From 096fb65084593f9f3c1fc91b6d9052759a272a00 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Mon, 20 Mar 2017 22:08:06 +0000
Subject: upstream commit

remove /usr/bin/time calls around tests, makes diffing test runs harder. Based on patch from Mike Frysinger

Upstream-Regress-ID: 81c1083b14dcf473b23d2817882f40b346ebc95c
---
 regress/keytype.sh | 15 +++++----------
 1 file changed, 5 insertions(+), 10 deletions(-)

(limited to 'regress')

diff --git a/regress/keytype.sh b/regress/keytype.sh
index 8f697788f..88b022de4 100644
--- a/regress/keytype.sh
+++ b/regress/keytype.sh
@@ -1,13 +1,8 @@
-# $OpenBSD: keytype.sh,v 1.4 2015/07/10 06:23:25 markus Exp $
+# $OpenBSD: keytype.sh,v 1.5 2017/03/20 22:08:06 djm Exp $
 # Placed in the Public Domain.
 
 tid="login with different key types"
 
-TIME=`which time 2>/dev/null`
-if test ! -x "$TIME"; then
- TIME=""
-fi
-
 cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak
 cp $OBJ/ssh_proxy $OBJ/ssh_proxy_bak
 
@@ -26,8 +21,8 @@ for kt in $ktypes; do
 rm -f $OBJ/key.$kt
 bits=`echo ${kt} | awk -F- '{print $2}'`
 type=`echo ${kt} | awk -F- '{print $1}'`
- printf "keygen $type, $bits bits:\t"
- ${TIME} ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
+ verbose "keygen $type, $bits bits"
+ ${SSHKEYGEN} -b $bits -q -N '' -t $type -f $OBJ/key.$kt ||\
 fail "ssh-keygen for type $type, $bits bits failed"
 done
 
@@ -63,8 +58,8 @@ for ut in $ktypes; do
 ) > $OBJ/known_hosts
 cat $OBJ/key.$ut.pub > $OBJ/authorized_keys_$USER
 for i in $tries; do
- printf "userkey $ut, hostkey ${ht}:\t"
- ${TIME} ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
+ verbose "userkey $ut, hostkey ${ht}"
+ ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true
 if [ $? -ne 0 ]; then
 fail "ssh userkey $ut, hostkey $ht failed"
 fi
-- 
cgit v1.2.3


From e0194b471efe7d3daedc9cc66686cb1ab69d3be8 Mon Sep 17 00:00:00 2001
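Review bot: In the third hunk the new `${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true` line is still followed by a separate `if [ $? -ne 0 ]; then` test; with the `${TIME}` wrapper gone there is no longer anything between the command and its status check, so the result can be tested directly as `if ! ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true; then`, provided the regress scripts' target shells accept the POSIX `!` negation. The same applies to the `||\` form in the second hunk, which already tests the command status inline and is the clearer of the two patterns. Both enclosing `for` loops start and end outside the hunks.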
From: "jsg@openbsd.org"
Date: Mon, 17 Apr 2017 11:02:31 +0000
Subject: upstream commit

Change COMPILER_VERSION tests which limited additional warnings to gcc4 to instead skip them on gcc3 as clang can handle -Wpointer-sign and -Wold-style-definition.

Upstream-Regress-ID: e48d7dc13e48d9334b8195ef884dfbc51316012f
---
 regress/misc/kexfuzz/Makefile | 4 ++--
 regress/unittests/Makefile.inc | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

(limited to 'regress')

diff --git a/regress/misc/kexfuzz/Makefile b/regress/misc/kexfuzz/Makefile
index 3018b632f..d0aca8dfe 100644
--- a/regress/misc/kexfuzz/Makefile
+++ b/regress/misc/kexfuzz/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.1 2016/03/04 02:30:37 djm Exp $
+# $OpenBSD: Makefile,v 1.2 2017/04/17 11:02:31 jsg Exp $
 
 .include
 .include
@@ -49,7 +49,7 @@ CDIAGFLAGS+= -Wswitch
 CDIAGFLAGS+= -Wtrigraphs
 CDIAGFLAGS+= -Wuninitialized
 CDIAGFLAGS+= -Wunused
-.if ${COMPILER_VERSION} == "gcc4"
+.if ${COMPILER_VERSION:L} != "gcc3"
 CDIAGFLAGS+= -Wpointer-sign
 CDIAGFLAGS+= -Wold-style-definition
 .endif
diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 3d9eaba5c..00c9dd191 100644
--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.9 2016/11/01 13:43:27 tb Exp $
+# $OpenBSD: Makefile.inc,v 1.10 2017/04/17 11:02:31 jsg Exp $
 
 .include
 .include
@@ -30,7 +30,7 @@ CDIAGFLAGS+= -Wswitch
 CDIAGFLAGS+= -Wtrigraphs
 CDIAGFLAGS+= -Wuninitialized
 CDIAGFLAGS+= -Wunused
-.if ${COMPILER_VERSION} == "gcc4"
+.if ${COMPILER_VERSION:L} != "gcc3"
 CDIAGFLAGS+= -Wpointer-sign
 CDIAGFLAGS+= -Wold-style-definition
 .endif
-- 
cgit v1.2.3


From 06ec837a34542627e2183a412d6a9d2236f22140 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Fri, 28 Apr 2017 14:30:03 +1000
Subject: Id sync for integrity.sh rev 1.21 which pulls in some shell portability fixes

---
 regress/integrity.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'regress')
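Review bot: The new `.if ${COMPILER_VERSION:L} != "gcc3"` test in regress/misc/kexfuzz/Makefile, and the identical one in regress/unittests/Makefile.inc, carries no explanation of why gcc3 alone is excluded; the commit message has the reasoning but a reader of the Makefile does not. A one-line comment above the test, `# gcc3 does not accept these warnings; gcc4+ and clang do`, keeps that with the code. Because the test is now inverted, an unset or unrecognised COMPILER_VERSION also enables the two warnings, which appears to be the intent but is worth stating in the same comment so a future port does not read it as an accident.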
diff --git a/regress/integrity.sh b/regress/integrity.sh
index 1df2924f5..978234d00 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: integrity.sh,v 1.20 2017/01/06 02:26:10 dtucker Exp $
+# $OpenBSD: integrity.sh,v 1.21 2017/04/28 04:00:14 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="integrity"
-- 
cgit v1.2.3


From 9504ea6b27f9f0ece64e88582ebb9235e664a100 Mon Sep 17 00:00:00 2001
From: Darren Tucker
Date: Fri, 28 Apr 2017 14:33:43 +1000
Subject: Merge integrity.sh rev 1.22.

Merge missing bits from Colin Watson's patch in bz#2658 which make integrity tests more robust against timeouts. ok djm@

---
 regress/integrity.sh | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

(limited to 'regress')

diff --git a/regress/integrity.sh b/regress/integrity.sh
index 978234d00..b71aa46fd 100644
--- a/regress/integrity.sh
+++ b/regress/integrity.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: integrity.sh,v 1.21 2017/04/28 04:00:14 dtucker Exp $
+# $OpenBSD: integrity.sh,v 1.22 2017/04/28 04:16:27 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="integrity"
@@ -60,14 +60,16 @@ for m in $macs; do
 Corrupted?MAC* | *message?authentication?code?incorrect*)
 emac=`expr $emac + 1`; skip=0;;
 padding*) epad=`expr $epad + 1`; skip=0;;
+ *Timeout,?server*)
+ etmo=`expr $etmo + 1`; skip=0;;
 *) fail "unexpected error mac $m at $off: $out";;
 esac
 done
- verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen"
+ verbose "test $tid: $ecnt errors: mac $emac padding $epad length $elen timeout $etmo"
 if [ $emac -eq 0 ]; then
 fail "$m: no mac errors"
 fi
- expect=`expr $ecnt - $epad - $elen`
+ expect=`expr $ecnt - $epad - $elen - $etmo`
 if [ $emac -ne $expect ]; then
 fail "$m: expected $expect mac errors, got $emac"
 fi
-- 
cgit v1.2.3


From 557f921aad004be15805e09fd9572969eb3d9321 Mon Sep 17 00:00:00 2001
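Review bot: The new `*Timeout,?server*)` arm increments `etmo`, but nothing in this hunk initialises it next to `emac`, `epad` and `elen`; if `etmo=0` is not set at the top of the `for m in $macs` loop (which starts and ends outside the hunk), the first timeout runs `expr + 1`, an expr syntax error, and on the changed `expect=` line `expect` comes out empty so `[ $emac -ne $expect ]` aborts with a test error instead of a result. Worth confirming the initialisation exists or adding `etmo=0` beside the other counters. Separately, timeouts are now subtracted from the expected MAC-error count rather than reported, so a run in which most corrupted packets time out still passes as long as a single MAC error is seen; if that is looser than intended, the `verbose` line already exposes `$etmo` and a ceiling on it would keep the check meaningful.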
From: "djm@openbsd.org"
Date: Sun, 30 Apr 2017 23:33:48 +0000
Subject: upstream commit

remove SSHv1 support from unit tests

Upstream-Regress-ID: 395ca2aa48f1f7d23eefff6cb849ea733ca8bbfe
---
 regress/unittests/Makefile.inc | 2 +-
 regress/unittests/hostkeys/mktestdata.sh | 16 +-
 regress/unittests/hostkeys/test_iterate.c | 249 +++++------------------
 regress/unittests/hostkeys/testdata/known_hosts | 45 ++---
 regress/unittests/sshkey/mktestdata.sh | 35 +---
 regress/unittests/sshkey/test_file.c | 51 +----
 regress/unittests/sshkey/test_fuzz.c | 45 +----
 regress/unittests/sshkey/test_sshkey.c | 12 +-
 8 files changed, 76 insertions(+), 379 deletions(-)

(limited to 'regress')

diff --git a/regress/unittests/Makefile.inc b/regress/unittests/Makefile.inc
index 00c9dd191..36d1ff42c 100644
--- a/regress/unittests/Makefile.inc
+++ b/regress/unittests/Makefile.inc
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile.inc,v 1.10 2017/04/17 11:02:31 jsg Exp $
+# $OpenBSD: Makefile.inc,v 1.11 2017/04/30 23:33:48 djm Exp $
 
 .include
 .include
diff --git a/regress/unittests/hostkeys/mktestdata.sh b/regress/unittests/hostkeys/mktestdata.sh
index 36890ba11..5a46de990 100644
--- a/regress/unittests/hostkeys/mktestdata.sh
+++ b/regress/unittests/hostkeys/mktestdata.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
-# $OpenBSD: mktestdata.sh,v 1.1 2015/02/16 22:18:34 djm Exp $
+# $OpenBSD: mktestdata.sh,v 1.2 2017/04/30 23:33:48 djm Exp $
 
 set -ex
 
 cd testdata
-rm -f rsa1* rsa* dsa* ecdsa* ed25519*
+rm -f rsa* dsa* ecdsa* ed25519*
 rm -f known_hosts*
 
 gen_all() {
@@ -13,13 +13,12 @@ gen_all() {
 _ecdsa_bits=256
 test "x$_n" = "x1" && _ecdsa_bits=384
 test "x$_n" = "x2" && _ecdsa_bits=521
- ssh-keygen -qt rsa1 -b 1024 -C "RSA1 #$_n" -N "" -f rsa1_$_n
 ssh-keygen -qt rsa -b 1024 -C "RSA #$_n" -N "" -f rsa_$_n
 ssh-keygen -qt dsa -b 1024 -C "DSA #$_n" -N "" -f dsa_$_n
 ssh-keygen -qt ecdsa -b $_ecdsa_bits -C "ECDSA #$_n" -N "" -f ecdsa_$_n
 ssh-keygen -qt ed25519 -C "ED25519 #$_n" -N "" -f ed25519_$_n
 # Don't need private keys
- rm -f rsa1_$_n rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n
+ rm -f rsa_$_n dsa_$_n ecdsa_$_n ed25519_$_n
 }
 
 hentries() {
@@ -64,7 +63,6 @@ rm -f known_hosts_hash_frag.old
 
 echo
 echo "# Revoked and CA keys"
- printf "@revoked sisyphus.example.com " ; cat rsa1_4.pub
 printf "@revoked sisyphus.example.com " ; cat ed25519_4.pub
 printf "@cert-authority prometheus.example.com " ; cat ecdsa_4.pub
 printf "@cert-authority *.example.com " ; cat dsa_4.pub
@@ -72,19 +70,13 @@ rm -f known_hosts_hash_frag.old
 printf "\n"
 echo "# Some invalid lines"
 # Invalid marker
- printf "@what sisyphus.example.com " ; cat rsa1_1.pub
+ printf "@what sisyphus.example.com " ; cat dsa_1.pub
 # Key missing
 echo "sisyphus.example.com "
 # Key blob missing
 echo "prometheus.example.com ssh-ed25519 "
 # Key blob truncated
 echo "sisyphus.example.com ssh-dsa AAAATgAAAAdz"
- # RSA1 key truncated after key bits
- echo "prometheus.example.com 1024 "
- # RSA1 key truncated after exponent
- echo "sisyphus.example.com 1024 65535 "
- # RSA1 key incorrect key bits
- printf "prometheus.example.com 1025 " ; cut -d' ' -f2- < rsa1_1.pub
 # Invalid type
 echo "sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg=="
 # Type mismatch with blob
diff --git a/regress/unittests/hostkeys/test_iterate.c b/regress/unittests/hostkeys/test_iterate.c
index 2eaaf063a..751825dda 100644
--- a/regress/unittests/hostkeys/test_iterate.c
+++ b/regress/unittests/hostkeys/test_iterate.c
@@ -1,4 +1,4 @@ -/* $OpenBSD: test_iterate.c,v 1.4 2015/03/31 22:59:01 djm Exp $ */ +/* $OpenBSD: test_iterate.c,v 1.5 2017/04/30 23:33:48 djm Exp $ */ /* * Regress test for hostfile.h hostkeys_foreach() * @@ -90,14 +90,6 @@ check(struct hostkey_foreach_line *l, void *_ctx) expected_keytype = (parse_key || expected->no_parse_keytype < 0) ? expected->l.keytype : expected->no_parse_keytype; -#ifndef WITH_SSH1 - if (parse_key && (expected->l.keytype == KEY_RSA1 || - expected->no_parse_keytype == KEY_RSA1)) { - expected_status = HKF_STATUS_INVALID; - expected_keytype = KEY_UNSPEC; - parse_key = 0; - } -#endif #ifndef OPENSSL_HAS_ECC if (expected->l.keytype == KEY_ECDSA || expected->no_parse_keytype == KEY_ECDSA) { @@ -150,10 +142,6 @@ prepare_expected(struct expected *expected, size_t n) for (i = 0; i < n; i++) { if (expected[i].key_file == NULL) continue; -#ifndef WITH_SSH1 - if (expected[i].l.keytype == KEY_RSA1) - continue; -#endif #ifndef OPENSSL_HAS_ECC if (expected[i].l.keytype == KEY_ECDSA) continue; @@ -217,22 +205,9 @@ struct expected expected_full[] = { NULL, /* filled at runtime */ "ED25519 #1", } }, - { "rsa1_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { - NULL, - 5, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - "sisyphus.example.com", - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #1", - } }, { "rsa_1.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { NULL, - 6, + 5, HKF_STATUS_OK, 0, NULL, @@ -245,7 +220,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 7, + 6, HKF_STATUS_COMMENT, 0, "", @@ -258,7 +233,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 8, + 7, HKF_STATUS_COMMENT, 0, "# Plain host keys, hostnames + addresses", @@ -271,7 +246,7 @@ struct expected expected_full[] = { } }, { "dsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 9, + 8, HKF_STATUS_OK, 0, NULL, 
@@ -284,7 +259,7 @@ struct expected expected_full[] = { } }, { "ecdsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 10, + 9, HKF_STATUS_OK, 0, NULL, @@ -297,7 +272,7 @@ struct expected expected_full[] = { } }, { "ed25519_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 11, + 10, HKF_STATUS_OK, 0, NULL, @@ -308,22 +283,9 @@ struct expected expected_full[] = { NULL, /* filled at runtime */ "ED25519 #2", } }, - { "rsa1_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { - NULL, - 12, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - "prometheus.example.com,192.0.2.1,2001:db8::1", - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #2", - } }, { "rsa_2.pub" , -1, -1, HKF_MATCH_HOST, 0, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 13, + 11, HKF_STATUS_OK, 0, NULL, @@ -336,7 +298,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 14, + 12, HKF_STATUS_COMMENT, 0, "", @@ -349,7 +311,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 15, + 13, HKF_STATUS_COMMENT, 0, "# Some hosts with wildcard names / IPs", @@ -362,7 +324,7 @@ struct expected expected_full[] = { } }, { "dsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 16, + 14, HKF_STATUS_OK, 0, NULL, @@ -375,7 +337,7 @@ struct expected expected_full[] = { } }, { "ecdsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 17, + 15, HKF_STATUS_OK, 0, NULL, @@ -388,7 +350,7 @@ struct expected expected_full[] = { } }, { "ed25519_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 18, + 16, HKF_STATUS_OK, 0, NULL, 
@@ -399,22 +361,9 @@ struct expected expected_full[] = { NULL, /* filled at runtime */ "ED25519 #3", } }, - { "rsa1_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { - NULL, - 19, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - "*.example.com,192.0.2.*,2001:*", - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #3", - } }, { "rsa_3.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, HKF_MATCH_IP, HKF_MATCH_IP, -1, { NULL, - 20, + 17, HKF_STATUS_OK, 0, NULL, @@ -427,7 +376,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 21, + 18, HKF_STATUS_COMMENT, 0, "", @@ -440,7 +389,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 22, + 19, HKF_STATUS_COMMENT, 0, "# Hashed hostname and address entries", @@ -453,7 +402,7 @@ struct expected expected_full[] = { } }, { "dsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { NULL, - 23, + 20, HKF_STATUS_OK, 0, NULL, @@ -466,7 +415,7 @@ struct expected expected_full[] = { } }, { "ecdsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { NULL, - 24, + 21, HKF_STATUS_OK, 0, NULL, @@ -479,7 +428,7 @@ struct expected expected_full[] = { } }, { "ed25519_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { NULL, - 25, + 22, HKF_STATUS_OK, 0, NULL, @@ -490,22 +439,9 @@ struct expected expected_full[] = { NULL, /* filled at runtime */ "ED25519 #5", } }, - { "rsa1_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { - NULL, - 26, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - NULL, - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #5", - } }, { "rsa_5.pub" , -1, -1, 0, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, -1, { NULL, - 27, + 23, HKF_STATUS_OK, 0, NULL, @@ -518,7 +454,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 28, + 24, HKF_STATUS_COMMENT, 0, "", 
@@ -536,7 +472,7 @@ struct expected expected_full[] = { */ { "dsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { NULL, - 29, + 25, HKF_STATUS_OK, 0, NULL, @@ -549,7 +485,7 @@ struct expected expected_full[] = { } }, { "dsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { NULL, - 30, + 26, HKF_STATUS_OK, 0, NULL, @@ -562,7 +498,7 @@ struct expected expected_full[] = { } }, { "dsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { NULL, - 31, + 27, HKF_STATUS_OK, 0, NULL, @@ -575,7 +511,7 @@ struct expected expected_full[] = { } }, { "ecdsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { NULL, - 32, + 28, HKF_STATUS_OK, 0, NULL, @@ -588,7 +524,7 @@ struct expected expected_full[] = { } }, { "ecdsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { NULL, - 33, + 29, HKF_STATUS_OK, 0, NULL, @@ -601,7 +537,7 @@ struct expected expected_full[] = { } }, { "ecdsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { NULL, - 34, + 30, HKF_STATUS_OK, 0, NULL, @@ -614,7 +550,7 @@ struct expected expected_full[] = { } }, { "ed25519_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { NULL, - 35, + 31, HKF_STATUS_OK, 0, NULL, @@ -627,7 +563,7 @@ struct expected expected_full[] = { } }, { "ed25519_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { NULL, - 36, + 32, HKF_STATUS_OK, 0, NULL, @@ -640,7 +576,7 @@ struct expected expected_full[] = { } }, { "ed25519_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { NULL, - 37, + 33, HKF_STATUS_OK, 0, NULL, 
@@ -651,48 +587,9 @@ struct expected expected_full[] = { NULL, /* filled at runtime */ "ED25519 #6", } }, - { "rsa1_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { - NULL, - 38, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - NULL, - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #6", - } }, - { "rsa1_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { - NULL, - 39, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - NULL, - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #6", - } }, - { "rsa1_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { - NULL, - 40, - HKF_STATUS_OK, - 0, - NULL, - MRK_NONE, - NULL, - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #6", - } }, { "rsa_6.pub" , -1, -1, HKF_MATCH_HOST|HKF_MATCH_HOST_HASHED, 0, 0, 0, -1, { NULL, - 41, + 34, HKF_STATUS_OK, 0, NULL, @@ -705,7 +602,7 @@ struct expected expected_full[] = { } }, { "rsa_6.pub" , -1, -1, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, 0, -1, { NULL, - 42, + 35, HKF_STATUS_OK, 0, NULL, @@ -718,7 +615,7 @@ struct expected expected_full[] = { } }, { "rsa_6.pub" , -1, -1, 0, 0, 0, HKF_MATCH_IP|HKF_MATCH_IP_HASHED, -1, { NULL, - 43, + 36, HKF_STATUS_OK, 0, NULL, @@ -731,7 +628,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 44, + 37, HKF_STATUS_COMMENT, 0, "", @@ -744,7 +641,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 45, + 38, HKF_STATUS_COMMENT, 0, "", @@ -757,7 +654,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 46, + 39, HKF_STATUS_COMMENT, 0, "# Revoked and CA keys", 
@@ -768,22 +665,9 @@ struct expected expected_full[] = { NULL, NULL, } }, - { "rsa1_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { - NULL, - 47, - HKF_STATUS_OK, - 0, - NULL, - MRK_REVOKE, - "sisyphus.example.com", - NULL, - KEY_RSA1, - NULL, /* filled at runtime */ - "RSA1 #4", - } }, { "ed25519_4.pub" , -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { NULL, - 48, + 40, HKF_STATUS_OK, 0, NULL, @@ -796,7 +680,7 @@ struct expected expected_full[] = { } }, { "ecdsa_4.pub" , -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { NULL, - 49, + 41, HKF_STATUS_OK, 0, NULL, @@ -809,7 +693,7 @@ struct expected expected_full[] = { } }, { "dsa_4.pub" , -1, -1, HKF_MATCH_HOST, HKF_MATCH_HOST, 0, 0, -1, { NULL, - 50, + 42, HKF_STATUS_OK, 0, NULL, @@ -822,7 +706,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 51, + 43, HKF_STATUS_COMMENT, 0, "", @@ -835,7 +719,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 52, + 44, HKF_STATUS_COMMENT, 0, "# Some invalid lines", @@ -848,7 +732,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, 0, 0, 0, -1, { NULL, - 53, + 45, HKF_STATUS_INVALID, 0, NULL, @@ -861,7 +745,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { NULL, - 54, + 46, HKF_STATUS_INVALID, 0, NULL, @@ -874,7 +758,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { NULL, - 55, + 47, HKF_STATUS_INVALID, 0, NULL, 
@@ -887,33 +771,7 @@ struct expected expected_full[] = { } }, { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { NULL, - 56, - HKF_STATUS_INVALID, /* Would be ok if key not parsed */ - 0, - NULL, - MRK_NONE, - "sisyphus.example.com", - NULL, - KEY_UNSPEC, - NULL, - NULL, - } }, - { NULL, -1, -1, HKF_MATCH_HOST, 0, 0, 0, -1, { - NULL, - 57, - HKF_STATUS_INVALID, /* Would be ok if key not parsed */ - 0, - NULL, - MRK_NONE, - "prometheus.example.com", - NULL, - KEY_UNSPEC, - NULL, - NULL, - } }, - { NULL, HKF_STATUS_OK, KEY_RSA1, 0, HKF_MATCH_HOST, 0, 0, -1, { - NULL, - 58, + 48, HKF_STATUS_INVALID, /* Would be ok if key not parsed */ 0, NULL, @@ -924,22 +782,9 @@ struct expected expected_full[] = { NULL, NULL, } }, - { NULL, HKF_STATUS_OK, KEY_RSA1, HKF_MATCH_HOST, 0, 0, 0, -1, { - NULL, - 59, - HKF_STATUS_INVALID, /* Would be ok if key not parsed */ - 0, - NULL, - MRK_NONE, - "prometheus.example.com", - NULL, - KEY_UNSPEC, - NULL, /* filled at runtime */ - NULL, - } }, { NULL, -1, -1, 0, HKF_MATCH_HOST, 0, 0, -1, { NULL, - 60, + 49, HKF_STATUS_INVALID, 0, NULL, @@ -952,7 +797,7 @@ struct expected expected_full[] = { } }, { NULL, HKF_STATUS_OK, KEY_RSA, HKF_MATCH_HOST, 0, 0, 0, -1, { NULL, - 61, + 50, HKF_STATUS_INVALID, /* Would be ok if key not parsed */ 0, NULL, diff --git a/regress/unittests/hostkeys/testdata/known_hosts b/regress/unittests/hostkeys/testdata/known_hosts index 3740f674b..4446f45df 100644 --- a/regress/unittests/hostkeys/testdata/known_hosts +++ b/regress/unittests/hostkeys/testdata/known_hosts 
@@ -2,60 +2,49 @@ sisyphus.example.com ssh-dss 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 DSA #1 sisyphus.example.com ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhBF6yQEtD9yBw9gmDRf477WBBzvWhAa0ioBI3nbA4emKykj0RbuQd5C4XdQAEOZGzE7v//FcCjwB2wi+JH5eKkxCtN6CjohDASZ1huoIV2UVyYIicZJEEOg1IWjjphvaxtw== ECDSA #1 sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIK9ks7jkua5YWIwByRnnnc6UPJQWI75O0e/UJdPYU1JI ED25519 #1 -sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 sisyphus.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDg4hB4vAZHJ0PVRiJajOv/GlytFWNpv5/9xgB9+5BIbvp8LOrFZ5D9K0Gsmwpd4G4rfaAz8j896DhMArg0vtkilIPPGt/6VzWMERgvaIQPJ/IE99X3+fjcAG56oAWwy29JX10lQMzBPU6XJIaN/zqpkb6qUBiAHBdLpxrFBBU0/w== RSA #1 # Plain host keys, hostnames + addresses prometheus.example.com,192.0.2.1,2001:db8::1 ssh-dss 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 DSA #2 prometheus.example.com,192.0.2.1,2001:db8::1 ecdsa-sha2-nistp521 AAAAE2VjZHNhLXNoYTItbmlzdHA1MjEAAAAIbmlzdHA1MjEAAACFBAB8qVcXwgBM92NCmReQlPrZAoui4Bz/mW0VUBFOpHXXW1n+15b/Y7Pc6UBd/ITTZmaBciXY+PWaSBGdwc5GdqGdLgFyJ/QAGrFMPNpVutm/82gNQzlxpNwjbMcKyiZEXzSgnjS6DzMQ0WuSMdzIBXq8OW/Kafxg4ZkU6YqALUXxlQMZuQ== ECDSA #2 prometheus.example.com,192.0.2.1,2001:db8::1 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIBp6PVW0z2o9C4Ukv/JOgmK7QMFe1pD1s3ADFF7IQob ED25519 #2 -prometheus.example.com,192.0.2.1,2001:db8::1 1024 65537 
135970715082947442639683969597180728933388298633245835186618852623800675939308729462220235058285909679252157995530180587329132927339620517781785310829060832352381015614725360278571924286986474946772141568893116432268565829418506866604294073334978275702221949783314402806080929601995102334442541344606109853641 RSA1 #2 prometheus.example.com,192.0.2.1,2001:db8::1 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDmbUhNabB5AmBDX6GNHZ3lbn7pRxqfpW+f53QqNGlK0sLV+0gkMIrOfUp1kdE2ZLE6tfzdicatj/RlH6/wuo4yyYb+Pyx3G0vxdmAIiA4aANq38XweDucBC0TZkRWVHK+Gs5V/uV0z7N0axJvkkJujMLvST3CRiiWwlficBc6yVQ== RSA #2 # Some hosts with wildcard names / IPs *.example.com,192.0.2.*,2001:* ssh-dss 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 DSA #3 *.example.com,192.0.2.*,2001:* ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIb3BhJZk+vUQPg5TQc1koIzuGqloCq7wjr9LjlhG24IBeiFHLsdWw74HDlH4DrOmlxToVYk2lTdnjARleRByjk= ECDSA #3 *.example.com,192.0.2.*,2001:* ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBlYfExtYZAPqYvYdrlpGlSWhh/XNHcH3v3c2JzsVNbB ED25519 #3 -*.example.com,192.0.2.*,2001:* 1024 65537 125895605498029643697051635076028105429632810811904702876152645261610759866299221305725069141163240694267669117205342283569102183636228981857946763978553664895308762890072813014496700601576921921752482059207749978374872713540759920335553799711267170948655579130584031555334229966603000896364091459595522912269 RSA1 #3 *.example.com,192.0.2.*,2001:* ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDX8F93W3SH4ZSus4XUQ2cw9dqcuyUETTlKEeGv3zlknV3YCoe2Mp04naDhiuwj8sOsytrZSESzLY1ZEyzrjxE6ZFVv8NKgck/AbRjcwlRFOcx9oKUxOrXRa0IoXlTq0kyjKCJfaHBKnGitZThknCPTbVmpATkm5xx6J0WEDozfoQ== RSA #3 # Hashed hostname and address entries -|1|6FWxoqTCAfm8sZ7T/q73OmxCFGM=|S4eQmusok4cbyDzzGEFGIAthDbw= ssh-dss 
AAAAB3NzaC1kc3MAAACBALrFy7w5ihlaOG+qR+6fj+vm5EQaO3qwxgACLcgH+VfShuOG4mkx8qFJmf+OZ3fh5iKngjNZfKtfcqI7zHWdk6378TQfQC52/kbZukjNXOLCpyNkogahcjA00onIoTK1RUDuMW28edAHwPFbpttXDTaqis+8JPMY8hZwsZGENCzTAAAAFQD6+It5vozwGgaN9ROYPMlByhi6jwAAAIBz2mcAC694vNzz9b6614gkX9d9E99PzJYfU1MPkXDziKg7MrjBw7Opd5y1jL09S3iL6lSTlHkKwVKvQ3pOwWRwXXRrKVus4I0STveoApm526jmp6mY0YEtqR98vMJ0v97h1ydt8FikKlihefCsnXVicb8887PXs2Y8C6GuFT3tfQAAAIBbmHtV5tPcrMRDkULhaQ/Whap2VKvT2DUhIHA7lx6oy/KpkltOpxDZOIGUHKqffGbiR7Jh01/y090AY5L2eCf0S2Ytx93+eADwVVpJbFJo6zSwfeey2Gm6L2oA+rCz9zTdmtZoekpD3/RAOQjnJIAPwbs7mXwabZTw4xRtiYIRrw== DSA #5 -|1|hTrfD0CuuB9ZbOa1CHFYvIk/gKE=|tPmW50t7flncm1UyM+DR97ubDNU= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 -|1|fOGqe75X5ZpTz4c7DitP4E8/y30=|Lmcch2fh54bUYoV//S2VqDFVeiY= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 -|1|0RVzLjY3lwE3MRweguaAXaCCWk8=|DbcIgJQcRZJMYI6NYDOM6oJycPk= 1024 65537 127931411493401587586867047972295564331543694182352197506125410692673654572057908999642645524647232712160516076508316152810117209181150078352725299319149726341058893406440426414316276977768958023952319602422835879783057966985348561111880658922724668687074412548487722084792283453716871417610020757212399252171 RSA1 #5 -|1|4q79XnHpKBNQhyMLAqbPPDN+JKo=|k1Wvjjb52zDdrXWM801+wX5oH8U= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5 +|1|z3xOIdT5ue3Vuf3MzT67kaioqjw=|GZhhe5uwDOBQrC9N4cCjpbLpSn4= ssh-dss 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 DSA #5 +|1|B7t/AYabn8zgwU47Cb4A/Nqt3eI=|arQPZyRphkzisr7w6wwikvhaOyE= ecdsa-sha2-nistp256 
AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBPIudcagzq4QPtP1jkpje34+0POLB0jwT64hqrbCqhTH2T800KDZ0h2vwlJYa3OP3Oqru9AB5pnuHsKw7mAhUGY= ECDSA #5 +|1|JR81WxEocTP5d7goIRkl8fHBbno=|l6sj6FOsoXxgEZMzn/BnOfPKN68= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINf63qSV8rD57N+digID8t28WVhd3Yf2K2UhaoG8TsWQ ED25519 #5 +|1|W7x4zY6KtTZJgsopyOusJqvVPag=|QauLt7hKezBZFZi2i4Xopho7Nsk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC/C15Q4sfnk7BZff1er8bscay+5s51oD4eWArlHWMK/ZfYeeTAccTy+7B7Jv+MS4nKCpflrvJI2RQz4kS8vF0ATdBbi4jeWefStlHNg0HLhnCY7NAfDIlRdaN9lm3Pqm2vmr+CkqwcJaSpycDg8nPN9yNAuD6pv7NDuUnECezojQ== RSA #5 -|1|0M6PIx6THA3ipIOvTl3fcgn2z+A=|bwEJAOwJz+Sm7orFdgj170mD/zY= ssh-dss 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 DSA #6 -|1|a6WGHcL+9gX3e96tMlgDSDJwtSg=|5Dqlb/yqNEf7jgfllrp/ygLmRV8= ssh-dss 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 DSA #6 -|1|OeCpi7Pn5Q6c8la4fPf9G8YctT8=|sC6D7lDXTafIpokZJ1+1xWg2R6Q= ssh-dss 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 DSA #6 -|1|BHESVyiJ7G2NN0lxrw7vT109jmk=|TKof+015J77bXqibsh0N1Lp0MKk= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 -|1|wY53mZNASDJ5/P3JYCJ4FUNa6WQ=|v8p0MfV5lqlZB2J0yLxl/gsWVQo= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 -|1|horeoyFPwfKhyFN+zJZ5LCfOo/I=|2ofvp0tNwCbKsV8FuiFA4gQG2Z8= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 -|1|Aw4fXumZfx6jEIJuDGIyeEMd81A=|5FdLtdm2JeKNsS8IQeQlGYIadOE= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 -|1|+dGUNpv6GblrDd5fgHLlOWpSbEo=|He/pQ1yJjtiCyTNWpGwjBD4sZFI= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 
-|1|E/PACGl8m1T7QnPedOoooozstP0=|w6DQAFT8yZgj0Hlkz5R1TppYHCA= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 -|1|SaoyMStgxpYfwedSXBAghi8Zo0s=|Gz78k69GaE6iViV3OOvbStKqyTA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 -|1|8qfGeiT5WTCzWYbXPQ+lsLg7km4=|1sIBwiSUr8IGkvrUGm3/9QYurmA= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 -|1|87M1OtyHg1BZiDY3rT6lYsZFnAU=|eddAQVcMNbn2OB87XWXFQnYo6R4= 1024 65537 140883028436203600354693376066567741282115117509696517282419557936340193768851493584179972504103033755515036493433917203732876685813283050574208967197963391667532902202382549275760997891673884333346000558018002659506756213191532156293935482587878596032743105911487673274674568768638010598205190227631909167257 RSA1 #6 -|1|60w3wFfC0XWI+rRmRlxIRhh8lwE=|yMhsGrzBJKiesAdSQ/PVgkCrDKk= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 -|1|5gdEMmLUJC7grqWhRJPy2OTaSyE=|/XTfmLMa/B8npcVCGFRdaHl+d/0= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 -|1|6FGCWUr42GHdMB/eifnHNCuwgdk=|ONJvYZ/ANmi59R5HrOhLPmvYENM= ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 +|1|mxnU8luzqWLvfVi5qBm5xVIyCRM=|9Epopft7LBd80Bf6RmWPIpwa8yU= ssh-dss AAAAB3NzaC1kc3MAAACBAIutigAse65TCW6hHDOEGXenE9L4L0talHbs65hj3UUNtWflKdQeXLofqXgW8AwaDKmnuRPrxRoxVNXj84n45wtBEdt4ztmdAZteAbXSnHqpcxME3jDxh3EtxzGPXLs+RUmKPVguraSgo7W2oN7KFx6VM+AcAtxANSTlvDid3s47AAAAFQCd9Q3kkHSLWe77sW0eRaayI45ovwAAAIAw6srGF6xvFasI44Y3r9JJ2K+3ezozl3ldL3p2+p2HG3iWafC4SdV8pB6ZIxKlYAywiiFb3LzH/JweGFq1jtoFDRM3MlYORBevydU4zPz7b5QLDVB0sY4evYtWmg2BFJvoWRfhLnlZVW7h5N8v4fNIwdVmVsw4Ljes7iF2HRGhHgAAAIBDFT3fww2Oby1xUA6G9pDAcVikrQFqp1sJRylNTUyeyQ37SNAGzYxwHJFgQr8gZLdRQ1UW+idYpqVbVNcYFMOiw/zSqK2OfVwPZ9U+TTKdc992ChSup6vJEKM/ZVIyDWDbJr7igQ4ahy7jo9mFvm8ljN926EnspQzCvs0Dxk6tHA== DSA #6 +|1|klvLmvh2vCpkNMDEjVvrE8SJWTg=|e/dqEEBLnbgqmwEesl4cDRu/7TM= ssh-dss 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 DSA #6 +|1|wsk3ddB3UjuxEsoeNCeZjZ6NvZs=|O3O/q2Z/u7DrxoTiIq6kzCevQT0= ssh-dss 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 DSA #6 +|1|B8epmkLSni+vGZDijr/EwxeR2k4=|7ct8yzNOVJhKm3ZD2w0XIT7df8E= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 +|1|JojD885UhYhbCu571rgyM/5PpYU=|BJaU2aE1FebQZy3B5tzTDRWFRG0= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 +|1|5t7UDHDybVrDZVQPCpwdnr6nk4k=|EqJ73W/veIL3H2x+YWHcJxI5ETA= ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBK1wRLyKtvK3Mmhd0XPkKwW4ev1KBVf8J4aG8lESq1TsaqqfOXYGyxMq5pN8fCGiD5UPOqyTYz/ZNzClRhJRHao= ECDSA #6 +|1|OCcBfGc/b9+ip+W6Gp+3ftdluO4=|VbrKUdzOOtIBOOmEE+jlK4SD3Xc= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 
+|1|9fLN0YdP+BJ25lKuKvYuOdUo93w=|vZyr0rOiX01hv5XbghhHMW+Zb3U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 +|1|nc9RoaaQ0s5jdPxwlUmluGHU3uk=|un6OsJajokKQ3MgyS9mfDNeyP6U= ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLW0ZwCkRQldpLa4I5BpwGa/om+WE6OgC8jdVqakt0Z ED25519 #6 +|1|rsHB6juT9q6GOY91qOeOwL6TSJE=|ps/vXF9Izuues5PbOn887Gw/2Dg= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 +|1|BsckdLH2aRyWQooRmv+Yo3t4dKg=|Lf3tJc5Iyx0KxNwAG89FsImsfEE= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 +|1|plqkBA4hq7UATyd5+/Xl+zL7ghw=|stacofaUed46666mfqxp9gJFjt4= ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClu/3I6GG1Ai89Imnw0vXmWJ2OW0ftQwRrsbIAD0qzLFYpkJ76QWnzpCehvK9u0L5hcw7z2Y6mRLcSBsqONc+HVU73Qi7M4zHRvtjprPs3SOyLpf0J9sL1WiHBDwg2P0miHMCdqHDd5nVXkJB2d4eeecmgezGLa29NOHZjbza5yw== RSA #6 # Revoked and CA keys -@revoked sisyphus.example.com 1024 65537 174143366122697048196335388217056770310345753698079464367148030836533360510864881734142526411160017107552815906024399248049666856133771656680462456979369587903909343046704480897527203474513676654933090991684252819423129896444427656841613263783484827101210734799449281639493127615902427443211183258155381810593 RSA1 #4 @revoked sisyphus.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDFP8L9REfN/iYy1KIRtFqSCn3V2+vOCpoZYENFGLdOF ED25519 #4 @cert-authority prometheus.example.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHZd0OXHIWwK3xnjAdMZ1tojxWycdu38pORO/UX5cqsKMgGCKQVBWWO3TFk1ePkGIE9VMWT1hCGqWRRwYlH+dSE= ECDSA #4 @cert-authority *.example.com ssh-dss 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 DSA #4 # Some invalid lines -@what 
sisyphus.example.com 1024 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 +@what sisyphus.example.com ssh-dss AAAAB3NzaC1kc3MAAACBAOqffHxEW4c+Z9q/r3l4sYK8F7qrBsU8XF9upGsW62T9InROFFq9IO0x3pQ6mDA0Wtw0sqcDmkPCHPyP4Ok/fU3/drLaZusHoVYu8pBBrWsIDrKgkeX9TEodBsSrYdl4Sqtqq9EZv9+DttV6LStZrgYyUTOKwOF95wGantpLynX5AAAAFQDdt+zjRNlETDsgmxcSYFgREirJrQAAAIBQlrPaiPhR24FhnMLcHH4016vL7AqDDID6Qw7PhbXGa4/XlxWMIigjBKrIPKvnZ6p712LSnCKtcbfdx0MtmJlNa01CYqPaRhgRaf+uGdvTkTUcdaq8R5lLJL+JMNwUhcC8ijm3NqEjXjffuebGe1EzIeiITbA7Nndcd+GytwRDegAAAIEAkRYPjSVcUxfUHhHdpP6V8CuY1+CYSs9EPJ7iiWTDuXWVIBTU32oJLAnrmAcOwtIzEfPvm+rff5FI/Yhon2pB3VTXhPPEBjYzE5qANanAT4e6tzAVc5f3DUhHaDknwRYfDz86GFvuLtDjeE/UZ9t6OofYoEsCBpYozLAprBvNIQY= DSA #1 sisyphus.example.com prometheus.example.com ssh-ed25519 sisyphus.example.com ssh-dsa AAAATgAAAAdz -prometheus.example.com 1024 -sisyphus.example.com 1024 65535 -prometheus.example.com 1025 65537 153895431603677073925890314548566704948446776958334195280085080329934839226701954473292358821568047724356487621573742372399387931887004184139835510820577359977148363519970774657801798872789118894962853659233045778161859413980935372685480527355016624825696983269800574755126132814333241868538220824608980319407 RSA1 #1 sisyphus.example.com ssh-XXX AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== prometheus.example.com ssh-rsa AAAATgAAAAdzc2gtWFhYAAAAP0ZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRkZVQ0tPRkZGVUNLT0ZGRlVDS09GRg== diff --git a/regress/unittests/sshkey/mktestdata.sh b/regress/unittests/sshkey/mktestdata.sh index e11100145..8047bc62f 100755 --- a/regress/unittests/sshkey/mktestdata.sh +++ b/regress/unittests/sshkey/mktestdata.sh 
@@ -1,25 +1,8 @@
 #!/bin/sh
-# $OpenBSD: mktestdata.sh,v 1.5 2015/07/07 14:53:30 markus Exp $
+# $OpenBSD: mktestdata.sh,v 1.6 2017/04/30 23:33:48 djm Exp $
 
 PW=mekmitasdigoat
 
-rsa1_params() {
- _in="$1"
- _outbase="$2"
- set -e
- ssh-keygen -f $_in -e -m pkcs8 | \
- openssl rsa -noout -text -pubin | \
- awk '/^Modulus:$/,/^Exponent:/' | \
- grep -v '^[a-zA-Z]' | tr -d ' \n:' > ${_outbase}.n
- # XXX need conversion support in ssh-keygen for the other params
- for x in n ; do
- echo "" >> ${_outbase}.$x
- echo ============ ${_outbase}.$x
- cat ${_outbase}.$x
- echo ============
- done
-}
-
 rsa_params() {
 _in="$1"
 _outbase="$2"
@@ -87,20 +70,18 @@ set -ex
 
 cd testdata
 
-rm -f rsa1_1 rsa_1 dsa_1 ecdsa_1 ed25519_1
-rm -f rsa1_2 rsa_2 dsa_2 ecdsa_2 ed25519_2
+rm -f rsa_1 dsa_1 ecdsa_1 ed25519_1
+rm -f rsa_2 dsa_2 ecdsa_2 ed25519_2
 rm -f rsa_n dsa_n ecdsa_n # new-format keys
-rm -f rsa1_1_pw rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
+rm -f rsa_1_pw dsa_1_pw ecdsa_1_pw ed25519_1_pw
 rm -f rsa_n_pw dsa_n_pw ecdsa_n_pw
 rm -f pw *.pub *.bn.* *.param.* *.fp *.fp.bb
 
-ssh-keygen -t rsa1 -b 1024 -C "RSA1 test key #1" -N "" -f rsa1_1
 ssh-keygen -t rsa -b 1024 -C "RSA test key #1" -N "" -f rsa_1
 ssh-keygen -t dsa -b 1024 -C "DSA test key #1" -N "" -f dsa_1
 ssh-keygen -t ecdsa -b 256 -C "ECDSA test key #1" -N "" -f ecdsa_1
 ssh-keygen -t ed25519 -C "ED25519 test key #1" -N "" -f ed25519_1
 
-ssh-keygen -t rsa1 -b 2048 -C "RSA1 test key #2" -N "" -f rsa1_2
 ssh-keygen -t rsa -b 2048 -C "RSA test key #2" -N "" -f rsa_2
 ssh-keygen -t dsa -b 1024 -C "DSA test key #2" -N "" -f dsa_2
 ssh-keygen -t ecdsa -b 521 -C "ECDSA test key #2" -N "" -f ecdsa_2
@@ -110,7 +91,6 @@ cp rsa_1 rsa_n
 cp dsa_1 dsa_n
 cp ecdsa_1 ecdsa_n
 
-cp rsa1_1 rsa1_1_pw
 cp rsa_1 rsa_1_pw
 cp dsa_1 dsa_1_pw
 cp ecdsa_1 ecdsa_1_pw
@@ -119,7 +99,6 @@ cp rsa_1 rsa_n_pw
 cp dsa_1 dsa_n_pw
 cp ecdsa_1 ecdsa_n_pw
 
-ssh-keygen -pf rsa1_1_pw -N "$PW"
 ssh-keygen -pf rsa_1_pw -N "$PW"
 ssh-keygen -pf dsa_1_pw -N "$PW"
 ssh-keygen -pf ecdsa_1_pw -N "$PW"
@@ -128,8 +107,6 @@ ssh-keygen -opf rsa_n_pw -N "$PW"
 ssh-keygen -opf dsa_n_pw -N "$PW"
 ssh-keygen -opf ecdsa_n_pw -N "$PW"
 
-rsa1_params rsa1_1 rsa1_1.param
-rsa1_params rsa1_2 rsa1_2.param
 rsa_params rsa_1 rsa_1.param
 rsa_params rsa_2 rsa_2.param
 dsa_params dsa_1 dsa_1.param
@@ -160,12 +137,10 @@ ssh-keygen -s ecdsa_1 -I julius -n host1,host2 -h \
 ssh-keygen -s ed25519_1 -I julius -n host1,host2 -h \
 -V 19990101:20110101 -z 8 ed25519_1.pub
 
-ssh-keygen -lf rsa1_1 | awk '{print $2}' > rsa1_1.fp
 ssh-keygen -lf rsa_1 | awk '{print $2}' > rsa_1.fp
 ssh-keygen -lf dsa_1 | awk '{print $2}' > dsa_1.fp
 ssh-keygen -lf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp
 ssh-keygen -lf ed25519_1 | awk '{print $2}' > ed25519_1.fp
-ssh-keygen -lf rsa1_2 | awk '{print $2}' > rsa1_2.fp
 ssh-keygen -lf rsa_2 | awk '{print $2}' > rsa_2.fp
 ssh-keygen -lf dsa_2 | awk '{print $2}' > dsa_2.fp
 ssh-keygen -lf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp
@@ -176,12 +151,10 @@ ssh-keygen -lf ecdsa_1-cert.pub | awk '{print $2}' > ecdsa_1-cert.fp
 ssh-keygen -lf ed25519_1-cert.pub | awk '{print $2}' > ed25519_1-cert.fp
 ssh-keygen -lf rsa_1-cert.pub | awk '{print $2}' > rsa_1-cert.fp
 
-ssh-keygen -Bf rsa1_1 | awk '{print $2}' > rsa1_1.fp.bb
 ssh-keygen -Bf rsa_1 | awk '{print $2}' > rsa_1.fp.bb
 ssh-keygen -Bf dsa_1 | awk '{print $2}' > dsa_1.fp.bb
 ssh-keygen -Bf ecdsa_1 | awk '{print $2}' > ecdsa_1.fp.bb
 ssh-keygen -Bf ed25519_1 | awk '{print $2}' > ed25519_1.fp.bb
-ssh-keygen -Bf rsa1_2 | awk '{print $2}' > rsa1_2.fp.bb
 ssh-keygen -Bf rsa_2 | awk '{print $2}' > rsa_2.fp.bb
 ssh-keygen -Bf dsa_2 | awk '{print $2}' > dsa_2.fp.bb
 ssh-keygen -Bf ecdsa_2 | awk '{print $2}' > ecdsa_2.fp.bb
diff --git a/regress/unittests/sshkey/test_file.c b/regress/unittests/sshkey/test_file.c
index 906491f2b..99b7e21c0 100644
--- a/regress/unittests/sshkey/test_file.c
+++ b/regress/unittests/sshkey/test_file.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_file.c,v 1.5 2015/10/06 01:20:59 djm Exp $ */
+/* $OpenBSD: test_file.c,v 1.6 2017/04/30 23:33:48 djm Exp $ */
 /*
  * Regress test for sshkey.h key management API
  *
@@ -51,55 +51,6 @@ sshkey_file_tests(void)
 pw = load_text_file("pw");
 TEST_DONE();
 
-#ifdef WITH_SSH1
- TEST_START("parse RSA1 from private");
- buf = load_file("rsa1_1");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
- sshbuf_free(buf);
- ASSERT_PTR_NE(k1, NULL);
- a = load_bignum("rsa1_1.param.n");
- ASSERT_BIGNUM_EQ(k1->rsa->n, a);
- BN_free(a);
- TEST_DONE();
-
- TEST_START("parse RSA1 from private w/ passphrase");
- buf = load_file("rsa1_1_pw");
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf,
- (const char *)sshbuf_ptr(pw), &k2, NULL), 0);
- sshbuf_free(buf);
- ASSERT_PTR_NE(k2, NULL);
- ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
- sshkey_free(k2);
- TEST_DONE();
-
- TEST_START("load RSA1 from public");
- ASSERT_INT_EQ(sshkey_load_public(test_data_file("rsa1_1.pub"), &k2,
- NULL), 0);
- ASSERT_PTR_NE(k2, NULL);
- ASSERT_INT_EQ(sshkey_equal(k1, k2), 1);
- sshkey_free(k2);
- TEST_DONE();
-
- TEST_START("RSA1 key hex fingerprint");
- buf = load_text_file("rsa1_1.fp");
- cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA256, SSH_FP_BASE64);
- ASSERT_PTR_NE(cp, NULL);
- ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- sshbuf_free(buf);
- free(cp);
- TEST_DONE();
-
- TEST_START("RSA1 key bubblebabble fingerprint");
- buf = load_text_file("rsa1_1.fp.bb");
- cp = sshkey_fingerprint(k1, SSH_DIGEST_SHA1, SSH_FP_BUBBLEBABBLE);
- ASSERT_PTR_NE(cp, NULL);
- ASSERT_STRING_EQ(cp, (const char *)sshbuf_ptr(buf));
- sshbuf_free(buf);
- free(cp);
- TEST_DONE();
-
- sshkey_free(k1);
-#endif
 
 TEST_START("parse RSA from private");
 buf = load_file("rsa_1");
diff --git a/regress/unittests/sshkey/test_fuzz.c b/regress/unittests/sshkey/test_fuzz.c
index 1f414e0ac..6706045d5 100644
--- a/regress/unittests/sshkey/test_fuzz.c
+++ b/regress/unittests/sshkey/test_fuzz.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_fuzz.c,v 1.6 2015/12/07 02:20:46 djm Exp $ */
+/* $OpenBSD: test_fuzz.c,v 1.7 2017/04/30 23:33:48 djm Exp $ */
 /*
  * Fuzz tests for key parsing
  *
@@ -104,49 +104,6 @@ sshkey_fuzz_tests(void)
 struct fuzz *fuzz;
 int r;
 
-#ifdef WITH_SSH1
- TEST_START("fuzz RSA1 private");
- buf = load_file("rsa1_1");
- fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
- FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
- sshbuf_mutable_ptr(buf), sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_private_fileblob(buf, "", &k1, NULL), 0);
- sshkey_free(k1);
- sshbuf_free(buf);
- ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
- TEST_ONERROR(onerror, fuzz);
- for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
- r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
- ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_private_fileblob(fuzzed, "", &k1, NULL) == 0)
- sshkey_free(k1);
- sshbuf_reset(fuzzed);
- }
- sshbuf_free(fuzzed);
- fuzz_cleanup(fuzz);
- TEST_DONE();
-
- TEST_START("fuzz RSA1 public");
- buf = load_file("rsa1_1_pw");
- fuzz = fuzz_begin(FUZZ_1_BIT_FLIP | FUZZ_1_BYTE_FLIP |
- FUZZ_TRUNCATE_START | FUZZ_TRUNCATE_END,
- sshbuf_mutable_ptr(buf), sshbuf_len(buf));
- ASSERT_INT_EQ(sshkey_parse_public_rsa1_fileblob(buf, &k1, NULL), 0);
- sshkey_free(k1);
- sshbuf_free(buf);
- ASSERT_PTR_NE(fuzzed = sshbuf_new(), NULL);
- TEST_ONERROR(onerror, fuzz);
- for(; !fuzz_done(fuzz); fuzz_next(fuzz)) {
- r = sshbuf_put(fuzzed, fuzz_ptr(fuzz), fuzz_len(fuzz));
- ASSERT_INT_EQ(r, 0);
- if (sshkey_parse_public_rsa1_fileblob(fuzzed, &k1, NULL) == 0)
- sshkey_free(k1);
- sshbuf_reset(fuzzed);
- }
- sshbuf_free(fuzzed);
- fuzz_cleanup(fuzz);
- TEST_DONE();
-#endif
 
 TEST_START("fuzz RSA private");
 buf = load_file("rsa_1");
diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c
index 1476dc2e3..32f8cb63c 100644
--- a/regress/unittests/sshkey/test_sshkey.c
+++ b/regress/unittests/sshkey/test_sshkey.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: test_sshkey.c,v 1.10 2016/05/02 09:52:00 djm Exp $ */
+/* $OpenBSD: test_sshkey.c,v 1.11 2017/04/30 23:33:48 djm Exp $ */
 /*
  * Regress test for sshkey.h key management API
  *
@@ -193,16 +193,6 @@ sshkey_tests(void)
 sshkey_free(k1);
 TEST_DONE();
 
- TEST_START("new/free KEY_RSA1");
- k1 = sshkey_new(KEY_RSA1);
- ASSERT_PTR_NE(k1, NULL);
- ASSERT_PTR_NE(k1->rsa, NULL);
- ASSERT_PTR_NE(k1->rsa->n, NULL);
- ASSERT_PTR_NE(k1->rsa->e, NULL);
- ASSERT_PTR_EQ(k1->rsa->p, NULL);
- sshkey_free(k1);
- TEST_DONE();
-
 TEST_START("new/free KEY_RSA");
 k1 = sshkey_new(KEY_RSA);
 ASSERT_PTR_NE(k1, NULL);
-- 
cgit v1.2.3


From dd369320d2435b630a5974ab270d686dcd92d024 Mon Sep 17 00:00:00 2001
From: "djm@openbsd.org"
Date: Sun, 30 Apr 2017 23:34:55 +0000
Subject: upstream commit

eliminate explicit specification of protocol in tests and loops over protocol. We only support SSHv2 now.

Upstream-Regress-ID: 0082838a9b8a382b7ee9cbf0c1b9db727784fadd
---
 regress/agent-pkcs11.sh | 4 +-
 regress/agent.sh | 38 ++++-----
 regress/banner.sh | 8 +-
 regress/broken-pipe.sh | 17 ++--
 regress/brokenkeys.sh | 6 +-
 regress/cert-file.sh | 131 +++++++++++++++----------------
 regress/cert-hostkey.sh | 14 ++--
 regress/cert-userkey.sh | 36 ++++-----
 regress/cfgmatch.sh | 76 ++++++++----------
 regress/cipher-speed.sh | 27 +------
 regress/connect-privsep.sh | 30 +++----
 regress/connect.sh | 12 ++-
 regress/dynamic-forward.sh | 2 +-
 regress/exit-status.sh | 34 ++++----
 regress/forcecommand.sh | 23 ++----
 regress/forward-control.sh | 109 ++++++++++++--------------
 regress/forwarding.sh | 174 +++++++++++++++++++----------------------
 regress/host-expand.sh | 9 +--
 regress/hostkey-agent.sh | 4 +-
 regress/integrity.sh | 4 +-
 regress/key-options.sh | 52 ++++++------
 regress/keygen-change.sh | 5 +-
 regress/keyscan.sh | 6 +-
 regress/localcommand.sh | 14 ++--
 regress/misc/kexfuzz/kexfuzz.c | 4 +-
 regress/multiplex.sh | 6 +-
 regress/principals-command.sh | 18 ++---
 regress/proto-mismatch.sh | 12 +--
 regress/proto-version.sh | 14 +---
 regress/proxy-connect.sh | 41 +++++-----
 regress/putty-transfer.sh | 45 +++++------
 regress/reconfigure.sh | 22 +++---
 regress/reexec.sh | 19 ++---
 regress/stderr-after-eof.sh | 4 +-
 regress/stderr-data.sh | 14 ++--
 regress/test-exec.sh | 26 +-----
 regress/transfer.sh | 29 +++---
 regress/try-ciphers.sh | 24 ++---
 regress/yes-head.sh | 18 ++---
 39 files changed, 482 insertions(+), 649 deletions(-)

(limited to 'regress')

diff --git a/regress/agent-pkcs11.sh b/regress/agent-pkcs11.sh
index 3aa20c8b1..db3018b88 100644
--- a/regress/agent-pkcs11.sh
+++ b/regress/agent-pkcs11.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent-pkcs11.sh,v 1.2 2015/01/12 11:46:32 djm Exp $
+# $OpenBSD: agent-pkcs11.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="pkcs11 agent test"
@@ -53,7 +53,7 @@ else
 fi
 
 trace "pkcs11 connect via agent"
- ${SSH} -2 -F $OBJ/ssh_proxy somehost exit 5
+ ${SSH} -F $OBJ/ssh_proxy somehost exit 5
 r=$?
 if [ $r -ne 5 ]; then
 fail "ssh connect failed (exit code $r)"
diff --git a/regress/agent.sh b/regress/agent.sh
index c5e2794b7..0baf0c74a 100644
--- a/regress/agent.sh
+++ b/regress/agent.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: agent.sh,v 1.11 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: agent.sh,v 1.12 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="simple agent test"
@@ -46,28 +46,24 @@ else
 fi
 
 trace "simple connect via agent"
- for p in ${SSH_PROTOCOLS}; do
- ${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p
- r=$?
- if [ $r -ne 5$p ]; then
- fail "ssh connect with protocol $p failed (exit code $r)"
- fi
- done
+ ${SSH} -F $OBJ/ssh_proxy somehost exit 52
+ r=$?
+ if [ $r -ne 52 ]; then
+ fail "ssh connect with failed (exit code $r)"
+ fi
 
 trace "agent forwarding"
- for p in ${SSH_PROTOCOLS}; do
- ${SSH} -A -$p -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
- r=$?
- if [ $r -ne 0 ]; then
- fail "ssh-add -l via agent fwd proto $p failed (exit code $r)"
- fi
- ${SSH} -A -$p -F $OBJ/ssh_proxy somehost \
- "${SSH} -$p -F $OBJ/ssh_proxy somehost exit 5$p"
- r=$?
- if [ $r -ne 5$p ]; then
- fail "agent fwd proto $p failed (exit code $r)"
- fi
- done
+ ${SSH} -A -F $OBJ/ssh_proxy somehost ${SSHADD} -l > /dev/null 2>&1
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "ssh-add -l via agent fwd failed (exit code $r)"
+ fi
+ ${SSH} -A -F $OBJ/ssh_proxy somehost \
+ "${SSH} -F $OBJ/ssh_proxy somehost exit 52"
+ r=$?
+ if [ $r -ne 52 ]; then
+ fail "agent fwd failed (exit code $r)"
+ fi
 
 trace "delete all agent keys"
 ${SSHADD} -D > /dev/null 2>&1
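Review bot: The first added `fail` line in the `@@ -46,28 +46,24 @@` hunk reads `fail "ssh connect with failed (exit code $r)"`; removing `protocol $p` left a dangling "with", so the diagnostic is ungrammatical and no longer matches what a reader would search the log for. It should read `fail "ssh connect failed (exit code $r)"`. The same leftover appears in brokenkeys.sh at `@@ -14,9 +14,9 @@` (`fail "ssh connect with failed"`) and in cert-file.sh at `@@ -139,26 +137,25 @@`, where the three rewritten messages keep "with agent in succeeded" / "with agent in failed" after `protocol 2` was dropped; those should become `with agent succeeded with no cert`, `with agent succeeded with bad cert` and `with agent failed with good cert`.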
diff --git a/regress/banner.sh b/regress/banner.sh
index 0b9c95007..0d9654fe2 100644
--- a/regress/banner.sh
+++ b/regress/banner.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: banner.sh,v 1.2 2003/10/11 11:49:49 dtucker Exp $
+# $OpenBSD: banner.sh,v 1.3 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="banner"
@@ -9,7 +9,7 @@ touch $OBJ/empty.in
 
 trace "test missing banner file"
 verbose "test $tid: missing banner file"
-( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 cmp $OBJ/empty.in $OBJ/banner.out ) || \
 fail "missing banner file"
 
@@ -30,14 +30,14 @@ for s in 0 10 100 1000 10000 100000 ; do
 
 trace "test banner size $s"
 verbose "test $tid: size $s"
- ( ${SSH} -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+ ( ${SSH} -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 cmp $OBJ/banner.in $OBJ/banner.out ) || \
 fail "banner size $s mismatch"
 done
 
 trace "test suppress banner (-q)"
 verbose "test $tid: suppress banner (-q)"
-( ${SSH} -q -2 -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
+( ${SSH} -q -F $OBJ/ssh_proxy otherhost true 2>$OBJ/banner.out && \
 cmp $OBJ/empty.in $OBJ/banner.out ) || \
 fail "suppress banner (-q)"
 
diff --git a/regress/broken-pipe.sh b/regress/broken-pipe.sh
index a416f7a3b..c69276e27 100644
--- a/regress/broken-pipe.sh
+++ b/regress/broken-pipe.sh
@@ -1,15 +1,12 @@
-# $OpenBSD: broken-pipe.sh,v 1.5 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: broken-pipe.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="broken pipe test"
 
-for p in ${SSH_PROTOCOLS}; do
- trace "protocol $p"
- for i in 1 2 3 4; do
- ${SSH} -$p -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
- r=$?
- if [ $r -ne 0 ]; then
- fail "broken pipe returns $r for protocol $p"
- fi
- done
+for i in 1 2 3 4; do
+ ${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true
+ r=$?
+ if [ $r -ne 0 ]; then
+ fail "broken pipe returns $r"
+ fi
 done
diff --git a/regress/brokenkeys.sh b/regress/brokenkeys.sh
index 3e70c348a..9d5a54fa9 100644
--- a/regress/brokenkeys.sh
+++ b/regress/brokenkeys.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: brokenkeys.sh,v 1.1 2004/10/29 23:59:22 djm Exp $
+# $OpenBSD: brokenkeys.sh,v 1.2 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="broken keys"
@@ -14,9 +14,9 @@ echo "ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEABTM= bad key" > $KEYS
 cat ${KEYS}.bak >> ${KEYS}
 cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER
 
-${SSH} -2 -F $OBJ/ssh_config somehost true
+${SSH} -F $OBJ/ssh_config somehost true
 if [ $? -ne 0 ]; then
- fail "ssh connect with protocol $p failed"
+ fail "ssh connect with failed"
 fi
 
 mv ${KEYS}.bak ${KEYS}
diff --git a/regress/cert-file.sh b/regress/cert-file.sh
index 43b8e0201..8fd62c773 100644
--- a/regress/cert-file.sh
+++ b/regress/cert-file.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-file.sh,v 1.5 2017/03/11 23:44:16 djm Exp $
+# $OpenBSD: cert-file.sh,v 1.6 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="ssh with certificates"
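Review bot: In the rewritten loop body of `@@ -1,15 +1,12 @@`, the `r=$?` that follows `${SSH} -F $OBJ/ssh_config_config nexthost echo $i 2> /dev/null | true` records the exit status of `true`, the last stage of the pipeline, so `r` is always 0 and `fail "broken pipe returns $r"` is unreachable; the test currently only demonstrates that ssh does not hang on a closed pipe, not that it exits cleanly. The loop was carried over from the removed version, so this is pre-existing, but since the hunk rewrites these lines it would be worth either capturing ssh's own status from inside the first pipeline stage (POSIX sh, which these tests target, has no `pipefail`) or adding a comment such as `# status of ssh is masked by | true; this only checks that ssh does not hang` so the next reader does not assume `r` is checked.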
@@ -54,66 +54,64 @@ cat $OBJ/ssh_proxy | grep -v IdentityFile > $OBJ/no_identity_config
 # XXX: verify that certificate used was what we expect. Needs exposure of
 # keys via enviornment variable or similar.
 
-for p in ${SSH_PROTOCOLS}; do
 # Key with no .pub should work - finding the equivalent *-cert.pub.
- verbose "protocol $p: identity cert with no plain public file"
- ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
- -i $OBJ/user_key3 somehost exit 5$p
- [ $? -ne 5$p ] && fail "ssh failed"
-
- # CertificateFile matching private key with no .pub file should work.
- verbose "protocol $p: CertificateFile with no plain public file"
- ${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
- -oCertificateFile=$OBJ/user_key3-cert.pub \
- -i $OBJ/user_key3 somehost exit 5$p
- [ $? -ne 5$p ] && fail "ssh failed"
-
- # Just keys should fail
- verbose "protocol $p: plain keys"
- ${SSH} $opts2 somehost exit 5$p
- r=$?
- if [ $r -eq 5$p ]; then
- fail "ssh succeeded with no certs in protocol $p"
- fi
-
- # Keys with untrusted cert should fail.
- verbose "protocol $p: untrusted cert"
- opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -eq 5$p ]; then
- fail "ssh succeeded with bad cert in protocol $p"
- fi
-
- # Good cert with bad key should fail.
- verbose "protocol $p: good cert, bad key"
- opts3="$opts -i $OBJ/user_key2"
- opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -eq 5$p ]; then
- fail "ssh succeeded with no matching key in protocol $p"
- fi
-
- # Keys with one trusted cert, should succeed.
- verbose "protocol $p: single trusted"
- opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -ne 5$p ]; then
- fail "ssh failed with trusted cert and key in protocol $p"
- fi
-
- # Multiple certs and keys, with one trusted cert, should succeed.
- verbose "protocol $p: multiple trusted"
- opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
- opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
- ${SSH} $opts3 somehost exit 5$p
- r=$?
- if [ $r -ne 5$p ]; then
- fail "ssh failed with multiple certs in protocol $p"
- fi
-done
+verbose "identity cert with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+ -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# CertificateFile matching private key with no .pub file should work.
+verbose "CertificateFile with no plain public file"
+${SSH} -F $OBJ/no_identity_config -oIdentitiesOnly=yes \
+ -oCertificateFile=$OBJ/user_key3-cert.pub \
+ -i $OBJ/user_key3 somehost exit 52
+[ $? -ne 52 ] && fail "ssh failed"
+
+# Just keys should fail
+verbose "plain keys"
+${SSH} $opts2 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+ fail "ssh succeeded with no certs"
+fi
+
+# Keys with untrusted cert should fail.
+verbose "untrusted cert"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+ fail "ssh succeeded with bad cert"
+fi
+
+# Good cert with bad key should fail.
+verbose "good cert, bad key"
+opts3="$opts -i $OBJ/user_key2"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -eq 52 ]; then
+ fail "ssh succeeded with no matching key"
+fi
+
+# Keys with one trusted cert, should succeed.
+verbose "single trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+ fail "ssh failed with trusted cert and key"
+fi
+
+# Multiple certs and keys, with one trusted cert, should succeed.
+verbose "multiple trusted"
+opts3="$opts2 -oCertificateFile=$OBJ/cert_user_key1_2.pub"
+opts3="$opts3 -oCertificateFile=$OBJ/cert_user_key1_1.pub"
+${SSH} $opts3 somehost exit 52
+r=$?
+if [ $r -ne 52 ]; then
+ fail "ssh failed with multiple certs"
+fi
 
 #next, using an agent in combination with the keys
 SSH_AUTH_SOCK=/nonexistent ${SSHADD} -l > /dev/null 2>&1
@@ -139,26 +137,25 @@ if [ $? -ne 0 ]; then
 fi
 
 # try ssh with the agent and certificates
-# note: ssh agent only uses certificates in protocol 2
 opts="-F $OBJ/ssh_proxy"
 # with no certificates, shoud fail
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
- fail "ssh connect with agent in protocol 2 succeeded with no cert"
+ fail "ssh connect with agent in succeeded with no cert"
 fi
 
 #with an untrusted certificate, should fail
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_2.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -eq 52 ]; then
- fail "ssh connect with agent in protocol 2 succeeded with bad cert"
+ fail "ssh connect with agent in succeeded with bad cert"
 fi
 
 #with an additional trusted certificate, should succeed
 opts="$opts -oCertificateFile=$OBJ/cert_user_key1_1.pub"
-${SSH} -2 $opts somehost exit 52
+${SSH} $opts somehost exit 52
 if [ $? -ne 52 ]; then
- fail "ssh connect with agent in protocol 2 failed with good cert"
+ fail "ssh connect with agent in failed with good cert"
 fi
 
 trace "kill agent"
diff --git a/regress/cert-hostkey.sh b/regress/cert-hostkey.sh
index 62261cf8b..3d5732a5d 100644
--- a/regress/cert-hostkey.sh
+++ b/regress/cert-hostkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-hostkey.sh,v 1.14 2016/05/02 09:52:00 djm Exp $
+# $OpenBSD: cert-hostkey.sh,v 1.15 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified host keys"
@@ -104,7 +104,7 @@ attempt_connect() {
 shift; shift
 verbose "$tid: $_ident expect success $_expect_success"
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 "$@" -F $OBJ/ssh_proxy somehost true
 _r=$?
@@ -169,7 +169,7 @@ for privsep in yes no ; do
 ) > $OBJ/sshd_proxy
 
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -190,7 +190,7 @@ for ktype in $PLAIN_TYPES ; do
 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 ) > $OBJ/sshd_proxy
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
@@ -222,7 +222,7 @@ test_one() {
 ) > $OBJ/sshd_proxy
 
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 rc=$?
@@ -271,7 +271,7 @@ for ktype in $PLAIN_TYPES ; do
 echo HostCertificate $OBJ/cert_host_key_${ktype}-cert.pub
 ) > $OBJ/sshd_proxy
 
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy somehost true
 if [ $? -ne 0 ]; then
@@ -303,7 +303,7 @@ for kt in $PLAIN_TYPES ; do
 ) > $OBJ/sshd_proxy
 
 cp $OBJ/known_hosts-cert.orig $OBJ/known_hosts-cert
- ${SSH} -2 -oUserKnownHostsFile=$OBJ/known_hosts-cert \
+ ${SSH} -oUserKnownHostsFile=$OBJ/known_hosts-cert \
 -oGlobalKnownHostsFile=$OBJ/known_hosts-cert \
 -F $OBJ/ssh_proxy -q somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
diff --git a/regress/cert-userkey.sh b/regress/cert-userkey.sh
index 7005fd55e..6a23fe300 100644
--- a/regress/cert-userkey.sh
+++ b/regress/cert-userkey.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: cert-userkey.sh,v 1.17 2016/11/30 03:01:33 djm Exp $
+# $OpenBSD: cert-userkey.sh,v 1.18 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="certified user keys"
@@ -67,7 +67,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 # Missing authorized_principals
 verbose "$tid: ${_prefix} missing authorized_principals"
 rm -f $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -76,7 +76,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 # Empty authorized_principals
 verbose "$tid: ${_prefix} empty authorized_principals"
 echo > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -85,7 +85,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 # Wrong authorized_principals
 verbose "$tid: ${_prefix} wrong authorized_principals"
 echo gregorsamsa > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -94,7 +94,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 # Correct authorized_principals
 verbose "$tid: ${_prefix} correct authorized_principals"
 echo mekmitasdigoat > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -103,7 +103,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 # authorized_principals with bad key option
 verbose "$tid: ${_prefix} authorized_principals bad key opt"
 echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -113,7 +113,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 verbose "$tid: ${_prefix} authorized_principals command=false"
 echo 'command="false" mekmitasdigoat' > \
 $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -124,7 +124,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 verbose "$tid: ${_prefix} authorized_principals command=true"
 echo 'command="true" mekmitasdigoat' > \
 $OBJ/authorized_principals_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -148,7 +148,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 printf 'cert-authority,principals="gregorsamsa" '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpectedly"
@@ -160,7 +160,7 @@ for ktype in $EXTRA_TYPES $PLAIN_TYPES ; do
 printf 'cert-authority,principals="mekmitasdigoat" '
 cat $OBJ/user_ca_key.pub
 ) > $OBJ/authorized_keys_$USER
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -198,7 +198,7 @@ basic_tests() {
 echo "PubkeyAcceptedKeyTypes ${t}"
 ) > $OBJ/ssh_proxy
 
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -215,7 +215,7 @@ basic_tests() {
 ) > $OBJ/sshd_proxy
 cp $OBJ/cert_user_key_${ktype}.pub \
 $OBJ/cert_user_key_revoked
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpecedly"
@@ -224,14 +224,14 @@ basic_tests() {
 rm $OBJ/cert_user_key_revoked
 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked \
 $OBJ/cert_user_key_${ktype}.pub
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpecedly"
 fi
 verbose "$tid: ${_prefix} empty KRL"
 ${SSHKEYGEN} -kqf $OBJ/cert_user_key_revoked
- ${SSH} -2i $OBJ/cert_user_key_${ktype} \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -ne 0 ]; then
 fail "ssh cert connect failed"
@@ -246,7 +246,7 @@ basic_tests() {
 echo "PubkeyAcceptedKeyTypes ${t}"
 echo "$extra_sshd"
 ) > $OBJ/sshd_proxy
- ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
+ ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \
 somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect succeeded unexpecedly"
@@ -260,7 +260,7 @@ basic_tests() {
 echo "$extra_sshd"
 ) > $OBJ/sshd_proxy
 verbose "$tid: ensure CA key does not authenticate user"
- ${SSH} -2i $OBJ/user_ca_key \
+ ${SSH} -i $OBJ/user_ca_key \
 -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1
 if [ $? -eq 0 ]; then
 fail "ssh cert connect with CA key succeeded unexpectedly"
@@ -307,7 +307,7 @@ test_one() { $sign_opts $OBJ/cert_user_key_${ktype} || fail "couldn't sign cert_user_key_${ktype}" - ${SSH} -2i $OBJ/cert_user_key_${ktype} \ + ${SSH} -i $OBJ/cert_user_key_${ktype} \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 rc=$? if [ "x$result" = "xsuccess" ] ; then @@ -378,7 +378,7 @@ for ktype in $PLAIN_TYPES ; do -n $USER $OBJ/cert_user_key_${ktype} || fatal "couldn't sign cert_user_key_${ktype}" verbose "$tid: user ${ktype} connect wrong cert" - ${SSH} -2i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ + ${SSH} -i $OBJ/cert_user_key_${ktype} -F $OBJ/ssh_proxy \ somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect $ident succeeded unexpectedly" diff --git a/regress/cfgmatch.sh b/regress/cfgmatch.sh index 056296398..2504d04f4 100644 --- a/regress/cfgmatch.sh +++ b/regress/cfgmatch.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cfgmatch.sh,v 1.9 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: cfgmatch.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="sshd_config match" @@ -13,7 +13,7 @@ echo "ExitOnForwardFailure=yes" >> $OBJ/ssh_proxy start_client() { rm -f $pidfile - ${SSH} -q -$p $fwd "$@" somehost \ + ${SSH} -q $fwd "$@" somehost \ exec sh -c \'"echo \$\$ > $pidfile; exec sleep 100"\' \ >>$TEST_REGRESS_LOGFILE 2>&1 & client_pid=$! 
@@ -56,22 +56,18 @@ start_sshd #set -x # Test Match + PermitOpen in sshd_config. This should be permitted -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen localhost proto $p" - start_client -F $OBJ/ssh_config - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ - fail "match permitopen permit proto $p" - stop_client -done +trace "match permitopen localhost" +start_client -F $OBJ/ssh_config +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "match permitopen permit" +stop_client # Same but from different source. This should not be permitted -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen proxy proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ - fail "match permitopen deny proto $p" - stop_client -done +trace "match permitopen proxy" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match permitopen deny" +stop_client # Retry previous with key option, should also be denied. cp /dev/null $OBJ/authorized_keys_$USER 
@@ -79,23 +75,19 @@ for t in ${SSH_KEYTYPES}; do printf 'permitopen="127.0.0.1:'$PORT'" ' >> $OBJ/authorized_keys_$USER cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER done -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen proxy w/key opts proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ - fail "match permitopen deny w/key opt proto $p" - stop_client -done +trace "match permitopen proxy w/key opts" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match permitopen deny w/key opt" +stop_client # Test both sshd_config and key options permitting the same dst/port pair. # Should be permitted. -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen localhost proto $p" - start_client -F $OBJ/ssh_config - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ - fail "match permitopen permit proto $p" - stop_client -done +trace "match permitopen localhost" +start_client -F $OBJ/ssh_config +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "match permitopen permit" +stop_client cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy @@ -103,13 +95,11 @@ echo "Match User $USER" >>$OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a Match overrides a PermitOpen in the global section -for p in ${SSH_PROTOCOLS}; do - trace "match permitopen proxy w/key opts proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true && \ - fail "match override permitopen proto $p" - stop_client -done +trace "match permitopen proxy w/key opts" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true && \ + fail "match override permitopen" +stop_client cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "PermitOpen 127.0.0.1:1 127.0.0.1:$PORT 127.0.0.2:2" >>$OBJ/sshd_proxy 
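Review bot: The trace label in the Match-override test is copied from the key-option test above it, so the log now shows two identical `match permitopen proxy w/key opts` entries for two different configurations; this hunk's trace should name what it checks, e.g. `trace "match overrides global permitopen"`, in line with its own `fail "match override permitopen"`. The hunk just above has the same issue, reusing `trace "match permitopen localhost"` for the sshd_config+key-option case. Neither label is new to this commit, but dropping the `proto $p` suffix is what made the duplicates indistinguishable.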
@@ -118,10 +108,8 @@ echo "PermitOpen 127.0.0.1:1 127.0.0.1:2" >>$OBJ/sshd_proxy # Test that a rule that doesn't match doesn't override, plus test a # PermitOpen entry that's not at the start of the list -for p in ${SSH_PROTOCOLS}; do - trace "nomatch permitopen proxy w/key opts proto $p" - start_client -F $OBJ/ssh_proxy - ${SSH} -q -$p -p $fwdport -F $OBJ/ssh_config somehost true || \ - fail "nomatch override permitopen proto $p" - stop_client -done +trace "nomatch permitopen proxy w/key opts" +start_client -F $OBJ/ssh_proxy +${SSH} -q -p $fwdport -F $OBJ/ssh_config somehost true || \ + fail "nomatch override permitopen" +stop_client diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh index 575dc2341..5da95b3a9 100644 --- a/regress/cipher-speed.sh +++ b/regress/cipher-speed.sh @@ -1,4 +1,4 @@ -# $OpenBSD: cipher-speed.sh,v 1.13 2015/03/24 20:22:17 markus Exp $ +# $OpenBSD: cipher-speed.sh,v 1.14 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="cipher speed" @@ -12,16 +12,16 @@ getbytes () tries="1 2" for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do - trace "proto 2 cipher $c mac $m" + trace "cipher $c mac $m" for x in $tries; do printf "%-60s" "$c/$m:" ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -2 -m $m -c $c somehost \ + -F $OBJ/ssh_proxy -m $m -c $c somehost \ exec sh -c \'"dd of=/dev/null obs=32k"\' \ < ${DATA} ) 2>&1 | getbytes if [ $? -ne 0 ]; then - fail "ssh -2 failed with mac $m cipher $c" + fail "ssh failed with mac $m cipher $c" fi done # No point trying all MACs for AEAD ciphers since they are ignored. 
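Review bot: The `if [ $? -ne 0 ]` following `( ${SSH} ... ) 2>&1 | getbytes` tests the exit status of `getbytes`, the last pipeline stage, not of ssh, so a cipher/MAC combination that fails to connect is only reported if getbytes itself exits non-zero on empty input (its definition is above the hunk and not visible here). The renamed `fail "ssh failed with mac $m cipher $c"` therefore promises more than the check delivers. These scripts run under plain sh, so rather than `set -o pipefail` I would capture ssh's status explicitly — write the subshell's output to a temp file, test `$?`, then feed the file to getbytes — or make getbytes fail on zero bytes and say so in a comment. The enclosing `for c`/`for m` loops begin in the hunk header context.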
@@ -30,22 +30,3 @@ for c in `${SSH} -Q cipher`; do n=0; for m in `${SSH} -Q mac`; do fi n=`expr $n + 1` done; done - -if ssh_version 1; then - ciphers="3des blowfish" -else - ciphers="" -fi -for c in $ciphers; do - trace "proto 1 cipher $c" - for x in $tries; do - printf "%-60s" "$c:" - ( ${SSH} -o 'compression no' \ - -F $OBJ/ssh_proxy -1 -c $c somehost \ - exec sh -c \'"dd of=/dev/null obs=32k"\' \ - < ${DATA} ) 2>&1 | getbytes - if [ $? -ne 0 ]; then - fail "ssh -1 failed with cipher $c" - fi - done -done diff --git a/regress/connect-privsep.sh b/regress/connect-privsep.sh index 81cedc7e5..b6abb65e3 100644 --- a/regress/connect-privsep.sh +++ b/regress/connect-privsep.sh @@ -1,4 +1,4 @@ -# $OpenBSD: connect-privsep.sh,v 1.8 2016/11/01 13:43:27 tb Exp $ +# $OpenBSD: connect-privsep.sh,v 1.9 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="proxy connect with privsep" @@ -6,23 +6,19 @@ tid="proxy connect with privsep" cp $OBJ/sshd_proxy $OBJ/sshd_proxy.orig echo 'UsePrivilegeSeparation yes' >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true - if [ $? -ne 0 ]; then - fail "ssh privsep+proxyconnect protocol $p failed" - fi -done +${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true +if [ $? -ne 0 ]; then + fail "ssh privsep+proxyconnect failed" +fi cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy echo 'UsePrivilegeSeparation sandbox' >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true - if [ $? -ne 0 ]; then - # XXX replace this with fail once sandbox has stabilised - warn "ssh privsep/sandbox+proxyconnect protocol $p failed" - fi -done +${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true +if [ $? -ne 0 ]; then + # XXX replace this with fail once sandbox has stabilised + warn "ssh privsep/sandbox+proxyconnect failed" +fi # Because sandbox is sensitive to changes in libc, especially malloc, retest # with every malloc.conf option (and none). 
@@ -32,10 +28,8 @@ else mopts=`echo $TEST_MALLOC_OPTIONS | sed 's/./& /g'` fi for m in '' $mopts ; do - for p in ${SSH_PROTOCOLS}; do - env MALLOC_OPTIONS="$m" ${SSH} -$p -F $OBJ/ssh_proxy 999.999.999.999 true + env MALLOC_OPTIONS="$m" ${SSH} -F $OBJ/ssh_proxy 999.999.999.999 true if [ $? -ne 0 ]; then - fail "ssh privsep/sandbox+proxyconnect protocol $p mopt '$m' failed" + fail "ssh privsep/sandbox+proxyconnect mopt '$m' failed" fi - done done diff --git a/regress/connect.sh b/regress/connect.sh index f0d55d343..1b344b603 100644 --- a/regress/connect.sh +++ b/regress/connect.sh @@ -1,13 +1,11 @@ -# $OpenBSD: connect.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: connect.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="simple connect" start_sshd -for p in ${SSH_PROTOCOLS}; do - ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true - if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed" - fi -done +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with failed" +fi diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index dd67c9639..2e2115f84 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.11 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.12 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="dynamic forwarding" diff --git a/regress/exit-status.sh b/regress/exit-status.sh index 397d8d732..aadf99fb3 100644 --- a/regress/exit-status.sh +++ b/regress/exit-status.sh 
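Review bot: The new connect.sh failure message `fail "ssh connect with failed"` is a leftover from `ssh connect with protocol $p failed` and reads as a typo in the regress log; it should be `fail "ssh connect failed"`. The rest of the hunk is the straightforward removal of the protocol loop and needs no change.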
@@ -1,24 +1,22 @@ -# $OpenBSD: exit-status.sh,v 1.7 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: exit-status.sh,v 1.8 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="remote exit status" -for p in ${SSH_PROTOCOLS}; do - for s in 0 1 4 5 44; do - trace "proto $p status $s" - verbose "test $tid: proto $p status $s" - ${SSH} -$p -F $OBJ/ssh_proxy otherhost exit $s - r=$? - if [ $r -ne $s ]; then - fail "exit code mismatch for protocol $p: $r != $s" - fi +for s in 0 1 4 5 44; do + trace "status $s" + verbose "test $tid: status $s" + ${SSH} -F $OBJ/ssh_proxy otherhost exit $s + r=$? + if [ $r -ne $s ]; then + fail "exit code mismatch for: $r != $s" + fi - # same with early close of stdout/err - ${SSH} -$p -F $OBJ/ssh_proxy -n otherhost \ - exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' - r=$? - if [ $r -ne $s ]; then - fail "exit code (with sleep) mismatch for protocol $p: $r != $s" - fi - done + # same with early close of stdout/err + ${SSH} -F $OBJ/ssh_proxy -n otherhost exec \ + sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' + r=$? + if [ $r -ne $s ]; then + fail "exit code (with sleep) mismatch for: $r != $s" + fi done diff --git a/regress/forcecommand.sh b/regress/forcecommand.sh index 8a9b090ea..e059f1fdb 100644 --- a/regress/forcecommand.sh +++ b/regress/forcecommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forcecommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: forcecommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="forced command" @@ -11,11 +11,8 @@ for t in ${SSH_KEYTYPES}; do cat $OBJ/$t.pub >> $OBJ/authorized_keys_$USER done -for p in ${SSH_PROTOCOLS}; do - trace "forced command in key option proto $p" - ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || - fail "forced command in key proto $p" -done +trace "forced command in key option" +${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" cp /dev/null $OBJ/authorized_keys_$USER for t in ${SSH_KEYTYPES}; do 
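Review bot: Both exit-status.sh fail messages keep a dangling `for:` from the removed `for protocol $p` text: `fail "exit code mismatch for: $r != $s"` and `fail "exit code (with sleep) mismatch for: $r != $s"`. The multiplex.sh hunk in this same commit phrases the identical checks as `fail "exit code mismatch: $r != $s"` and `fail "exit code (with sleep) mismatch: $r != $s"`; using the same wording here keeps the two tests' logs consistent.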
@@ -26,19 +23,13 @@ done cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand true" >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - trace "forced command in sshd_config overrides key option proto $p" - ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || - fail "forced command in key proto $p" -done +trace "forced command in sshd_config overrides key option" +${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "ForceCommand false" >> $OBJ/sshd_proxy echo "Match User $USER" >> $OBJ/sshd_proxy echo " ForceCommand true" >> $OBJ/sshd_proxy -for p in ${SSH_PROTOCOLS}; do - trace "forced command with match proto $p" - ${SSH} -$p -F $OBJ/ssh_proxy somehost false \ || - fail "forced command in key proto $p" -done +trace "forced command with match" +${SSH} -F $OBJ/ssh_proxy somehost false || fail "forced command in key" diff --git a/regress/forward-control.sh b/regress/forward-control.sh index 91957098f..2e9dbb53a 100644 --- a/regress/forward-control.sh +++ b/regress/forward-control.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forward-control.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: forward-control.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="sshd control of local and remote forwarding" @@ -32,13 +32,12 @@ wait_for_process_to_exit() { return 0 } -# usage: check_lfwd protocol Y|N message +# usage: check_lfwd Y|N message check_lfwd() { - _proto=$1 - _expected=$2 - _message=$3 + _expected=$1 + _message=$2 rm -f $READY - ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ + ${SSH} -F $OBJ/ssh_proxy \ -L$LFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ 
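Review bot: Both tests in this hunk report `fail "forced command in key"`, the same text the key-option test above uses, so a failure in the sshd_config-override or Match case cannot be told apart from a key-option failure in the log. Now that each test is a single line, the fail text could mirror its trace line: `fail "forced command in sshd_config"` and `fail "forced command with match"`. The ambiguity predates this commit, but the rewrite of these lines is the natural place to fix it.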
@@ -62,13 +61,12 @@ check_lfwd() { fi } -# usage: check_rfwd protocol Y|N message +# usage: check_rfwd Y|N message check_rfwd() { - _proto=$1 - _expected=$2 - _message=$3 + _expected=$1 + _message=$2 rm -f $READY - ${SSH} -oProtocol=$_proto -F $OBJ/ssh_proxy \ + ${SSH} -F $OBJ/ssh_proxy \ -R$RFWD_PORT:127.0.0.1:$PORT \ -o ExitOnForwardFailure=yes \ -n host exec sh -c \'"sleep 60 & echo \$! > $READY ; wait "\' \ @@ -99,10 +97,8 @@ cp ${OBJ}/sshd_proxy ${OBJ}/sshd_proxy.bak cp ${OBJ}/authorized_keys_${USER} ${OBJ}/authorized_keys_${USER}.bak # Sanity check: ensure the default config allows forwarding -for p in ${SSH_PROTOCOLS} ; do - check_lfwd $p Y "proto $p, default configuration" - check_rfwd $p Y "proto $p, default configuration" -done +check_lfwd Y "default configuration" +check_rfwd Y "default configuration" # Usage: all_tests yes|local|remote|no Y|N Y|N Y|N Y|N Y|N Y|N all_tests() { 
@@ -115,49 +111,46 @@ all_tests() { _permit_rfwd=$7 _badfwd=127.0.0.1:22 _goodfwd=127.0.0.1:${PORT} - for _proto in ${SSH_PROTOCOLS} ; do - cp ${OBJ}/authorized_keys_${USER}.bak \ - ${OBJ}/authorized_keys_${USER} - _prefix="proto $_proto, AllowTcpForwarding=$_tcpfwd" - # No PermitOpen - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_plain_lfwd "$_prefix" - check_rfwd $_proto $_plain_rfwd "$_prefix" - # PermitOpen via sshd_config that doesn't match - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ; - echo "PermitOpen $_badfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_nopermit_lfwd "$_prefix, !PermitOpen" - check_rfwd $_proto $_nopermit_rfwd "$_prefix, !PermitOpen" - # PermitOpen via sshd_config that does match - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ; - echo "PermitOpen $_badfwd $_goodfwd" ) \ - > ${OBJ}/sshd_proxy - # NB. permitopen via authorized_keys should have same - # success/fail as via sshd_config - # permitopen via authorized_keys that doesn't match - sed "s/^/permitopen=\"$_badfwd\" /" \ - < ${OBJ}/authorized_keys_${USER}.bak \ - > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_nopermit_lfwd "$_prefix, !permitopen" - check_rfwd $_proto $_nopermit_rfwd "$_prefix, !permitopen" - # permitopen via authorized_keys that does match - sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ - < ${OBJ}/authorized_keys_${USER}.bak \ - > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" - ( cat ${OBJ}/sshd_proxy.bak ; - echo "AllowTcpForwarding $_tcpfwd" ) \ - > ${OBJ}/sshd_proxy - check_lfwd $_proto $_permit_lfwd "$_prefix, permitopen" - check_rfwd $_proto $_permit_rfwd "$_prefix, permitopen" - done + cp ${OBJ}/authorized_keys_${USER}.bak ${OBJ}/authorized_keys_${USER} + _prefix="AllowTcpForwarding=$_tcpfwd" + # 
No PermitOpen + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_plain_lfwd "$_prefix" + check_rfwd $_plain_rfwd "$_prefix" + # PermitOpen via sshd_config that doesn't match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !PermitOpen" + check_rfwd $_nopermit_rfwd "$_prefix, !PermitOpen" + # PermitOpen via sshd_config that does match + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ; + echo "PermitOpen $_badfwd $_goodfwd" ) \ + > ${OBJ}/sshd_proxy + # NB. permitopen via authorized_keys should have same + # success/fail as via sshd_config + # permitopen via authorized_keys that doesn't match + sed "s/^/permitopen=\"$_badfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 1 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_nopermit_lfwd "$_prefix, !permitopen" + check_rfwd $_nopermit_rfwd "$_prefix, !permitopen" + # permitopen via authorized_keys that does match + sed "s/^/permitopen=\"$_badfwd\",permitopen=\"$_goodfwd\" /" \ + < ${OBJ}/authorized_keys_${USER}.bak \ + > ${OBJ}/authorized_keys_${USER} || fatal "sed 2 fail" + ( cat ${OBJ}/sshd_proxy.bak ; + echo "AllowTcpForwarding $_tcpfwd" ) \ + > ${OBJ}/sshd_proxy + check_lfwd $_permit_lfwd "$_prefix, permitopen" + check_rfwd $_permit_rfwd "$_prefix, permitopen" } # no-permitopen mismatch-permitopen match-permitopen diff --git a/regress/forwarding.sh b/regress/forwarding.sh index 45c596d7d..39fccba73 100644 --- a/regress/forwarding.sh +++ b/regress/forwarding.sh @@ -1,4 +1,4 @@ -# $OpenBSD: forwarding.sh,v 1.19 2017/01/30 05:22:14 djm Exp $ +# $OpenBSD: forwarding.sh,v 1.20 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="local and remote forwarding" 
@@ -22,30 +22,24 @@ for j in 0 1 2; do last=$a done done -for p in ${SSH_PROTOCOLS}; do - q=`expr 3 - $p` - if ! ssh_version $q; then - q=$p - fi - trace "start forwarding, fork to background" - rm -f $CTL - ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f $fwd somehost sleep 10 - trace "transfer over forwarded channels and check result" - ${SSH} -$q -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ - somehost cat ${DATA} > ${COPY} - test -s ${COPY} || fail "failed copy of ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" +trace "start forwarding, fork to background" +rm -f $CTL +${SSH} -S $CTL -M -F $OBJ/ssh_config -f $fwd somehost sleep 10 - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -done +trace "transfer over forwarded channels and check result" +${SSH} -F $OBJ/ssh_config -p$last -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} +test -s ${COPY} || fail "failed copy of ${DATA}" +cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -for p in ${SSH_PROTOCOLS}; do for d in L R; do - trace "exit on -$d forward failure, proto $p" + trace "exit on -$d forward failure" # this one should succeed - ${SSH} -$p -F $OBJ/ssh_config \ + ${SSH} -F $OBJ/ssh_config \ -$d ${base}01:127.0.0.1:$PORT \ -$d ${base}02:127.0.0.1:$PORT \ -$d ${base}03:127.0.0.1:$PORT \ @@ -55,7 +49,7 @@ for d in L R; do fatal "connection failed, should not" else # this one should fail - ${SSH} -q -$p -F $OBJ/ssh_config \ + ${SSH} -q -F $OBJ/ssh_config \ -$d ${base}01:127.0.0.1:$PORT \ -$d ${base}02:127.0.0.1:$PORT \ -$d ${base}03:127.0.0.1:$PORT \ 
@@ -68,82 +62,74 @@ for d in L R; do fi fi done -done -for p in ${SSH_PROTOCOLS}; do - trace "simple clear forwarding proto $p" - ${SSH} -$p -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true - - trace "clear local forward proto $p" - rm -f $CTL - ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ - -oClearAllForwardings=yes somehost sleep 10 - if [ $? != 0 ]; then - fail "connection failed with cleared local forwarding" - else - # this one should fail - ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ - >>$TEST_REGRESS_LOGFILE 2>&1 && \ - fail "local forwarding not cleared" - fi - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost - - trace "clear remote forward proto $p" - rm -f $CTL - ${SSH} -S $CTL -M -$p -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ - -oClearAllForwardings=yes somehost sleep 10 - if [ $? != 0 ]; then - fail "connection failed with cleared remote forwarding" - else - # this one should fail - ${SSH} -$p -F $OBJ/ssh_config -p ${base}01 somehost true \ - >>$TEST_REGRESS_LOGFILE 2>&1 && \ - fail "remote forwarding not cleared" - fi - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -done - -for p in 2; do - trace "stdio forwarding proto $p" - cmd="${SSH} -$p -F $OBJ/ssh_config" - $cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" \ - somehost true - if [ $? != 0 ]; then - fail "stdio forwarding proto $p" - fi -done +trace "simple clear forwarding" +${SSH} -F $OBJ/ssh_config -oClearAllForwardings=yes somehost true + +trace "clear local forward" +rm -f $CTL +${SSH} -S $CTL -M -f -F $OBJ/ssh_config -L ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 +if [ $? 
!= 0 ]; then + fail "connection failed with cleared local forwarding" +else + # this one should fail + ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ + fail "local forwarding not cleared" +fi +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost + +trace "clear remote forward" +rm -f $CTL +${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R ${base}01:127.0.0.1:$PORT \ + -oClearAllForwardings=yes somehost sleep 10 +if [ $? != 0 ]; then + fail "connection failed with cleared remote forwarding" +else + # this one should fail + ${SSH} -F $OBJ/ssh_config -p ${base}01 somehost true \ + >>$TEST_REGRESS_LOGFILE 2>&1 && \ + fail "remote forwarding not cleared" +fi +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost + +trace "stdio forwarding" +cmd="${SSH} -F $OBJ/ssh_config" +$cmd -o "ProxyCommand $cmd -q -W localhost:$PORT somehost" somehost true +if [ $? != 0 ]; then + fail "stdio forwarding" +fi echo "LocalForward ${base}01 127.0.0.1:$PORT" >> $OBJ/ssh_config echo "RemoteForward ${base}02 127.0.0.1:${base}01" >> $OBJ/ssh_config -for p in ${SSH_PROTOCOLS}; do - trace "config file: start forwarding, fork to background" - rm -f $CTL - ${SSH} -S $CTL -M -$p -F $OBJ/ssh_config -f somehost sleep 10 - - trace "config file: transfer over forwarded channels and check result" - ${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ - somehost cat ${DATA} > ${COPY} - test -s ${COPY} || fail "failed copy of ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost -done -for p in 2; do - trace "transfer over chained unix domain socket forwards and check result" - rm -f $OBJ/unix-[123].fwd - rm -f $CTL $CTL.[123] - ${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 - ${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 - ${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config 
-R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 - ${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 - ${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ - somehost cat ${DATA} > ${COPY} - test -s ${COPY} || fail "failed copy ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - - ${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost - ${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost - ${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost - ${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost -done +trace "config file: start forwarding, fork to background" +rm -f $CTL +${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10 + +trace "config file: transfer over forwarded channels and check result" +${SSH} -F $OBJ/ssh_config -p${base}02 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} +test -s ${COPY} || fail "failed copy of ${DATA}" +cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost + +trace "transfer over chained unix domain socket forwards and check result" +rm -f $OBJ/unix-[123].fwd +rm -f $CTL $CTL.[123] +${SSH} -S $CTL -M -f -F $OBJ/ssh_config -R${base}01:[$OBJ/unix-1.fwd] somehost sleep 10 +${SSH} -S $CTL.1 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-1.fwd]:[$OBJ/unix-2.fwd] somehost sleep 10 +${SSH} -S $CTL.2 -M -f -F $OBJ/ssh_config -R[$OBJ/unix-2.fwd]:[$OBJ/unix-3.fwd] somehost sleep 10 +${SSH} -S $CTL.3 -M -f -F $OBJ/ssh_config -L[$OBJ/unix-3.fwd]:127.0.0.1:$PORT somehost sleep 10 +${SSH} -F $OBJ/ssh_config -p${base}01 -o 'ConnectionAttempts=4' \ + somehost cat ${DATA} > ${COPY} +test -s ${COPY} || fail "failed copy ${DATA}" +cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + +${SSH} -F $OBJ/ssh_config -S $CTL -O exit somehost +${SSH} -F $OBJ/ssh_config -S $CTL.1 -O exit somehost +${SSH} -F $OBJ/ssh_config -S $CTL.2 -O exit somehost +${SSH} -F $OBJ/ssh_config -S $CTL.3 -O exit somehost + 
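Review bot: In the chained unix-domain-socket test the four `${SSH} -S $CTL... -M -f ... somehost sleep 10` masters are started without any exit-status check, so if one of them fails (a rejected -R/-L, or ssh not connecting) the only symptom is the later `failed copy ${DATA}` and the surviving masters keep running until their sleep expires. Each master line should carry its own check, e.g. `... somehost sleep 10 || fail "unix forward 1 master failed"`, and likewise for `$CTL.1` through `$CTL.3`. The config-file master (`${SSH} -S $CTL -M -F $OBJ/ssh_config -f somehost sleep 10`) earlier in this hunk has the same gap; the first start-forwarding test near the top of the file is outside this hunk.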
diff --git a/regress/host-expand.sh b/regress/host-expand.sh index 2a95bfe1b..9444f7fb6 100644 --- a/regress/host-expand.sh +++ b/regress/host-expand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: host-expand.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: host-expand.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="expand %h and %n" @@ -11,9 +11,6 @@ somehost 127.0.0.1 EOE -for p in ${SSH_PROTOCOLS}; do - verbose "test $tid: proto $p" - ${SSH} -F $OBJ/ssh_proxy -$p somehost true >$OBJ/actual - diff $OBJ/expect $OBJ/actual || fail "$tid proto $p" -done +${SSH} -F $OBJ/ssh_proxy somehost true >$OBJ/actual +diff $OBJ/expect $OBJ/actual || fail "$tid" diff --git a/regress/hostkey-agent.sh b/regress/hostkey-agent.sh index 094700da6..811b6b9ab 100644 --- a/regress/hostkey-agent.sh +++ b/regress/hostkey-agent.sh @@ -1,4 +1,4 @@ -# $OpenBSD: hostkey-agent.sh,v 1.6 2015/07/10 06:23:25 markus Exp $ +# $OpenBSD: hostkey-agent.sh,v 1.7 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="hostkey agent" @@ -40,7 +40,7 @@ for ps in no yes; do cp $OBJ/known_hosts.orig $OBJ/known_hosts SSH_CONNECTION=`${SSH} $opts host 'echo $SSH_CONNECTION'` if [ $? -ne 0 ]; then - fail "protocol $p privsep=$ps failed" + fail "privsep=$ps failed" fi if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then fail "bad SSH_CONNECTION key type $k privsep=$ps" diff --git a/regress/integrity.sh b/regress/integrity.sh index b71aa46fd..3eda40f0a 100644 --- a/regress/integrity.sh +++ b/regress/integrity.sh @@ -1,4 +1,4 @@ -# $OpenBSD: integrity.sh,v 1.22 2017/04/28 04:16:27 dtucker Exp $ +# $OpenBSD: integrity.sh,v 1.23 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="integrity" 
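Review bot: The hostkey-agent.sh message `fail "privsep=$ps failed"` drops the key type, while the sibling check three lines below reports `bad SSH_CONNECTION key type $k privsep=$ps`, so a connection failure cannot be attributed to the key being tested. `$k` is evidently in scope (the enclosing loop begins above the hunk), so `fail "key type $k privsep=$ps failed"` would make the two messages consistent. Removing `protocol $p` itself was right, as `$p` is no longer set anywhere in the file.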
@@ -46,7 +46,7 @@ for m in $macs; do
 macopt="-m $m -c aes128-ctr"
 fi
 verbose "test $tid: $m @$off"
- ${SSH} $macopt -2F $OBJ/ssh_proxy -o "$pxy" \
+ ${SSH} $macopt -F $OBJ/ssh_proxy -o "$pxy" \
 -oServerAliveInterval=1 -oServerAliveCountMax=30 \
 999.999.999.999 'printf "%4096s" " "' >/dev/null
 if [ $? -eq 0 ]; then
diff --git a/regress/key-options.sh b/regress/key-options.sh
index 7a68ad358..2adee6833 100644
--- a/regress/key-options.sh
+++ b/regress/key-options.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: key-options.sh,v 1.3 2015/03/03 22:35:19 markus Exp $
+# $OpenBSD: key-options.sh,v 1.4 2017/04/30 23:34:55 djm Exp $
 # Placed in the Public Domain.
 
 tid="key options"
@@ -8,64 +8,56 @@ authkeys="$OBJ/authorized_keys_${USER}" cp $authkeys $origkeys # Test command= forced command -for p in ${SSH_PROTOCOLS}; do - for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do +for c in 'command="echo bar"' 'no-pty,command="echo bar"'; do sed "s/.*/$c &/" $origkeys >$authkeys - verbose "key option proto $p $c" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost echo foo` + verbose "key option $c" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost echo foo` if [ "$r" = "foo" ]; then fail "key option forced command not restricted" fi if [ "$r" != "bar" ]; then fail "key option forced command not executed" fi - done done # Test no-pty sed 's/.*/no-pty &/' $origkeys >$authkeys -for p in ${SSH_PROTOCOLS}; do - verbose "key option proto $p no-pty" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost tty` - if [ -f "$r" ]; then - fail "key option failed proto $p no-pty (pty $r)" - fi -done +verbose "key option proto no-pty" +r=`${SSH} -q -F $OBJ/ssh_proxy somehost tty` +if [ -f "$r" ]; then + fail "key option failed no-pty (pty $r)" +fi # Test environment= echo 'PermitUserEnvironment yes' >> $OBJ/sshd_proxy sed 's/.*/environment="FOO=bar" &/' $origkeys >$authkeys -for p in ${SSH_PROTOCOLS}; do - verbose "key option proto $p environment" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` - if [ "$r" != "bar" ]; then - fail "key option environment not set" - fi -done +verbose "key option environment" +r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo $FOO'` +if [ "$r" != "bar" ]; then + fail "key option environment not set" +fi # Test from= restriction start_sshd -for p in ${SSH_PROTOCOLS}; do - for f in 127.0.0.1 '127.0.0.0\/8'; do +for f in 127.0.0.1 '127.0.0.0\/8'; do cat $origkeys >$authkeys - ${SSH} -$p -q -F $OBJ/ssh_proxy somehost true + ${SSH} -q -F $OBJ/ssh_proxy somehost true if [ $? 
-ne 0 ]; then - fail "key option proto $p failed without restriction" + fail "key option failed without restriction" fi sed 's/.*/from="'"$f"'" &/' $origkeys >$authkeys from=`head -1 $authkeys | cut -f1 -d ' '` - verbose "key option proto $p $from" - r=`${SSH} -$p -q -F $OBJ/ssh_proxy somehost 'echo true'` + verbose "key option $from" + r=`${SSH} -q -F $OBJ/ssh_proxy somehost 'echo true'` if [ "$r" = "true" ]; then - fail "key option proto $p $from not restricted" + fail "key option $from not restricted" fi - r=`${SSH} -$p -q -F $OBJ/ssh_config somehost 'echo true'` + r=`${SSH} -q -F $OBJ/ssh_config somehost 'echo true'` if [ "$r" != "true" ]; then - fail "key option proto $p $from not allowed but should be" + fail "key option $from not allowed but should be" fi - done done rm -f "$origkeys" diff --git a/regress/keygen-change.sh b/regress/keygen-change.sh index e56185050..8b8acd52f 100644 --- a/regress/keygen-change.sh +++ b/regress/keygen-change.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keygen-change.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: keygen-change.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="change passphrase for key" @@ -7,9 +7,6 @@ S1="secret1" S2="2secret" KEYTYPES=`${SSH} -Q key-plain` -if ssh_version 1; then - KEYTYPES="${KEYTYPES} rsa1" -fi for t in $KEYTYPES; do # generate user key for agent diff --git a/regress/keyscan.sh b/regress/keyscan.sh index f97364b76..3bde1219a 100644 --- a/regress/keyscan.sh +++ b/regress/keyscan.sh @@ -1,4 +1,4 @@ -# $OpenBSD: keyscan.sh,v 1.5 2015/09/11 03:44:21 djm Exp $ +# $OpenBSD: keyscan.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="keyscan" @@ -9,10 +9,6 @@ rm -f ${OBJ}/host.dsa start_sshd KEYTYPES=`${SSH} -Q key-plain` -if ssh_version 1; then - KEYTYPES="${KEYTYPES} rsa1" -fi - for t in $KEYTYPES; do trace "keyscan type $t" ${SSHKEYSCAN} -t $t -p $PORT 127.0.0.1 127.0.0.1 127.0.0.1 \ 
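Review bot: `verbose "key option proto no-pty"` still carries `proto` from the removed `proto $p` loop while every other verbose/fail line in the hunk dropped it; it should read `verbose "key option no-pty"`. Separately, the no-pty check `if [ -f "$r" ]` asks whether the `tty` output names a regular file, but a pty is a character device, so `-f` is false for `/dev/pts/N` and the test passes even when a pty was allocated; `if [ -c "$r" ]` is the condition that would actually catch a no-pty regression. That check predates this commit, but the hunk rewrites the surrounding lines and is the place to fix it.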
diff --git a/regress/localcommand.sh b/regress/localcommand.sh index 220f19a4d..5224a16b2 100644 --- a/regress/localcommand.sh +++ b/regress/localcommand.sh @@ -1,4 +1,4 @@ -# $OpenBSD: localcommand.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: localcommand.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="localcommand" @@ -6,10 +6,8 @@ tid="localcommand" echo 'PermitLocalCommand yes' >> $OBJ/ssh_proxy echo 'LocalCommand echo foo' >> $OBJ/ssh_proxy -for p in ${SSH_PROTOCOLS}; do - verbose "test $tid: proto $p localcommand" - a=`${SSH} -F $OBJ/ssh_proxy -$p somehost true` - if [ "$a" != "foo" ] ; then - fail "$tid proto $p" - fi -done +verbose "test $tid: proto $p localcommand" +a=`${SSH} -F $OBJ/ssh_proxy somehost true` +if [ "$a" != "foo" ] ; then + fail "$tid proto $p" +fi diff --git a/regress/misc/kexfuzz/kexfuzz.c b/regress/misc/kexfuzz/kexfuzz.c index 67058027f..3e2c48160 100644 --- a/regress/misc/kexfuzz/kexfuzz.c +++ b/regress/misc/kexfuzz/kexfuzz.c @@ -1,4 +1,4 @@ -/* $OpenBSD: kexfuzz.c,v 1.3 2016/10/11 21:49:54 djm Exp $ */ +/* $OpenBSD: kexfuzz.c,v 1.4 2017/04/30 23:34:55 djm Exp $ */ /* * Fuzz harness for KEX code * @@ -418,7 +418,7 @@ main(int argc, char **argv) close(fd); /* XXX check that it is a private key */ /* XXX support certificates */ - if (key == NULL || key->type == KEY_UNSPEC || key->type == KEY_RSA1) + if (key == NULL || key->type == KEY_UNSPEC) badusage("Invalid key file (-k flag)"); /* Replace (fuzz) mode */ diff --git a/regress/multiplex.sh b/regress/multiplex.sh index acb9234d9..078a53a88 100644 --- a/regress/multiplex.sh +++ b/regress/multiplex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: multiplex.sh,v 1.27 2014/12/22 06:14:29 djm Exp $ +# $OpenBSD: multiplex.sh,v 1.28 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. CTL=/tmp/openssh.regress.ctl-sock.$$ 
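Review bot: The new localcommand.sh lines `verbose "test $tid: proto $p localcommand"` and `fail "$tid proto $p"` still interpolate `$p`, but the `for p in ${SSH_PROTOCOLS}` loop that defined it is removed in this same hunk, so the messages now print an empty value or whatever a stale `$p` from an earlier sourced script held. They should be `verbose "test $tid: localcommand"` and `fail "$tid"`, as the parallel host-expand.sh hunk in this commit does.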
@@ -101,7 +101,7 @@ for s in 0 1 4 5 44; do ${SSH} -F $OBJ/ssh_config -S $CTL otherhost exit $s r=$? if [ $r -ne $s ]; then - fail "exit code mismatch for protocol $p: $r != $s" + fail "exit code mismatch: $r != $s" fi # same with early close of stdout/err @@ -110,7 +110,7 @@ for s in 0 1 4 5 44; do exec sh -c \'"sleep 2; exec > /dev/null 2>&1; sleep 3; exit $s"\' r=$? if [ $r -ne $s ]; then - fail "exit code (with sleep) mismatch for protocol $p: $r != $s" + fail "exit code (with sleep) mismatch: $r != $s" fi done diff --git a/regress/principals-command.sh b/regress/principals-command.sh index 9b38eb105..bcc68e80b 100644 --- a/regress/principals-command.sh +++ b/regress/principals-command.sh @@ -1,4 +1,4 @@ -# $OpenBSD: principals-command.sh,v 1.3 2016/09/26 21:34:38 bluhm Exp $ +# $OpenBSD: principals-command.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="authorized principals command" @@ -78,7 +78,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then # Empty authorized_principals verbose "$tid: ${_prefix} empty authorized_principals" echo > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -87,7 +87,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then # Wrong authorized_principals verbose "$tid: ${_prefix} wrong authorized_principals" echo gregorsamsa > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" 
@@ -96,7 +96,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then # Correct authorized_principals verbose "$tid: ${_prefix} correct authorized_principals" echo mekmitasdigoat > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -105,7 +105,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then # authorized_principals with bad key option verbose "$tid: ${_prefix} authorized_principals bad key opt" echo 'blah mekmitasdigoat' > $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -115,7 +115,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then verbose "$tid: ${_prefix} authorized_principals command=false" echo 'command="false" mekmitasdigoat' > \ $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" @@ -125,7 +125,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then verbose "$tid: ${_prefix} authorized_principals command=true" echo 'command="true" mekmitasdigoat' > \ $OBJ/authorized_principals_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost false >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" @@ -144,7 +144,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then printf 'cert-authority,principals="gregorsamsa" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -eq 0 ]; then fail "ssh cert connect succeeded unexpectedly" 
@@ -156,7 +156,7 @@ if [ -x $PRINCIPALS_COMMAND ]; then printf 'cert-authority,principals="mekmitasdigoat" ' cat $OBJ/user_ca_key.pub ) > $OBJ/authorized_keys_$USER - ${SSH} -2i $OBJ/cert_user_key \ + ${SSH} -i $OBJ/cert_user_key \ -F $OBJ/ssh_proxy somehost true >/dev/null 2>&1 if [ $? -ne 0 ]; then fail "ssh cert connect failed" diff --git a/regress/proto-mismatch.sh b/regress/proto-mismatch.sh index 9e8024beb..6ab28c9a7 100644 --- a/regress/proto-mismatch.sh +++ b/regress/proto-mismatch.sh @@ -1,21 +1,17 @@ -# $OpenBSD: proto-mismatch.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: proto-mismatch.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="protocol version mismatch" mismatch () { - server=$1 client=$2 - banner=`echo ${client} | ${SSHD} -o "Protocol=${server}" -i -f ${OBJ}/sshd_proxy` + banner=`echo ${client} | ${SSHD} -i -f ${OBJ}/sshd_proxy` r=$? trace "sshd prints ${banner}" if [ $r -ne 255 ]; then - fail "sshd prints ${banner} and accepts connect with version ${client}" + fail "sshd prints ${banner} but accepts version ${client}" fi } -mismatch 2 SSH-1.5-HALLO -if ssh_version 1; then - mismatch 1 SSH-2.0-HALLO -fi +mismatch SSH-1.5-HALLO diff --git a/regress/proto-version.sh b/regress/proto-version.sh index cf4946115..5faeb758c 100644 --- a/regress/proto-version.sh +++ b/regress/proto-version.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proto-version.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: proto-version.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="sshd version with different protocol combinations" @@ -6,9 +6,8 @@ tid="sshd version with different protocol combinations" # we just start sshd in inetd mode and check the banner check_version () { - version=$1 expect=$2 - banner=`printf '' | ${SSHD} -o "Protocol=${version}" -i -f ${OBJ}/sshd_proxy` + banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) proto=199 
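Review bot: `mismatch` in proto-mismatch.sh still reads its banner from `client=$2`, but the only remaining caller is `mismatch SSH-1.5-HALLO`, so `client` is empty and sshd is fed a blank line instead of the SSH-1.5 banner the test is meant to reject; the line should be `client=$1`. sshd presumably still exits 255 for an empty banner, which would make the test pass vacuously rather than fail loudly. `check_version` in the proto-version.sh hunk that follows has the same problem (`expect=$2` while its caller becomes `check_version 20`), where `[ ${expect} -ne ${proto} ]` would then error on an empty operand.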
@@ -24,13 +23,8 @@ check_version () ;; esac if [ ${expect} -ne ${proto} ]; then - fail "wrong protocol version ${banner} for ${version}" + fail "wrong protocol version ${banner}" fi } -check_version 2 20 -if ssh_version 1; then - check_version 2,1 199 - check_version 1,2 199 - check_version 1 15 -fi +check_version 20 diff --git a/regress/proxy-connect.sh b/regress/proxy-connect.sh index b7a43fabe..f1b9d9f76 100644 --- a/regress/proxy-connect.sh +++ b/regress/proxy-connect.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proxy-connect.sh,v 1.9 2016/02/17 02:24:17 djm Exp $ +# $OpenBSD: proxy-connect.sh,v 1.10 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="proxy connect" 
@@ -6,27 +6,22 @@ tid="proxy connect" mv $OBJ/sshd_proxy $OBJ/sshd_proxy.orig for ps in no yes; do - cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy - echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy - - for p in ${SSH_PROTOCOLS}; do - for c in no yes; do - verbose "plain username protocol $p privsep=$ps comp=$c" - opts="-$p -oCompression=$c -F $OBJ/ssh_proxy" - SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` - if [ $? -ne 0 ]; then - fail "ssh proxyconnect protocol $p privsep=$ps comp=$c failed" - fi - if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then - fail "bad SSH_CONNECTION protocol $p privsep=$ps comp=$c: " \ - "$SSH_CONNECTION" - fi - done - done + cp $OBJ/sshd_proxy.orig $OBJ/sshd_proxy + echo "UsePrivilegeSeparation $ps" >> $OBJ/sshd_proxy + for c in no yes; do + verbose "plain username privsep=$ps comp=$c" + opts="-oCompression=$c -F $OBJ/ssh_proxy" + SSH_CONNECTION=`${SSH} $opts 999.999.999.999 'echo $SSH_CONNECTION'` + if [ $? -ne 0 ]; then + fail "ssh proxyconnect privsep=$ps comp=$c failed" + fi + if [ "$SSH_CONNECTION" != "UNKNOWN 65535 UNKNOWN 65535" ]; then + fail "bad SSH_CONNECTION privsep=$ps comp=$c: " \ + "$SSH_CONNECTION" + fi + done done -for p in ${SSH_PROTOCOLS}; do - verbose "username with style protocol $p" - ${SSH} -$p -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ - fail "ssh proxyconnect protocol $p failed" -done +verbose "username with style" +${SSH} -F $OBJ/ssh_proxy ${USER}:style@999.999.999.999 true || \ + fail "ssh proxyconnect failed" diff --git a/regress/putty-transfer.sh b/regress/putty-transfer.sh index 8eb6ae0c0..32c79f9ea 100644 --- a/regress/putty-transfer.sh +++ b/regress/putty-transfer.sh @@ -1,4 +1,4 @@ -# $OpenBSD: putty-transfer.sh,v 1.4 2016/11/25 03:02:01 dtucker Exp $ +# $OpenBSD: putty-transfer.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="putty transfer data" 
@@ -8,33 +8,30 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then exit 0 fi -# XXX support protocol 1 too -for p in 2; do - for c in 0 1 ; do - verbose "$tid: proto $p compression $c" +for c in 0 1 ; do + verbose "$tid: compression $c" + rm -f ${COPY} + cp ${OBJ}/.putty/sessions/localhost_proxy \ + ${OBJ}/.putty/sessions/compression_$c + echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k + env HOME=$PWD ${PLINK} -load compression_$c -batch \ + -i putty.rsa cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + + for s in 10 100 1k 32k 64k 128k 256k; do + trace "compression $c dd-size ${s}" rm -f ${COPY} - cp ${OBJ}/.putty/sessions/localhost_proxy \ - ${OBJ}/.putty/sessions/compression_$c - echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k - env HOME=$PWD ${PLINK} -load compression_$c -batch \ - -i putty.rsa$p cat ${DATA} > ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + env HOME=$PWD ${PLINK} -load compression_$c \ + -batch -i putty.rsa \ + "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" fi - cmp ${DATA} ${COPY} || fail "corrupted copy" - - for s in 10 100 1k 32k 64k 128k 256k; do - trace "proto $p compression $c dd-size ${s}" - rm -f ${COPY} - dd if=$DATA obs=${s} 2> /dev/null | \ - env HOME=$PWD ${PLINK} -load compression_$c \ - -batch -i putty.rsa$p \ - "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - done + cmp $DATA ${COPY} || fail "corrupted copy" done done rm -f ${COPY} diff --git a/regress/reconfigure.sh b/regress/reconfigure.sh index eecddd3c7..dd15eddb2 100644 --- a/regress/reconfigure.sh +++ b/regress/reconfigure.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reconfigure.sh,v 1.5 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: reconfigure.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="simple connect after reconfigure" 
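Review bot: The re-indented `echo "Compression=$c" >> ${OBJ}/.putty/sessions/kex_$k` in putty-transfer.sh appends the setting to a session named after `$k`, which is not assigned anywhere in this hunk (the name looks carried over from the kex test), while the session plink actually loads is `compression_$c`. As written, both iterations of the loop exercise the same default compression setting. The line that matches the `cp` just above it is `echo "Compression=$c" >> ${OBJ}/.putty/sessions/compression_$c`. The defect predates this commit, but the line is rewritten here.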
@@ -18,12 +18,10 @@ fi start_sshd trace "connect before restart" -for p in ${SSH_PROTOCOLS} ; do - ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true - if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed before reconfigure" - fi -done +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with failed before reconfigure" +fi PID=`$SUDO cat $PIDFILE` rm -f $PIDFILE @@ -39,9 +37,7 @@ done test -f $PIDFILE || fatal "sshd did not restart" trace "connect after restart" -for p in ${SSH_PROTOCOLS} ; do - ${SSH} -o "Protocol=$p" -F $OBJ/ssh_config somehost true - if [ $? -ne 0 ]; then - fail "ssh connect with protocol $p failed after reconfigure" - fi -done +${SSH} -F $OBJ/ssh_config somehost true +if [ $? -ne 0 ]; then + fail "ssh connect with failed after reconfigure" +fi diff --git a/regress/reexec.sh b/regress/reexec.sh index 72957d4cd..ce23a1af3 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reexec.sh,v 1.10 2016/12/16 01:06:27 dtucker Exp $ +# $OpenBSD: reexec.sh,v 1.11 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="reexec tests" @@ -19,16 +19,13 @@ start_sshd_copy () copy_tests () { rm -f ${COPY} - for p in ${SSH_PROTOCOLS} ; do - verbose "$tid: proto $p" - ${SSH} -nqo "Protocol=$p" -F $OBJ/ssh_config somehost \ - cat ${DATA} > ${COPY} - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" - fi - cmp ${DATA} ${COPY} || fail "corrupted copy" - rm -f ${COPY} - done + ${SSH} -nq -F $OBJ/ssh_config somehost \ + cat ${DATA} > ${COPY} + if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" + fi + cmp ${DATA} ${COPY} || fail "corrupted copy" + rm -f ${COPY} } verbose "test config passing" diff --git a/regress/stderr-after-eof.sh b/regress/stderr-after-eof.sh index 218ac6b68..9065245e8 100644 --- a/regress/stderr-after-eof.sh +++ b/regress/stderr-after-eof.sh 
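Review bot: Both new `fail` messages in reconfigure.sh read `ssh connect with failed before reconfigure` / `... after reconfigure`: dropping `protocol $p` left a stray `with`. Suggested: `fail "ssh connect failed before reconfigure"` and `fail "ssh connect failed after reconfigure"`. The same edit applies to the second hunk (`@@ -39,9 +37,7 @@`) on this line.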
@@ -1,4 +1,4 @@ -# $OpenBSD: stderr-after-eof.sh,v 1.2 2013/05/17 04:29:14 dtucker Exp $ +# $OpenBSD: stderr-after-eof.sh,v 1.3 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="stderr data after eof" @@ -10,7 +10,7 @@ for i in 1 2 3 4 5 6; do (date;echo $i) | md5 >> ${DATA} done -${SSH} -2 -F $OBJ/ssh_proxy otherhost \ +${SSH} -F $OBJ/ssh_proxy otherhost \ exec sh -c \'"exec > /dev/null; sleep 2; cat ${DATA} 1>&2 $s"\' \ 2> ${COPY} r=$? diff --git a/regress/stderr-data.sh b/regress/stderr-data.sh index 8c8149a73..0ceb72b3a 100644 --- a/regress/stderr-data.sh +++ b/regress/stderr-data.sh @@ -1,13 +1,12 @@ -# $OpenBSD: stderr-data.sh,v 1.4 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: stderr-data.sh,v 1.5 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="stderr data transfer" for n in '' -n; do -for p in ${SSH_PROTOCOLS}; do - verbose "test $tid: proto $p ($n)" - ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ - exec sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + verbose "test $tid: ($n)" + ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ + sh -c \'"exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ 2> ${COPY} r=$? if [ $r -ne 0 ]; then @@ -16,8 +15,8 @@ for p in ${SSH_PROTOCOLS}; do cmp ${DATA} ${COPY} || fail "stderr corrupt" rm -f ${COPY} - ${SSH} $n -$p -F $OBJ/ssh_proxy otherhost \ - exec sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ + ${SSH} $n -F $OBJ/ssh_proxy otherhost exec \ + sh -c \'"echo a; exec > /dev/null; sleep 3; cat ${DATA} 1>&2 $s"\' \ > /dev/null 2> ${COPY} r=$? if [ $r -ne 0 ]; then @@ -26,4 +25,3 @@ for p in ${SSH_PROTOCOLS}; do cmp ${DATA} ${COPY} || fail "stderr corrupt" rm -f ${COPY} done -done diff --git a/regress/test-exec.sh b/regress/test-exec.sh index dc033cd96..1480f13fc 100644 --- a/regress/test-exec.sh +++ b/regress/test-exec.sh 
@@ -1,4 +1,4 @@ -# $OpenBSD: test-exec.sh,v 1.59 2017/02/07 23:03:11 dtucker Exp $ +# $OpenBSD: test-exec.sh,v 1.60 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. #SUDO=sudo @@ -130,12 +130,6 @@ if [ "x$TEST_SSH_CONCH" != "x" ]; then esac fi -SSH_PROTOCOLS=2 -#SSH_PROTOCOLS=`$SSH -Q protocol-version` -if [ "x$TEST_SSH_PROTOCOLS" != "x" ]; then - SSH_PROTOCOLS="${TEST_SSH_PROTOCOLS}" -fi - # Path to sshd must be absolute for rexec case "$SSHD" in /*) ;; @@ -386,22 +380,11 @@ fatal () exit $RESULT } -ssh_version () -{ - echo ${SSH_PROTOCOLS} | grep "$1" >/dev/null -} - RESULT=0 PIDFILE=$OBJ/pidfile trap fatal 3 2 -if ssh_version 1; then - PROTO="2,1" -else - PROTO="2" -fi - # create server config cat << EOF > $OBJ/sshd_config StrictModes no @@ -460,11 +443,8 @@ fi rm -f $OBJ/known_hosts $OBJ/authorized_keys_$USER -if ssh_version 1; then - SSH_KEYTYPES="rsa rsa1" -else - SSH_KEYTYPES="rsa ed25519" -fi +SSH_KEYTYPES="rsa ed25519" + trace "generate keys" for t in ${SSH_KEYTYPES}; do # generate user key diff --git a/regress/transfer.sh b/regress/transfer.sh index 36c14634a..cf174a006 100644 --- a/regress/transfer.sh +++ b/regress/transfer.sh 
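Review bot: Removing `ssh_version`, `SSH_PROTOCOLS` and `PROTO` from test-exec.sh is only safe if nothing outside these hunks still references them; the `cat << EOF > $OBJ/sshd_config` heredoc that begins at the end of the second hunk continues outside the view, and if it still carries a `Protocol $PROTO` line that would now expand to an empty value. Likewise, any regress script not touched by this commit that still calls `ssh_version` will fail with `command not found` rather than a clear message. A grep for those three names across regress/ before merging would settle it; if the heredoc still mentions `Protocol`, drop that line in the same commit.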
@@ -1,26 +1,23 @@ -# $OpenBSD: transfer.sh,v 1.3 2015/03/03 22:35:19 markus Exp $ +# $OpenBSD: transfer.sh,v 1.4 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="transfer data" -for p in ${SSH_PROTOCOLS}; do - verbose "$tid: proto $p" +rm -f ${COPY} +${SSH} -n -q -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} +if [ $? -ne 0 ]; then + fail "ssh cat $DATA failed" +fi +cmp ${DATA} ${COPY} || fail "corrupted copy" + +for s in 10 100 1k 32k 64k 128k 256k; do + trace "dd-size ${s}" rm -f ${COPY} - ${SSH} -n -q -$p -F $OBJ/ssh_proxy somehost cat ${DATA} > ${COPY} + dd if=$DATA obs=${s} 2> /dev/null | \ + ${SSH} -q -F $OBJ/ssh_proxy somehost "cat > ${COPY}" if [ $? -ne 0 ]; then fail "ssh cat $DATA failed" fi - cmp ${DATA} ${COPY} || fail "corrupted copy" - - for s in 10 100 1k 32k 64k 128k 256k; do - trace "proto $p dd-size ${s}" - rm -f ${COPY} - dd if=$DATA obs=${s} 2> /dev/null | \ - ${SSH} -q -$p -F $OBJ/ssh_proxy somehost "cat > ${COPY}" - if [ $? -ne 0 ]; then - fail "ssh cat $DATA failed" - fi - cmp $DATA ${COPY} || fail "corrupted copy" - done + cmp $DATA ${COPY} || fail "corrupted copy" done rm -f ${COPY} diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh index 889a735d2..e04268ba3 100644 --- a/regress/try-ciphers.sh +++ b/regress/try-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: try-ciphers.sh,v 1.25 2015/03/24 20:22:17 markus Exp $ +# $OpenBSD: try-ciphers.sh,v 1.26 2017/04/30 23:34:55 djm Exp $ # Placed in the Public Domain. tid="try ciphers" 
@@ -8,14 +8,14 @@ cp $OBJ/sshd_proxy $OBJ/sshd_proxy_bak for c in `${SSH} -Q cipher`; do n=0 for m in `${SSH} -Q mac`; do - trace "proto 2 cipher $c mac $m" - verbose "test $tid: proto 2 cipher $c mac $m" + trace "cipher $c mac $m" + verbose "test $tid: cipher $c mac $m" cp $OBJ/sshd_proxy_bak $OBJ/sshd_proxy echo "Ciphers=$c" >> $OBJ/sshd_proxy echo "MACs=$m" >> $OBJ/sshd_proxy - ${SSH} -F $OBJ/ssh_proxy -2 -m $m -c $c somehost true + ${SSH} -F $OBJ/ssh_proxy -m $m -c $c somehost true if [ $? -ne 0 ]; then - fail "ssh -2 failed with mac $m cipher $c" + fail "ssh failed with mac $m cipher $c" fi # No point trying all MACs for AEAD ciphers since they # are ignored. @@ -26,17 +26,3 @@ for c in `${SSH} -Q cipher`; do done done -if ssh_version 1; then - ciphers="3des blowfish" -else - ciphers="" -fi -for c in $ciphers; do - trace "proto 1 cipher $c" - verbose "test $tid: proto 1 cipher $c" - ${SSH} -F $OBJ/ssh_proxy -1 -c $c somehost true - if [ $? -ne 0 ]; then - fail "ssh -1 failed with cipher $c" - fi -done - diff --git a/regress/yes-head.sh b/regress/yes-head.sh index 1fc754211..fce2f6580 100644 --- a/regress/yes-head.sh +++ b/regress/yes-head.sh @@ -3,13 +3,11 @@ tid="yes pipe head" -for p in ${SSH_PROTOCOLS}; do - lines=`${SSH} -$p -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` - if [ $? -ne 0 ]; then - fail "yes|head test failed" - lines = 0; - fi - if [ $lines -ne 2000 ]; then - fail "yes|head returns $lines lines instead of 2000" - fi -done +lines=`${SSH} -F $OBJ/ssh_proxy thishost 'sh -c "while true;do echo yes;done | _POSIX2_VERSION=199209 head -2000"' | (sleep 3 ; wc -l)` +if [ $? -ne 0 ]; then + fail "yes|head test failed" + lines = 0; +fi +if [ $lines -ne 2000 ]; then + fail "yes|head returns $lines lines instead of 2000" +fi -- cgit v1.2.3 From effaf526bfa57c0ac9056ca236becf52385ce8af Mon Sep 17 00:00:00 2001 
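Review bot: In the yes-head.sh hunk the new line `lines = 0;` is not an assignment in sh: it runs a command named `lines` with the arguments `=` and `0`, so on the failure path `lines` keeps whatever `wc -l` printed (possibly nothing) and the following `[ $lines -ne 2000 ]` may error instead of reporting 0. It should be `lines=0`. This was carried over from the removed loop body, but the line is rewritten here.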
From: "djm@openbsd.org" Date: Mon, 8 May 2017 01:52:49 +0000 Subject: upstream commit remove arcfour, blowfish and CAST here too Upstream-Regress-ID: c613b3bcbef75df1fe84ca4dc2d3ef253dc5e920 --- regress/dhgex.sh | 3 +-- regress/putty-ciphers.sh | 4 ++-- regress/ssh-com.sh | 4 ++-- 3 files changed, 5 insertions(+), 6 deletions(-) (limited to 'regress') diff --git a/regress/dhgex.sh b/regress/dhgex.sh index e7c573397..61fc178e8 100644 --- a/regress/dhgex.sh +++ b/regress/dhgex.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dhgex.sh,v 1.3 2015/10/23 02:22:01 dtucker Exp $ +# $OpenBSD: dhgex.sh,v 1.4 2017/05/08 01:52:49 djm Exp $ # Placed in the Public Domain. tid="dhgex" @@ -54,7 +54,6 @@ check() #check 2048 3des-cbc check 3072 `${SSH} -Q cipher | grep 128` -check 3072 arcfour blowfish-cbc check 7680 `${SSH} -Q cipher | grep 192` check 8192 `${SSH} -Q cipher | grep 256` check 8192 rijndael-cbc@lysator.liu.se chacha20-poly1305@openssh.com diff --git a/regress/putty-ciphers.sh b/regress/putty-ciphers.sh index 9adba674e..419daabba 100644 --- a/regress/putty-ciphers.sh +++ b/regress/putty-ciphers.sh @@ -1,4 +1,4 @@ -# $OpenBSD: putty-ciphers.sh,v 1.5 2016/11/25 03:02:01 dtucker Exp $ +# $OpenBSD: putty-ciphers.sh,v 1.6 2017/05/08 01:52:49 djm Exp $ # Placed in the Public Domain. tid="putty ciphers" @@ -8,7 +8,7 @@ if test "x$REGRESS_INTEROP_PUTTY" != "xyes" ; then exit 0 fi -for c in aes blowfish 3des arcfour aes128-ctr aes192-ctr aes256-ctr ; do +for c in aes 3des aes128-ctr aes192-ctr aes256-ctr ; do verbose "$tid: cipher $c" cp ${OBJ}/.putty/sessions/localhost_proxy \ ${OBJ}/.putty/sessions/cipher_$c diff --git a/regress/ssh-com.sh b/regress/ssh-com.sh index 4371d5279..b1a2505d1 100644 --- a/regress/ssh-com.sh +++ b/regress/ssh-com.sh @@ -1,4 +1,4 @@ -# $OpenBSD: ssh-com.sh,v 1.9 2015/05/08 07:29:00 djm Exp $ +# $OpenBSD: ssh-com.sh,v 1.10 2017/05/08 01:52:49 djm Exp $ # Placed in the Public Domain. tid="connect to ssh.com server" 
@@ -87,7 +87,7 @@ for v in ${VERSIONS}; do fail "ssh connect to sshd2 ${v} failed" fi - ciphers="3des-cbc blowfish-cbc arcfour" + ciphers="3des-cbc" macs="hmac-md5" case $v in 2.4.*) -- cgit v1.2.3 From d757a4b633e8874629a1442c7c2e7b1b55d28c19 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Mon, 8 May 2017 06:08:42 +0000 Subject: upstream commit fix for new SSH_ERR_KEY_LENGTH error value Upstream-Regress-ID: c38a6e6174d4c3feca3518df150d4fbae0dca8dc --- regress/unittests/sshkey/test_sshkey.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'regress') diff --git a/regress/unittests/sshkey/test_sshkey.c b/regress/unittests/sshkey/test_sshkey.c index 32f8cb63c..0a73322a3 100644 --- a/regress/unittests/sshkey/test_sshkey.c +++ b/regress/unittests/sshkey/test_sshkey.c @@ -1,4 +1,4 @@ -/* $OpenBSD: test_sshkey.c,v 1.11 2017/04/30 23:33:48 djm Exp $ */ +/* $OpenBSD: test_sshkey.c,v 1.12 2017/05/08 06:08:42 djm Exp $ */ /* * Regress test for sshkey.h key management API * @@ -253,19 +253,19 @@ sshkey_tests(void) TEST_START("generate KEY_RSA too small modulus"); ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 128, &k1), - SSH_ERR_INVALID_ARGUMENT); + SSH_ERR_KEY_LENGTH); ASSERT_PTR_EQ(k1, NULL); TEST_DONE(); TEST_START("generate KEY_RSA too large modulus"); ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1 << 20, &k1), - SSH_ERR_INVALID_ARGUMENT); + SSH_ERR_KEY_LENGTH); ASSERT_PTR_EQ(k1, NULL); TEST_DONE(); TEST_START("generate KEY_DSA wrong bits"); ASSERT_INT_EQ(sshkey_generate(KEY_DSA, 2048, &k1), - SSH_ERR_INVALID_ARGUMENT); + SSH_ERR_KEY_LENGTH); ASSERT_PTR_EQ(k1, NULL); sshkey_free(k1); TEST_DONE(); @@ -273,7 +273,7 @@ sshkey_tests(void) #ifdef OPENSSL_HAS_ECC TEST_START("generate KEY_ECDSA wrong bits"); ASSERT_INT_EQ(sshkey_generate(KEY_ECDSA, 42, &k1), - SSH_ERR_INVALID_ARGUMENT); + SSH_ERR_KEY_LENGTH); ASSERT_PTR_EQ(k1, NULL); sshkey_free(k1); TEST_DONE(); 
@@ -281,7 +281,7 @@ sshkey_tests(void) TEST_START("generate KEY_RSA"); ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 767, &kr), - SSH_ERR_INVALID_ARGUMENT); + SSH_ERR_KEY_LENGTH); ASSERT_INT_EQ(sshkey_generate(KEY_RSA, 1024, &kr), 0); ASSERT_PTR_NE(kr, NULL); ASSERT_PTR_NE(kr->rsa, NULL); -- cgit v1.2.3 From 6bdf70f01e700348bb4d8c064c31a0ab90896df6 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 9 May 2017 14:35:03 +1000 Subject: clean up regress files and add a .gitignore --- .gitignore | 26 ++++++++++++++++++++++++++ Makefile.in | 19 ++++++++++--------- regress/Makefile | 33 ++++++++++++++++++--------------- 3 files changed, 54 insertions(+), 24 deletions(-) create mode 100644 .gitignore (limited to 'regress') diff --git a/.gitignore b/.gitignore new file mode 100644 index 000000000..adb096449 --- /dev/null +++ b/.gitignore @@ -0,0 +1,26 @@ +Makefile +buildpkg.sh +config.h +config.h.in +config.status +configure +openbsd-compat/Makefile +openbsd-compat/regress/Makefile +openssh.xml +opensshd.init +survey.sh +**/*.o +**/*.out +**/*.a +autom4te.cache/ +scp +sftp +sftp-server +ssh +ssh-add +ssh-agent +ssh-keygen +ssh-keyscan +ssh-keysign +ssh-pkcs11-helper +sshd diff --git a/Makefile.in b/Makefile.in index d7f17df8c..29d539a73 100644 --- a/Makefile.in +++ b/Makefile.in 
@@ -228,26 +228,27 @@ umac128.o: umac.c clean: regressclean rm -f *.o *.a $(TARGETS) logintest config.cache config.log rm -f *.out core survey + rm -f regress/check-perm$(EXEEXT) rm -f regress/unittests/test_helper/*.a rm -f regress/unittests/test_helper/*.o rm -f regress/unittests/sshbuf/*.o - rm -f regress/unittests/sshbuf/test_sshbuf + rm -f regress/unittests/sshbuf/test_sshbuf$(EXEEXT) rm -f regress/unittests/sshkey/*.o - rm -f regress/unittests/sshkey/test_sshkey + rm -f regress/unittests/sshkey/test_sshkey$(EXEEXT) rm -f regress/unittests/bitmap/*.o - rm -f regress/unittests/bitmap/test_bitmap + rm -f regress/unittests/bitmap/test_bitmap$(EXEEXT) rm -f regress/unittests/conversion/*.o - rm -f regress/unittests/conversion/test_conversion + rm -f regress/unittests/conversion/test_conversion$(EXEEXT) rm -f regress/unittests/hostkeys/*.o - rm -f regress/unittests/hostkeys/test_hostkeys + rm -f regress/unittests/hostkeys/test_hostkeys$(EXEEXT) rm -f regress/unittests/kex/*.o - rm -f regress/unittests/kex/test_kex + rm -f regress/unittests/kex/test_kex$(EXEEXT) rm -f regress/unittests/match/*.o - rm -f regress/unittests/match/test_match + rm -f regress/unittests/match/test_match$(EXEEXT) rm -f regress/unittests/utf8/*.o - rm -f regress/unittests/utf8/test_utf8 + rm -f regress/unittests/utf8/test_utf8$(EXEEXT) rm -f regress/misc/kexfuzz/*.o - rm -f regress/misc/kexfuzz/kexfuzz + rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT) (cd openbsd-compat && $(MAKE) clean) distclean: regressclean diff --git a/regress/Makefile b/regress/Makefile index b23496b98..f968c4161 100644 --- a/regress/Makefile +++ b/regress/Makefile 
@@ -89,30 +89,33 @@ INTEROP_TESTS= putty-transfer putty-ciphers putty-kex conch-ciphers #LTESTS= cipher-speed -USERNAME!= id -un +USERNAME= ${LOGNAME} CLEANFILES= *.core actual agent-key.* authorized_keys_${USERNAME} \ authorized_keys_${USERNAME}.* \ authorized_principals_${USERNAME} \ banner.in banner.out cert_host_key* cert_user_key* \ copy.1 copy.2 data ed25519-agent ed25519-agent* \ - ed25519-agent.pub empty.in expect failed-regress.log \ - failed-ssh.log failed-sshd.log hkr.* host.rsa host.rsa1 \ - host_* host_ca_key* host_krl_* host_revoked_* key.* \ - key.dsa-* key.ecdsa-* key.ed25519-512 key.ed25519-512.pub \ - key.rsa-* keys-command-args kh.* known_hosts \ - known_hosts-cert known_hosts.* krl-* ls.copy modpipe \ - netcat pidfile putty.rsa2 ready regress.log remote_pid \ - revoked-* rsa rsa-agent rsa-agent.pub rsa.pub rsa1 \ - rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \ + ed25519-agent.pub ed25519 ed25519.pub empty.in \ + expect failed-regress.log failed-ssh.log failed-sshd.log \ + hkr.* host.ed25519 host.rsa host.rsa1 host_* \ + host_ca_key* host_krl_* host_revoked_* key.* \ + key.dsa-* key.ecdsa-* key.ed25519-512 \ + key.ed25519-512.pub key.rsa-* keys-command-args kh.* \ + known_hosts known_hosts-cert known_hosts.* krl-* ls.copy \ + modpipe netcat no_identity_config \ + pidfile putty.rsa2 ready regress.log \ + remote_pid revoked-* rsa rsa-agent rsa-agent.pub rsa.pub \ + rsa1 rsa1-agent rsa1-agent.pub rsa1.pub rsa_ssh2_cr.prv \ rsa_ssh2_crnl.prv scp-ssh-wrapper.exe \ scp-ssh-wrapper.scp setuid-allowed sftp-server.log \ sftp-server.sh sftp.log ssh-log-wrapper.sh ssh.log \ ssh_config ssh_config.* ssh_proxy ssh_proxy_bak \ - ssh_proxy_envpass sshd.log sshd_config sshd_config.orig \ - sshd_proxy sshd_proxy.* sshd_proxy_bak sshd_proxy_orig \ - t10.out t10.out.pub t12.out t12.out.pub t2.out t3.out \ - t6.out1 t6.out2 t7.out t7.out.pub t8.out t8.out.pub \ - t9.out t9.out.pub testdata user_*key* user_ca* user_key* + ssh_proxy_envpass sshd.log sshd_config 
sshd_config_minimal \ + sshd_config.orig sshd_proxy sshd_proxy.* sshd_proxy_bak \ + sshd_proxy_orig t10.out t10.out.pub t12.out t12.out.pub \ + t2.out t3.out t6.out1 t6.out2 t7.out t7.out.pub \ + t8.out t8.out.pub t9.out t9.out.pub testdata \ + user_*key* user_ca* user_key* SUDO_CLEAN+= /var/run/testdata_${USERNAME} /var/run/keycommand_${USERNAME} -- cgit v1.2.3 From 1de5e47a85850526a4fdaf77185134046c050f75 Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Wed, 7 Jun 2017 01:48:15 +0000 Subject: upstream commit unbreak after sshv1 purge Upstream-Regress-ID: 8ea01a92d5f571b9fba88c1463a4254a7552d51b --- regress/proto-version.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'regress') diff --git a/regress/proto-version.sh b/regress/proto-version.sh index 5faeb758c..1f33b1f00 100644 --- a/regress/proto-version.sh +++ b/regress/proto-version.sh @@ -1,4 +1,4 @@ -# $OpenBSD: proto-version.sh,v 1.6 2017/04/30 23:34:55 djm Exp $ +# $OpenBSD: proto-version.sh,v 1.7 2017/06/07 01:48:15 djm Exp $ # Placed in the Public Domain. tid="sshd version with different protocol combinations" @@ -6,7 +6,7 @@ tid="sshd version with different protocol combinations" # we just start sshd in inetd mode and check the banner check_version () { - expect=$2 + expect=$1 banner=`printf '' | ${SSHD} -i -f ${OBJ}/sshd_proxy` case ${banner} in SSH-1.99-*) -- cgit v1.2.3 From c9cdef35524bd59007e17d5bd2502dade69e2dfb Mon Sep 17 00:00:00 2001 From: "djm@openbsd.org" Date: Sat, 24 Jun 2017 06:35:24 +0000 Subject: upstream commit regress test for ExposeAuthInfo Upstream-Regress-ID: 190e5b6866376f4061c411ab157ca4d4e7ae86fd --- regress/Makefile | 5 +++-- regress/authinfo.sh | 17 +++++++++++++++++ 2 files changed, 20 insertions(+), 2 deletions(-) create mode 100644 regress/authinfo.sh (limited to 'regress') diff --git a/regress/Makefile b/regress/Makefile index f968c4161..7d50f9cfa 100644 --- a/regress/Makefile +++ b/regress/Makefile 
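Review bot: `USERNAME= ${LOGNAME}` in regress/Makefile takes the name from the environment, which can be unset (cron, some CI runners, `env -i`) or stale after `su`/`sudo` because it records the login user rather than the effective one, whereas the replaced `id -un` reported the user actually running the tests. When it is empty or wrong, the `authorized_keys_${USERNAME}`, `authorized_principals_${USERNAME}` and `SUDO_CLEAN` paths (`/var/run/testdata_${USERNAME}`, `/var/run/keycommand_${USERNAME}`) no longer name the files the tests created, so `clean` leaves them behind. If the `!=` shell assignment is being avoided for portability, at least document the requirement next to the line, e.g. `# LOGNAME must be set to the user running the tests; the cleanup paths below derive from it.`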
@@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.94 2016/12/16 03:51:19 dtucker Exp $ +# $OpenBSD: Makefile,v 1.95 2017/06/24 06:35:24 djm Exp $ REGRESS_TARGETS= unit t1 t2 t3 t4 t5 t6 t7 t8 t9 t10 t11 t12 t-exec tests: prep $(REGRESS_TARGETS) @@ -79,7 +79,8 @@ LTESTS= connect \ principals-command \ cert-file \ cfginclude \ - allow-deny-users + allow-deny-users \ + authinfo # dhgex \ diff --git a/regress/authinfo.sh b/regress/authinfo.sh new file mode 100644 index 000000000..e725296c9 --- /dev/null +++ b/regress/authinfo.sh @@ -0,0 +1,17 @@ +# $OpenBSD: authinfo.sh,v 1.1 2017/06/24 06:35:24 djm Exp $ +# Placed in the Public Domain. + +tid="authinfo" + +# Ensure the environment variable doesn't leak when ExposeAuthInfo=no. +verbose "ExposeAuthInfo=no" +env SSH_USER_AUTH=blah ${SSH} -F $OBJ/ssh_proxy x \ + 'test -z "$SSH_USER_AUTH"' || fail "SSH_USER_AUTH present" + +verbose "ExposeAuthInfo=yes" +echo ExposeAuthInfo=yes >> $OBJ/sshd_proxy +${SSH} -F $OBJ/ssh_proxy x \ + 'grep ^publickey "$SSH_USER_AUTH" /dev/null >/dev/null' || + fail "ssh with ExposeAuthInfo failed" + +# XXX test multiple auth and key contents -- cgit v1.2.3 From ec9d22cc251cc5acfe7b2bcef9cc7a1fe0e949d8 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 8 Sep 2017 12:44:13 +1000 Subject: Fuzzer harnesses for sig verify and pubkey parsing These are some basic clang libfuzzer harnesses for signature verification and public key parsing. Some assembly (metaphorical) required. --- .gitignore | 1 + regress/misc/fuzz-harness/Makefile | 22 ++++++++++++++ regress/misc/fuzz-harness/README | 1 + regress/misc/fuzz-harness/pubkey_fuzz.cc | 18 ++++++++++++ regress/misc/fuzz-harness/sig_fuzz.cc | 50 ++++++++++++++++++++++++++++++++ 5 files changed, 92 insertions(+) create mode 100644 regress/misc/fuzz-harness/Makefile create mode 100644 regress/misc/fuzz-harness/README create mode 100644 regress/misc/fuzz-harness/pubkey_fuzz.cc create mode 100644 regress/misc/fuzz-harness/sig_fuzz.cc (limited to 'regress') 
diff --git a/.gitignore b/.gitignore
index e25a83025..650eb3c3c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -25,3 +25,4 @@ ssh-keyscan
 ssh-keysign
 ssh-pkcs11-helper
 sshd
+!regress/misc/fuzz-harness/Makefile
diff --git a/regress/misc/fuzz-harness/Makefile b/regress/misc/fuzz-harness/Makefile
new file mode 100644
index 000000000..8fbfc20c6
--- /dev/null
+++ b/regress/misc/fuzz-harness/Makefile
@@ -0,0 +1,22 @@
+# NB. libssh and libopenbsd-compat should be built with the same sanitizer opts.
+CXX=clang++-3.9
+FUZZ_FLAGS=-fsanitize=address,undefined -fsanitize-coverage=edge
+FUZZ_LIBS=-lFuzzer
+
+CXXFLAGS=-O2 -g -Wall -Wextra -I ../../.. $(FUZZ_FLAGS)
+LDFLAGS=-L ../../.. -L ../../../openbsd-compat -g $(FUZZ_FLAGS)
+LIBS=-lssh -lopenbsd-compat -lcrypto $(FUZZ_LIBS)
+
+all: pubkey_fuzz sig_fuzz
+
+.cc.o:
+ $(CXX) $(CXXFLAGS) -c $< -o $@
+
+pubkey_fuzz: pubkey_fuzz.o
+ $(CXX) -o $@ pubkey_fuzz.o $(LDFLAGS) $(LIBS)
+
+sig_fuzz: sig_fuzz.o
+ $(CXX) -o $@ sig_fuzz.o $(LDFLAGS) $(LIBS)
+
+clean:
+ -rm -f *.o pubkey_fuzz sig_fuzz
diff --git a/regress/misc/fuzz-harness/README b/regress/misc/fuzz-harness/README
new file mode 100644
index 000000000..ae6fbe75d
--- /dev/null
+++ b/regress/misc/fuzz-harness/README
@@ -0,0 +1 @@
+This directory contains fuzzing harnesses for use with clang's libfuzzer.
diff --git a/regress/misc/fuzz-harness/pubkey_fuzz.cc b/regress/misc/fuzz-harness/pubkey_fuzz.cc
new file mode 100644
index 000000000..8bbc11093
--- /dev/null
+++ b/regress/misc/fuzz-harness/pubkey_fuzz.cc
@@ -0,0 +1,18 @@
+#include
+#include
+#include
+
+extern "C" {
+
+#include "sshkey.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size)
+{
+ struct sshkey *k = NULL;
+ int r = sshkey_from_blob(data, size, &k);
+ if (r == 0) sshkey_free(k);
+ return 0;
+}
+
+} // extern
+
diff --git a/regress/misc/fuzz-harness/sig_fuzz.cc b/regress/misc/fuzz-harness/sig_fuzz.cc
new file mode 100644
index 000000000..0e535b49a
--- /dev/null
+++ b/regress/misc/fuzz-harness/sig_fuzz.cc
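Review bot: `CXX=clang++-3.9`, `-fsanitize-coverage=edge` and `-lFuzzer` in the fuzz-harness Makefile pin the harness to one specific clang release, and with a plain `=` the compiler cannot be overridden from the environment, only on the make command line. `CXX?=clang++-3.9` (and likewise `FUZZ_FLAGS?=` / `FUZZ_LIBS?=`) would keep the default while letting a builder with a different toolchain substitute its own, which the commit message's "some assembly required" seems to anticipate. In pubkey_fuzz.cc the three `#include` targets are missing in this rendering, presumably lost in extraction, so they could not be checked.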
@@ -0,0 +1,50 @@
+// cc_fuzz_target test for public key parsing.
+
+#include
+#include
+#include
+#include
+#include
+
+extern "C" {
+
+#include "includes.h"
+#include "sshkey.h"
+#include "ssherr.h"
+
+static struct sshkey *generate_or_die(int type, unsigned bits) {
+ int r;
+ struct sshkey *ret;
+ if ((r = sshkey_generate(type, bits, &ret)) != 0) {
+ fprintf(stderr, "generate(%d, %u): %s", type, bits, ssh_err(r));
+ abort();
+ }
+ return ret;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t* sig, size_t slen)
+{
+#ifdef WITH_OPENSSL
+ static struct sshkey *rsa = generate_or_die(KEY_RSA, 2048);
+ static struct sshkey *dsa = generate_or_die(KEY_DSA, 1024);
+ static struct sshkey *ecdsa256 = generate_or_die(KEY_ECDSA, 256);
+ static struct sshkey *ecdsa384 = generate_or_die(KEY_ECDSA, 384);
+ static struct sshkey *ecdsa521 = generate_or_die(KEY_ECDSA, 521);
+#endif
+ static struct sshkey *ed25519 = generate_or_die(KEY_ED25519, 0);
+ static const char *data = "If everyone started announcing his nose had "
+ "run away, I don’t know how it would all end";
+ static const size_t dlen = strlen(data);
+
+#ifdef WITH_OPENSSL
+ sshkey_verify(rsa, sig, slen, (const u_char *)data, dlen, 0);
+ sshkey_verify(dsa, sig, slen, (const u_char *)data, dlen, 0);
+ sshkey_verify(ecdsa256, sig, slen, (const u_char *)data, dlen, 0);
+ sshkey_verify(ecdsa384, sig, slen, (const u_char *)data, dlen, 0);
+ sshkey_verify(ecdsa521, sig, slen, (const u_char *)data, dlen, 0);
+#endif
+ sshkey_verify(ed25519, sig, slen, (const u_char *)data, dlen, 0);
+ return 0;
+}
+
+} // extern
-- cgit v1.2.3 From 239c57d5bc2253e27e3e6ad7ac52ec8c377ee24e Mon Sep 17 00:00:00 2001
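Review bot: The header comment `// cc_fuzz_target test for public key parsing.` is copied from the pubkey harness; this file feeds the fuzzer input to `sshkey_verify` against fixed keys, so it should read `// cc_fuzz_target test for signature verification.`. In `generate_or_die` the format string `"generate(%d, %u): %s"` has no trailing newline, so the message runs into whatever the fuzzer prints next before `abort()`; use `"generate(%d, %u): %s\n"`. The return value of each `sshkey_verify` call is discarded, which is right for a crash-finding harness but worth one line so nobody "fixes" it later: `/* return values intentionally ignored: the harness only checks that verify never crashes or trips a sanitizer */`.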
From: "dtucker@openbsd.org" Date: Fri, 28 Jul 2017 10:32:08 +0000 Subject: upstream commit Don't call fatal from stop_sshd since it calls cleanup which calls stop_sshd which will probably fail in the same way. Instead, just bail. Differentiate between sshd dying without cleanup and not shutting down. Upstream-Regress-ID: f97315f538618b349e2b0bea02d6b0c9196c6bc4 --- regress/test-exec.sh | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'regress')
diff --git a/regress/test-exec.sh b/regress/test-exec.sh
index 1480f13fc..68f010b70 100644
--- a/regress/test-exec.sh
+++ b/regress/test-exec.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: test-exec.sh,v 1.60 2017/04/30 23:34:55 djm Exp $
+# $OpenBSD: test-exec.sh,v 1.61 2017/07/28 10:32:08 dtucker Exp $
 # Placed in the Public Domain.
 
 #SUDO=sudo
@@ -304,8 +304,15 @@ stop_sshd ()
 i=`expr $i + 1`
 sleep $i
 done
- test -f $PIDFILE && \
- fatal "sshd didn't exit port $PORT pid $pid"
+ if test -f $PIDFILE; then
+ if $SUDO kill -0 $pid; then
+ echo "sshd didn't exit " \
+ "port $PORT pid $pid"
+ else
+ echo "sshd died without cleanup"
+ fi
+ exit 1
+ fi
 fi
 fi
 fi
-- cgit v1.2.3 From ec218c105daa9f5b192f7aa890fdb2d4fdc4e9d8 Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Mon, 7 Aug 2017 00:53:51 +0000 Subject: upstream commit Remove non-privsep test since disabling privsep is now deprecated. Upstream-Regress-ID: 77ad3f3d8d52e87f514a80f285c6c1229b108ce8 --- regress/login-timeout.sh | 20 +++----------------- 1 file changed, 3 insertions(+), 17 deletions(-) (limited to 'regress')
diff --git a/regress/login-timeout.sh b/regress/login-timeout.sh
index 12207fd99..4c2d07dc2 100644
--- a/regress/login-timeout.sh
+++ b/regress/login-timeout.sh
@@ -1,4 +1,4 @@
-# $OpenBSD: login-timeout.sh,v 1.8 2016/12/16 01:06:27 dtucker Exp $
+# $OpenBSD: login-timeout.sh,v 1.9 2017/08/07 00:53:51 dtucker Exp $
 # Placed in the Public Domain.
 
 tid="connect after login grace timeout"
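Review bot: `if $SUDO kill -0 $pid; then` lets kill's own "No such process" diagnostic reach stderr just before the script's "sshd died without cleanup" line, and an empty `$pid` (pidfile present but unreadable) produces a usage error that is reported the same way as a dead process; `if $SUDO kill -0 "$pid" 2>/dev/null; then` keeps the log to the script's message and quotes the pid. `echo "sshd didn't exit " \ "port $PORT pid $pid"` passes two arguments, which echo joins with a space, so the output reads "exit  port" with a double space; a single string `echo "sshd didn't exit port $PORT pid $pid"` avoids it. Both messages go to stdout; if the harness's other diagnostics use stderr, `>&2` would keep them together, though that convention is not visible in this hunk. stop_sshd begins above the hunk and the assignment of `$pid` is outside this view.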
@@ -10,23 +10,9 @@ echo "LoginGraceTime 10s" >> $OBJ/sshd_config echo "MaxStartups 1" >> $OBJ/sshd_config start_sshd -(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & +(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & sleep 15 ${SSH} -F $OBJ/ssh_config somehost true if [ $? -ne 0 ]; then - fail "ssh connect after login grace timeout failed with privsep" -fi - -stop_sshd - -trace "test login grace without privsep" -echo "UsePrivilegeSeparation no" >> $OBJ/sshd_config -start_sshd -sleep 1 - -(echo SSH-2.0-fake; sleep 60) | telnet 127.0.0.1 ${PORT} >/dev/null 2>&1 & -sleep 15 -${SSH} -F $OBJ/ssh_config somehost true -if [ $? -ne 0 ]; then - fail "ssh connect after login grace timeout failed without privsep" + fail "ssh connect after login grace timeout failed" fi -- cgit v1.2.3 From cdede10899892f25f1ccdccd7a3fe5e5ef0aa49a Mon Sep 17 00:00:00 2001 From: "dtucker@openbsd.org" Date: Mon, 7 Aug 2017 03:52:55 +0000 Subject: upstream commit Remove obsolete privsep=no fallback test. Upstream-Regress-ID: 7d6e1baa1678ac6be50c2a1555662eb1047638df --- regress/reexec.sh | 15 +-------------- 1 file changed, 1 insertion(+), 14 deletions(-) (limited to 'regress') diff --git a/regress/reexec.sh b/regress/reexec.sh index ce23a1af3..2192456cd 100644 --- a/regress/reexec.sh +++ b/regress/reexec.sh @@ -1,4 +1,4 @@ -# $OpenBSD: reexec.sh,v 1.11 2017/04/30 23:34:55 djm Exp $ +# $OpenBSD: reexec.sh,v 1.12 2017/08/07 03:52:55 dtucker Exp $ # Placed in the Public Domain. tid="reexec tests" @@ -51,17 +51,4 @@ rm -f $SSHD_COPY copy_tests stop_sshd - -verbose "test reexec fallback without privsep" - -cp $OBJ/sshd_config.orig $OBJ/sshd_config -echo "UsePrivilegeSeparation=no" >> $OBJ/sshd_config - -start_sshd_copy -rm -f $SSHD_COPY - -copy_tests - -stop_sshd - fi -- cgit v1.2.3 From 09eacf856e0fe1a6e3fe597ec8032b7046292914 Mon Sep 17 00:00:00 2001 
From: "bluhm@openbsd.org" Date: Wed, 13 Sep 2017 14:58:26 +0000 Subject: upstream commit Print SKIPPED if sudo and doas configuration is missing. Prevents that running the regression test with wrong environment is reported as failure. Keep the fatal there to avoid interfering with other setups for portable ssh. OK dtucker@ Upstream-Regress-ID: f0dc60023caef496ded341ac5aade2a606fa234e --- regress/agent-getpeereid.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'regress') diff --git a/regress/agent-getpeereid.sh b/regress/agent-getpeereid.sh index 34bced154..037a50914 100644 --- a/regress/agent-getpeereid.sh +++ b/regress/agent-getpeereid.sh @@ -1,4 +1,4 @@ -# $OpenBSD: agent-getpeereid.sh,v 1.8 2017/01/06 02:51:16 djm Exp $ +# $OpenBSD: agent-getpeereid.sh,v 1.9 2017/09/13 14:58:26 bluhm Exp $ # Placed in the Public Domain. tid="disallow agent attach from other uid" -- cgit v1.2.3 From 1b9f321605733754df60fac8c1d3283c89b74455 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Tue, 26 Sep 2017 16:55:55 +1000 Subject: sync missing changes in dynamic-forward.sh --- regress/dynamic-forward.sh | 71 +++++++++++++++++++++++----------------------- 1 file changed, 35 insertions(+), 36 deletions(-) (limited to 'regress') diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 2e2115f84..2c176b69f 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh 
@@ -17,43 +17,42 @@ trace "will use ProxyCommand $proxycmd" start_sshd -for p in ${SSH_PROTOCOLS}; do - n=0 - error="1" - trace "start dynamic forwarding, fork to background" - while [ "$error" -ne 0 -a "$n" -lt 3 ]; do - n=`expr $n + 1` - ${SSH} -$p -F $OBJ/ssh_config -f -D $FWDPORT -q \ - -oExitOnForwardFailure=yes somehost exec sh -c \ - \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' - error=$? - if [ "$error" -ne 0 ]; then - trace "forward failed proto $p attempt $n err $error" - sleep $n - fi - done +n=0 +error="1" +trace "start dynamic forwarding, fork to background" +while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` + ${SSH} -F $OBJ/ssh_config -f -D $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? if [ "$error" -ne 0 ]; then - fatal "failed to start dynamic forwarding proto $p" + trace "forward failed attempt $n err $error" + sleep $n fi +done +if [ "$error" -ne 0 ]; then + fatal "failed to start dynamic forwarding" +fi - for s in 4 5; do - for h in 127.0.0.1 localhost; do - trace "testing ssh protocol $p socks version $s host $h" - ${SSH} -F $OBJ/ssh_config \ - -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ - somehost cat $DATA > $OBJ/ls.copy - test -f $OBJ/ls.copy || fail "failed copy $DATA" - cmp $DATA $OBJ/ls.copy || fail "corrupted copy of $DATA" - done - done - - if [ -f $OBJ/remote_pid ]; then - remote=`cat $OBJ/remote_pid` - trace "terminate remote shell, pid $remote" - if [ $remote -gt 1 ]; then - kill -HUP $remote - fi - else - fail "no pid file: $OBJ/remote_pid" - fi +for s in 4 5; do + for h in 127.0.0.1 localhost; do + trace "testing ssh socks version $s host $h" + ${SSH} -F $OBJ/ssh_config \ + -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + done done + +if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + 
trace "terminate remote shell, pid $remote" + if [ $remote -gt 1 ]; then + kill -HUP $remote + fi +else + fail "no pid file: $OBJ/remote_pid" +fi + -- cgit v1.2.3 From 6a9481258a77b0b54b2a313d1761c87360c5f1f5 Mon Sep 17 00:00:00 2001 From: "markus@openbsd.org" Date: Thu, 21 Sep 2017 19:18:12 +0000 Subject: upstream commit test reverse dynamic forwarding with SOCKS Upstream-Regress-ID: 95cf290470f7e5e2f691e4bc6ba19b91eced2f79 --- regress/dynamic-forward.sh | 73 ++++++++++++++++++++++++---------------------- 1 file changed, 38 insertions(+), 35 deletions(-) (limited to 'regress') diff --git a/regress/dynamic-forward.sh b/regress/dynamic-forward.sh index 2c176b69f..84f8ee192 100644 --- a/regress/dynamic-forward.sh +++ b/regress/dynamic-forward.sh @@ -1,4 +1,4 @@ -# $OpenBSD: dynamic-forward.sh,v 1.12 2017/04/30 23:34:55 djm Exp $ +# $OpenBSD: dynamic-forward.sh,v 1.13 2017/09/21 19:18:12 markus Exp $ # Placed in the Public Domain. tid="dynamic forwarding" 
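Review bot: `if [ $remote -gt 1 ]; then` tests the pidfile contents unquoted, so an empty or truncated `$OBJ/remote_pid` becomes `[ -gt 1 ]`, a test(1) usage error that evaluates false and quietly skips the HUP, leaving the remote `exec sleep 444` running; `if [ -n "$remote" ] && [ "$remote" -gt 1 ]; then` makes that case explicit. The `-gt 1` guard is also what stops a bad pidfile from signalling pid 1 or, via a negative value, a whole process group, which deserves a comment such as `# refuse to HUP pid 0/1 or a negative (process-group) value from a corrupt pidfile`. The same construct is carried unchanged into the reverse-forwarding loop in the next commit's hunk of this file. `while [ "$error" -ne 0 -a "$n" -lt 3 ]` relies on the obsolescent `-a`; `while [ "$error" -ne 0 ] && [ "$n" -lt 3 ]` is the portable spelling.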
@@ -17,42 +17,45 @@ trace "will use ProxyCommand $proxycmd" start_sshd -n=0 -error="1" -trace "start dynamic forwarding, fork to background" -while [ "$error" -ne 0 -a "$n" -lt 3 ]; do - n=`expr $n + 1` - ${SSH} -F $OBJ/ssh_config -f -D $FWDPORT -q \ - -oExitOnForwardFailure=yes somehost exec sh -c \ - \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' - error=$? +for d in D R; do + n=0 + error="1" + trace "start dynamic forwarding, fork to background" + + while [ "$error" -ne 0 -a "$n" -lt 3 ]; do + n=`expr $n + 1` + ${SSH} -F $OBJ/ssh_config -f -$d $FWDPORT -q \ + -oExitOnForwardFailure=yes somehost exec sh -c \ + \'"echo \$\$ > $OBJ/remote_pid; exec sleep 444"\' + error=$? + if [ "$error" -ne 0 ]; then + trace "forward failed attempt $n err $error" + sleep $n + fi + done if [ "$error" -ne 0 ]; then - trace "forward failed attempt $n err $error" - sleep $n + fatal "failed to start dynamic forwarding" fi -done -if [ "$error" -ne 0 ]; then - fatal "failed to start dynamic forwarding" -fi - -for s in 4 5; do - for h in 127.0.0.1 localhost; do - trace "testing ssh socks version $s host $h" - ${SSH} -F $OBJ/ssh_config \ - -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ - somehost cat ${DATA} > ${COPY} - test -f ${COPY} || fail "failed copy ${DATA}" - cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" - done -done -if [ -f $OBJ/remote_pid ]; then - remote=`cat $OBJ/remote_pid` - trace "terminate remote shell, pid $remote" - if [ $remote -gt 1 ]; then - kill -HUP $remote + for s in 4 5; do + for h in 127.0.0.1 localhost; do + trace "testing ssh socks version $s host $h (-$d)" + ${SSH} -F $OBJ/ssh_config \ + -o "ProxyCommand ${proxycmd}${s} $h $PORT" \ + somehost cat ${DATA} > ${COPY} + test -f ${COPY} || fail "failed copy ${DATA}" + cmp ${DATA} ${COPY} || fail "corrupted copy of ${DATA}" + done + done + + if [ -f $OBJ/remote_pid ]; then + remote=`cat $OBJ/remote_pid` + trace "terminate remote shell, pid $remote" + if [ $remote -gt 1 ]; then + kill -HUP $remote + fi + 
else + fail "no pid file: $OBJ/remote_pid" fi -else - fail "no pid file: $OBJ/remote_pid" -fi +done -- cgit v1.2.3
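Review bot: `$OBJ/remote_pid` is never removed, neither before each `for d in D R` iteration nor after the HUP, so if the second (`-R`) forward's remote command fails to write it, the `-f $OBJ/remote_pid` test finds the stale file from the `-D` pass and HUPs an already-signalled pid instead of reaching `fail "no pid file"`; add `rm -f $OBJ/remote_pid` right after `trace "start dynamic forwarding, fork to background"`. The retry trace and the fatal message do not say which direction failed; `trace "forward failed attempt $n err $error (-$d)"` and `fatal "failed to start dynamic forwarding (-$d)"` would, as the socks trace already does. The unquoted `[ $remote -gt 1 ]` inherited from the previous revision still turns an empty pidfile into a test(1) usage error rather than a reported failure.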