Vendor import of OpenSSH 7.2p1.

Makefile.in

@@ -91,11 +91,11 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o \
 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
 	kexdhc.o kexgexc.o kexecdhc.o kexc25519c.o \
-	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o
+	kexdhs.o kexgexs.o kexecdhs.o kexc25519s.o \
+	platform-pledge.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
-	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-	roaming_common.o roaming_client.o
+	sshconnect.o sshconnect1.o sshconnect2.o mux.o
 
 SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	audit.o audit-bsm.o audit-linux.o platform.o \
@@ -108,9 +108,9 @@ SSHDOBJS=sshd.o auth-rhosts.o auth-passwd.o auth-rsa.o auth-rh-rsa.o \
 	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
 	sftp-server.o sftp-common.o \
-	roaming_common.o roaming_serv.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
-	sandbox-seccomp-filter.o sandbox-capsicum.o
+	sandbox-seccomp-filter.o sandbox-capsicum.o sandbox-pledge.o \
+	sandbox-solaris.o
 
 MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-keysign.8.out ssh-pkcs11-helper.8.out sshd_config.5.out ssh_config.5.out
 MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-keysign.8 ssh-pkcs11-helper.8 sshd_config.5 ssh_config.5
@@ -178,14 +178,14 @@ ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
 	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
-ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
-	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
+ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o readconf.o
+	$(LD) -o $@ ssh-keysign.o readconf.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
-ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
-	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
+ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o
+	$(LD) -o $@ ssh-keyscan.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
@@ -327,10 +327,6 @@ install-files:
 	$(INSTALL) -m 644 sftp-server.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	$(INSTALL) -m 644 ssh-keysign.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	$(INSTALL) -m 644 ssh-pkcs11-helper.8.out $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-	-rm -f $(DESTDIR)$(bindir)/slogin
-	ln -s ./ssh$(EXEEXT) $(DESTDIR)$(bindir)/slogin
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
-	ln -s ./ssh.1 $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 install-sysconf:
 	if [ ! -d $(DESTDIR)$(sysconfdir) ]; then \
@@ -359,41 +355,19 @@ install-sysconf:
 
 host-key: ssh-keygen$(EXEEXT)
 	@if [ -z "$(DESTDIR)" ] ; then \
-		if [ -f "$(sysconfdir)/ssh_host_key" ] ; then \
-			echo "$(sysconfdir)/ssh_host_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa1 -f $(sysconfdir)/ssh_host_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_dsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_dsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t dsa -f $(sysconfdir)/ssh_host_dsa_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_rsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_rsa_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t rsa -f $(sysconfdir)/ssh_host_rsa_key -N "" ; \
-		fi ; \
-		if [ -f $(sysconfdir)/ssh_host_ed25519_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_ed25519_key already exists, skipping." ; \
-		else \
-			./ssh-keygen -t ed25519 -f $(sysconfdir)/ssh_host_ed25519_key -N "" ; \
-		fi ; \
-		if [ -z "@COMMENT_OUT_ECC@" ] ; then \
-		    if [ -f $(sysconfdir)/ssh_host_ecdsa_key ] ; then \
-			echo "$(sysconfdir)/ssh_host_ecdsa_key already exists, skipping." ; \
-		    else \
-			./ssh-keygen -t ecdsa -f $(sysconfdir)/ssh_host_ecdsa_key -N "" ; \
-		    fi ; \
-		fi ; \
-	fi ;
+		./ssh-keygen -A; \
+	fi
 
-host-key-force: ssh-keygen$(EXEEXT)
-	./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""
+host-key-force: ssh-keygen$(EXEEXT) ssh$(EXEEXT)
+	if ./ssh -Q protocol-version | grep '^1$$' >/dev/null; then \
+		./ssh-keygen -t rsa1 -f $(DESTDIR)$(sysconfdir)/ssh_host_key -N ""; \
+	fi
 	./ssh-keygen -t dsa -f $(DESTDIR)$(sysconfdir)/ssh_host_dsa_key -N ""
 	./ssh-keygen -t rsa -f $(DESTDIR)$(sysconfdir)/ssh_host_rsa_key -N ""
 	./ssh-keygen -t ed25519 -f $(DESTDIR)$(sysconfdir)/ssh_host_ed25519_key -N ""
-	test -z "@COMMENT_OUT_ECC@" && ./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""
+	if ./ssh -Q key | grep ecdsa >/dev/null ; then \
+		./ssh-keygen -t ecdsa -f $(DESTDIR)$(sysconfdir)/ssh_host_ecdsa_key -N ""; \
+	fi
 
 uninstallall:	uninstall
 	-rm -f $(DESTDIR)$(sysconfdir)/ssh_config
@@ -407,7 +381,6 @@ uninstallall:	uninstall
 	-rmdir $(DESTDIR)$(libexecdir)
 
 uninstall:
-	-rm -f $(DESTDIR)$(bindir)/slogin
 	-rm -f $(DESTDIR)$(bindir)/ssh$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/scp$(EXEEXT)
 	-rm -f $(DESTDIR)$(bindir)/ssh-add$(EXEEXT)
@@ -430,7 +403,6 @@ uninstall:
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/sftp-server.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-keysign.8
 	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)8/ssh-pkcs11-helper.8
-	-rm -f $(DESTDIR)$(mandir)/$(mansubdir)1/slogin.1
 
 regress-prep:
 	[ -d `pwd`/regress ] || mkdir -p `pwd`/regress
@@ -462,6 +434,10 @@ regress/netcat$(EXEEXT): $(srcdir)/regress/netcat.c
 	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
 	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 
+regress/check-perm$(EXEEXT): $(srcdir)/regress/check-perm.c
+	$(CC) $(CFLAGS) $(CPPFLAGS) -o $@ $? \
+	$(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
+
 UNITTESTS_TEST_HELPER_OBJS=\
 	regress/unittests/test_helper/test_helper.o \
 	regress/unittests/test_helper/fuzz.o
@@ -510,8 +486,7 @@ regress/unittests/bitmap/test_bitmap$(EXEEXT): ${UNITTESTS_TEST_BITMAP_OBJS} \
 
 UNITTESTS_TEST_KEX_OBJS=\
 	regress/unittests/kex/tests.o \
-	regress/unittests/kex/test_kex.o \
-	roaming_dummy.o
+	regress/unittests/kex/test_kex.o
 
 regress/unittests/kex/test_kex$(EXEEXT): ${UNITTESTS_TEST_KEX_OBJS} \
     regress/unittests/test_helper/libtest_helper.a libssh.a
@@ -534,6 +509,7 @@ REGRESS_BINARIES=\
 	regress/modpipe$(EXEEXT) \
 	regress/setuid-allowed$(EXEEXT) \
 	regress/netcat$(EXEEXT) \
+	regress/check-perm$(EXEEXT) \
 	regress/unittests/sshbuf/test_sshbuf$(EXEEXT) \
 	regress/unittests/sshkey/test_sshkey$(EXEEXT) \
 	regress/unittests/bitmap/test_bitmap$(EXEEXT) \

README

-See http://www.openssh.com/txt/release-7.1p2 for the release notes.
+See http://www.openssh.com/txt/release-7.2p1 for the release notes.
 
 Please read http://www.openssh.com/report.html for bug reporting
 instructions and note that we do not use Github for bug reporting or

README.platform

@@ -36,6 +36,9 @@ loginrestrictions() function, in particular that the user has the
 "rlogin" attribute set.  This check is not done for the root account,
 instead the PermitRootLogin setting in sshd_config is used.
 
+If you are using the IBM compiler you probably want to use CC=xlc rather
+than the default of cc.
+
 
 Cygwin
 ------

auth-bsdauth.c

-/* $OpenBSD: auth-bsdauth.c,v 1.13 2014/06/24 01:13:21 djm Exp $ */
+/* $OpenBSD: auth-bsdauth.c,v 1.14 2015/10/20 23:24:25 mmcc Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -103,7 +103,7 @@ bsdauth_respond(void *ctx, u_int numresponses, char **responses)
 	if (!authctxt->valid)
 		return -1;
 
-	if (authctxt->as == 0)
+	if (authctxt->as == NULL)
 		error("bsdauth_respond: no bsd auth session");
 
 	if (numresponses != 1)

auth-krb5.c

-/* $OpenBSD: auth-krb5.c,v 1.20 2013/07/20 01:55:13 djm Exp $ */
+/* $OpenBSD: auth-krb5.c,v 1.21 2016/01/27 06:44:58 djm Exp $ */
 /*
  *    Kerberos v5 authentication and ticket-passing routines.
  *
- * $FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar Exp $
+ * From: FreeBSD: src/crypto/openssh/auth-krb5.c,v 1.6 2001/02/13 16:58:04 assar
  */
 /*
  * Copyright (c) 2002 Daniel Kouril.  All rights reserved.

auth-options.c

-/* $OpenBSD: auth-options.c,v 1.68 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: auth-options.c,v 1.70 2015/12/10 17:08:40 mmcc Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -75,18 +75,44 @@ auth_clear_options(void)
 		free(ce->s);
 		free(ce);
 	}
-	if (forced_command) {
-		free(forced_command);
-		forced_command = NULL;
-	}
-	if (authorized_principals) {
-		free(authorized_principals);
-		authorized_principals = NULL;
-	}
+	free(forced_command);
+	forced_command = NULL;
+	free(authorized_principals);
+	authorized_principals = NULL;
 	forced_tun_device = -1;
 	channel_clear_permitted_opens();
 }
 
+/*
+ * Match flag 'opt' in *optsp, and if allow_negate is set then also match
+ * 'no-opt'. Returns -1 if option not matched, 1 if option matches or 0
+ * if negated option matches. 
+ * If the option or negated option matches, then *optsp is updated to
+ * point to the first character after the option and, if 'msg' is not NULL
+ * then a message based on it added via auth_debug_add().
+ */
+static int
+match_flag(const char *opt, int allow_negate, char **optsp, const char *msg)
+{
+	size_t opt_len = strlen(opt);
+	char *opts = *optsp;
+	int negate = 0;
+
+	if (allow_negate && strncasecmp(opts, "no-", 3) == 0) {
+		opts += 3;
+		negate = 1;
+	}
+	if (strncasecmp(opts, opt, opt_len) == 0) {
+		*optsp = opts + opt_len;
+		if (msg != NULL) {
+			auth_debug_add("%s %s.", msg,
+			    negate ? "disabled" : "enabled");
+		}
+		return negate ? 0 : 1;
+	}
+	return -1;
+}
+
 /*
  * return 1 if access is granted, 0 if not.
  * side effect: sets key option flags
@@ -95,7 +121,7 @@ int
 auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 {
 	const char *cp;
-	int i;
+	int i, r;
 
 	/* reset options */
 	auth_clear_options();
@@ -104,52 +130,48 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		return 1;
 
 	while (*opts && *opts != ' ' && *opts != '\t') {
-		cp = "cert-authority";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			key_is_cert_authority = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("cert-authority", 0, &opts, NULL)) != -1) {
+			key_is_cert_authority = r;
 			goto next_option;
 		}
-		cp = "no-port-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Port forwarding disabled.");
+		if ((r = match_flag("restrict", 0, &opts, NULL)) != -1) {
+			auth_debug_add("Key is restricted.");
 			no_port_forwarding_flag = 1;
-			opts += strlen(cp);
+			no_agent_forwarding_flag = 1;
+			no_x11_forwarding_flag = 1;
+			no_pty_flag = 1;
+			no_user_rc = 1;
 			goto next_option;
 		}
-		cp = "no-agent-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Agent forwarding disabled.");
-			no_agent_forwarding_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("port-forwarding", 1, &opts,
+		    "Port forwarding")) != -1) {
+			no_port_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-X11-forwarding";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("X11 forwarding disabled.");
-			no_x11_forwarding_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("agent-forwarding", 1, &opts,
+		    "Agent forwarding")) != -1) {
+			no_agent_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-pty";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("Pty allocation disabled.");
-			no_pty_flag = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("x11-forwarding", 1, &opts,
+		    "X11 forwarding")) != -1) {
+			no_x11_forwarding_flag = r != 1;
 			goto next_option;
 		}
-		cp = "no-user-rc";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
-			auth_debug_add("User rc file execution disabled.");
-			no_user_rc = 1;
-			opts += strlen(cp);
+		if ((r = match_flag("pty", 1, &opts,
+		    "PTY allocation")) != -1) {
+			no_pty_flag = r != 1;
+			goto next_option;
+		}
+		if ((r = match_flag("user-rc", 1, &opts,
+		    "User rc execution")) != -1) {
+			no_user_rc = r != 1;
 			goto next_option;
 		}
 		cp = "command=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
-			if (forced_command != NULL)
-				free(forced_command);
+			free(forced_command);
 			forced_command = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
@@ -179,8 +201,7 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 		cp = "principals=\"";
 		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
 			opts += strlen(cp);
-			if (authorized_principals != NULL)
-				free(authorized_principals);
+			free(authorized_principals);
 			authorized_principals = xmalloc(strlen(opts) + 1);
 			i = 0;
 			while (*opts) {
@@ -566,8 +587,7 @@ parse_option_list(struct sshbuf *oblob, struct passwd *pw,
 		free(*cert_forced_command);
 		*cert_forced_command = NULL;
 	}
-	if (name != NULL)
-		free(name);
+	free(name);
 	sshbuf_free(data);
 	sshbuf_free(c);
 	return ret;
@@ -611,8 +631,7 @@ auth_cert_options(struct sshkey *k, struct passwd *pw)
 	no_user_rc |= cert_no_user_rc;
 	/* CA-specified forced command supersedes key option */
 	if (cert_forced_command != NULL) {
-		if (forced_command != NULL)
-			free(forced_command);
+		free(forced_command);
 		forced_command = cert_forced_command;
 	}
 	return 0;

auth-pam.c

@@ -45,7 +45,8 @@
  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* Based on $FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des Exp $ */
+/* Based on FreeBSD: src/crypto/openssh/auth2-pam-freebsd.c,v 1.11 2003/03/31 13:48:18 des */
+
 #include "includes.h"
 
 #include <sys/types.h>

auth.h

-/* $OpenBSD: auth.h,v 1.84 2015/05/08 06:41:56 djm Exp $ */
+/* $OpenBSD: auth.h,v 1.86 2015/12/04 16:41:28 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -209,7 +209,7 @@ Key	*get_hostkey_private_by_type(int, int, struct ssh *);
 int	 get_hostkey_index(Key *, int, struct ssh *);
 int	 ssh1_session_key(BIGNUM *);
 int	 sshd_hostkey_sign(Key *, Key *, u_char **, size_t *,
-	     const u_char *, size_t, u_int);
+	     const u_char *, size_t, const char *, u_int);
 
 /* debug messages during authentication */
 void	 auth_debug_add(const char *fmt,...) __attribute__((format(printf, 1, 2)));

auth2-pubkey.c

-/* $OpenBSD: auth2-pubkey.c,v 1.53 2015/06/15 18:44:22 jsing Exp $ */
+/* $OpenBSD: auth2-pubkey.c,v 1.55 2016/01/27 00:53:12 djm Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -79,19 +79,19 @@ userauth_pubkey(Authctxt *authctxt)
 {
 	Buffer b;
 	Key *key = NULL;
-	char *pkalg, *userstyle;
+	char *pkalg, *userstyle, *fp = NULL;
 	u_char *pkblob, *sig;
 	u_int alen, blen, slen;
 	int have_sig, pktype;
 	int authenticated = 0;
 
 	if (!authctxt->valid) {
-		debug2("userauth_pubkey: disabled because of invalid user");
+		debug2("%s: disabled because of invalid user", __func__);
 		return 0;
 	}
 	have_sig = packet_get_char();
 	if (datafellows & SSH_BUG_PKAUTH) {
-		debug2("userauth_pubkey: SSH_BUG_PKAUTH");
+		debug2("%s: SSH_BUG_PKAUTH", __func__);
 		/* no explicit pkalg given */
 		pkblob = packet_get_string(&blen);
 		buffer_init(&b);
@@ -106,18 +106,18 @@ userauth_pubkey(Authctxt *authctxt)
 	pktype = key_type_from_name(pkalg);
 	if (pktype == KEY_UNSPEC) {
 		/* this is perfectly legal */
-		logit("userauth_pubkey: unsupported public key algorithm: %s",
-		    pkalg);
+		logit("%s: unsupported public key algorithm: %s",
+		    __func__, pkalg);
 		goto done;
 	}
 	key = key_from_blob(pkblob, blen);
 	if (key == NULL) {
-		error("userauth_pubkey: cannot decode key: %s", pkalg);
+		error("%s: cannot decode key: %s", __func__, pkalg);
 		goto done;
 	}
 	if (key->type != pktype) {
-		error("userauth_pubkey: type mismatch for decoded key "
-		    "(received %d, expected %d)", key->type, pktype);
+		error("%s: type mismatch for decoded key "
+		    "(received %d, expected %d)", __func__, key->type, pktype);
 		goto done;
 	}
 	if (key_type_plain(key->type) == KEY_RSA &&
@@ -126,6 +126,7 @@ userauth_pubkey(Authctxt *authctxt)
 		    "signature scheme");
 		goto done;
 	}
+	fp = sshkey_fingerprint(key, options.fingerprint_hash, SSH_FP_DEFAULT);
 	if (auth2_userkey_already_used(authctxt, key)) {
 		logit("refusing previously-used %s key", key_type(key));
 		goto done;
@@ -138,6 +139,8 @@ userauth_pubkey(Authctxt *authctxt)
 	}
 
 	if (have_sig) {
+		debug3("%s: have signature for %s %s",
+		    __func__, sshkey_type(key), fp);
 		sig = packet_get_string(&slen);
 		packet_check_eom();
 		buffer_init(&b);
@@ -183,7 +186,8 @@ userauth_pubkey(Authctxt *authctxt)
 		buffer_free(&b);
 		free(sig);
 	} else {
-		debug("test whether pkalg/pkblob are acceptable");
+		debug("%s: test whether pkalg/pkblob are acceptable for %s %s",
+		    __func__, sshkey_type(key), fp);
 		packet_check_eom();
 
 		/* XXX fake reply and always send PK_OK ? */
@@ -206,11 +210,12 @@ userauth_pubkey(Authctxt *authctxt)
 	if (authenticated != 1)
 		auth_clear_options();
 done:
-	debug2("userauth_pubkey: authenticated %d pkalg %s", authenticated, pkalg);
+	debug2("%s: authenticated %d pkalg %s", __func__, authenticated, pkalg);
 	if (key != NULL)
 		key_free(key);
 	free(pkalg);
 	free(pkblob);
+	free(fp);
 	return authenticated;
 }
 
@@ -796,8 +801,9 @@ check_authkeys_file(FILE *f, char *file, Key* key, struct passwd *pw)
 				free(fp);
 				continue;
 			}
-			verbose("Accepted certificate ID \"%s\" "
+			verbose("Accepted certificate ID \"%s\" (serial %llu) "
 			    "signed by %s CA %s via %s", key->cert->key_id,
+			    (unsigned long long)key->cert->serial,
 			    key_type(found), fp, file);
 			free(fp);
 			found_key = 1;
@@ -875,8 +881,10 @@ user_cert_trusted_ca(struct passwd *pw, Key *key)
 	if (auth_cert_options(key, pw) != 0)
 		goto out;
 
-	verbose("Accepted certificate ID \"%s\" signed by %s CA %s via %s",
-	    key->cert->key_id, key_type(key->cert->signature_key), ca_fp,
+	verbose("Accepted certificate ID \"%s\" (serial %llu) signed by "
+	    "%s CA %s via %s", key->cert->key_id,
+	    (unsigned long long)key->cert->serial,
+	    key_type(key->cert->signature_key), ca_fp,
 	    options.trusted_user_ca_keys);
 	ret = 1;
 

authfd.c

-/* $OpenBSD: authfd.c,v 1.98 2015/07/03 03:43:18 djm Exp $ */
+/* $OpenBSD: authfd.c,v 1.100 2015/12/04 16:41:28 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -426,11 +426,24 @@ ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
 }
 #endif
 
+/* encode signature algoritm in flag bits, so we can keep the msg format */
+static u_int
+agent_encode_alg(struct sshkey *key, const char *alg)
+{
+	if (alg != NULL && key->type == KEY_RSA) {
+		if (strcmp(alg, "rsa-sha2-256") == 0)
+			return SSH_AGENT_RSA_SHA2_256;
+		else if (strcmp(alg, "rsa-sha2-512") == 0)
+			return SSH_AGENT_RSA_SHA2_512;
+	}
+	return 0;
+}
+
 /* ask agent to sign data, returns err.h code on error, 0 on success */
 int
 ssh_agent_sign(int sock, struct sshkey *key,
     u_char **sigp, size_t *lenp,
-    const u_char *data, size_t datalen, u_int compat)
+    const u_char *data, size_t datalen, const char *alg, u_int compat)
 {
 	struct sshbuf *msg;
 	u_char *blob = NULL, type;
@@ -449,12 +462,13 @@ ssh_agent_sign(int sock, struct sshkey *key,
 		return SSH_ERR_ALLOC_FAIL;
 	if ((r = sshkey_to_blob(key, &blob, &blen)) != 0)
 		goto out;
+	flags |= agent_encode_alg(key, alg);
 	if ((r = sshbuf_put_u8(msg, SSH2_AGENTC_SIGN_REQUEST)) != 0 ||
 	    (r = sshbuf_put_string(msg, blob, blen)) != 0 ||
 	    (r = sshbuf_put_string(msg, data, datalen)) != 0 ||
 	    (r = sshbuf_put_u32(msg, flags)) != 0)
 		goto out;
-	if ((r = ssh_request_reply(sock, msg, msg) != 0))
+	if ((r = ssh_request_reply(sock, msg, msg)) != 0)
 		goto out;
 	if ((r = sshbuf_get_u8(msg, &type)) != 0)
 		goto out;

authfd.h

-/* $OpenBSD: authfd.h,v 1.38 2015/01/14 20:05:27 djm Exp $ */
+/* $OpenBSD: authfd.h,v 1.39 2015/12/04 16:41:28 markus Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -41,7 +41,7 @@ int	ssh_decrypt_challenge(int sock, struct sshkey* key, BIGNUM *challenge,
 	    u_char session_id[16], u_char response[16]);
 int	ssh_agent_sign(int sock, struct sshkey *key,
 	    u_char **sigp, size_t *lenp,
-	    const u_char *data, size_t datalen, u_int compat);
+	    const u_char *data, size_t datalen, const char *alg, u_int compat);
 
 /* Messages for the authentication agent connection. */
 #define SSH_AGENTC_REQUEST_RSA_IDENTITIES	1
@@ -86,5 +86,7 @@ int	ssh_agent_sign(int sock, struct sshkey *key,
 #define SSH_COM_AGENT2_FAILURE			102
 
 #define	SSH_AGENT_OLD_SIGNATURE			0x01
+#define	SSH_AGENT_RSA_SHA2_256			0x02
+#define	SSH_AGENT_RSA_SHA2_512			0x04
 
 #endif				/* AUTHFD_H */

authfile.c

-/* $OpenBSD: authfile.c,v 1.116 2015/07/09 09:49:46 markus Exp $ */
+/* $OpenBSD: authfile.c,v 1.120 2015/12/11 04:21:11 mmcc Exp $ */
 /*
  * Copyright (c) 2000, 2013 Markus Friedl.  All rights reserved.
  *
@@ -243,8 +243,7 @@ sshkey_load_private_type_fd(int fd, int type, const char *passphrase,
 	/* success */
 	r = 0;
  out:
-	if (buffer != NULL)
-		sshbuf_free(buffer);
+	sshbuf_free(buffer);
 	return r;
 }
 
@@ -272,14 +271,13 @@ sshkey_load_private(const char *filename, const char *passphrase,
 		goto out;
 	}
 	if ((r = sshkey_load_file(fd, buffer)) != 0 ||
-	    (r = sshkey_parse_private_fileblob(buffer, passphrase, filename,
-	    keyp, commentp)) != 0)
+	    (r = sshkey_parse_private_fileblob(buffer, passphrase, keyp,
+	    commentp)) != 0)
 		goto out;
 	r = 0;
  out:
 	close(fd);
-	if (buffer != NULL)
-		sshbuf_free(buffer);
+	sshbuf_free(buffer);
 	return r;
 }
 
@@ -426,10 +424,8 @@ sshkey_load_cert(const char *filename, struct sshkey **keyp)
 	r = 0;
 
  out:
-	if (file != NULL)
-		free(file);
-	if (pub != NULL)
-		sshkey_free(pub);
+	free(file);
+	sshkey_free(pub);
 	return r;
 }
 
@@ -474,10 +470,8 @@ sshkey_load_private_cert(int type, const char *filename, const char *passphrase,
 	*keyp = key;
 	key = NULL;
  out:
-	if (key != NULL)
-		sshkey_free(