_BN((g_x, "%s: g_x = ", __func__));
-
-        /* Avoid degenerate cases: g^0 yields a spoofable signature */
-        if (BN_cmp(g_x, BN_value_one()) <= 0) {
-                error("%s: g_x <= 1", __func__);
-                return -1;
-        }
-        if (BN_cmp(g_x, grp_p) >= 0) {
-                error("%s: g_x >= p", __func__);
-                return -1;
-        }
-
-        h = g_xh = g_r = expected = NULL;
-        if ((bn_ctx = BN_CTX_new()) == NULL) {
-                error("%s: BN_CTX_new", __func__);
-                goto out;
-        }
-        if ((g_xh = BN_new()) == NULL ||
-            (g_r = BN_new()) == NULL ||
-            (gx_q = BN_new()) == NULL ||
-            (expected = BN_new()) == NULL) {
-                error("%s: BN_new", __func__);
-                goto out;
-        }
-
-        SCHNORR_DEBUG_BN((e, "%s: e = ", __func__));
-        SCHNORR_DEBUG_BN((r, "%s: r = ", __func__));
-
-        /* gx_q = (g^x)^q must === 1 mod p */
-        if (BN_mod_exp(gx_q, g_x, grp_q, grp_p, bn_ctx) == -1) {
-                error("%s: BN_mod_exp (g_x^q mod p)", __func__);
-                goto out;
-        }
-        if (BN_cmp(gx_q, BN_value_one()) != 0) {
-                error("%s: Invalid signature (g^x)^q != 1 mod p", __func__);
-                goto out;
-        }
-
-        SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
-        /* h = H(g || g^v || g^x || id) */
-        if ((h = schnorr_hash(grp_p, grp_q, grp_g, hash_alg, e, g_x,
-            id, idlen)) == NULL) {
-                error("%s: schnorr_hash failed", __func__);
-                goto out;
-        }
-
-        /* g_xh = (g^x)^h */
-        if (BN_mod_exp(g_xh, g_x, h, grp_p, bn_ctx) == -1) {
-                error("%s: BN_mod_exp (g_x^h mod p)", __func__);
-                goto out;
-        }
-        SCHNORR_DEBUG_BN((g_xh, "%s: g_xh = ", __func__));
-
-        /* g_r = g^r */
-        if (BN_mod_exp(g_r, grp_g, r, grp_p, bn_ctx) == -1) {
-                error("%s: BN_mod_exp (g_x^h mod p)", __func__);
-                goto out;
-        }
-        SCHNORR_DEBUG_BN((g_r, "%s: g_r = ", __func__));
-
-        /* expected = g^r * g_xh */
-        if (BN_mod_mul(expected, g_r, g_xh, grp_p, bn_ctx) == -1) {
-                error("%s: BN_mod_mul (expected = g_r mod p)", __func__);
-                goto out;
-        }
-        SCHNORR_DEBUG_BN((expected, "%s: expected = ", __func__));
-
-        /* Check e == expected */
-        success = BN_cmp(expected, e) == 0;
- out:
-        BN_CTX_free(bn_ctx);
-        if (h != NULL)
-                BN_clear_free(h);
-        if (gx_q != NULL)
-                BN_clear_free(gx_q);
-        if (g_xh != NULL)
-                BN_clear_free(g_xh);
-        if (g_r != NULL)
-                BN_clear_free(g_r);
-        if (expected != NULL)
-                BN_clear_free(expected);
-        return success;
-}
-
-/*
- * Verify Schnorr signature 'sig' of length 'siglen' against public exponent
- * g_x (g^x) under group defined by 'grp_p', 'grp_q' and 'grp_g' using a
- * SHA256 hash.
- * Signature hash will be salted with 'idlen' bytes from 'id'.
- * Returns -1 on failure, 0 on incorrect signature or 1 on matching signature.
- */
-int
-schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
-    const BIGNUM *grp_g,
-    const BIGNUM *g_x, const u_char *id, u_int idlen,
-    const u_char *sig, u_int siglen)
-{
-        Buffer b;
-        int ret = -1;
-        u_int rlen;
-        BIGNUM *r, *e;
-
-        e = r = NULL;
-        if ((e = BN_new()) == NULL ||
-            (r = BN_new()) == NULL) {
-                error("%s: BN_new", __func__);
-                goto out;
-        }
-
-        /* Extract g^v and r from signature blob */
-        buffer_init(&b);
-        buffer_append(&b, sig, siglen);
-        SCHNORR_DEBUG_BUF((buffer_ptr(&b), buffer_len(&b),
-            "%s: sigblob", __func__));
-        buffer_get_bignum2(&b, e);
-        buffer_get_bignum2(&b, r);
-        rlen = buffer_len(&b);
-        buffer_free(&b);
-        if (rlen != 0) {
-                error("%s: remaining bytes in signature %d", __func__, rlen);
-                goto out;
-        }
-
-        ret = schnorr_verify(grp_p, grp_q, grp_g, SSH_DIGEST_SHA256,
-            g_x, id, idlen, r, e);
- out:
-        BN_clear_free(e);
-        BN_clear_free(r);
-
-        return ret;
-}
-
-/* Helper functions */
-
-/*
- * Generate uniformly distributed random number in range (1, high).
- * Return number on success, NULL on failure.
- */
-BIGNUM *
-bn_rand_range_gt_one(const BIGNUM *high)
-{
-        BIGNUM *r, *tmp;
-        int success = -1;
-
-        if ((tmp = BN_new()) == NULL) {
-                error("%s: BN_new", __func__);
-                return NULL;
-        }
-        if ((r = BN_new()) == NULL) {
-                error("%s: BN_new failed", __func__);
-                goto out;
-        }
-        if (BN_set_word(tmp, 2) != 1) {
-                error("%s: BN_set_word(tmp, 2)", __func__);
-                goto out;
-        }
-        if (BN_sub(tmp, high, tmp) == -1) {
-                error("%s: BN_sub failed (tmp = high - 2)", __func__);
-                goto out;
-        }
-        if (BN_rand_range(r, tmp) == -1) {
-                error("%s: BN_rand_range failed", __func__);
-                goto out;
-        }
-        if (BN_set_word(tmp, 2) != 1) {
-                error("%s: BN_set_word(tmp, 2)", __func__);
-                goto out;
-        }
-        if (BN_add(r, r, tmp) == -1) {
-                error("%s: BN_add failed (r = r + 2)", __func__);
-                goto out;
-        }
-        success = 0;
- out:
-        BN_clear_free(tmp);
-        if (success == 0)
-                return r;
-        BN_clear_free(r);
-        return NULL;
-}
-
-/* XXX convert all callers of this to use ssh_digest_memory() directly */
-/*
- * Hash contents of buffer 'b' with hash 'md'. Returns 0 on success,
- * with digest via 'digestp' (caller to free) and length via 'lenp'.
- * Returns -1 on failure.
- */
-int
-hash_buffer(const u_char *buf, u_int len, int hash_alg,
-    u_char **digestp, u_int *lenp)
-{
-        u_char digest[SSH_DIGEST_MAX_LENGTH];
-        u_int digest_len = ssh_digest_bytes(hash_alg);
-
-        if (digest_len == 0) {
-                error("%s: invalid hash", __func__);
-                return -1;
-        }
-        if (ssh_digest_memory(hash_alg, buf, len, digest, digest_len) != 0) {
-                error("%s: digest_memory failed", __func__);
-                return -1;
-        }
-        *digestp = xmalloc(digest_len);
-        *lenp = digest_len;
-        memcpy(*digestp, digest, *lenp);
-        bzero(digest, sizeof(digest));
-        digest_len = 0;
-        return 0;
-}
-
-/* print formatted string followed by bignum */
-void
-debug3_bn(const BIGNUM *n, const char *fmt, ...)
-{
-        char *out, *h;
-        va_list args;
-        int ret;
-
-        out = NULL;
-        va_start(args, fmt);
-        ret = vasprintf(&out, fmt, args);
-        va_end(args);
-        if (ret == -1 || out == NULL)
-                fatal("%s: vasprintf failed", __func__);
-
-        if (n == NULL)
-                debug3("%s(null)", out);
-        else {
-                h = BN_bn2hex(n);
-                debug3("%s0x%s", out, h);
-                free(h);
-        }
-        free(out);
-}
-
-/* print formatted string followed by buffer contents in hex */
-void
-debug3_buf(const u_char *buf, u_int len, const char *fmt, ...)
-{
-        char *out, h[65];
-        u_int i, j;
-        va_list args;
-        int ret;
-
-        out = NULL;
-        va_start(args, fmt);
-        ret = vasprintf(&out, fmt, args);
-        va_end(args);
-        if (ret == -1 || out == NULL)
-                fatal("%s: vasprintf failed", __func__);
-
-        debug3("%s length %u%s", out, len, buf == NULL ? " (null)" : "");
-        free(out);
-        if (buf == NULL)
-                return;
-
-        *h = '\0';
-        for (i = j = 0; i < len; i++) {
-                snprintf(h + j, sizeof(h) - j, "%02x", buf[i]);
-                j += 2;
-                if (j >= sizeof(h) - 1 || i == len - 1) {
-                        debug3("    %s", h);
-                        *h = '\0';
-                        j = 0;
-                }
-        }
-}
-
-/*
- * Construct a MODP group from hex strings p (which must be a safe
- * prime) and g, automatically calculating subgroup q as (p / 2)
- */
-struct modp_group *
-modp_group_from_g_and_safe_p(const char *grp_g, const char *grp_p)
-{
-        struct modp_group *ret;
-
-        ret = xcalloc(1, sizeof(*ret));
-        ret->p = ret->q = ret->g = NULL;
-        if (BN_hex2bn(&ret->p, grp_p) == 0 ||
-            BN_hex2bn(&ret->g, grp_g) == 0)
-                fatal("%s: BN_hex2bn", __func__);
-        /* Subgroup order is p/2 (p is a safe prime) */
-        if ((ret->q = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        if (BN_rshift1(ret->q, ret->p) != 1)
-                fatal("%s: BN_rshift1", __func__);
-
-        return ret;
-}
-
-void
-modp_group_free(struct modp_group *grp)
-{
-        if (grp->g != NULL)
-                BN_clear_free(grp->g);
-        if (grp->p != NULL)
-                BN_clear_free(grp->p);
-        if (grp->q != NULL)
-                BN_clear_free(grp->q);
-        bzero(grp, sizeof(*grp));
-        free(grp);
-}
-
-/* main() function for self-test */
-
-#ifdef SCHNORR_MAIN
-static void
-schnorr_selftest_one(const BIGNUM *grp_p, const BIGNUM *grp_q,
-    const BIGNUM *grp_g, const BIGNUM *x)
-{
-        BIGNUM *g_x;
-        u_char *sig;
-        u_int siglen;
-        BN_CTX *bn_ctx;
-
-        if ((bn_ctx = BN_CTX_new()) == NULL)
-                fatal("%s: BN_CTX_new", __func__);
-        if ((g_x = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        if (BN_mod_exp(g_x, grp_g, x, grp_p, bn_ctx) == -1)
-                fatal("%s: g_x", __func__);
-        if (schnorr_sign_buf(grp_p, grp_q, grp_g, x, g_x, "junk", 4,
-            &sig, &siglen))
-                fatal("%s: schnorr_sign", __func__);
-        if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
-            sig, siglen) != 1)
-                fatal("%s: verify fail", __func__);
-        if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "JUNK", 4,
-            sig, siglen) != 0)
-                fatal("%s: verify should have failed (bad ID)", __func__);
-        sig[4] ^= 1;
-        if (schnorr_verify_buf(grp_p, grp_q, grp_g, g_x, "junk", 4,
-            sig, siglen) != 0)
-                fatal("%s: verify should have failed (bit error)", __func__);
-        free(sig);
-        BN_free(g_x);
-        BN_CTX_free(bn_ctx);
-}
-
-static void
-schnorr_selftest(void)
-{
-        BIGNUM *x;
-        struct modp_group *grp;
-        u_int i;
-        char *hh;
-
-        grp = jpake_default_group();
-        if ((x = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-        SCHNORR_DEBUG_BN((grp->p, "%s: grp->p = ", __func__));
-        SCHNORR_DEBUG_BN((grp->q, "%s: grp->q = ", __func__));
-        SCHNORR_DEBUG_BN((grp->g, "%s: grp->g = ", __func__));
-
-        /* [1, 20) */
-        for (i = 1; i < 20; i++) {
-                printf("x = %u\n", i);
-                fflush(stdout);
-                if (BN_set_word(x, i) != 1)
-                        fatal("%s: set x word", __func__);
-                schnorr_selftest_one(grp->p, grp->q, grp->g, x);
-        }
-
-        /* 100 x random [0, p) */
-        for (i = 0; i < 100; i++) {
-                if (BN_rand_range(x, grp->p) != 1)
-                        fatal("%s: BN_rand_range", __func__);
-                hh = BN_bn2hex(x);
-                printf("x = (random) 0x%s\n", hh);
-                free(hh);
-                fflush(stdout);
-                schnorr_selftest_one(grp->p, grp->q, grp->g, x);
-        }
-
-        /* [q-20, q) */
-        if (BN_set_word(x, 20) != 1)
-                fatal("%s: BN_set_word (x = 20)", __func__);
-        if (BN_sub(x, grp->q, x) != 1)
-                fatal("%s: BN_sub (q - x)", __func__);
-        for (i = 0; i < 19; i++) {
-                hh = BN_bn2hex(x);
-                printf("x = (q - %d) 0x%s\n", 20 - i, hh);
-                free(hh);
-                fflush(stdout);
-                schnorr_selftest_one(grp->p, grp->q, grp->g, x);
-                if (BN_add(x, x, BN_value_one()) != 1)
-                        fatal("%s: BN_add (x + 1)", __func__);
-        }
-        BN_free(x);
-}
-
-int
-main(int argc, char **argv)
-{
-        log_init(argv[0], SYSLOG_LEVEL_DEBUG3, SYSLOG_FACILITY_USER, 1);
-
-        schnorr_selftest();
-        return 0;
-}
-#endif
-
diff --git a/schnorr.h b/schnorr.h
deleted file mode 100644
index e2405c102..000000000
--- a/schnorr.h
+++ /dev/null
@@ -1,60 +0,0 @@
-/* $OpenBSD: schnorr.h,v 1.2 2014/01/09 23:20:00 djm Exp $ */
-/*
- * Copyright (c) 2009 Damien Miller.  All rights reserved.
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-
-#ifndef SCHNORR_H
-#define SCHNORR_H
-
-#include <sys/types.h>
-
-#include <openssl/bn.h>
-
-struct modp_group {
-        BIGNUM *p, *q, *g;
-};
-
-BIGNUM *bn_rand_range_gt_one(const BIGNUM *high);
-int hash_buffer(const u_char *, u_int, int, u_char **, u_int *);
-void debug3_bn(const BIGNUM *, const char *, ...)
-    __attribute__((__nonnull__ (2)))
-    __attribute__((format(printf, 2, 3)));
-void debug3_buf(const u_char *, u_int, const char *, ...)
-    __attribute__((__nonnull__ (3)))
-    __attribute__((format(printf, 3, 4)));
-struct modp_group *modp_group_from_g_and_safe_p(const char *, const char *);
-void modp_group_free(struct modp_group *);
-
-/* Signature and verification functions */
-int
-schnorr_sign(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
-    int hash_alg, const BIGNUM *x, const BIGNUM *g_x,
-    const u_char *id, u_int idlen, BIGNUM **r_p, BIGNUM **e_p);
-int
-schnorr_sign_buf(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
-    const BIGNUM *x, const BIGNUM *g_x, const u_char *id, u_int idlen,
-    u_char **sig, u_int *siglen);
-int
-schnorr_verify(const BIGNUM *grp_p, const BIGNUM *grp_q, const BIGNUM *grp_g,
-    int hash_alg, const BIGNUM *g_x, const u_char *id, u_int idlen,
-    const BIGNUM *r, const BIGNUM *e);
-int
-schnorr_verify_buf(const BIGNUM *grp_p, const BIGNUM *grp_q,
-    const BIGNUM *grp_g,
-    const BIGNUM *g_x, const u_char *id, u_int idlen,
-    const u_char *sig, u_int siglen);
-
-#endif /* JPAKE_H */
-
diff --git a/scp.0 b/scp.0
index ced71546b..b9eeffc4e 100644
--- a/scp.0
+++ b/scp.0
@@ -160,4 +160,4 @@ AUTHORS
      Timo Rinne <tri@iki.fi>
      Tatu Ylonen <ylo@cs.hut.fi>
 
-OpenBSD 5.4                    October 20, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    October 20, 2013                    OpenBSD 5.5
diff --git a/servconf.c b/servconf.c
index 63ff4ffbc..37fd2de6d 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.248 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.249 2014/01/29 06:18:35 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -150,7 +150,6 @@ initialize_server_options(ServerOptions *options)
         options->chroot_directory = NULL;
         options->authorized_keys_command = NULL;
         options->authorized_keys_command_user = NULL;
-        options->zero_knowledge_password_authentication = -1;
         options->revoked_keys_file = NULL;
         options->trusted_user_ca_keys = NULL;
         options->authorized_principals_file = NULL;
@@ -305,8 +304,6 @@ fill_default_server_options(ServerOptions *options)
         }
         if (options->permit_tun == -1)
                 options->permit_tun = SSH_TUNMODE_NO;
-        if (options->zero_knowledge_password_authentication == -1)
-                options->zero_knowledge_password_authentication = 0;
         if (options->ip_qos_interactive == -1)
                 options->ip_qos_interactive = IPTOS_LOWDELAY;
         if (options->ip_qos_bulk == -1)
@@ -360,7 +357,7 @@ typedef enum {
         sAcceptEnv, sPermitTunnel,
         sMatch, sPermitOpen, sForceCommand, sChrootDirectory,
         sUsePrivilegeSeparation, sAllowAgentForwarding,
-        sZeroKnowledgePasswordAuthentication, sHostCertificate,
+        sHostCertificate,
         sRevokedKeys, sTrustedUserCAKeys, sAuthorizedPrincipalsFile,
         sKexAlgorithms, sIPQoS, sVersionAddendum,
         sAuthorizedKeysCommand, sAuthorizedKeysCommandUser,
@@ -443,11 +440,6 @@ static struct {
         { "kbdinteractiveauthentication", sKbdInteractiveAuthentication, SSHCFG_ALL },
         { "challengeresponseauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL },
         { "skeyauthentication", sChallengeResponseAuthentication, SSHCFG_GLOBAL }, /* alias */
-#ifdef JPAKE
-        { "zeroknowledgepasswordauthentication", sZeroKnowledgePasswordAuthentication, SSHCFG_ALL },
-#else
-        { "zeroknowledgepasswordauthentication", sUnsupported, SSHCFG_ALL },
-#endif
         { "checkmail", sDeprecated, SSHCFG_GLOBAL },
         { "listenaddress", sListenAddress, SSHCFG_GLOBAL },
         { "addressfamily", sAddressFamily, SSHCFG_GLOBAL },
@@ -1141,10 +1133,6 @@ process_server_config_line(ServerOptions *options, char *line,
                 intptr = &options->password_authentication;
                 goto parse_flag;
 
-        case sZeroKnowledgePasswordAuthentication:
-                intptr = &options->zero_knowledge_password_authentication;
-                goto parse_flag;
-
         case sKbdInteractiveAuthentication:
                 intptr = &options->kbd_interactive_authentication;
                 goto parse_flag;
@@ -1810,7 +1798,6 @@ copy_set_server_options(ServerOptions *dst, ServerOptions *src, int preauth)
         M_CP_INTOPT(hostbased_authentication);
         M_CP_INTOPT(hostbased_uses_name_from_packet_only);
         M_CP_INTOPT(kbd_interactive_authentication);
-        M_CP_INTOPT(zero_knowledge_password_authentication);
         M_CP_INTOPT(permit_root_login);
         M_CP_INTOPT(permit_empty_passwd);
 
@@ -2056,10 +2043,6 @@ dump_config(ServerOptions *o)
         dump_cfg_fmtint(sGssStrictAcceptor, o->gss_strict_acceptor);
         dump_cfg_fmtint(sGssStoreRekey, o->gss_store_rekey);
 #endif
-#ifdef JPAKE
-        dump_cfg_fmtint(sZeroKnowledgePasswordAuthentication,
-            o->zero_knowledge_password_authentication);
-#endif
         dump_cfg_fmtint(sPasswordAuthentication, o->password_authentication);
         dump_cfg_fmtint(sKbdInteractiveAuthentication,
             o->kbd_interactive_authentication);
diff --git a/servconf.h b/servconf.h
index 98d68ceaf..dcd1c2ab8 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.111 2013/12/05 01:16:41 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.112 2014/01/29 06:18:35 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -120,8 +120,6 @@ typedef struct {
                                                  * authentication. */
         int     kbd_interactive_authentication; /* If true, permit */
         int     challenge_response_authentication;
-        int     zero_knowledge_password_authentication;
-                                        /* If true, permit jpake auth */
         int     permit_empty_passwd;    /* If false, do not permit empty
                                          * passwords. */
         int     permit_user_env;        /* If true, read ~/.ssh/environment */
diff --git a/serverloop.c b/serverloop.c
index d3079d25d..441d73b4d 100644
--- a/serverloop.c
+++ b/serverloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: serverloop.c,v 1.169 2013/12/19 00:19:12 dtucker Exp $ */
+/* $OpenBSD: serverloop.c,v 1.170 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -920,7 +920,7 @@ server_input_stdin_data(int type, u_int32_t seq, void *ctxt)
         data = packet_get_string(&data_len);
         packet_check_eom();
         buffer_append(&stdin_buffer, data, data_len);
-        memset(data, 0, data_len);
+        explicit_bzero(data, data_len);
         free(data);
 }
 
diff --git a/session.c b/session.c
index 14df2262c..9d43fc3c7 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.269 2014/01/18 09:36:26 dtucker Exp $ */
+/* $OpenBSD: session.c,v 1.270 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -979,6 +979,11 @@ child_set_env(char ***envp, u_int *envsizep, const char *name,
         u_int envsize;
         u_int i, namelen;
 
+        if (strchr(name, '=') != NULL) {
+                error("Invalid environment variable \"%.100s\"", name);
+                return;
+        }
+
         /*
          * If we're passed an uninitialized list, allocate a single null
          * entry before continuing.
@@ -1898,7 +1903,7 @@ session_unused(int id)
                 fatal("%s: insane session id %d (max %d nalloc %d)",
                     __func__, id, options.max_sessions, sessions_nalloc);
         }
-        bzero(&sessions[id], sizeof(*sessions));
+        memset(&sessions[id], 0, sizeof(*sessions));
         sessions[id].self = id;
         sessions[id].used = 0;
         sessions[id].chanid = -1;
@@ -2234,8 +2239,8 @@ session_env_req(Session *s)
         char *name, *val;
         u_int name_len, val_len, i;
 
-        name = packet_get_string(&name_len);
-        val = packet_get_string(&val_len);
+        name = packet_get_cstring(&name_len);
+        val = packet_get_cstring(&val_len);
         packet_check_eom();
 
         /* Don't set too many environment variables */
diff --git a/sftp-client.c b/sftp-client.c
index fc035f2ef..2f5907c85 100644
--- a/sftp-client.c
+++ b/sftp-client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp-client.c,v 1.113 2014/01/17 00:21:06 djm Exp $ */
+/* $OpenBSD: sftp-client.c,v 1.114 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -310,7 +310,7 @@ get_decode_statvfs(struct sftp_conn *conn, struct sftp_statvfs *st,
                     SSH2_FXP_EXTENDED_REPLY, type);
         }
 
-        bzero(st, sizeof(*st));
+        memset(st, 0, sizeof(*st));
         st->f_bsize = buffer_get_int64(&msg);
         st->f_frsize = buffer_get_int64(&msg);
         st->f_blocks = buffer_get_int64(&msg);
diff --git a/sftp-server.0 b/sftp-server.0
index 5bf8da600..ce7ddc07f 100644
--- a/sftp-server.0
+++ b/sftp-server.0
@@ -92,4 +92,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.4                    October 14, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    October 14, 2013                    OpenBSD 5.5
diff --git a/sftp.0 b/sftp.0
index 248737046..7139aac43 100644
--- a/sftp.0
+++ b/sftp.0
@@ -367,4 +367,4 @@ SEE ALSO
      T. Ylonen and S. Lehtinen, SSH File Transfer Protocol, draft-ietf-secsh-
      filexfer-00.txt, January 2001, work in progress material.
 
-OpenBSD 5.4                    October 20, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    October 20, 2013                    OpenBSD 5.5
diff --git a/ssh-add.0 b/ssh-add.0
index 8d10f7ff4..ba43fee69 100644
--- a/ssh-add.0
+++ b/ssh-add.0
@@ -120,4 +120,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.4                    December 7, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
diff --git a/ssh-add.c b/ssh-add.c
index 63ce72083..3421452af 100644
--- a/ssh-add.c
+++ b/ssh-add.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-add.c,v 1.108 2013/12/19 00:10:30 djm Exp $ */
+/* $OpenBSD: ssh-add.c,v 1.109 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -90,7 +90,7 @@ static void
 clear_pass(void)
 {
         if (pass) {
-                memset(pass, 0, strlen(pass));
+                explicit_bzero(pass, strlen(pass));
                 free(pass);
                 pass = NULL;
         }
@@ -366,7 +366,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
                         fprintf(stderr, "Passwords do not match.\n");
                         passok = 0;
                 }
-                memset(p2, 0, strlen(p2));
+                explicit_bzero(p2, strlen(p2));
                 free(p2);
         }
         if (passok && ssh_lock_agent(ac, lock, p1)) {
@@ -374,7 +374,7 @@ lock_agent(AuthenticationConnection *ac, int lock)
                 ret = 0;
         } else
                 fprintf(stderr, "Failed to %slock agent.\n", lock ? "" : "un");
-        memset(p1, 0, strlen(p1));
+        explicit_bzero(p1, strlen(p1));
         free(p1);
         return (ret);
 }
diff --git a/ssh-agent.0 b/ssh-agent.0
index c4c53ef94..c11523db3 100644
--- a/ssh-agent.0
+++ b/ssh-agent.0
@@ -125,4 +125,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.4                    December 7, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
diff --git a/ssh-agent.c b/ssh-agent.c
index 95117e076..ba2461211 100644
--- a/ssh-agent.c
+++ b/ssh-agent.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-agent.c,v 1.181 2013/12/19 01:19:41 djm Exp $ */
+/* $OpenBSD: ssh-agent.c,v 1.183 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -50,7 +50,6 @@
 #include "openbsd-compat/sys-queue.h"
 
 #include <openssl/evp.h>
-#include <openssl/md5.h>
 #include "openbsd-compat/openssl-compat.h"
 
 #include <errno.h>
@@ -75,6 +74,7 @@
 #include "compat.h"
 #include "log.h"
 #include "misc.h"
+#include "digest.h"
 
 #ifdef ENABLE_PKCS11
 #include "ssh-pkcs11.h"
@@ -248,7 +248,7 @@ process_authentication_challenge1(SocketEntry *e)
         Identity *id;
         int i, len;
         Buffer msg;
-        MD5_CTX md;
+        struct ssh_digest_ctx *md;
         Key *key;
 
         buffer_init(&msg);
@@ -284,10 +284,12 @@ process_authentication_challenge1(SocketEntry *e)
                 }
                 memset(buf, 0, 32);
                 BN_bn2bin(challenge, buf + 32 - len);
-                MD5_Init(&md);
-                MD5_Update(&md, buf, 32);
-                MD5_Update(&md, session_id, 16);
-                MD5_Final(mdbuf, &md);
+                if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
+                    ssh_digest_update(md, buf, 32) < 0 ||
+                    ssh_digest_update(md, session_id, 16) < 0 ||
+                    ssh_digest_final(md, mdbuf, sizeof(mdbuf)) < 0)
+                        fatal("%s: md5 failed", __func__);
+                ssh_digest_free(md);
 
                 /* Send the response. */
                 buffer_put_char(&msg, SSH_AGENT_RSA_RESPONSE);
@@ -552,7 +554,7 @@ process_lock_agent(SocketEntry *e, int lock)
         passwd = buffer_get_string(&e->request, NULL);
         if (locked && !lock && strcmp(passwd, lock_passwd) == 0) {
                 locked = 0;
-                memset(lock_passwd, 0, strlen(lock_passwd));
+                explicit_bzero(lock_passwd, strlen(lock_passwd));
                 free(lock_passwd);
                 lock_passwd = NULL;
                 success = 1;
@@ -561,7 +563,7 @@ process_lock_agent(SocketEntry *e, int lock)
                 lock_passwd = xstrdup(passwd);
                 success = 1;
         }
-        memset(passwd, 0, strlen(passwd));
+        explicit_bzero(passwd, strlen(passwd));
         free(passwd);
 
         buffer_put_int(&e->output, 1);
diff --git a/ssh-dss.c b/ssh-dss.c
index 7b897475c..6b4abcb7d 100644
--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-dss.c,v 1.30 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: ssh-dss.c,v 1.31 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -65,7 +65,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
         }
 
         sig = DSA_do_sign(digest, dlen, key->dsa);
-        memset(digest, 'd', sizeof(digest));
+        explicit_bzero(digest, sizeof(digest));
 
         if (sig == NULL) {
                 error("ssh_dss_sign: sign failed");
@@ -79,7 +79,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
                 DSA_SIG_free(sig);
                 return -1;
         }
-        memset(sigblob, 0, SIGBLOB_LEN);
+        explicit_bzero(sigblob, SIGBLOB_LEN);
         BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
         BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
         DSA_SIG_free(sig);
@@ -168,7 +168,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
                 fatal("%s: BN_bin2bn failed", __func__);
 
         /* clean up */
-        memset(sigblob, 0, len);
+        explicit_bzero(sigblob, len);
         free(sigblob);
 
         /* sha1 the data */
@@ -179,7 +179,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
         }
 
         ret = DSA_do_verify(digest, dlen, sig, key->dsa);
-        memset(digest, 'd', sizeof(digest));
+        explicit_bzero(digest, sizeof(digest));
 
         DSA_SIG_free(sig);
 
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
index 10ad9da60..551c9c460 100644
--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ecdsa.c,v 1.8 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: ssh-ecdsa.c,v 1.10 2014/02/03 23:28:00 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2010 Damien Miller.  All rights reserved.
@@ -72,7 +72,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
         }
 
         sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
-        memset(digest, 'd', sizeof(digest));
+        explicit_bzero(digest, sizeof(digest));
 
         if (sig == NULL) {
                 error("%s: sign failed", __func__);
@@ -140,9 +140,6 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
         /* parse signature */
         if ((sig = ECDSA_SIG_new()) == NULL)
                 fatal("%s: ECDSA_SIG_new failed", __func__);
-        if ((sig->r = BN_new()) == NULL ||
-            (sig->s = BN_new()) == NULL)
-                fatal("%s: BN_new failed", __func__);
 
         buffer_init(&bb);
         buffer_append(&bb, sigblob, len);
@@ -153,7 +150,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
         buffer_free(&bb);
 
         /* clean up */
-        memset(sigblob, 0, len);
+        explicit_bzero(sigblob, len);
         free(sigblob);
 
         /* hash the data */
@@ -169,7 +166,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
         }
 
         ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
-        memset(digest, 'd', sizeof(digest));
+        explicit_bzero(digest, sizeof(digest));
 
         ECDSA_SIG_free(sig);
 
diff --git a/ssh-ed25519.c b/ssh-ed25519.c
index 1aedcf83a..160d1f23b 100644
--- a/ssh-ed25519.c
+++ b/ssh-ed25519.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-ed25519.c,v 1.1 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: ssh-ed25519.c,v 1.3 2014/02/23 20:03:42 djm Exp $ */
 /*
  * Copyright (c) 2013 Markus Friedl <markus@openbsd.org>
  *
@@ -21,6 +21,7 @@
 
 #include "crypto_api.h"
 
+#include <limits.h>
 #include <string.h>
 #include <stdarg.h>
 
@@ -45,6 +46,11 @@ ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp,
                 error("%s: no ED25519 key", __func__);
                 return -1;
         }
+
+        if (datalen >= UINT_MAX - crypto_sign_ed25519_BYTES) {
+                error("%s: datalen %u too long", __func__, datalen);
+                return -1;
+        }
         smlen = slen = datalen + crypto_sign_ed25519_BYTES;
         sig = xmalloc(slen);
 
@@ -66,7 +72,7 @@ ssh_ed25519_sign(const Key *key, u_char **sigp, u_int *lenp,
                 memcpy(*sigp, buffer_ptr(&b), len);
         }
         buffer_free(&b);
-        memset(sig, 's', slen);
+        explicit_bzero(sig, slen);
         free(sig);
 
         return 0;
@@ -130,9 +136,9 @@ ssh_ed25519_verify(const Key *key, const u_char *signature, u_int signaturelen,
         }
         /* XXX compare 'm' and 'data' ? */
 
-        memset(sigblob, 's', len);
-        memset(sm, 'S', smlen);
-        memset(m, 'm', smlen); /* NB. mlen may be invalid if ret != 0 */
+        explicit_bzero(sigblob, len);
+        explicit_bzero(sm, smlen);
+        explicit_bzero(m, smlen); /* NB. mlen may be invalid if ret != 0 */
         free(sigblob);
         free(sm);
         free(m);
diff --git a/ssh-gss.h b/ssh-gss.h
index 885e48185..914701bcf 100644
--- a/ssh-gss.h
+++ b/ssh-gss.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
+/* $OpenBSD: ssh-gss.h,v 1.11 2014/02/26 20:28:44 djm Exp $ */
 /*
  * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
  *
@@ -121,6 +121,8 @@ void ssh_gssapi_set_oid_data(Gssctxt *, void *, size_t);
 void ssh_gssapi_set_oid(Gssctxt *, gss_OID);
 void ssh_gssapi_supported_oids(gss_OID_set *);
 ssh_gssapi_mech *ssh_gssapi_get_ctype(Gssctxt *);
+void ssh_gssapi_prepare_supported_oids(void);
+OM_uint32 ssh_gssapi_test_oid_supported(OM_uint32 *, gss_OID, int *);
 
 OM_uint32 ssh_gssapi_import_name(Gssctxt *, const char *);
 OM_uint32 ssh_gssapi_init_ctx(Gssctxt *, int,
diff --git a/ssh-keygen.0 b/ssh-keygen.0
index a69b37d67..c43678ff0 100644
--- a/ssh-keygen.0
+++ b/ssh-keygen.0
@@ -4,7 +4,7 @@ NAME
      ssh-keygen - authentication key generation, management and conversion
 
 SYNOPSIS
-     ssh-keygen [-q] [-b bits] -t type [-N new_passphrase] [-C comment]
+     ssh-keygen [-q] [-b bits] [-t type] [-N new_passphrase] [-C comment]
                 [-f output_keyfile]
      ssh-keygen -p [-P old_passphrase] [-N new_passphrase] [-f keyfile]
      ssh-keygen -i [-m key_format] [-f input_keyfile]
@@ -559,4 +559,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.4                    December 21, 2013                   OpenBSD 5.4
+OpenBSD 5.5                    February 5, 2014                    OpenBSD 5.5
diff --git a/ssh-keygen.1 b/ssh-keygen.1
index 299ccf8dd..a71de7481 100644
--- a/ssh-keygen.1
+++ b/ssh-keygen.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keygen.1,v 1.119 2013/12/21 07:10:47 tedu Exp $
+.\"     $OpenBSD: ssh-keygen.1,v 1.120 2014/02/05 20:13:25 naddy Exp $
 .\"
 .\" Author: Tatu Ylonen <ylo@cs.hut.fi>
 .\" Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -35,7 +35,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: December 21 2013 $
+.Dd $Mdocdate: February 5 2014 $
 .Dt SSH-KEYGEN 1
 .Os
 .Sh NAME
@@ -46,7 +46,7 @@
 .Nm ssh-keygen
 .Op Fl q
 .Op Fl b Ar bits
-.Fl t Ar type
+.Op Fl t Ar type
 .Op Fl N Ar new_passphrase
 .Op Fl C Ar comment
 .Op Fl f Ar output_keyfile
diff --git a/ssh-keygen.c b/ssh-keygen.c
index eae83a461..2a316bcea 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.238 2013/12/06 13:39:49 markus Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.241 2014/02/05 20:13:25 naddy Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -267,7 +267,7 @@ load_identity(char *filename)
                         pass = read_passphrase("Enter passphrase: ",
                             RP_ALLOW_STDIN);
                 prv = key_load_private(filename, pass, NULL);
-                memset(pass, 0, strlen(pass));
+                explicit_bzero(pass, strlen(pass));
                 free(pass);
         }
         return prv;
@@ -1258,7 +1258,7 @@ do_change_passphrase(struct passwd *pw)
                             RP_ALLOW_STDIN);
                 private = key_load_private(identity_file, old_passphrase,
                     &comment);
-                memset(old_passphrase, 0, strlen(old_passphrase));
+                explicit_bzero(old_passphrase, strlen(old_passphrase));
                 free(old_passphrase);
                 if (private == NULL) {
                         printf("Bad passphrase.\n");
@@ -1280,15 +1280,15 @@ do_change_passphrase(struct passwd *pw)
 
                 /* Verify that they are the same. */
                 if (strcmp(passphrase1, passphrase2) != 0) {
-                        memset(passphrase1, 0, strlen(passphrase1));
-                        memset(passphrase2, 0, strlen(passphrase2));
+                        explicit_bzero(passphrase1, strlen(passphrase1));
+                        explicit_bzero(passphrase2, strlen(passphrase2));
                         free(passphrase1);
                         free(passphrase2);
                         printf("Pass phrases do not match.  Try again.\n");
                         exit(1);
                 }
                 /* Destroy the other copy. */
-                memset(passphrase2, 0, strlen(passphrase2));
+                explicit_bzero(passphrase2, strlen(passphrase2));
                 free(passphrase2);
         }
 
@@ -1296,14 +1296,14 @@ do_change_passphrase(struct passwd *pw)
         if (!key_save_private(private, identity_file, passphrase1, comment,
             use_new_format, new_format_cipher, rounds)) {
                 printf("Saving the key failed: %s.\n", identity_file);
-                memset(passphrase1, 0, strlen(passphrase1));
+                explicit_bzero(passphrase1, strlen(passphrase1));
                 free(passphrase1);
                 key_free(private);
                 free(comment);
                 exit(1);
         }
         /* Destroy the passphrase and the copy of the key in memory. */
-        memset(passphrase1, 0, strlen(passphrase1));
+        explicit_bzero(passphrase1, strlen(passphrase1));
         free(passphrase1);
         key_free(private);               /* Destroys contents */
         free(comment);
@@ -1375,7 +1375,7 @@ do_change_comment(struct passwd *pw)
                 /* Try to load using the passphrase. */
                 private = key_load_private(identity_file, passphrase, &comment);
                 if (private == NULL) {
-                        memset(passphrase, 0, strlen(passphrase));
+                        explicit_bzero(passphrase, strlen(passphrase));
                         free(passphrase);
                         printf("Bad passphrase.\n");
                         exit(1);
@@ -1396,7 +1396,7 @@ do_change_comment(struct passwd *pw)
                 printf("Enter new comment: ");
                 fflush(stdout);
                 if (!fgets(new_comment, sizeof(new_comment), stdin)) {
-                        memset(passphrase, 0, strlen(passphrase));
+                        explicit_bzero(passphrase, strlen(passphrase));
                         key_free(private);
                         exit(1);
                 }
@@ -1407,13 +1407,13 @@ do_change_comment(struct passwd *pw)
         if (!key_save_private(private, identity_file, passphrase, new_comment,
             use_new_format, new_format_cipher, rounds)) {
                 printf("Saving the key failed: %s.\n", identity_file);
-                memset(passphrase, 0, strlen(passphrase));
+                explicit_bzero(passphrase, strlen(passphrase));
                 free(passphrase);
                 key_free(private);
                 free(comment);
                 exit(1);
         }
-        memset(passphrase, 0, strlen(passphrase));
+        explicit_bzero(passphrase, strlen(passphrase));
         free(passphrase);
         public = key_from_private(private);
         key_free(private);
@@ -1716,7 +1716,7 @@ parse_absolute_time(const char *s)
                 fatal("Invalid certificate time format %s", s);
         }
 
-        bzero(&tm, sizeof(tm));
+        memset(&tm, 0, sizeof(tm));
         if (strptime(buf, fmt, &tm) == NULL)
                 fatal("Invalid certificate time %s", s);
         if ((tt = mktime(&tm)) < 0)
@@ -2196,8 +2196,8 @@ usage(void)
         fprintf(stderr, "  -v          Verbose.\n");
         fprintf(stderr, "  -W gen      Generator to use for generating DH-GEX moduli.\n");
         fprintf(stderr, "  -y          Read private key file and print public key.\n");
-        fprintf(stderr, "  -z serial   Specify a serial number.\n");
         fprintf(stderr, "  -Z cipher   Specify a cipher for new private key format.\n");
+        fprintf(stderr, "  -z serial   Specify a serial number.\n");
 
         exit(1);
 }
@@ -2632,15 +2632,15 @@ passphrase_again:
                          * The passphrases do not match.  Clear them and
                          * retry.
                          */
-                        memset(passphrase1, 0, strlen(passphrase1));
-                        memset(passphrase2, 0, strlen(passphrase2));
+                        explicit_bzero(passphrase1, strlen(passphrase1));
+                        explicit_bzero(passphrase2, strlen(passphrase2));
                         free(passphrase1);
                         free(passphrase2);
                         printf("Passphrases do not match.  Try again.\n");
                         goto passphrase_again;
                 }
                 /* Clear the other copy of the passphrase. */
-                memset(passphrase2, 0, strlen(passphrase2));
+                explicit_bzero(passphrase2, strlen(passphrase2));
                 free(passphrase2);
         }
 
@@ -2655,12 +2655,12 @@ passphrase_again:
         if (!key_save_private(private, identity_file, passphrase1, comment,
             use_new_format, new_format_cipher, rounds)) {
                 printf("Saving the key failed: %s.\n", identity_file);
-                memset(passphrase1, 0, strlen(passphrase1));
+                explicit_bzero(passphrase1, strlen(passphrase1));
                 free(passphrase1);
                 exit(1);
         }
         /* Clear the passphrase. */
-        memset(passphrase1, 0, strlen(passphrase1));
+        explicit_bzero(passphrase1, strlen(passphrase1));
         free(passphrase1);
 
         /* Clear the private key and the random number generator. */
diff --git a/ssh-keyscan.0 b/ssh-keyscan.0
index 09cfa0afa..638c19b48 100644
--- a/ssh-keyscan.0
+++ b/ssh-keyscan.0
@@ -27,9 +27,10 @@ DESCRIPTION
      -6      Forces ssh-keyscan to use IPv6 addresses only.
 
      -f file
-             Read hosts or addrlist namelist pairs from this file, one per
+             Read hosts or ``addrlist namelist'' pairs from file, one per
              line.  If - is supplied instead of a filename, ssh-keyscan will
-             read hosts or addrlist namelist pairs from the standard input.
+             read hosts or ``addrlist namelist'' pairs from the standard
+             input.
 
      -H      Hash all hostnames and addresses in the output.  Hashed names may
              be used normally by ssh and sshd, but they do not reveal
@@ -106,4 +107,4 @@ BUGS
      This is because it opens a connection to the ssh port, reads the public
      key, and drops the connection as soon as it gets the key.
 
-OpenBSD 5.4                    December 7, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    January 28, 2014                    OpenBSD 5.5
diff --git a/ssh-keyscan.1 b/ssh-keyscan.1
index 65ef43efd..dae4fd9fb 100644
--- a/ssh-keyscan.1
+++ b/ssh-keyscan.1
@@ -1,4 +1,4 @@
-.\"     $OpenBSD: ssh-keyscan.1,v 1.33 2013/12/07 11:58:46 naddy Exp $
+.\"     $OpenBSD: ssh-keyscan.1,v 1.34 2014/01/28 14:13:39 jmc Exp $
 .\"
 .\" Copyright 1995, 1996 by David Mazieres <dm@lcs.mit.edu>.
 .\"
@@ -6,7 +6,7 @@
 .\" permitted provided that due credit is given to the author and the
 .\" OpenBSD project by leaving this copyright notice intact.
 .\"
-.Dd $Mdocdate: December 7 2013 $
+.Dd $Mdocdate: January 28 2014 $
 .Dt SSH-KEYSCAN 1
 .Os
 .Sh NAME
@@ -56,14 +56,16 @@ Forces
 to use IPv6 addresses only.
 .It Fl f Ar file
 Read hosts or
-.Pa addrlist namelist
-pairs from this file, one per line.
+.Dq addrlist namelist
+pairs from
+.Ar file ,
+one per line.
 If
 .Pa -
 is supplied instead of a filename,
 .Nm
 will read hosts or
-.Pa addrlist namelist
+.Dq addrlist namelist
 pairs from the standard input.
 .It Fl H
 Hash all hostnames and addresses in the output.
@@ -78,7 +80,7 @@ Port to connect to on the remote host.
 .It Fl T Ar timeout
 Set the timeout for connection attempts.
 If
-.Pa timeout
+.Ar timeout
 seconds have elapsed since a connection was initiated to a host or since the
 last time anything was read from that host, then the connection is
 closed and the host in question considered unavailable.
@@ -117,23 +119,23 @@ On the other hand, if the security model allows such a risk,
 can help in the detection of tampered keyfiles or man in the middle
 attacks which have begun after the ssh_known_hosts file was created.
 .Sh FILES
-.Pa Input format:
+Input format:
 .Bd -literal
 1.2.3.4,1.2.4.4 name.my.domain,name,n.my.domain,n,1.2.3.4,1.2.4.4
 .Ed
 .Pp
-.Pa Output format for rsa1 keys:
+Output format for rsa1 keys:
 .Bd -literal
 host-or-namelist bits exponent modulus
 .Ed
 .Pp
-.Pa Output format for rsa, dsa and ecdsa keys:
+Output format for rsa, dsa and ecdsa keys:
 .Bd -literal
 host-or-namelist keytype base64-encoded-key
 .Ed
 .Pp
 Where
-.Pa keytype
+.Ar keytype
 is either
 .Dq ecdsa-sha2-nistp256 ,
 .Dq ecdsa-sha2-nistp384 ,
@@ -145,10 +147,8 @@ or
 .Pp
 .Pa /etc/ssh/ssh_known_hosts
 .Sh EXAMPLES
-Print the
-.Pa rsa
-host key for machine
-.Pa hostname :
+Print the rsa host key for machine
+.Ar hostname :
 .Bd -literal
 $ ssh-keyscan hostname
 .Ed
diff --git a/ssh-keysign.0 b/ssh-keysign.0
index 78a20e894..5f18b54e3 100644
--- a/ssh-keysign.0
+++ b/ssh-keysign.0
@@ -50,4 +50,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.4                    December 7, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
diff --git a/ssh-pkcs11-helper.0 b/ssh-pkcs11-helper.0
index d9ea34248..20d62f7a9 100644
--- a/ssh-pkcs11-helper.0
+++ b/ssh-pkcs11-helper.0
@@ -22,4 +22,4 @@ HISTORY
 AUTHORS
      Markus Friedl <markus@openbsd.org>
 
-OpenBSD 5.4                      July 16, 2013                     OpenBSD 5.4
+OpenBSD 5.5                      July 16, 2013                     OpenBSD 5.5
diff --git a/ssh-rsa.c b/ssh-rsa.c
index a2112d033..c6f25b3ee 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-rsa.c,v 1.50 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: ssh-rsa.c,v 1.51 2014/02/02 03:44:31 djm Exp $ */
 /*
  * Copyright (c) 2000, 2003 Markus Friedl <markus@openbsd.org>
  *
@@ -70,7 +70,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
         sig = xmalloc(slen);
 
         ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
-        memset(digest, 'd', sizeof(digest));
+        explicit_bzero(digest, sizeof(digest));
 
         if (ok != 1) {
                 int ecode = ERR_get_error();
@@ -84,7 +84,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
                 u_int diff = slen - len;
                 debug("slen %u > len %u", slen, len);
                 memmove(sig + diff, sig, len);
-                memset(sig, 0, diff);
+                explicit_bzero(sig, diff);
         } else if (len > slen) {
                 error("%s: slen %u slen2 %u", __func__, slen, len);
                 free(sig);
@@ -102,7 +102,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
                 memcpy(*sigp, buffer_ptr(&b), len);
         }
         buffer_free(&b);
-        memset(sig, 's', slen);
+        explicit_bzero(sig, slen);
         free(sig);
 
         return 0;
@@ -161,7 +161,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
                     modlen, len);
                 sigblob = xrealloc(sigblob, 1, modlen);
                 memmove(sigblob + diff, sigblob, len);
-                memset(sigblob, 0, diff);
+                explicit_bzero(sigblob, diff);
                 len = modlen;
         }
         /* hash the data */
@@ -178,8 +178,8 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
 
         ret = openssh_RSA_verify(hash_alg, digest, dlen, sigblob, len,
             key->rsa);
-        memset(digest, 'd', sizeof(digest));
-        memset(sigblob, 's', len);
+        explicit_bzero(digest, sizeof(digest));
+        explicit_bzero(sigblob, len);
         free(sigblob);
         debug("%s: signature %scorrect", __func__, (ret == 0) ? "in" : "");
         return ret;
diff --git a/ssh.0 b/ssh.0
index 3a6a0469d..16868cfca 100644
--- a/ssh.0
+++ b/ssh.0
@@ -943,4 +943,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.4                    December 7, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
diff --git a/ssh.c b/ssh.c
index 5d5d4de4d..3e63708da 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.397 2013/12/29 05:42:16 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.401 2014/02/26 20:18:37 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -231,16 +231,26 @@ tilde_expand_paths(char **paths, u_int num_paths)
         }
 }
 
+/*
+ * Attempt to resolve a host name / port to a set of addresses and
+ * optionally return any CNAMEs encountered along the way.
+ * Returns NULL on failure.
+ * NB. this function must operate with a options having undefined members.
+ */
 static struct addrinfo *
-resolve_host(const char *name, u_int port, int logerr, char *cname, size_t clen)
+resolve_host(const char *name, int port, int logerr, char *cname, size_t clen)
 {
         char strport[NI_MAXSERV];
         struct addrinfo hints, *res;
         int gaierr, loglevel = SYSLOG_LEVEL_DEBUG1;
 
+        if (port <= 0)
+                port = default_ssh_port();
+
         snprintf(strport, sizeof strport, "%u", port);
-        bzero(&hints, sizeof(hints));
-        hints.ai_family = options.address_family;
+        memset(&hints, 0, sizeof(hints));
+        hints.ai_family = options.address_family == -1 ?
+            AF_UNSPEC : options.address_family;
         hints.ai_socktype = SOCK_STREAM;
         if (cname != NULL)
                 hints.ai_flags = AI_CANONNAME;
@@ -265,6 +275,7 @@ resolve_host(const char *name, u_int port, int logerr, char *cname, size_t clen)
 /*
  * Check whether the cname is a permitted replacement for the hostname
  * and perform the replacement if it is.
+ * NB. this function must operate with a options having undefined members.
  */
 static int
 check_follow_cname(char **namep, const char *cname)
@@ -281,7 +292,7 @@ check_follow_cname(char **namep, const char *cname)
          * Don't attempt to canonicalize names that will be interpreted by
          * a proxy unless the user specifically requests so.
          */
-        if (options.proxy_command != NULL &&
+        if (!option_clear_or_none(options.proxy_command) &&
             options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS)
                 return 0;
         debug3("%s: check \"%s\" CNAME \"%s\"", __func__, *namep, cname);
@@ -305,9 +316,10 @@ check_follow_cname(char **namep, const char *cname)
  * Attempt to resolve the supplied hostname after applying the user's
  * canonicalization rules. Returns the address list for the host or NULL
  * if no name was found after canonicalization.
+ * NB. this function must operate with a options having undefined members.
  */
 static struct addrinfo *
-resolve_canonicalize(char **hostp, u_int port)
+resolve_canonicalize(char **hostp, int port)
 {
         int i, ndots;
         char *cp, *fullhost, cname_target[NI_MAXHOST];
@@ -315,13 +327,15 @@ resolve_canonicalize(char **hostp, u_int port)
 
         if (options.canonicalize_hostname == SSH_CANONICALISE_NO)
                 return NULL;
+
         /*
          * Don't attempt to canonicalize names that will be interpreted by
          * a proxy unless the user specifically requests so.
          */
-        if (options.proxy_command != NULL &&
+        if (!option_clear_or_none(options.proxy_command) &&
             options.canonicalize_hostname != SSH_CANONICALISE_ALWAYS)
                 return NULL;
+
         /* Don't apply canonicalization to sufficiently-qualified hostnames */
         ndots = 0;
         for (cp = *hostp; *cp != '\0'; cp++) {
@@ -338,7 +352,9 @@ resolve_canonicalize(char **hostp, u_int port)
                 *cname_target = '\0';
                 xasprintf(&fullhost, "%s.%s.", *hostp,
                     options.canonical_domains[i]);
-                if ((addrs = resolve_host(fullhost, options.port, 0,
+                debug3("%s: attempting \"%s\" => \"%s\"", __func__,
+                    *hostp, fullhost);
+                if ((addrs = resolve_host(fullhost, port, 0,
                     cname_target, sizeof(cname_target))) == NULL) {
                         free(fullhost);
                         continue;
@@ -355,11 +371,41 @@ resolve_canonicalize(char **hostp, u_int port)
                 return addrs;
         }
         if (!options.canonicalize_fallback_local)
-                fatal("%s: Could not resolve host \"%s\"", __progname, host);
+                fatal("%s: Could not resolve host \"%s\"", __progname, *hostp);
+        debug2("%s: host %s not found in any suffix", __func__, *hostp);
         return NULL;
 }
 
 /*
+ * Read per-user configuration file.  Ignore the system wide config
+ * file if the user specifies a config file on the command line.
+ */
+static void
+process_config_files(struct passwd *pw)
+{
+        char buf[MAXPATHLEN];
+        int r;
+
+        if (config != NULL) {
+                if (strcasecmp(config, "none") != 0 &&
+                    !read_config_file(config, pw, host, &options,
+                    SSHCONF_USERCONF))
+                        fatal("Can't open user config file %.100s: "
+                            "%.100s", config, strerror(errno));
+        } else {
+                r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
+                    _PATH_SSH_USER_CONFFILE);
+                if (r > 0 && (size_t)r < sizeof(buf))
+                        (void)read_config_file(buf, pw, host, &options,
+                             SSHCONF_CHECKPERM|SSHCONF_USERCONF);
+
+                /* Read systemwide configuration file after user config. */
+                (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host,
+                    &options, 0);
+        }
+}
+
+/*
  * Main program for the ssh client.
  */
 int
@@ -832,31 +878,62 @@ main(int ac, char **av)
         if (debug_flag)
                 logit("%s, %s", SSH_VERSION, SSLeay_version(SSLEAY_VERSION));
 
+        /* Parse the configuration files */
+        process_config_files(pw);
+
+        /* Hostname canonicalisation needs a few options filled. */
+        fill_default_options_for_canonicalization(&options);
+
+        /* If the user has replaced the hostname then take it into use now */
+        if (options.hostname != NULL) {
+                /* NB. Please keep in sync with readconf.c:match_cfg_line() */
+                cp = percent_expand(options.hostname,
+                    "h", host, (char *)NULL);
+                free(host);
+                host = cp;
+        }
+
+        /* If canonicalization requested then try to apply it */
+        lowercase(host);
+        if (options.canonicalize_hostname != SSH_CANONICALISE_NO)
+                addrs = resolve_canonicalize(&host, options.port);
+
         /*
-         * Read per-user configuration file.  Ignore the system wide config
-         * file if the user specifies a config file on the command line.
+         * If CanonicalizePermittedCNAMEs have been specified but
+         * other canonicalization did not happen (by not being requested
+         * or by failing with fallback) then the hostname may still be changed
+         * as a result of CNAME following. 
+         *
+         * Try to resolve the bare hostname name using the system resolver's
+         * usual search rules and then apply the CNAME follow rules.
+         *
+         * Skip the lookup if a ProxyCommand is being used unless the user
+         * has specifically requested canonicalisation for this case via
+         * CanonicalizeHostname=always
          */
-        if (config != NULL) {
-                if (strcasecmp(config, "none") != 0 &&
-                    !read_config_file(config, pw, host, &options,
-                    SSHCONF_USERCONF))
-                        fatal("Can't open user config file %.100s: "
-                            "%.100s", config, strerror(errno));
-        } else {
-                r = snprintf(buf, sizeof buf, "%s/%s", pw->pw_dir,
-                    _PATH_SSH_USER_CONFFILE);
-                if (r > 0 && (size_t)r < sizeof(buf))
-                        (void)read_config_file(buf, pw, host, &options,
-                             SSHCONF_CHECKPERM|SSHCONF_USERCONF);
+        if (addrs == NULL && options.num_permitted_cnames != 0 &&
+            (option_clear_or_none(options.proxy_command) ||
+            options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
+                if ((addrs = resolve_host(host, options.port, 1,
+                    cname, sizeof(cname))) == NULL)
+                        cleanup_exit(255); /* resolve_host logs the error */
+                check_follow_cname(&host, cname);
+        }
 
-                /* Read systemwide configuration file after user config. */
-                (void)read_config_file(_PATH_HOST_CONFIG_FILE, pw, host,
-                    &options, 0);
+        /*
+         * If the target hostname has changed as a result of canonicalisation
+         * then re-parse the configuration files as new stanzas may match.
+         */
+        if (strcasecmp(host_arg, host) != 0) {
+                debug("Hostname has changed; re-reading configuration");
+                process_config_files(pw);
         }
 
         /* Fill configuration defaults. */
         fill_default_options(&options);
 
+        if (options.port == 0)
+                options.port = default_ssh_port();
         channel_set_af(options.address_family);
 
         /* Tidy and check options */
@@ -899,37 +976,6 @@ main(int ac, char **av)
         if (options.user == NULL)
                 options.user = xstrdup(pw->pw_name);
 
-        /* Get default port if port has not been set. */
-        if (options.port == 0)
-                options.port = default_ssh_port();
-
-        /* preserve host name given on command line for %n expansion */
-        if (options.hostname != NULL) {
-                /* NB. Please keep in sync with readconf.c:match_cfg_line() */
-                cp = percent_expand(options.hostname,
-                    "h", host, (char *)NULL);
-                free(host);
-                host = cp;
-        }
-
-        /* If canonicalization requested then try to apply it */
-        lowercase(host);
-        if (options.canonicalize_hostname != SSH_CANONICALISE_NO)
-                addrs = resolve_canonicalize(&host, options.port);
-        /*
-         * If canonicalization not requested, or if it failed then try to
-         * resolve the bare hostname name using the system resolver's usual
-         * search rules. Skip the lookup if a ProxyCommand is being used
-         * unless the user has specifically requested canonicalisation.
-         */
-        if (addrs == NULL && (options.proxy_command == NULL ||
-            options.canonicalize_hostname == SSH_CANONICALISE_ALWAYS)) {
-                if ((addrs = resolve_host(host, options.port, 1,
-                    cname, sizeof(cname))) == NULL)
-                        cleanup_exit(255); /* resolve_host logs the error */
-                check_follow_cname(&host, cname);
-        }
-
         if (gethostname(thishost, sizeof(thishost)) == -1)
                 fatal("gethostname: %s", strerror(errno));
         strlcpy(shorthost, thishost, sizeof(shorthost));
@@ -962,6 +1008,16 @@ main(int ac, char **av)
         if (options.control_path != NULL)
                 muxclient(options.control_path);
 
+        /*
+         * If hostname canonicalisation was not enabled, then we may not
+         * have yet resolved the hostname. Do so now.
+         */
+        if (addrs == NULL && options.proxy_command == NULL) {
+                if ((addrs = resolve_host(host, options.port, 1,
+                    cname, sizeof(cname))) == NULL)
+                        cleanup_exit(255); /* resolve_host logs the error */
+        }
+
         timeout_ms = options.connection_timeout * 1000;
 
         /* Open a connection to the remote host. */
@@ -1697,8 +1753,8 @@ load_public_identity_files(void)
 #endif /* PKCS11 */
 
         n_ids = 0;
-        bzero(identity_files, sizeof(identity_files));
-        bzero(identity_keys, sizeof(identity_keys));
+        memset(identity_files, 0, sizeof(identity_files));
+        memset(identity_keys, 0, sizeof(identity_keys));
 
 #ifdef ENABLE_PKCS11
         if (options.pkcs11_provider != NULL &&
@@ -1773,9 +1829,9 @@ load_public_identity_files(void)
         memcpy(options.identity_files, identity_files, sizeof(identity_files));
         memcpy(options.identity_keys, identity_keys, sizeof(identity_keys));
 
-        bzero(pwname, strlen(pwname));
+        explicit_bzero(pwname, strlen(pwname));
         free(pwname);
-        bzero(pwdir, strlen(pwdir));
+        explicit_bzero(pwdir, strlen(pwdir));
         free(pwdir);
 }
 
diff --git a/ssh2.h b/ssh2.h
index 51a963cae..59417e612 100644
--- a/ssh2.h
+++ b/ssh2.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh2.h,v 1.14 2010/08/31 11:54:45 djm Exp $ */
+/* $OpenBSD: ssh2.h,v 1.15 2014/01/29 06:18:35 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -115,12 +115,6 @@
 #define SSH2_MSG_USERAUTH_PASSWD_CHANGEREQ              60
 #define SSH2_MSG_USERAUTH_INFO_REQUEST                  60
 #define SSH2_MSG_USERAUTH_INFO_RESPONSE                 61
-#define SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1            60
-#define SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1            61
-#define SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2            62
-#define SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2            63
-#define SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM          64
-#define SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM          65
 
 /* connection protocol: generic */
 
diff --git a/ssh_config.0 b/ssh_config.0
index e9ac54bfc..6fbd10d61 100644
--- a/ssh_config.0
+++ b/ssh_config.0
@@ -128,6 +128,11 @@ DESCRIPTION
              set to ``always'', then canonicalization is applied to proxied
              connections too.
 
+             If this option is enabled and canonicalisation results in the
+             target hostname changing, then the configuration files are
+             processed again using the new target name to pick up any new
+             configuration in matching Host stanzas.
+
      CanonicalizeMaxDots
              Specifies the maximum number of dot characters in a hostname
              before canonicalization is disabled.  The default, ``1'', allows
@@ -881,4 +886,4 @@ AUTHORS
      created OpenSSH.  Markus Friedl contributed the support for SSH protocol
      versions 1.5 and 2.0.
 
-OpenBSD 5.4                    January 19, 2014                    OpenBSD 5.4
+OpenBSD 5.5                    February 23, 2014                   OpenBSD 5.5
diff --git a/ssh_config.5 b/ssh_config.5
index cc91a5c56..22e637265 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.184 2014/01/19 04:48:08 djm Exp $
-.Dd $Mdocdate: January 19 2014 $
+.\" $OpenBSD: ssh_config.5,v 1.185 2014/02/23 20:11:36 djm Exp $
+.Dd $Mdocdate: February 23 2014 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -283,6 +283,12 @@ If
 is set to
 .Dq always ,
 then canonicalization is applied to proxied connections too.
+.Pp
+If this option is enabled and canonicalisation results in the target hostname
+changing, then the configuration files are processed again using the new
+target name to pick up any new configuration in matching
+.Cm Host
+stanzas.
 .It Cm CanonicalizeMaxDots
 Specifies the maximum number of dot characters in a hostname before
 canonicalization is disabled.
diff --git a/sshconnect.c b/sshconnect.c
index a2fbf9e65..87c3770c0 100644
--- a/sshconnect.c
+++ b/sshconnect.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect.c,v 1.244 2014/01/09 23:26:48 djm Exp $ */
+/* $OpenBSD: sshconnect.c,v 1.246 2014/02/06 22:21:01 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -269,7 +269,7 @@ static int
 ssh_create_socket(int privileged, struct addrinfo *ai)
 {
         int sock, r, gaierr;
-        struct addrinfo hints, *res;
+        struct addrinfo hints, *res = NULL;
 
         sock = socket(ai->ai_family, ai->ai_socktype, ai->ai_protocol);
         if (sock < 0) {
@@ -282,17 +282,19 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
         if (options.bind_address == NULL && !privileged)
                 return sock;
 
-        memset(&hints, 0, sizeof(hints));
-        hints.ai_family = ai->ai_family;
-        hints.ai_socktype = ai->ai_socktype;
-        hints.ai_protocol = ai->ai_protocol;
-        hints.ai_flags = AI_PASSIVE;
-        gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
-        if (gaierr) {
-                error("getaddrinfo: %s: %s", options.bind_address,
-                    ssh_gai_strerror(gaierr));
-                close(sock);
-                return -1;
+        if (options.bind_address) {
+                memset(&hints, 0, sizeof(hints));
+                hints.ai_family = ai->ai_family;
+                hints.ai_socktype = ai->ai_socktype;
+                hints.ai_protocol = ai->ai_protocol;
+                hints.ai_flags = AI_PASSIVE;
+                gaierr = getaddrinfo(options.bind_address, NULL, &hints, &res);
+                if (gaierr) {
+                        error("getaddrinfo: %s: %s", options.bind_address,
+                            ssh_gai_strerror(gaierr));
+                        close(sock);
+                        return -1;
+                }
         }
         /*
          * If we are running as root and want to connect to a privileged
@@ -300,7 +302,7 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
          */
         if (privileged) {
                 PRIV_START;
-                r = bindresvport_sa(sock, res->ai_addr);
+                r = bindresvport_sa(sock, res ? res->ai_addr : NULL);
                 PRIV_END;
                 if (r < 0) {
                         error("bindresvport_sa: af=%d %s", ai->ai_family,
@@ -317,7 +319,8 @@ ssh_create_socket(int privileged, struct addrinfo *ai)
                         return -1;
                 }
         }
-        freeaddrinfo(res);
+        if (res != NULL)
+                freeaddrinfo(res);
         return sock;
 }
 
@@ -1304,7 +1307,7 @@ ssh_put_password(char *password)
         padded = xcalloc(1, size);
         strlcpy(padded, password, size);
         packet_put_string(padded, size);
-        memset(padded, 0, size);
+        explicit_bzero(padded, size);
         free(padded);
 }
 
diff --git a/sshconnect1.c b/sshconnect1.c
index 7bd6cb018..921408ec1 100644
--- a/sshconnect1.c
+++ b/sshconnect1.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect1.c,v 1.72 2013/09/02 22:00:34 deraadt Exp $ */
+/* $OpenBSD: sshconnect1.c,v 1.74 2014/02/02 03:44:32 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -19,7 +19,6 @@
 #include <sys/socket.h>
 
 #include <openssl/bn.h>
-#include <openssl/md5.h>
 
 #include <stdarg.h>
 #include <stdio.h>
@@ -47,6 +46,7 @@
 #include "canohost.h"
 #include "hostfile.h"
 #include "auth.h"
+#include "digest.h"
 
 /* Session id for the current session. */
 u_char session_id[16];
@@ -120,7 +120,7 @@ try_agent_authentication(void)
                          * return a wrong value.
                          */
                         logit("Authentication agent failed to decrypt challenge.");
-                        memset(response, 0, sizeof(response));
+                        explicit_bzero(response, sizeof(response));
                 }
                 key_free(key);
                 debug("Sending response to RSA challenge.");
@@ -161,7 +161,7 @@ static void
 respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
 {
         u_char buf[32], response[16];
-        MD5_CTX md;
+        struct ssh_digest_ctx *md;
         int i, len;
 
         /* Decrypt the challenge using the private key. */
@@ -179,10 +179,12 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
 
         memset(buf, 0, sizeof(buf));
         BN_bn2bin(challenge, buf + sizeof(buf) - len);
-        MD5_Init(&md);
-        MD5_Update(&md, buf, 32);
-        MD5_Update(&md, session_id, 16);
-        MD5_Final(response, &md);
+        if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
+            ssh_digest_update(md, buf, 32) < 0 ||
+            ssh_digest_update(md, session_id, 16) < 0 ||
+            ssh_digest_final(md, response, sizeof(response)) < 0)
+                fatal("%s: md5 failed", __func__);
+        ssh_digest_free(md);
 
         debug("Sending response to host key RSA challenge.");
 
@@ -193,9 +195,9 @@ respond_to_rsa_challenge(BIGNUM * challenge, RSA * prv)
         packet_send();
         packet_write_wait();
 
-        memset(buf, 0, sizeof(buf));
-        memset(response, 0, sizeof(response));
-        memset(&md, 0, sizeof(md));
+        explicit_bzero(buf, sizeof(buf));
+        explicit_bzero(response, sizeof(response));
+        explicit_bzero(&md, sizeof(md));
 }
 
 /*
@@ -269,7 +271,7 @@ try_rsa_authentication(int idx)
                                 debug2("no passphrase given, try next key");
                                 quit = 1;
                         }
-                        memset(passphrase, 0, strlen(passphrase));
+                        explicit_bzero(passphrase, strlen(passphrase));
                         free(passphrase);
                         if (private != NULL || quit)
                                 break;
@@ -425,7 +427,7 @@ try_challenge_response_authentication(void)
                 }
                 packet_start(SSH_CMSG_AUTH_TIS_RESPONSE);
                 ssh_put_password(response);
-                memset(response, 0, strlen(response));
+                explicit_bzero(response, strlen(response));
                 free(response);
                 packet_send();
                 packet_write_wait();
@@ -458,7 +460,7 @@ try_password_authentication(char *prompt)
                 password = read_passphrase(prompt, 0);
                 packet_start(SSH_CMSG_AUTH_PASSWORD);
                 ssh_put_password(password);
-                memset(password, 0, strlen(password));
+                explicit_bzero(password, strlen(password));
                 free(password);
                 packet_send();
                 packet_write_wait();
@@ -650,8 +652,11 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
         /* Set the encryption key. */
         packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, options.cipher);
 
-        /* We will no longer need the session key here.  Destroy any extra copies. */
-        memset(session_key, 0, sizeof(session_key));
+        /*
+         * We will no longer need the session key here.
+         * Destroy any extra copies.
+         */
+        explicit_bzero(session_key, sizeof(session_key));
 
         /*
          * Expect a success message from the server.  Note that this message
diff --git a/sshconnect2.c b/sshconnect2.c
index 21a269d3c..66cb03527 100644
--- a/sshconnect2.c
+++ b/sshconnect2.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshconnect2.c,v 1.201 2014/01/09 23:20:00 djm Exp $ */
+/* $OpenBSD: sshconnect2.c,v 1.204 2014/02/02 03:44:32 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  * Copyright (c) 2008 Damien Miller.  All rights reserved.
@@ -70,8 +70,6 @@
 #include "pathnames.h"
 #include "uidswap.h"
 #include "hostfile.h"
-#include "schnorr.h"
-#include "jpake.h"
 
 #ifdef GSSAPI
 #include "ssh-gss.h"
@@ -345,18 +343,12 @@ void	input_userauth_error(int, u_int32_t, void *);
 void    input_userauth_info_req(int, u_int32_t, void *);
 void    input_userauth_pk_ok(int, u_int32_t, void *);
 void    input_userauth_passwd_changereq(int, u_int32_t, void *);
-void    input_userauth_jpake_server_step1(int, u_int32_t, void *);
-void    input_userauth_jpake_server_step2(int, u_int32_t, void *);
-void    input_userauth_jpake_server_confirm(int, u_int32_t, void *);
 
 int     userauth_none(Authctxt *);
 int     userauth_pubkey(Authctxt *);
 int     userauth_passwd(Authctxt *);
 int     userauth_kbdint(Authctxt *);
 int     userauth_hostbased(Authctxt *);
-int     userauth_jpake(Authctxt *);
-
-void    userauth_jpake_cleanup(Authctxt *);
 
 #ifdef GSSAPI
 int     userauth_gssapi(Authctxt *authctxt);
@@ -402,13 +394,6 @@ Authmethod authmethods[] = {
                 NULL,
                 &options.pubkey_authentication,
                 NULL},
-#ifdef JPAKE
-        {"jpake-01@openssh.com",
-                userauth_jpake,
-                userauth_jpake_cleanup,
-                &options.zero_knowledge_password_authentication,
-                &options.batch_mode},
-#endif
         {"keyboard-interactive",
                 userauth_kbdint,
                 NULL,
@@ -1000,7 +985,7 @@ userauth_passwd(Authctxt *authctxt)
         packet_put_cstring(authctxt->method->name);
         packet_put_char(0);
         packet_put_cstring(password);
-        memset(password, 0, strlen(password));
+        explicit_bzero(password, strlen(password));
         free(password);
         packet_add_padding(64);
         packet_send();
@@ -1046,7 +1031,7 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
             authctxt->server_user, host);
         password = read_passphrase(prompt, 0);
         packet_put_cstring(password);
-        memset(password, 0, strlen(password));
+        explicit_bzero(password, strlen(password));
         free(password);
         password = NULL;
         while (password == NULL) {
@@ -1063,16 +1048,16 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
                     authctxt->server_user, host);
                 retype = read_passphrase(prompt, 0);
                 if (strcmp(password, retype) != 0) {
-                        memset(password, 0, strlen(password));
+                        explicit_bzero(password, strlen(password));
                         free(password);
                         logit("Mismatch; try again, EOF to quit.");
                         password = NULL;
                 }
-                memset(retype, 0, strlen(retype));
+                explicit_bzero(retype, strlen(retype));
                 free(retype);
         }
         packet_put_cstring(password);
-        memset(password, 0, strlen(password));
+        explicit_bzero(password, strlen(password));
         free(password);
         packet_add_padding(64);
         packet_send();
@@ -1081,209 +1066,6 @@ input_userauth_passwd_changereq(int type, u_int32_t seqnr, void *ctxt)
             &input_userauth_passwd_changereq);
 }
 
-#ifdef JPAKE
-static char *
-pw_encrypt(const char *password, const char *crypt_scheme, const char *salt)
-{
-        /* OpenBSD crypt(3) handles all of these */
-        if (strcmp(crypt_scheme, "crypt") == 0 ||
-            strcmp(crypt_scheme, "bcrypt") == 0 ||
-            strcmp(crypt_scheme, "md5crypt") == 0 ||
-            strcmp(crypt_scheme, "crypt-extended") == 0)
-                return xstrdup(crypt(password, salt));
-        error("%s: unsupported password encryption scheme \"%.100s\"",
-            __func__, crypt_scheme);
-        return NULL;
-}
-
-static BIGNUM *
-jpake_password_to_secret(Authctxt *authctxt, const char *crypt_scheme,
-    const char *salt)
-{
-        char prompt[256], *password, *crypted;
-        u_char *secret;
-        u_int secret_len;
-        BIGNUM *ret;
-
-        snprintf(prompt, sizeof(prompt), "%.30s@%.128s's password (JPAKE): ",
-            authctxt->server_user, authctxt->host);
-        password = read_passphrase(prompt, 0);
-
-        if ((crypted = pw_encrypt(password, crypt_scheme, salt)) == NULL) {
-                logit("Disabling %s authentication", authctxt->method->name);
-                authctxt->method->enabled = NULL;
-                /* Continue with an empty password to fail gracefully */
-                crypted = xstrdup("");
-        }
-
-#ifdef JPAKE_DEBUG
-        debug3("%s: salt = %s", __func__, salt);
-        debug3("%s: scheme = %s", __func__, crypt_scheme);
-        debug3("%s: crypted = %s", __func__, crypted);
-#endif
-
-        if (hash_buffer(crypted, strlen(crypted), SSH_DIGEST_SHA1,
-            &secret, &secret_len) != 0)
-                fatal("%s: hash_buffer", __func__);
-
-        bzero(password, strlen(password));
-        bzero(crypted, strlen(crypted));
-        free(password);
-        free(crypted);
-
-        if ((ret = BN_bin2bn(secret, secret_len, NULL)) == NULL)
-                fatal("%s: BN_bin2bn (secret)", __func__);
-        bzero(secret, secret_len);
-        free(secret);
-
-        return ret;
-}
-
-/* ARGSUSED */
-void
-input_userauth_jpake_server_step1(int type, u_int32_t seq, void *ctxt)
-{
-        Authctxt *authctxt = ctxt;
-        struct jpake_ctx *pctx = authctxt->methoddata;
-        u_char *x3_proof, *x4_proof, *x2_s_proof;
-        u_int x3_proof_len, x4_proof_len, x2_s_proof_len;
-        char *crypt_scheme, *salt;
-
-        /* Disable this message */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1, NULL);
-
-        if ((pctx->g_x3 = BN_new()) == NULL ||
-            (pctx->g_x4 = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        /* Fetch step 1 values */
-        crypt_scheme = packet_get_string(NULL);
-        salt = packet_get_string(NULL);
-        pctx->server_id = packet_get_string(&pctx->server_id_len);
-        packet_get_bignum2(pctx->g_x3);
-        packet_get_bignum2(pctx->g_x4);
-        x3_proof = packet_get_string(&x3_proof_len);
-        x4_proof = packet_get_string(&x4_proof_len);
-        packet_check_eom();
-
-        JPAKE_DEBUG_CTX((pctx, "step 1 received in %s", __func__));
-
-        /* Obtain password and derive secret */
-        pctx->s = jpake_password_to_secret(authctxt, crypt_scheme, salt);
-        bzero(crypt_scheme, strlen(crypt_scheme));
-        bzero(salt, strlen(salt));
-        free(crypt_scheme);
-        free(salt);
-        JPAKE_DEBUG_BN((pctx->s, "%s: s = ", __func__));
-
-        /* Calculate step 2 values */
-        jpake_step2(pctx->grp, pctx->s, pctx->g_x1,
-            pctx->g_x3, pctx->g_x4, pctx->x2,
-            pctx->server_id, pctx->server_id_len,
-            pctx->client_id, pctx->client_id_len,
-            x3_proof, x3_proof_len,
-            x4_proof, x4_proof_len,
-            &pctx->a,
-            &x2_s_proof, &x2_s_proof_len);
-
-        bzero(x3_proof, x3_proof_len);
-        bzero(x4_proof, x4_proof_len);
-        free(x3_proof);
-        free(x4_proof);
-
-        JPAKE_DEBUG_CTX((pctx, "step 2 sending in %s", __func__));
-
-        /* Send values for step 2 */
-        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP2);
-        packet_put_bignum2(pctx->a);
-        packet_put_string(x2_s_proof, x2_s_proof_len);
-        packet_send();
-
-        bzero(x2_s_proof, x2_s_proof_len);
-        free(x2_s_proof);
-
-        /* Expect step 2 packet from peer */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2,
-            input_userauth_jpake_server_step2);
-}
-
-/* ARGSUSED */
-void
-input_userauth_jpake_server_step2(int type, u_int32_t seq, void *ctxt)
-{
-        Authctxt *authctxt = ctxt;
-        struct jpake_ctx *pctx = authctxt->methoddata;
-        u_char *x4_s_proof;
-        u_int x4_s_proof_len;
-
-        /* Disable this message */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP2, NULL);
-
-        if ((pctx->b = BN_new()) == NULL)
-                fatal("%s: BN_new", __func__);
-
-        /* Fetch step 2 values */
-        packet_get_bignum2(pctx->b);
-        x4_s_proof = packet_get_string(&x4_s_proof_len);
-        packet_check_eom();
-
-        JPAKE_DEBUG_CTX((pctx, "step 2 received in %s", __func__));
-
-        /* Derive shared key and calculate confirmation hash */
-        jpake_key_confirm(pctx->grp, pctx->s, pctx->b,
-            pctx->x2, pctx->g_x1, pctx->g_x2, pctx->g_x3, pctx->g_x4,
-            pctx->client_id, pctx->client_id_len,
-            pctx->server_id, pctx->server_id_len,
-            session_id2, session_id2_len,
-            x4_s_proof, x4_s_proof_len,
-            &pctx->k,
-            &pctx->h_k_cid_sessid, &pctx->h_k_cid_sessid_len);
-
-        bzero(x4_s_proof, x4_s_proof_len);
-        free(x4_s_proof);
-
-        JPAKE_DEBUG_CTX((pctx, "confirm sending in %s", __func__));
-
-        /* Send key confirmation proof */
-        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_CONFIRM);
-        packet_put_string(pctx->h_k_cid_sessid, pctx->h_k_cid_sessid_len);
-        packet_send();
-
-        /* Expect confirmation from peer */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM,
-            input_userauth_jpake_server_confirm);
-}
-
-/* ARGSUSED */
-void
-input_userauth_jpake_server_confirm(int type, u_int32_t seq, void *ctxt)
-{
-        Authctxt *authctxt = ctxt;
-        struct jpake_ctx *pctx = authctxt->methoddata;
-
-        /* Disable this message */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_CONFIRM, NULL);
-
-        pctx->h_k_sid_sessid = packet_get_string(&pctx->h_k_sid_sessid_len);
-        packet_check_eom();
-
-        JPAKE_DEBUG_CTX((pctx, "confirm received in %s", __func__));
-
-        /* Verify expected confirmation hash */
-        if (jpake_check_confirm(pctx->k,
-            pctx->server_id, pctx->server_id_len,
-            session_id2, session_id2_len,
-            pctx->h_k_sid_sessid, pctx->h_k_sid_sessid_len) == 1)
-                debug("%s: %s success", __func__, authctxt->method->name);
-        else {
-                debug("%s: confirmation mismatch", __func__);
-                /* XXX stash this so if auth succeeds then we can warn/kill */
-        }
-
-        userauth_jpake_cleanup(authctxt);
-}
-#endif /* JPAKE */
-
 static int
 identity_sign(Identity *id, u_char **sigp, u_int *lenp,
     u_char *data, u_int datalen)
@@ -1460,7 +1242,7 @@ load_identity_file(char *filename, int userprovided)
                                 debug2("no passphrase given, try next key");
                                 quit = 1;
                         }
-                        memset(passphrase, 0, strlen(passphrase));
+                        explicit_bzero(passphrase, strlen(passphrase));
                         free(passphrase);
                         if (private != NULL || quit)
                                 break;
@@ -1524,7 +1306,7 @@ pubkey_prepare(Authctxt *authctxt)
                 /* If IdentitiesOnly set and key not found then don't use it */
                 if (!found && options.identities_only) {
                         TAILQ_REMOVE(&files, id, next);
-                        bzero(id, sizeof(*id));
+                        explicit_bzero(id, sizeof(*id));
                         free(id);
                 }
         }
@@ -1719,7 +1501,7 @@ input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
                 response = read_passphrase(prompt, echo ? RP_ECHO : 0);
 
                 packet_put_cstring(response);
-                memset(response, 0, strlen(response));
+                explicit_bzero(response, strlen(response));
                 free(response);
                 free(prompt);
         }
@@ -1889,7 +1671,7 @@ userauth_hostbased(Authctxt *authctxt)
         packet_put_cstring(chost);
         packet_put_cstring(authctxt->local_user);
         packet_put_string(signature, slen);
-        memset(signature, 's', slen);
+        explicit_bzero(signature, slen);
         free(signature);
         free(chost);
         free(pkalg);
@@ -1899,79 +1681,6 @@ userauth_hostbased(Authctxt *authctxt)
         return 1;
 }
 
-#ifdef JPAKE
-int
-userauth_jpake(Authctxt *authctxt)
-{
-        struct jpake_ctx *pctx;
-        u_char *x1_proof, *x2_proof;
-        u_int x1_proof_len, x2_proof_len;
-        static int attempt = 0; /* XXX share with userauth_password's? */
-
-        if (attempt++ >= options.number_of_password_prompts)
-                return 0;
-        if (attempt != 1)
-                error("Permission denied, please try again.");
-
-        if (authctxt->methoddata != NULL)
-                fatal("%s: authctxt->methoddata already set (%p)",
-                    __func__, authctxt->methoddata);
-
-        authctxt->methoddata = pctx = jpake_new();
-
-        /*
-         * Send request immediately, to get the protocol going while
-         * we do the initial computations.
-         */
-        packet_start(SSH2_MSG_USERAUTH_REQUEST);
-        packet_put_cstring(authctxt->server_user);
-        packet_put_cstring(authctxt->service);
-        packet_put_cstring(authctxt->method->name);
-        packet_send();
-        packet_write_wait();
-
-        jpake_step1(pctx->grp,
-            &pctx->client_id, &pctx->client_id_len,
-            &pctx->x1, &pctx->x2, &pctx->g_x1, &pctx->g_x2,
-            &x1_proof, &x1_proof_len,
-            &x2_proof, &x2_proof_len);
-
-        JPAKE_DEBUG_CTX((pctx, "step 1 sending in %s", __func__));
-
-        packet_start(SSH2_MSG_USERAUTH_JPAKE_CLIENT_STEP1);
-        packet_put_string(pctx->client_id, pctx->client_id_len);
-        packet_put_bignum2(pctx->g_x1);
-        packet_put_bignum2(pctx->g_x2);
-        packet_put_string(x1_proof, x1_proof_len);
-        packet_put_string(x2_proof, x2_proof_len);
-        packet_send();
-
-        bzero(x1_proof, x1_proof_len);
-        bzero(x2_proof, x2_proof_len);
-        free(x1_proof);
-        free(x2_proof);
-
-        /* Expect step 1 packet from peer */
-        dispatch_set(SSH2_MSG_USERAUTH_JPAKE_SERVER_STEP1,
-            input_userauth_jpake_server_step1);
-        dispatch_set(SSH2_MSG_USERAUTH_SUCCESS,
-            &input_userauth_success_unexpected);
-
-        return 1;
-}
-
-void
-userauth_jpake_cleanup(Authctxt *authctxt)
-{
-        debug3("%s: clean up", __func__);
-        if (authctxt->methoddata != NULL) {
-                jpake_free(authctxt->methoddata);
-                authctxt->methoddata = NULL;
-        }
-        dispatch_set(SSH2_MSG_USERAUTH_SUCCESS, &input_userauth_success);
-}
-#endif /* JPAKE */
-
 /* find auth method */
 
 /*
diff --git a/sshd.0 b/sshd.0
index 154009c9f..c61d51535 100644
--- a/sshd.0
+++ b/sshd.0
@@ -640,4 +640,4 @@ CAVEATS
      System security is not improved unless rshd, rlogind, and rexecd are
      disabled (thus completely disabling rlogin and rsh into the machine).
 
-OpenBSD 5.4                    December 7, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    December 7, 2013                    OpenBSD 5.5
diff --git a/sshd.c b/sshd.c
index 23e8c2de0..ffe360c62 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.414 2014/01/09 23:26:48 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.420 2014/02/26 21:53:37 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -74,7 +74,6 @@
 
 #include <openssl/dh.h>
 #include <openssl/bn.h>
-#include <openssl/md5.h>
 #include <openssl/rand.h>
 #include "openbsd-compat/openssl-compat.h"
 
@@ -96,6 +95,7 @@
 #include "uidswap.h"
 #include "compat.h"
 #include "cipher.h"
+#include "digest.h"
 #include "key.h"
 #include "kex.h"
 #include "dh.h"
@@ -584,7 +584,7 @@ destroy_sensitive_data(void)
                 }
         }
         sensitive_data.ssh1_host_key = NULL;
-        memset(sensitive_data.ssh1_cookie, 0, SSH_SESSION_KEY_LENGTH);
+        explicit_bzero(sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
 }
 
 /* Demote private to public keys for network child */
@@ -623,10 +623,16 @@ privsep_preauth_child(void)
         /* Enable challenge-response authentication for privilege separation */
         privsep_challenge_enable();
 
+#ifdef GSSAPI
+        /* Cache supported mechanism OIDs for later use */
+        if (options.gss_authentication)
+                ssh_gssapi_prepare_supported_oids();
+#endif
+
         arc4random_stir();
         arc4random_buf(rnd, sizeof(rnd));
         RAND_seed(rnd, sizeof(rnd));
-        bzero(rnd, sizeof(rnd));
+        explicit_bzero(rnd, sizeof(rnd));
 
         /* Demote the private keys to public keys. */
         demote_sensitive_data();
@@ -761,7 +767,7 @@ privsep_postauth(Authctxt *authctxt)
         arc4random_stir();
         arc4random_buf(rnd, sizeof(rnd));
         RAND_seed(rnd, sizeof(rnd));
-        bzero(rnd, sizeof(rnd));
+        explicit_bzero(rnd, sizeof(rnd));
 
         /* Drop privileges */
         do_setusercontext(authctxt->pw, authctxt->role);
@@ -1360,7 +1366,7 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
                         arc4random_stir();
                         arc4random_buf(rnd, sizeof(rnd));
                         RAND_seed(rnd, sizeof(rnd));
-                        bzero(rnd, sizeof(rnd));
+                        explicit_bzero(rnd, sizeof(rnd));
                 }
 
                 /* child process check (or debug mode) */
@@ -1662,7 +1668,8 @@ main(int ac, char **av)
                         fatal("Privilege separation user %s does not exist",
                             SSH_PRIVSEP_USER);
         } else {
-                memset(privsep_pw->pw_passwd, 0, strlen(privsep_pw->pw_passwd));
+                explicit_bzero(privsep_pw->pw_passwd,
+                    strlen(privsep_pw->pw_passwd));
                 privsep_pw = pwcopy(privsep_pw);
                 free(privsep_pw->pw_passwd);
                 privsep_pw->pw_passwd = xstrdup("*");
@@ -2407,7 +2414,7 @@ do_ssh1_kex(void)
                             get_remote_ipaddr(), len, (u_long)sizeof(session_key));
                         rsafail++;
                 } else {
-                        memset(session_key, 0, sizeof(session_key));
+                        explicit_bzero(session_key, sizeof(session_key));
                         BN_bn2bin(session_key_int,
                             session_key + sizeof(session_key) - len);
 
@@ -2426,20 +2433,26 @@ do_ssh1_kex(void)
         if (rsafail) {
                 int bytes = BN_num_bytes(session_key_int);
                 u_char *buf = xmalloc(bytes);
-                MD5_CTX md;
+                struct ssh_digest_ctx *md;
 
                 logit("do_connection: generating a fake encryption key");
                 BN_bn2bin(session_key_int, buf);
-                MD5_Init(&md);
-                MD5_Update(&md, buf, bytes);
-                MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-                MD5_Final(session_key, &md);
-                MD5_Init(&md);
-                MD5_Update(&md, session_key, 16);
-                MD5_Update(&md, buf, bytes);
-                MD5_Update(&md, sensitive_data.ssh1_cookie, SSH_SESSION_KEY_LENGTH);
-                MD5_Final(session_key + 16, &md);
-                memset(buf, 0, bytes);
+                if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
+                    ssh_digest_update(md, buf, bytes) < 0 ||
+                    ssh_digest_update(md, sensitive_data.ssh1_cookie,
+                    SSH_SESSION_KEY_LENGTH) < 0 ||
+                    ssh_digest_final(md, session_key, sizeof(session_key)) < 0)
+                        fatal("%s: md5 failed", __func__);
+                ssh_digest_free(md);
+                if ((md = ssh_digest_start(SSH_DIGEST_MD5)) == NULL ||
+                    ssh_digest_update(md, session_key, 16) < 0 ||
+                    ssh_digest_update(md, sensitive_data.ssh1_cookie,
+                    SSH_SESSION_KEY_LENGTH) < 0 ||
+                    ssh_digest_final(md, session_key + 16,
+                    sizeof(session_key) - 16) < 0)
+                        fatal("%s: md5 failed", __func__);
+                ssh_digest_free(md);
+                explicit_bzero(buf, bytes);
                 free(buf);
                 for (i = 0; i < 16; i++)
                         session_id[i] = session_key[i] ^ session_key[i + 16];
@@ -2457,7 +2470,7 @@ do_ssh1_kex(void)
         packet_set_encryption_key(session_key, SSH_SESSION_KEY_LENGTH, cipher_type);
 
         /* Destroy our copy of the session key.  It is no longer needed. */
-        memset(session_key, 0, sizeof(session_key));
+        explicit_bzero(session_key, sizeof(session_key));
 
         debug("Received session key; encryption turned on.");
 
diff --git a/sshd_config.0 b/sshd_config.0
index 5962b02b9..413c26008 100644
--- a/sshd_config.0
+++ b/sshd_config.0
@@ -374,6 +374,12 @@ DESCRIPTION
              interactive sessions and ``throughput'' for non-interactive
              sessions.
 
+     KbdInteractiveAuthentication
+             Specifies whether to allow keyboard-interactive authentication.
+             The argument to this keyword must be ``yes'' or ``no''.  The
+             default is to use whatever value ChallengeResponseAuthentication
+             is set to (by default ``yes'').
+
      KerberosAuthentication
              Specifies whether the password provided by the user for
              PasswordAuthentication will be validated through the Kerberos
@@ -460,7 +466,9 @@ DESCRIPTION
      Match   Introduces a conditional block.  If all of the criteria on the
              Match line are satisfied, the keywords on the following lines
              override those set in the global section of the config file,
-             until either another Match line or the end of the file.
+             until either another Match line or the end of the file.  If a
+             keyword appears in multiple Match blocks that are satisified,
+             only the first instance of the keyword is applied.
 
              The arguments to Match are one or more criteria-pattern pairs or
              the single token All which matches all criteria.  The available
@@ -824,4 +832,4 @@ AUTHORS
      versions 1.5 and 2.0.  Niels Provos and Markus Friedl contributed support
      for privilege separation.
 
-OpenBSD 5.4                    December 8, 2013                    OpenBSD 5.4
+OpenBSD 5.5                    February 27, 2014                   OpenBSD 5.5
diff --git a/sshd_config.5 b/sshd_config.5
index 496530bf5..90fd3f4a8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.170 2013/12/08 09:53:27 dtucker Exp $
-.Dd $Mdocdate: December 8 2013 $
+.\" $OpenBSD: sshd_config.5,v 1.172 2014/02/27 22:47:07 djm Exp $
+.Dd $Mdocdate: February 27 2014 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -690,6 +690,17 @@ The default is
 for interactive sessions and
 .Dq throughput
 for non-interactive sessions.
+.It Cm KbdInteractiveAuthentication
+Specifies whether to allow keyboard-interactive authentication.
+The argument to this keyword must be
+.Dq yes
+or
+.Dq no .
+The default is to use whatever value
+.Cm ChallengeResponseAuthentication
+is set to
+(by default
+.Dq yes ) .
 .It Cm KerberosAuthentication
 Specifies whether the password provided by the user for
 .Cm PasswordAuthentication
@@ -816,6 +827,10 @@ line are satisfied, the keywords on the following lines override those
 set in the global section of the config file, until either another
 .Cm Match
 line or the end of the file.
+If a keyword appears in multiple
+.Cm Match
+blocks that are satisified, only the first instance of the keyword is
+applied.
 .Pp
 The arguments to
 .Cm Match
diff --git a/sshlogin.c b/sshlogin.c
index 2688d8d7b..e79ca9b47 100644
--- a/sshlogin.c
+++ b/sshlogin.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshlogin.c,v 1.27 2011/01/11 06:06:09 djm Exp $ */
+/* $OpenBSD: sshlogin.c,v 1.28 2014/01/31 16:39:19 tedu Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
diff --git a/version.h b/version.h
index 0c6ea0fc9..a97c337a3 100644
--- a/version.h
+++ b/version.h
@@ -1,6 +1,6 @@
-/* $OpenBSD: version.h,v 1.69 2014/01/16 07:32:00 djm Exp $ */
+/* $OpenBSD: version.h,v 1.70 2014/02/27 22:57:40 djm Exp $ */
 
-#define SSH_VERSION     "OpenSSH_6.5"
+#define SSH_VERSION     "OpenSSH_6.6"
 
 #define SSH_PORTABLE    "p1"
 #define SSH_RELEASE_MINIMUM     SSH_VERSION SSH_PORTABLE