Merged update from upstream sources

This is an automated DistroBaker update from upstream sources. If you do not know what this is about or would like to opt out, contact the OSCI team. Source: https://src.fedoraproject.org/rpms/openssh.git#44aae310bd4e0f19369ea1c91ada03334f29c843
2021-03-22 10:10:25 +00:00 · 2021-03-22 10:10:25 +00:00 · d029bb77ce
commit d029bb77ce
parent fa840d638a
27 changed files with 456 additions and 644 deletions
--- a/.gitignore
+++ b/.gitignore
@ -45,3 +45,6 @@ pam_ssh_agent_auth-0.9.2.tar.bz2
 /openssh-8.4p1.tar.gz
 /openssh-8.4p1.tar.gz.asc
 /pam_ssh_agent_auth-0.10.4.tar.gz
 /openssh-8.5p1.tar.gz
 /openssh-8.5p1.tar.gz.asc
 /gpgkey-736060BA.gpg
--- a/openssh-6.6.1p1-log-in-chroot.patch
+++ b/openssh-6.6.1p1-log-in-chroot.patch
@ -2,14 +2,14 @@ diff -up openssh-7.4p1/log.c.log-in-chroot openssh-7.4p1/log.c
 --- openssh-7.4p1/log.c.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/log.c	2016-12-23 15:14:33.330168088 +0100
@@ -250,6 +250,11 @@ debug3(const char *fmt,...)
- void
+ log_init(const char *av0, LogLevel level, SyslogFacility facility,
- log_init(char *av0, LogLevel level, SyslogFacility facility, int on_stderr)
+     int on_stderr)
 {
 +	log_init_handler(av0, level, facility, on_stderr, 1);
 +}
 +
 +void
-+log_init_handler(char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
+log_init_handler(const char *av0, LogLevel level, SyslogFacility facility, int on_stderr, int reset_handler) {
 #if defined(HAVE_OPENLOG_R) && defined(SYSLOG_DATA_INIT)
 	struct syslog_data sdata = SYSLOG_DATA_INIT;
 #endif
@ -30,10 +30,10 @@ diff -up openssh-7.4p1/log.h.log-in-chroot openssh-7.4p1/log.h
 --- openssh-7.4p1/log.h.log-in-chroot	2016-12-19 05:59:41.000000000 +0100
 +++ openssh-7.4p1/log.h	2016-12-23 15:14:33.330168088 +0100
@@ -49,6 +49,7 @@ typedef enum {
- typedef void (log_handler_fn)(LogLevel, const char *, void *);
+     const char *, void *);
- void     log_init(char *, LogLevel, SyslogFacility, int);
+ void     log_init(const char *, LogLevel, SyslogFacility, int);
-+void     log_init_handler(char *, LogLevel, SyslogFacility, int, int);
+void     log_init_handler(const char *, LogLevel, SyslogFacility, int, int);
 LogLevel log_level_get(void);
 int      log_change_level(LogLevel);
 int      log_is_on_stderr(void);
@ -59,14 +59,14 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 	ssh_signal(SIGHUP, &monitor_child_handler);
 	ssh_signal(SIGTERM, &monitor_child_handler);
@@ -472,7 +476,7 @@ monitor_read_log(struct monitor *pmonito
 	/* Log it */
 	if (log_level_name(level) == NULL)
- 		fatal("%s: invalid log level %u (corrupted message?)",
+ 		fatal_f("invalid log level %u (corrupted message?)", level);
- 		    __func__, level);
+-	sshlog(file, func, line, 0, level, NULL, "%s [preauth]", msg);
-	do_log2(level, "%s [preauth]", msg);
+	sshlog(file, func, line, 0, level, NULL, "%s [%s]", msg, pmonitor->m_state);
 +	do_log2(level, "%s [%s]", msg, pmonitor->m_state);
 	sshbuf_free(logmsg);
- 	free(msg);
+ 	free(file);
@@ -1719,13 +1723,28 @@ monitor_init(void)
 	mon = xcalloc(1, sizeof(*mon));
 	monitor_openfds(mon, 1);
@ -89,7 +89,7 @@ diff -up openssh-7.4p1/monitor.c.log-in-chroot openssh-7.4p1/monitor.c
 +		xasprintf(&dev_log_path, "%s/dev/log", chroot_dir);
 +
 +		if (stat(dev_log_path, &dev_log_stat) != 0) {
-+			debug("%s: /dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", __func__, chroot_dir);
+			debug_f("/dev/log doesn't exist in %s chroot - will try to log via monitor using [postauth] suffix", chroot_dir);
 +			do_logfds = 1;
 +		}
 +		free(dev_log_path);
--- a/openssh-6.6.1p1-selinux-contexts.patch
+++ b/openssh-6.6.1p1-selinux-contexts.patch
@ -34,19 +34,19 @@ index 8f32464..18a2ca4 100644
 +
 +	contexts_path = selinux_openssh_contexts_path();
 +	if (contexts_path == NULL) {
-+		debug3("%s: Failed to get the path to SELinux context", __func__);
+		debug3_f("Failed to get the path to SELinux context");
 +		return;
 +	}
 +
 +	if ((contexts_file = fopen(contexts_path, "r")) == NULL) {
-+		debug("%s: Failed to open SELinux context file", __func__);
+		debug_f("Failed to open SELinux context file");
 +		return;
 +	}
 +
 +	if (fstat(fileno(contexts_file), &sb) != 0 ||
 +	    sb.st_uid != 0 || (sb.st_mode & 022) != 0) {
-+		logit("%s: SELinux context file needs to be owned by root"
+		logit_f("SELinux context file needs to be owned by root"
-+		    " and not writable by anyone else", __func__);
+		    " and not writable by anyone else");
 +		fclose(contexts_file);
 +		return;
 +	}
@ -70,7 +70,7 @@ index 8f32464..18a2ca4 100644
 +		if (arg && strcmp(arg, "privsep_preauth") == 0) {
 +			arg = strdelim(&cp);
 +			if (!arg || *arg == '\0') {
-+				debug("%s: privsep_preauth is empty", __func__);
+				debug_f("privsep_preauth is empty");
 +				fclose(contexts_file);
 +				return;
 +			}
@ -80,8 +80,8 @@ index 8f32464..18a2ca4 100644
 +	fclose(contexts_file);
 +
 +	if (preauth_context == NULL) {
-+		debug("%s: Unable to find 'privsep_preauth' option in"
+		debug_f("Unable to find 'privsep_preauth' option in"
-+		    " SELinux context file", __func__);
+		    " SELinux context file");
 +		return;
 +	}
 +
@ -101,10 +101,11 @@ index 22ea8ef..1fc963d 100644
 	if ((cx = index(cx + 1, ':')))
 		strlcat(newctx, cx, newlen);
 -	debug3("%s: setting context from '%s' to '%s'", __func__,
-+	debug("%s: setting context from '%s' to '%s'", __func__,
+	debug_f("setting context from '%s' to '%s'",
 	    oldctx, newctx);
 	if (setcon(newctx) < 0)
- 		switchlog("%s: setcon %s from %s failed with %s", __func__,
+ 		do_log2(log_level, "%s: setcon %s from %s failed with %s",
 		    __func__, newctx, oldctx, strerror(errno));
 diff --git a/openbsd-compat/port-linux.h b/openbsd-compat/port-linux.h
 index cb51f99..8b7cda2 100644
 --- a/openbsd-compat/port-linux.h
--- a/openssh-6.6p1-GSSAPIEnablek5users.patch
+++ b/openssh-6.6p1-GSSAPIEnablek5users.patch
@ -39,8 +39,8 @@ diff -up openssh-7.4p1/servconf.c.GSSAPIEnablek5users openssh-7.4p1/servconf.c
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -418,7 +421,7 @@ typedef enum {
- 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedKeyTypes,
+ 	sHostbasedUsesNameFromPacketOnly, sHostbasedAcceptedAlgorithms,
- 	sHostKeyAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 -	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssAuthentication, sGssCleanupCreds, sGssEnablek5users, sGssStrictAcceptor,
--- a/openssh-6.6p1-keycat.patch
+++ b/openssh-6.6p1-keycat.patch
@ -1,10 +1,10 @@
-diff -up openssh/auth.c.keycat openssh/misc.c
+diff -up openssh/misc.c.keycat openssh/misc.c
--- openssh/auth.c.keycat	2015-06-24 10:57:50.158849606 +0200
+--- openssh/misc.c.keycat	2015-06-24 10:57:50.158849606 +0200
-+++ openssh/auth.c	2015-06-24 11:04:23.989868638 +0200
+++ openssh/misc.c	2015-06-24 11:04:23.989868638 +0200
-@@ -966,6 +966,14 @@ subprocess(const char *tag, struct passw
+@@ -966,6 +966,13 @@ subprocess(const char *tag, struct passw
 			error("%s: dup2: %s", tag, strerror(errno));
 			_exit(1);
 		}
 +#ifdef WITH_SELINUX
 +		if (sshd_selinux_setup_env_variables() < 0) {
 +			error ("failed to copy environment:  %s",
@ -12,10 +12,9 @@ diff -up openssh/auth.c.keycat openssh/misc.c
 +			_exit(127);
 +		}
 +#endif
-+
+ 		if (env != NULL)
- 		execve(av[0], av, child_env);
+ 			execve(av[0], av, env);
- 		error("%s exec \"%s\": %s", tag, command, strerror(errno));
+ 		else
 		_exit(127);
 diff -up openssh/HOWTO.ssh-keycat.keycat openssh/HOWTO.ssh-keycat
 --- openssh/HOWTO.ssh-keycat.keycat	2015-06-24 10:57:50.157849608 +0200
 +++ openssh/HOWTO.ssh-keycat	2015-06-24 10:57:50.157849608 +0200
--- a/openssh-6.6p1-kuserok.patch
+++ b/openssh-6.6p1-kuserok.patch
@ -193,7 +193,7 @@ diff -up openssh-7.4p1/servconf.c.kuserok openssh-7.4p1/servconf.c
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -399,7 +402,7 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken, sKerberosUniqueCCache,
--- a/openssh-6.6p1-privsep-selinux.patch
+++ b/openssh-6.6p1-privsep-selinux.patch
@ -13,7 +13,7 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
 --- openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux	2016-12-23 18:58:52.973122201 +0100
 +++ openssh-7.4p1/openbsd-compat/port-linux-sshd.c	2016-12-23 18:58:52.974122201 +0100
@@ -419,6 +419,28 @@ sshd_selinux_setup_exec_context(char *pw
- 	debug3("%s: done", __func__);
+ 	debug3_f("done");
 }
 +void
@ -25,15 +25,15 @@ diff -up openssh-7.4p1/openbsd-compat/port-linux-sshd.c.privsep-selinux openssh-
 +		return;
 +
 +	if (getexeccon((security_context_t *)&ctx) != 0) {
-+		logit("%s: getexeccon failed with %s", __func__, strerror(errno));
+		logit_f("getexeccon failed with %s", strerror(errno));
 +		return;
 +	}
 +	if (ctx != NULL) {
 +		/* unset exec context before we will lose this capabililty */
 +		if (setexeccon(NULL) != 0)
-+			fatal("%s: setexeccon failed with %s", __func__, strerror(errno));
+			fatal_f("setexeccon failed with %s", strerror(errno));
 +		if (setcon(ctx) != 0)
-+			fatal("%s: setcon failed with %s", __func__, strerror(errno));
+			fatal_f("setcon failed with %s", strerror(errno));
 +		freecon(ctx);
 +	}
 +}
--- a/openssh-6.7p1-coverity.patch
+++ b/openssh-6.7p1-coverity.patch
@ -34,7 +34,7 @@ diff -up openssh-7.4p1/monitor_wrap.c.coverity openssh-7.4p1/monitor_wrap.c
@@ -525,10 +525,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
- 		error("%s: cannot allocate fds for pty", __func__);
+ 		error_f("cannot allocate fds for pty");
 -		if (tmp1 > 0)
 +		if (tmp1 >= 0)
 			close(tmp1);
@ -120,11 +120,11 @@ diff -up openssh-7.4p1/serverloop.c.coverity openssh-7.4p1/serverloop.c
 -		while (read(notify_pipe[0], &c, 1) != -1)
 +	if (notify_pipe[0] >= 0 && FD_ISSET(notify_pipe[0], readset))
 +		while (read(notify_pipe[0], &c, 1) >= 0)
- 			debug2("%s: reading", __func__);
+ 			debug2_f("reading");
 }
@@ -518,7 +518,7 @@ server_request_tun(void)
- 		debug("%s: invalid tun", __func__);
+ 		debug_f("invalid tun");
 		goto done;
 	}
 -	if (auth_opts->force_tun_device != -1) {
--- a/openssh-7.1p2-audit-race-condition.patch
+++ b/openssh-7.1p2-audit-race-condition.patch
@ -13,33 +13,33 @@ diff -up openssh-7.4p1/monitor_wrap.c.audit-race openssh-7.4p1/monitor_wrap.c
 +	struct sshbuf *m;
 +	int r, ret = 0;
 +
-+	debug3("%s: entering", __func__);
+	debug3_f("entering");
 +	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	do {
 +		blen = atomicio(read, fdin, buf, sizeof(buf));
 +		if (blen == 0) /* closed pipe */
 +			break;
 +		if (blen != sizeof(buf)) {
-+			error("%s: Failed to read the buffer from child", __func__);
+			error_f("Failed to read the buffer from child");
 +			ret = -1;
 +			break;
 +		}
 +
 +		msg_len = get_u32(buf);
 +		if (msg_len > 256 * 1024)
-+			fatal("%s: read: bad msg_len %d", __func__, msg_len);
+			fatal_f("read: bad msg_len %d", msg_len);
 +		sshbuf_reset(m);
 +		if ((r = sshbuf_reserve(m, msg_len, NULL)) != 0)
-+			fatal("%s: buffer error: %s", __func__, ssh_err(r));
+			fatal_fr(r, "buffer error");
 +		if (atomicio(read, fdin, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
-+			error("%s: Failed to read the the buffer content from the child", __func__);
+			error_f("Failed to read the the buffer content from the child");
 +			ret = -1;
 +			break;
 +		}
 +		if (atomicio(vwrite, pmonitor->m_recvfd, buf, blen) != blen || 
 +		    atomicio(vwrite, pmonitor->m_recvfd, sshbuf_mutable_ptr(m), msg_len) != msg_len) {
-+			error("%s: Failed to write the message to the monitor", __func__);
+			error_f("Failed to write the message to the monitor");
 +			ret = -1;
 +			break;
 +		}
--- a/openssh-7.2p2-k5login_directory.patch
+++ b/openssh-7.2p2-k5login_directory.patch
@ -49,7 +49,7 @@ index a7c0c5f..df8cc9a 100644
 +	int ret = 0;
 +
 +	ret = ssh_krb5_get_k5login_directory(krb_context, &k5login_directory);
-+	debug3("%s: k5login_directory = %s (rv=%d)", __func__, k5login_directory, ret);
+	debug3_f("k5login_directory = %s (rv=%d)", k5login_directory, ret);
 +	if (k5login_directory == NULL || ret != 0) {
 +		/* If not set, the library will look for  k5login
 +		 * files in the user's home directory, with the filename  .k5login.
@ -64,7 +64,7 @@ index a7c0c5f..df8cc9a 100644
 +			k5login_directory[strlen(k5login_directory)-1] != '/' ? "/" : "",
 +			pw->pw_name);
 +	}
-+	debug("%s: Checking existence of file %s", __func__, file);
+	debug_f("Checking existence of file %s", file);
 -	snprintf(file, sizeof(file), "%s/.k5login", pw->pw_dir);
 	return access(file, F_OK) == 0;
--- a/openssh-7.6p1-audit.patch
+++ b/openssh-7.6p1-audit.patch
@ -943,7 +943,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 		return SSH_ERR_NO_CIPHER_ALG_MATCH;
 +	}
 	if ((enc->cipher = cipher_by_name(name)) == NULL) {
- 		error("%s: unsupported cipher %s", __func__, name);
+ 		error_f("unsupported cipher %s", name);
 		free(name);
@@ -783,8 +788,12 @@ choose_mac(struct ssh *ssh, struct sshma
 {
@ -957,7 +957,7 @@ diff -up openssh/kex.c.audit openssh/kex.c
 		return SSH_ERR_NO_MAC_ALG_MATCH;
 +	}
 	if (mac_setup(mac, name) < 0) {
- 		error("%s: unsupported MAC %s", __func__, name);
+ 		error_f("unsupported MAC %s", name);
 		free(name);
@@ -796,12 +805,16 @@ choose_mac(struct ssh *ssh, struct sshma
 }
@ -1094,7 +1094,7 @@ diff -up openssh/Makefile.in.audit openssh/Makefile.in
 --- openssh/Makefile.in.audit	2019-04-03 17:02:20.705885965 +0200
 +++ openssh/Makefile.in	2019-04-03 17:02:20.715886060 +0200
@@ -109,7 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
- 	sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
+ 	kexsntrup761x25519.o sntrup761.o kexgen.o \
 	kexgssc.o \
 	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
 -	sshbuf-io.o
@ -1172,15 +1172,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
@@ -1455,6 +1474,8 @@ mm_answer_keyverify(struct ssh *ssh, int
 	if (hostbased_cuser == NULL || hostbased_chost == NULL ||
 	  !monitor_allowed_key(blob, bloblen))
- 		fatal("%s: bad key, not previously allowed", __func__);
+ 		fatal_f("bad key, not previously allowed");
 +	if (type != key_blobtype)
-+		fatal("%s: bad key type", __func__);
+		fatal_f("bad key type");
 	/* Empty signature algorithm means NULL. */
 	if (*sigalg == '\0') {
-@@ -1470,25 +1491,28 @@ mm_answer_keyverify(struct ssh *ssh, int
+@@ -1470,27 +1491,30 @@ mm_answer_keyverify(struct ssh *ssh, int
 	case MM_USERKEY:
- 		valid_data = monitor_valid_userblob(data, datalen);
+ 		valid_data = monitor_valid_userblob(ssh, data, datalen);
 		auth_method = "publickey";
 +		ret = user_key_verify(ssh, key, signature, signaturelen, data,
 +		    datalen, sigalg, ssh->compat, &sig_details);
@ -1198,15 +1198,17 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 		break;
 	}
 	if (!valid_data)
- 		fatal("%s: bad signature data blob", __func__);
+ 		fatal_f("bad %s signature data blob",
 		    key_blobtype == MM_USERKEY ? "userkey" :
 		    (key_blobtype == MM_HOSTKEY ? "hostkey" : "unknown"));
 	if ((fp = sshkey_fingerprint(key, options.fingerprint_hash,
 	    SSH_FP_DEFAULT)) == NULL)
- 		fatal("%s: sshkey_fingerprint failed", __func__);
+ 		fatal_f("sshkey_fingerprint failed");
 -	ret = sshkey_verify(key, signature, signaturelen, data, datalen,
 -	    sigalg, ssh->compat, &sig_details);
- 	debug3("%s: %s %p signature %s%s%s", __func__, auth_method, key,
+ 	debug3_f("%s %p signature %s%s%s", auth_method, key,
 	    (ret == 0) ? "verified" : "unverified",
 	    (ret != 0) ? ": " : "", (ret != 0) ? ssh_err(ret) : "");
@@ -1536,13 +1560,19 @@ mm_record_login(struct ssh *ssh, Session
@ -1216,14 +1218,14 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 -mm_session_close(Session *s)
 +mm_session_close(struct ssh *ssh, Session *s)
 {
- 	debug3("%s: session %d pid %ld", __func__, s->self, (long)s->pid);
+ 	debug3_f("session %d pid %ld", s->self, (long)s->pid);
 	if (s->ttyfd != -1) {
- 		debug3("%s: tty %s ptyfd %d", __func__, s->tty, s->ptyfd);
+ 		debug3_f("tty %s ptyfd %d", s->tty, s->ptyfd);
 		session_pty_cleanup2(s);
 	}
 +#ifdef SSH_AUDIT_EVENTS
 +	if (s->command != NULL) {
-+		debug3("%s: command %d", __func__, s->command_handle);
+		debug3_f("command %d", s->command_handle);
 +		session_end_command2(ssh, s);
 +	}
 +#endif
@ -1237,11 +1239,11 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 -		mm_session_close(s);
 +		mm_session_close(ssh, s);
 	if ((r = sshbuf_put_u32(m, 0)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "assemble 0");
 	mm_request_send(sock, MONITOR_ANS_PTY, m);
@@ -1628,7 +1658,7 @@ mm_answer_pty_cleanup(struct ssh *ssh, i
 	if ((r = sshbuf_get_cstring(m, &tty, NULL)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "parse tty");
 	if ((s = session_by_tty(tty)) != NULL)
 -		mm_session_close(s);
 +		mm_session_close(ssh, s);
@ -1271,7 +1273,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 -	audit_run_command(cmd);
 +	s = session_new();
 +	if (s == NULL)
-+		fatal("%s: error allocating a session", __func__);
+		fatal_f("error allocating a session");
 +	s->command = cmd;
 +#ifdef SSH_AUDIT_EVENTS
 +	s->command_handle = audit_run_command(ssh, cmd);
@ -1293,15 +1295,15 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +	u_char *cmd = NULL;
 +	Session *s;
 +
-+	debug3("%s entering", __func__);
+	debug3_f("entering");
 +	if ((r = sshbuf_get_u32(m, &handle)) != 0 ||
 +	    (r = sshbuf_get_string(m, &cmd, &len)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	s = session_by_id(handle);
 +	if (s == NULL || s->ttyfd != -1 || s->command == NULL ||
 +	    strcmp(s->command, cmd) != 0)
-+		fatal("%s: invalid handle", __func__);
+		fatal_f("invalid handle");
 +	mm_session_close(ssh, s);
 	free(cmd);
 	return (0);
@ -1311,13 +1313,13 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 mm_get_keystate(struct ssh *ssh, struct monitor *pmonitor)
 {
 +	struct sshbuf *m;
- 	debug3("%s: Waiting for new keys", __func__);
+ 	debug3_f("Waiting for new keys");
 	if ((child_state = sshbuf_new()) == NULL)
@@ -1774,6 +1842,19 @@ mm_get_keystate(struct ssh *ssh, struct
 	mm_request_receive_expect(pmonitor->m_sendfd, MONITOR_REQ_KEYEXPORT,
 	    child_state);
- 	debug3("%s: GOT new keys", __func__);
+ 	debug3_f("GOT new keys");
 +
 +#ifdef SSH_AUDIT_EVENTS
 +	m = sshbuf_new();
@ -1345,7 +1347,7 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +	int what, r;
 +
 +	if ((r = sshbuf_get_u32(m, &what)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	audit_unsupported_body(ssh, what);
 +
@ -1370,10 +1372,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +	    (r = sshbuf_get_cstring(m, &compress, NULL)) != 0 ||
 +	    (r = sshbuf_get_cstring(m, &pfs, NULL)) != 0 ||
 +	    (r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	pid = (pid_t) tmp;
 +	if ((r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	uid = (pid_t) tmp;
 +
 +	audit_kex_body(ssh, ctos, cipher, mac, compress, pfs, pid, uid);
@ -1398,10 +1400,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +
 +	if ((r = sshbuf_get_u32(m, &ctos)) != 0 ||
 +	    (r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	pid = (pid_t) tmp;
 +	if ((r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	uid = (uid_t) tmp;
 +
 +	audit_session_key_free_body(ssh, ctos, pid, uid);
@ -1423,10 +1425,10 @@ diff -up openssh/monitor.c.audit openssh/monitor.c
 +
 +	if ((r = sshbuf_get_cstring(m, &fp, &len)) != 0 ||
 +	    (r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	pid = (pid_t) tmp;
 +	if ((r = sshbuf_get_u64(m, &tmp)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	uid = (uid_t) tmp;
 +
 +	audit_destroy_sensitive_data(ssh, fp, pid, uid);
@ -1470,7 +1472,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
@@ -525,7 +525,8 @@ mm_sshkey_verify(const struct sshkey *ke
 		*sig_detailsp = NULL;
 	if ((m = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 -	if ((r = sshkey_puts(key, m)) != 0 ||
 +	if ((r = sshbuf_put_u32(m, type)) != 0 ||
 +	    (r = sshkey_puts(key, m)) != 0 ||
@ -1522,7 +1524,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_COMMAND, m);
 +
 +	if ((r = sshbuf_get_u32(m, &handle)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	sshbuf_free(m);
 +
 +	return (handle);
@ -1534,13 +1536,13 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	int r;
 +	struct sshbuf *m;
 +
-+	debug3("%s entering command %s", __func__, command);
+	debug3_f("entering command %s", command);
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, handle)) != 0 ||
 +	    (r = sshbuf_put_cstring(m, command)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_END_COMMAND, m);
 	sshbuf_free(m);
@ -1558,9 +1560,9 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, what)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_UNSUPPORTED, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -1577,7 +1579,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
 +	    (r = sshbuf_put_cstring(m, cipher)) != 0 ||
 +	    (r = sshbuf_put_cstring(m, (mac ? mac : "<implicit>"))) != 0 ||
@ -1585,7 +1587,7 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	    (r = sshbuf_put_cstring(m, fps)) != 0 ||
 +	    (r = sshbuf_put_u64(m, pid)) != 0 ||
 +	    (r = sshbuf_put_u64(m, uid)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_KEX, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_KEX,
@ -1601,11 +1603,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, ctos)) != 0 ||
 +	    (r = sshbuf_put_u64(m, pid)) != 0 ||
 +	    (r = sshbuf_put_u64(m, uid)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SESSION_KEY_FREE, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_AUDIT_SESSION_KEY_FREE,
@ -1620,11 +1622,11 @@ diff -up openssh/monitor_wrap.c.audit openssh/monitor_wrap.c
 +	struct sshbuf *m;
 +
 + 	if ((m = sshbuf_new()) == NULL)
-+ 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_cstring(m, fp)) != 0 ||
 +	    (r = sshbuf_put_u64(m, pid)) != 0 ||
 +	    (r = sshbuf_put_u64(m, uid)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUDIT_SERVER_KEY_FREE, m);
 +	sshbuf_free(m);
@ -1903,7 +1905,7 @@ diff -up openssh/session.c.audit openssh/session.c
 +		if (s->used)
 +			return s;
 +	}
-+	debug("%s: unknown id %d", __func__, id);
+	debug_f("unknown id %d", id);
 +	session_dump();
 +	return NULL;
 +}
@ -2115,7 +2117,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 			sshkey_free(sensitive_data.host_certificates[i]);
 			sensitive_data.host_certificates[i] = NULL;
 		}
-@@ -400,14 +437,26 @@ destroy_sensitive_data(void)
+@@ -400,20 +437,38 @@ destroy_sensitive_data(void)
 /* Demote private to public keys for network child */
 void
@ -2142,9 +2144,8 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 +				fp = NULL;
 			if ((r = sshkey_from_private(
 			    sensitive_data.host_keys[i], &tmp)) != 0)
- 				fatal("could not demote host %s key: %s",
+ 				fatal_r(r, "could not demote host %s key",
-@@ -415,6 +464,12 @@ demote_sensitive_data(void)
+ 				    sshkey_type(sensitive_data.host_keys[i]));
 				    ssh_err(r));
 			sshkey_free(sensitive_data.host_keys[i]);
 			sensitive_data.host_keys[i] = tmp;
 +			if (fp != NULL) {
@ -2254,7 +2255,7 @@ diff -up openssh/sshd.c.audit openssh/sshd.c
 		do_cleanup(the_active_state, the_authctxt);
 		if (use_privsep && privsep_is_preauth &&
@@ -2414,9 +2482,16 @@ cleanup_exit(int i)
- 				    pmonitor->m_pid, strerror(errno));
+ 			}
 		}
 	}
 +	is_privsep_child = use_privsep && pmonitor != NULL && pmonitor->m_pid == 0;
--- a/openssh-7.6p1-cleanup-selinux.patch
+++ b/openssh-7.6p1-cleanup-selinux.patch
@ -2,9 +2,9 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
 --- openssh/auth2-pubkey.c.refactor	2019-04-04 13:19:12.188821236 +0200
 +++ openssh/auth2-pubkey.c	2019-04-04 13:19:12.276822078 +0200
@@ -72,6 +72,9 @@
 /* import */
 extern ServerOptions options;
 extern u_char *session_id2;
 extern u_int session_id2_len;
 +extern int inetd_flag;
 +extern int rexeced_flag;
 +extern Authctxt *the_authctxt;
@ -12,59 +12,59 @@ diff -up openssh/auth2-pubkey.c.refactor openssh/auth2-pubkey.c
 static char *
 format_key(const struct sshkey *key)
@@ -511,7 +514,8 @@ match_principals_command(struct ssh *ssh
- 
+ 	if ((pid = subprocess("AuthorizedPrincipalsCommand", command,
 	if ((pid = subprocess("AuthorizedPrincipalsCommand", runas_pw, command,
 	    ac, av, &f,
-	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+ 	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
-+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+-	    runas_pw, temporarily_use_uid, restore_uid)) == 0)
 +	    runas_pw, temporarily_use_uid, restore_uid,
 +	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
 		goto out;
 	uid_swapped = 1;
@@ -981,7 +985,8 @@ user_key_command_allowed2(struct ssh *ss
- 
+ 	if ((pid = subprocess("AuthorizedKeysCommand", command,
 	if ((pid = subprocess("AuthorizedKeysCommand", runas_pw, command,
 	    ac, av, &f,
-	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD)) == 0)
+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
-+	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_STDERR_DISCARD,
+-	    runas_pw, temporarily_use_uid, restore_uid)) == 0)
 +	    runas_pw, temporarily_use_uid, restore_uid,
 +	    (inetd_flag && !rexeced_flag), the_authctxt)) == 0)
 		goto out;
 	uid_swapped = 1;
-diff -up openssh/auth.c.refactor openssh/auth.c
+diff -up openssh/misc.c.refactor openssh/misc.c
--- openssh/auth.c.refactor	2019-04-04 13:19:12.235821686 +0200
+--- openssh/misc.c.refactor	2019-04-04 13:19:12.235821686 +0200
-+++ openssh/auth.c	2019-04-04 13:19:12.276822078 +0200
+++ openssh/misc.c	2019-04-04 13:19:12.276822078 +0200
@@ -756,7 +756,8 @@ auth_get_canonical_hostname(struct ssh *
  */
 pid_t
- subprocess(const char *tag, struct passwd *pw, const char *command,
+ subprocess(const char *tag, const char *command,
-    int ac, char **av, FILE **child, u_int flags)
+     int ac, char **av, FILE **child, u_int flags,
-+    int ac, char **av, FILE **child, u_int flags, int inetd,
+-    struct passwd *pw, privdrop_fn *drop_privs, privrestore_fn *restore_privs)
-+    void *the_authctxt)
+    struct passwd *pw, privdrop_fn *drop_privs,
 +    privrestore_fn *restore_privs, int inetd, void *the_authctxt)
 {
 	FILE *f = NULL;
 	struct stat st;
@@ -872,7 +873,7 @@ subprocess(const char *tag, struct passw
 			_exit(1);
 		}
 #ifdef WITH_SELINUX
 -		if (sshd_selinux_setup_env_variables() < 0) {
 +		if (sshd_selinux_setup_env_variables(inetd, the_authctxt) < 0) {
 			error ("failed to copy environment:  %s",
 			    strerror(errno));
 			_exit(127);
-diff -up openssh/auth.h.refactor openssh/auth.h
+diff -up openssh/misc.h.refactor openssh/misc.h
--- openssh/auth.h.refactor	2019-04-04 13:19:12.251821839 +0200
+--- openssh/misc.h.refactor	2019-04-04 13:19:12.251821839 +0200
-+++ openssh/auth.h	2019-04-04 13:19:12.276822078 +0200
+++ openssh/misc.h	2019-04-04 13:19:12.276822078 +0200
@@ -235,7 +235,7 @@ struct passwd *fakepw(void);
- #define	SSH_SUBPROCESS_STDOUT_CAPTURE  (1<<1)  /* Redirect stdout */
+ #define	SSH_SUBPROCESS_UNSAFE_PATH	(1<<3)	/* Don't check for safe cmd */
- #define	SSH_SUBPROCESS_STDERR_DISCARD  (1<<2)  /* Discard stderr */
+ #define	SSH_SUBPROCESS_PRESERVE_ENV	(1<<4)	/* Keep parent environment */
- pid_t	subprocess(const char *, struct passwd *,
+ pid_t subprocess(const char *, const char *, int, char **, FILE **, u_int,
-    const char *, int, char **, FILE **, u_int flags);
+-    struct passwd *, privdrop_fn *, privrestore_fn *);
-+    const char *, int, char **, FILE **, u_int flags, int, void *);
+    struct passwd *, privdrop_fn *, privrestore_fn *, int, void *);
 int	 sys_auth_passwd(struct ssh *, const char *);
 typedef struct arglist arglist;
 struct arglist {
 diff -up openssh/openbsd-compat/port-linux.h.refactor openssh/openbsd-compat/port-linux.h
 --- openssh/openbsd-compat/port-linux.h.refactor	2019-04-04 13:19:12.256821887 +0200
 +++ openssh/openbsd-compat/port-linux.h	2019-04-04 13:19:12.276822078 +0200
@ -145,7 +145,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
 	char *role;
@@ -342,11 +339,11 @@ sshd_selinux_setup_variables(int(*set_it
- 	debug3("%s: setting execution context", __func__);
+ 	debug3_f("setting execution context");
 -	ssh_selinux_get_role_level(&role, &reqlvl);
 +	ssh_selinux_get_role_level(&role, &reqlvl, the_authctxt);
@ -203,10 +203,10 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.refactor openssh/openbsd-compa
 +		if (sshd_selinux_setup_pam_variables(inetd, pam_setenv, authctxt)) {
 			switch (security_getenforce()) {
 			case -1:
- 				fatal("%s: security_getenforce() failed", __func__);
+ 				fatal_f("security_getenforce() failed");
@@ -410,7 +411,7 @@ sshd_selinux_setup_exec_context(char *pw
- 	debug3("%s: setting execution context", __func__);
+ 	debug3_f("setting execution context");
 -	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
 +	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx, inetd, authctxt);
@ -269,3 +269,15 @@ diff -up openssh/sshd.c.refactor openssh/sshd.c
 #endif
 #ifdef USE_PAM
 	if (options.use_pam) {
 diff -up openssh/sshconnect.c.refactor openssh/sshconnect.c
 --- openssh/sshconnect.c.refactor	2021-02-24 00:12:03.065325046 +0100
 +++ openssh/sshconnect.c	2021-02-24 00:12:12.126449544 +0100
@@ -892,7 +892,7 @@ load_hostkeys_command(struct hostkeys *h
 	if ((pid = subprocess(tag, command, ac, av, &f,
 	    SSH_SUBPROCESS_STDOUT_CAPTURE|SSH_SUBPROCESS_UNSAFE_PATH|
 -	    SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL)) == 0)
 +	    SSH_SUBPROCESS_PRESERVE_ENV, NULL, NULL, NULL, 0, NULL)) == 0)
 		goto out;
 	load_hostkeys_file(hostkeys, hostfile_hostname, tag, f, 1);
--- a/openssh-7.7p1-fips.patch
+++ b/openssh-7.7p1-fips.patch
@ -165,7 +165,7 @@ diff -up openssh-8.0p1/myproposal.h.fips openssh-8.0p1/myproposal.h
 +
 /* Not a KEX value, but here so all the algorithm defaults are together */
 #define	SSH_ALLOWED_CA_SIGALGS	\
- 	"ecdsa-sha2-nistp256," \
+ 	"ssh-ed25519," \
 diff -up openssh-8.0p1/readconf.c.fips openssh-8.0p1/readconf.c
 --- openssh-8.0p1/readconf.c.fips	2019-07-23 14:55:45.334525723 +0200
 +++ openssh-8.0p1/readconf.c	2019-07-23 14:55:45.402526411 +0200
@ -416,7 +416,7 @@ diff -up openssh-8.0p1/sshkey.c.fips openssh-8.0p1/sshkey.c
 	if (!BN_set_word(f4, RSA_F4) ||
 	    !RSA_generate_key_ex(private, bits, f4, NULL)) {
 +			if (FIPS_mode())
-+				logit("%s: the key length might be unsupported by FIPS mode approved key generation method", __func__);
+				logit_f("the key length might be unsupported by FIPS mode approved key generation method");
 		ret = SSH_ERR_LIBCRYPTO_ERROR;
 		goto out;
 	}
--- a/openssh-7.7p1-gssapi-new-unique.patch
+++ b/openssh-7.7p1-gssapi-new-unique.patch
@ -151,7 +151,7 @@ index a5a81ed2..63f877f2 100644
 +ssh_krb5_expand_template(char **result, const char *template) {
 +	char *p_n, *p_o, *r, *tmp_template;
 +
-+	debug3("%s: called, template = %s", __func__, template);
+	debug3_f("called, template = %s", template);
 +	if (template == NULL)
 +		return -1;
 +
@ -179,7 +179,7 @@ index a5a81ed2..63f877f2 100644
 +		} else {
 +			p_o = strchr(p_n, '}') + 1;
 +			*p_o = '\0';
-+			debug("%s: unsupported token %s in %s", __func__, p_n, template);
+			debug_f("unsupported token %s in %s", p_n, template);
 +			/* unknown token, fallback to the default */
 +			goto cleanup;
 +		}
@ -207,7 +207,7 @@ index a5a81ed2..63f877f2 100644
 +	int ret = 0;
 +	char *value = NULL;
 +
-+	debug3("%s: called", __func__);
+	debug3_f("called");
 +	ret = krb5_get_profile(ctx, &p);
 +	if (ret)
 +		return ret;
@ -218,7 +218,7 @@ index a5a81ed2..63f877f2 100644
 +
 +	ret = ssh_krb5_expand_template(ccname, value);
 +
-+	debug3("%s: returning with ccname = %s", __func__, *ccname);
+	debug3_f("returning with ccname = %s", *ccname);
 +	return ret;
 +}
 +
@ -242,7 +242,7 @@ index a5a81ed2..63f877f2 100644
 -		logit("mkstemp(): %.100s", strerror(oerrno));
 -		return oerrno;
 -	}
-+	debug3("%s: called", __func__);
+	debug3_f("called");
 +	if (need_environment)
 +		*need_environment = 0;
 +	ret = ssh_krb5_get_cctemplate(ctx, &ccname);
@ -283,7 +283,7 @@ index a5a81ed2..63f877f2 100644
 -	close(tmpfd);
 -	return (krb5_cc_resolve(ctx, ccname, ccache));
-+	debug3("%s: setting default ccname to %s", __func__, ccname);
+	debug3_f("setting default ccname to %s", ccname);
 +	/* set the default with already expanded user IDs */
 +	ret = krb5_cc_set_default_name(ctx, ccname);
 +	if (ret)
@ -304,13 +304,13 @@ index a5a81ed2..63f877f2 100644
 +	 * a primary cache for this collection, if it supports that (non-FILE)
 +	 */
 +	if (krb5_cc_support_switch(ctx, type)) {
-+		debug3("%s: calling cc_new_unique(%s)", __func__, ccname);
+		debug3_f("calling cc_new_unique(%s)", ccname);
 +		ret = krb5_cc_new_unique(ctx, type, NULL, ccache);
 +		free(type);
 +		if (ret)
 +			return ret;
 +
-+		debug3("%s: calling cc_switch()", __func__);
+		debug3_f("calling cc_switch()");
 +		return krb5_cc_switch(ctx, *ccache);
 +	} else {
 +		/* Otherwise, we can not create a unique ccname here (either
@ -318,7 +318,7 @@ index a5a81ed2..63f877f2 100644
 +		 * collections
 +		 */
 +		free(type);
-+		debug3("%s: calling cc_resolve(%s)", __func__, ccname);
+		debug3_f("calling cc_resolve(%s)", ccname);
 +		return (krb5_cc_resolve(ctx, ccname, ccache));
 +	}
 }
@ -513,7 +513,7 @@ diff -up openssh-7.9p1/servconf.c.ccache_name openssh-7.9p1/servconf.c
 		options->gss_authentication = 0;
 	if (options->gss_keyex == -1)
@@ -447,7 +450,8 @@ typedef enum {
- 	sPermitRootLogin, sLogFacility, sLogLevel,
+ 	sPermitRootLogin, sLogFacility, sLogLevel, sLogVerbose,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
 -	sKerberosGetAFSToken, sChallengeResponseAuthentication,
--- a/openssh-7.8p1-role-mls.patch
+++ b/openssh-7.8p1-role-mls.patch
@ -52,7 +52,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 	gss_buffer_desc mic, gssbuf;
 	const char *displayname;
@@ -298,7 +299,13 @@ input_gssapi_mic(int type, u_int32_t ple
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 	mic.value = p;
 	mic.length = len;
 -	ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
@ -63,7 +63,7 @@ diff -up openssh/auth2-gss.c.role-mls openssh/auth2-gss.c
 +#endif
 +		micuser = authctxt->user;
 +	ssh_gssapi_buildmic(b, micuser, authctxt->service,
- 	    "gssapi-with-mic");
+ 	    "gssapi-with-mic", ssh->kex->session_id);
 	if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
@@ -311,6 +318,8 @@ input_gssapi_mic(int type, u_int32_t ple
@ -80,7 +80,7 @@ diff -up openssh/auth2-hostbased.c.role-mls openssh/auth2-hostbased.c
 +++ openssh/auth2-hostbased.c	2018-08-22 11:14:56.816430924 +0200
@@ -123,7 +123,16 @@ userauth_hostbased(struct ssh *ssh)
 	/* reconstruct packet */
- 	if ((r = sshbuf_put_string(b, session_id2, session_id2_len)) != 0 ||
+ 	if ((r = sshbuf_put_stringb(b, ssh->kex->session_id)) != 0 ||
 	    (r = sshbuf_put_u8(b, SSH2_MSG_USERAUTH_REQUEST)) != 0 ||
 +#ifdef WITH_SELINUX
 +	    (authctxt->role
@ -224,8 +224,8 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
 +	monitor_permit_authentications(1);
 +
 +	if ((r = sshbuf_get_cstring(m, &authctxt->role, NULL)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_f("buffer error: %s", ssh_err(r));
-+	debug3("%s: role=%s", __func__, authctxt->role);
+	debug3_f("role=%s", authctxt->role);
 +
 +	if (strlen(authctxt->role) == 0) {
 +		free(authctxt->role);
@ -251,7 +251,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
@@ -1251,6 +1280,8 @@ monitor_valid_userblob(u_char *data, u_i
 		fail++;
 	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "parse userstyle");
 +	if ((s = strchr(cp, '/')) != NULL)
 +		*s = '\0';
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
@ -269,7 +269,7 @@ diff -up openssh/monitor.c.role-mls openssh/monitor.c
@@ -1308,6 +1339,8 @@ monitor_valid_hostbasedblob(u_char *data
 		fail++;
 	if ((r = sshbuf_get_cstring(b, &cp, NULL)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "parse userstyle");
 +	if ((s = strchr(p, '/')) != NULL)
 +		*s = '\0';
 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
@ -305,12 +305,12 @@ diff -up openssh/monitor_wrap.c.role-mls openssh/monitor_wrap.c
 +	int r;
 +	struct sshbuf *m;
 +
-+	debug3("%s entering", __func__);
+	debug3_f("entering");
 +
 +	if ((m = sshbuf_new()) == NULL)
-+		fatal("%s: sshbuf_new failed", __func__);
+		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_cstring(m, role ? role : "")) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_f("buffer error: %s", ssh_err(r));
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_AUTHROLE, m);
 +
 +	sshbuf_free(m);
@ -357,7 +357,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
 -void
 -ssh_selinux_setup_exec_context(char *pwname)
 -{
-	security_context_t user_ctx = NULL;
+-	char *user_ctx = NULL;
 -
 -	if (!ssh_selinux_enabled())
 -		return;
@ -393,7 +393,7 @@ diff -up openssh/openbsd-compat/port-linux.c.role-mls openssh/openbsd-compat/por
 -	user_ctx = ssh_selinux_getctxbyname(pwname);
 +	if (getexeccon(&user_ctx) != 0) {
-+		error("%s: getexeccon: %s", __func__, strerror(errno));
+		error_f("getexeccon: %s", strerror(errno));
 +		goto out;
 +	}
 +
@ -418,7 +418,7 @@ diff -up openssh/openbsd-compat/port-linux.h.role-mls openssh/openbsd-compat/por
 diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compat/port-linux-sshd.c
 --- openssh/openbsd-compat/port-linux-sshd.c.role-mls	2018-08-22 11:14:56.819430949 +0200
 +++ openssh/openbsd-compat/port-linux-sshd.c	2018-08-22 11:14:56.819430949 +0200
-@@ -0,0 +1,425 @@
+@@ -0,0 +1,421 @@
 +/*
 + * Copyright (c) 2005 Daniel Walsh <dwalsh@redhat.com>
 + * Copyright (c) 2014 Petr Lautrbach <plautrba@redhat.com>
@ -530,7 +530,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +	access_vector_t bit;
 +	security_class_t class;
 +
-+	debug("%s: src:%s dst:%s", __func__, src, dst);
+	debug_f("src:%s dst:%s", src, dst);
 +	class = string_to_security_class("context");
 +	if (!class) {
 +		error("string_to_security_class failed to translate security class context");
@ -692,7 +692,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +			    /* we actually don't change level */
 +			    reqlvl = "";
 +
-+			debug("%s: current connection level '%s'", __func__, reqlvl);
+			debug_f("current connection level '%s'", reqlvl);
 +
 +		}
 +
@ -720,8 +720,8 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +		}
 +	}
 +	if (r != 0) {
-+		error("%s: Failed to get default SELinux security "
+		error_f("Failed to get default SELinux security "
-+		    "context for %s", __func__, pwname);
+		    "context for %s", pwname);
 +	}
 +
 +#ifdef HAVE_GETSEUSERBYNAME
@ -746,7 +746,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +	char *use_current;
 +	int rv;
 +
-+	debug3("%s: setting execution context", __func__);
+	debug3_f("setting execution context");
 +
 +	ssh_selinux_get_role_level(&role, &reqlvl);
 +
@ -783,32 +783,30 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +		if (sshd_selinux_setup_pam_variables()) {
 +			switch (security_getenforce()) {
 +			case -1:
-+				fatal("%s: security_getenforce() failed", __func__);
+				fatal_f("security_getenforce() failed");
 +			case 0:
-+				error("%s: SELinux PAM variable setup failure. Continuing in permissive mode.",
+				error_f("SELinux PAM variable setup failure. Continuing in permissive mode.");
 +				    __func__);
 +			break;
 +			default:
-+				fatal("%s: SELinux PAM variable setup failure. Aborting connection.",
+				fatal_f("SELinux PAM variable setup failure. Aborting connection.");
 +				    __func__);
 +			}
 +		}
 +		return;
 +	}
 +
-+	debug3("%s: setting execution context", __func__);
+	debug3_f("setting execution context");
 +
 +	r = sshd_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
 +	if (r >= 0) {
 +		r = setexeccon(user_ctx);
 +		if (r < 0) {
-+			error("%s: Failed to set SELinux execution context %s for %s",
+			error_f("Failed to set SELinux execution context %s for %s",
-+			    __func__, user_ctx, pwname);
+			    user_ctx, pwname);
 +		}
 +#ifdef HAVE_SETKEYCREATECON
 +		else if (setkeycreatecon(user_ctx) < 0) {
-+			error("%s: Failed to set SELinux keyring creation context %s for %s",
+			error_f("Failed to set SELinux keyring creation context %s for %s",
-+			    __func__, user_ctx, pwname);
+			    user_ctx, pwname);
 +		}
 +#endif
 +	}
@ -823,14 +821,12 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +	if (r < 0) {
 +		switch (security_getenforce()) {
 +		case -1:
-+			fatal("%s: security_getenforce() failed", __func__);
+			fatal_f("security_getenforce() failed");
 +		case 0:
-+			error("%s: SELinux failure. Continuing in permissive mode.",
+			error_f("ELinux failure. Continuing in permissive mode.");
 +			    __func__);
 +			break;
 +		default:
-+			fatal("%s: SELinux failure. Aborting connection.",
+			fatal_f("SELinux failure. Aborting connection.");
 +			    __func__);
 +		}
 +	}
 +	if (user_ctx != NULL && user_ctx != default_ctx)
@ -838,7 +834,7 @@ diff -up openssh/openbsd-compat/port-linux-sshd.c.role-mls openssh/openbsd-compa
 +	if (default_ctx != NULL)
 +		freecon(default_ctx);
 +
-+	debug3("%s: done", __func__);
+	debug3_f("done");
 +}
 +
 +#endif
--- a/openssh-7.9p1-ssh-copy-id.patch
+++ b/openssh-7.9p1-ssh-copy-id.patch
@ -1,27 +0,0 @@
 From 22bfdcf060b632b5a6ff603f8f42ff166c211a66 Mon Sep 17 00:00:00 2001
 From: Jakub Jelen <jjelen@redhat.com>
 Date: Tue, 29 Sep 2020 10:02:45 +0000
 Subject: [PATCH] Fail hard on the first failed attempt to write the
 authorized_keys_file
 ---
 ssh-copy-id | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
 index 392f64f..e69a23f 100755
 --- a/contrib/ssh-copy-id
 +++ b/contrib/ssh-copy-id
@@ -251,7 +251,7 @@ installkeys_sh() {
 	cd;
 	umask 077;
 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
 -	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE}; } &&
 +	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
 	  cat >> ${AUTH_KEY_FILE} ||
 	  exit 1;
 	if type restorecon >/dev/null 2>&1; then
 -- 
 GitLab
--- a/openssh-8.0p1-crypto-policies.patch
+++ b/openssh-8.0p1-crypto-policies.patch
@ -1,7 +1,7 @@
 diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 --- openssh-8.2p1/ssh_config.5.crypto-policies	2020-03-26 14:40:44.546775605 +0100
 +++ openssh-8.2p1/ssh_config.5	2020-03-26 14:52:20.700649727 +0100
-@@ -359,17 +359,17 @@ or
+@@ -359,14 +359,13 @@ or
 .Qq *.c.example.com
 domains.
 .It Cm CASignatureAlgorithms
@ -14,19 +14,15 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 by certificate authorities (CAs).
 -The default is:
 -.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
 -.Pp
 .Xr ssh 1
 will not accept host certificates signed using algorithms other than those
 specified.
 +.Pp
 .It Cm CertificateFile
 Specifies a file from which the user's certificate is read.
 A corresponding private key must be provided separately in order
@@ -424,20 +424,25 @@ If the option is set to
- .Cm no ,
+ (the default),
 the check will not be executed.
 .It Cm Ciphers
 +The default is handled system-wide by
@ -133,8 +129,8 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 The list of available key exchange algorithms may also be obtained using
 .Qq ssh -Q kex .
@@ -1231,37 +1228,33 @@ The default is INFO.
- DEBUG and DEBUG1 are equivalent.
+ file.
- DEBUG2 and DEBUG3 each specify higher levels of verbose output.
+ This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
@ -179,56 +175,57 @@ diff -up openssh-8.2p1/ssh_config.5.crypto-policies openssh-8.2p1/ssh_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm NoHostAuthenticationForLocalhost
-@@ -1394,36 +1387,25 @@ instead of continuing to execute and pas
+@@ -1394,37 +1387,25 @@ instead of continuing to execute and pas
 The default is
 .Cm no .
- .It Cm PubkeyAcceptedKeyTypes
+ .It Cm PubkeyAcceptedAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
 +To see the defaults and how to modify this default, see manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the key types that will be used for public key authentication
+ Specifies the signature algorithms that will be used for public key
- as a comma-separated list of patterns.
+ authentication as a comma-separated list of patterns.
 If the specified list begins with a
 .Sq +
-character, then the key types after it will be appended to the default
+-character, then the algorithms after it will be appended to the default
 -instead of replacing it.
-+character, then the key types after it will be appended to the built-in
+character, then the algorithms after it will be appended to the built-in
 +openssh default instead of replacing it.
 If the specified list begins with a
 .Sq -
- character, then the specified key types (including wildcards) will be removed
+ character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
 +from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
- character, then the specified key types will be placed at the head of the
+ character, then the specified algorithms will be placed at the head of the
 -default set.
 -The default for this option is:
 -.Bd -literal -offset 3n
 -ssh-ed25519-cert-v01@openssh.com,
 -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -ssh-ed25519-cert-v01@openssh.com,
 -sk-ssh-ed25519-cert-v01@openssh.com,
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -rsa-sha2-512-cert-v01@openssh.com,
 -rsa-sha2-256-cert-v01@openssh.com,
 -ssh-rsa-cert-v01@openssh.com,
 -ssh-ed25519,
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 -sk-ssh-ed25519@openssh.com,
 -sk-ecdsa-sha2-nistp256@openssh.com,
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
 +built-in openssh default set.
 .Pp
- The list of available key types may also be obtained using
+ The list of available signature algorithms may also be obtained using
- .Qq ssh -Q PubkeyAcceptedKeyTypes .
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
 diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 --- openssh-8.2p1/sshd_config.5.crypto-policies	2020-03-26 14:40:44.530775355 +0100
 +++ openssh-8.2p1/sshd_config.5	2020-03-26 14:48:56.732468099 +0100
-@@ -375,16 +375,16 @@ If the argument is
+@@ -375,14 +375,13 @@ If the argument is
 then no banner is displayed.
 By default, no banner is displayed.
 .It Cm CASignatureAlgorithms
@ -241,16 +238,13 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 by certificate authorities (CAs).
 -The default is:
 -.Bd -literal -offset indent
-ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
+-ssh-ed25519,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,
-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
+-ecdsa-sha2-nistp521,rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
 -.Pp
 Certificates signed using other algorithms will not be accepted for
 public key or host-based authentication.
 +.Pp
 .It Cm ChallengeResponseAuthentication
 Specifies whether challenge-response authentication is allowed (e.g. via
 PAM or through authentication styles supported in
@@ -446,20 +446,25 @@ The default is
 indicating not to
 .Xr chroot 2 .
@ -295,7 +289,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The list of available ciphers may also be obtained using
 .Qq ssh -Q cipher .
 .It Cm ClientAliveCountMax
-@@ -681,22 +679,24 @@ For this to work
+@@ -681,21 +679,22 @@ For this to work
 .Cm GSSAPIKeyExchange
 needs to be enabled in the server and also used by the client.
 .It Cm GSSAPIKexAlgorithms
@ -326,11 +320,9 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 -.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
 -gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
 This option only applies to connections using GSSAPI.
-+.Pp
+ .It Cm HostbasedAcceptedAlgorithms
- .It Cm HostbasedAcceptedKeyTypes
+ Specifies the signature algorithms that will be accepted for hostbased
- Specifies the key types that will be accepted for hostbased authentication
+@@ -793,26 +793,13 @@ is specified, the location of the socket
 as a list of comma-separated patterns.
@@ -793,25 +793,13 @@ is specified, the location of the socket
 .Ev SSH_AUTH_SOCK
 environment variable.
 .It Cm HostKeyAlgorithms
@ -339,26 +331,27 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 +To see the defaults and how to modify this default, see manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the host key algorithms
+ Specifies the host key signature algorithms
 that the server offers.
 -The default for this option is:
 -.Bd -literal -offset 3n
 -ssh-ed25519-cert-v01@openssh.com,
 -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -ssh-ed25519-cert-v01@openssh.com,
 -sk-ssh-ed25519-cert-v01@openssh.com,
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -rsa-sha2-512-cert-v01@openssh.com,
 -rsa-sha2-256-cert-v01@openssh.com,
 -ssh-rsa-cert-v01@openssh.com,
 -ssh-ed25519,
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 -sk-ssh-ed25519@openssh.com,
 -sk-ecdsa-sha2-nistp256@openssh.com,
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
 -.Pp
- The list of available key types may also be obtained using
+ The list of available signature algorithms may also be obtained using
 .Qq ssh -Q HostKeyAlgorithms .
 .It Cm IgnoreRhosts
@@ -943,20 +931,25 @@ Specifies whether to look at .k5login fi
@ -392,7 +385,7 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 .Pp
 .Bl -item -compact -offset indent
@@ -988,15 +981,6 @@ ecdh-sha2-nistp521
- sntrup4591761x25519-sha512@tinyssh.org
+ sntrup761x25519-sha512@openssh.com
 .El
 .Pp
 -The default is:
@ -408,8 +401,8 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 .Qq ssh -Q KexAlgorithms .
 .It Cm ListenAddress
@@ -1065,21 +1049,26 @@ DEBUG and DEBUG1 are equivalent.
- DEBUG2 and DEBUG3 each specify higher levels of debugging output.
+ file.
- Logging with a DEBUG level violates the privacy of users and is not recommended.
+ This option is intended for debugging and no overrides are enabled by default.
 .It Cm MACs
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
@ -454,49 +447,50 @@ diff -up openssh-8.2p1/sshd_config.5.crypto-policies openssh-8.2p1/sshd_config.5
 The list of available MAC algorithms may also be obtained using
 .Qq ssh -Q mac .
 .It Cm Match
-@@ -1480,36 +1460,25 @@ or equivalent.)
+@@ -1480,37 +1460,25 @@ or equivalent.)
 The default is
 .Cm yes .
- .It Cm PubkeyAcceptedKeyTypes
+ .It Cm PubkeyAcceptedAlgorithms
 +The default is handled system-wide by
 +.Xr crypto-policies 7 .
 +To see the defaults and how to modify this default, see manual page
 +.Xr update-crypto-policies 8 .
 +.Pp
- Specifies the key types that will be accepted for public key authentication
+ Specifies the signature algorithms that will be accepted for public key
- as a list of comma-separated patterns.
+ authentication as a list of comma-separated patterns.
 Alternately if the specified list begins with a
 .Sq +
-character, then the specified key types will be appended to the default set
+-character, then the specified algorithms will be appended to the default set
 -instead of replacing them.
-+character, then the specified key types will be appended to the built-in
+character, then the specified algorithms will be appended to the built-in
 +openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq -
- character, then the specified key types (including wildcards) will be removed
+ character, then the specified algorithms (including wildcards) will be removed
 -from the default set instead of replacing them.
 +from the built-in openssh default set instead of replacing them.
 If the specified list begins with a
 .Sq ^
- character, then the specified key types will be placed at the head of the
+ character, then the specified algorithms will be placed at the head of the
 -default set.
 -The default for this option is:
 -.Bd -literal -offset 3n
 -ssh-ed25519-cert-v01@openssh.com,
 -ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -ecdsa-sha2-nistp384-cert-v01@openssh.com,
 -ecdsa-sha2-nistp521-cert-v01@openssh.com,
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -ssh-ed25519-cert-v01@openssh.com,
 -sk-ssh-ed25519-cert-v01@openssh.com,
 -sk-ecdsa-sha2-nistp256-cert-v01@openssh.com,
 -rsa-sha2-512-cert-v01@openssh.com,
 -rsa-sha2-256-cert-v01@openssh.com,
 -ssh-rsa-cert-v01@openssh.com,
 -ssh-ed25519,
 -ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,
 -sk-ssh-ed25519@openssh.com,
 -sk-ecdsa-sha2-nistp256@openssh.com,
 -ssh-ed25519,sk-ssh-ed25519@openssh.com,
 -rsa-sha2-512,rsa-sha2-256,ssh-rsa
 -.Ed
 +built-in openssh default set.
 .Pp
- The list of available key types may also be obtained using
+ The list of available signature algorithms may also be obtained using
- .Qq ssh -Q PubkeyAcceptedKeyTypes .
+ .Qq ssh -Q PubkeyAcceptedAlgorithms .
--- a/openssh-8.0p1-gssapi-keyex.patch
+++ b/openssh-8.0p1-gssapi-keyex.patch
@ -5,7 +5,7 @@ index e7549470..b68c1710 100644
@@ -109,6 +109,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
 	kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \
 	kexgexc.o kexgexs.o \
- 	sntrup4591761.o kexsntrup4591761x25519.o kexgen.o \
+ 	kexsntrup761x25519.o sntrup761.o kexgen.o \
 +	kexgssc.o \
 	sftp-realpath.o platform-pledge.o platform-tracing.o platform-misc.o \
 	sshbuf-io.o
@ -17,7 +17,7 @@ index e7549470..b68c1710 100644
 -	auth2-gss.o gss-serv.o gss-serv-krb5.o \
 +	auth2-gss.o gss-serv.o gss-serv-krb5.o kexgsss.o \
 	loginrec.o auth-pam.o auth-shadow.o auth-sia.o md5crypt.o \
- 	sftp-server.o sftp-common.o \
+ 	srclimit.o sftp-server.o sftp-common.o \
 	sandbox-null.o sandbox-rlimit.o sandbox-systrace.o sandbox-darwin.o \
 diff --git a/auth.c b/auth.c
 index 086b8ebb..687c57b4 100644
@ -138,7 +138,7 @@ index 9351e042..d6446c0c 100644
 --- a/auth2-gss.c
 +++ b/auth2-gss.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: auth2-gss.c,v 1.29 2018/07/31 03:10:27 djm Exp $ */
+ /* $OpenBSD: auth2-gss.c,v 1.32 2021/01/27 10:15:08 djm Exp $ */
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
@ -165,19 +165,19 @@ index 9351e042..d6446c0c 100644
 +
 +	if ((r = sshpkt_get_string(ssh, &p, &len)) != 0 ||
 +	    (r = sshpkt_get_end(ssh)) != 0)
-+		fatal("%s: %s", __func__, ssh_err(r));
+		fatal_fr(r, "parsing");
 +
 +	if ((b = sshbuf_new()) == NULL)
-+		fatal("%s: sshbuf_new failed", __func__);
+		fatal_f("sshbuf_new failed");
 +
 +	mic.value = p;
 +	mic.length = len;
 +
 +	ssh_gssapi_buildmic(b, authctxt->user, authctxt->service,
-+	    "gssapi-keyex");
+	    "gssapi-keyex", ssh->kex->session_id);
 +
 +	if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
-+		fatal("%s: sshbuf_mutable_ptr failed", __func__);
+		fatal_f("sshbuf_mutable_ptr failed");
 +	gssbuf.length = sshbuf_len(b);
 +
 +	/* gss_kex_context is NULL with privsep, so we can't check it here */
@ -197,7 +197,7 @@ index 9351e042..d6446c0c 100644
  * how to check local user kuserok and the like)
@@ -260,7 +302,8 @@ input_gssapi_exchange_complete(int type, u_int32_t plen, struct ssh *ssh)
 	if ((r = sshpkt_get_end(ssh)) != 0)
- 		fatal("%s: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "parse packet");
 -	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user));
 +	authenticated = PRIVSEP(ssh_gssapi_userok(authctxt->user,
@ -441,7 +441,7 @@ index d56257b4..763a63ff 100644
 --- a/gss-genr.c
 +++ b/gss-genr.c
@@ -1,7 +1,7 @@
- /* $OpenBSD: gss-genr.c,v 1.26 2018/07/10 09:13:30 djm Exp $ */
+ /* $OpenBSD: gss-genr.c,v 1.28 2021/01/27 10:05:28 djm Exp $ */
 /*
 - * Copyright (c) 2001-2007 Simon Wilkinson. All rights reserved.
@ -449,7 +449,7 @@ index d56257b4..763a63ff 100644
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
-@@ -41,12 +41,36 @@
+@@ -41,9 +41,33 @@
 #include "sshbuf.h"
 #include "log.h"
 #include "ssh2.h"
@ -461,9 +461,6 @@ index d56257b4..763a63ff 100644
 #include "ssh-gss.h"
 extern u_char *session_id2;
 extern u_int session_id2_len;
 +typedef struct {
 +	char *encoded;
 +	gss_OID oid;
@ -486,7 +483,7 @@ index d56257b4..763a63ff 100644
 /* sshbuf_get for gss_buffer_desc */
 int
 ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
-@@ -62,6 +86,162 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
+@@ -62,6 +86,159 @@ ssh_gssapi_get_buffer_desc(struct sshbuf *b, gss_buffer_desc *g)
 	return 0;
 }
@ -548,7 +545,7 @@ index d56257b4..763a63ff 100644
 +	    (gss_supported->count + 1));
 +
 +	if ((buf = sshbuf_new()) == NULL)
-+		fatal("%s: sshbuf_new failed", __func__);
+		fatal_f("sshbuf_new failed");
 +
 +	oidpos = 0;
 +	s = cp = xstrdup(kex);
@ -565,8 +562,7 @@ index d56257b4..763a63ff 100644
 +			        gss_supported->elements[i].elements,
 +			        gss_supported->elements[i].length)) != 0 ||
 +			    (r = ssh_digest_final(md, digest, sizeof(digest))) != 0)
-+				fatal("%s: digest failed: %s", __func__,
+				fatal_fr(r, "digest failed");
 +				    ssh_err(r));
 +			ssh_digest_free(md);
 +			md = NULL;
 +
@ -581,12 +577,10 @@ index d56257b4..763a63ff 100644
 +				(p = strsep(&cp, ","))) {
 +				if (sshbuf_len(buf) != 0 &&
 +				    (r = sshbuf_put_u8(buf, ',')) != 0)
-+					fatal("%s: sshbuf_put_u8 error: %s",
+					fatal_fr(r, "sshbuf_put_u8 error");
 +					    __func__, ssh_err(r));
 +				if ((r = sshbuf_put(buf, p, strlen(p))) != 0 ||
 +				    (r = sshbuf_put(buf, encoded, enclen)) != 0)
-+					fatal("%s: sshbuf_put error: %s",
+					fatal_fr(r, "sshbuf_put error");
 +					    __func__, ssh_err(r));
 +			}
 +
 +			gss_enc2oid[oidpos].oid = &(gss_supported->elements[i]);
@ -599,7 +593,7 @@ index d56257b4..763a63ff 100644
 +	gss_enc2oid[oidpos].encoded = NULL;
 +
 +	if ((mechs = sshbuf_dup_string(buf)) == NULL)
-+		fatal("%s: sshbuf_dup_string failed", __func__);
+		fatal_f("sshbuf_dup_string failed");
 +
 +	sshbuf_free(buf);
 +
@ -721,7 +715,7 @@ index d56257b4..763a63ff 100644
 +
 void
 ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
-     const char *context)
+     const char *context, const struct sshbuf *session_id)
@@ -273,11 +500,16 @@ ssh_gssapi_buildmic(struct sshbuf *b, const char *user, const char *service,
 }
@ -1123,10 +1117,10 @@ index ab3a15f0..6ce56e92 100644
 +
 +	if (gssapi_client.store.data != NULL) {
 +		if ((problem = krb5_cc_resolve(gssapi_client.store.data, gssapi_client.store.envval, &ccache))) {
-+			debug("%s: krb5_cc_resolve(): %.100s", __func__,
+			debug_f("krb5_cc_resolve(): %.100s",
 +				krb5_get_err_text(gssapi_client.store.data, problem));
 +		} else if ((problem = krb5_cc_destroy(gssapi_client.store.data, ccache))) {
-+			debug("%s: krb5_cc_destroy(): %.100s", __func__,
+			debug_f("krb5_cc_destroy(): %.100s",
 +				krb5_get_err_text(gssapi_client.store.data, problem));
 +		} else {
 +			krb5_free_context(gssapi_client.store.data);
@ -1375,7 +1369,7 @@ index ce85f043..574c7609 100644
@@ -698,6 +755,9 @@ kex_free(struct kex *kex)
 	sshbuf_free(kex->server_version);
 	sshbuf_free(kex->client_pub);
- 	free(kex->session_id);
+ 	sshbuf_free(kex->session_id);
 +#ifdef GSSAPI
 +	free(kex->gss_host);
 +#endif /* GSSAPI */
@ -1389,7 +1383,7 @@ index a5ae6ac0..fe714141 100644
@@ -102,6 +102,15 @@ enum kex_exchange {
 	KEX_ECDH_SHA2,
 	KEX_C25519_SHA256,
- 	KEX_KEM_SNTRUP4591761X25519_SHA512,
+ 	KEX_KEM_SNTRUP761X25519_SHA512,
 +#ifdef GSSAPI
 +	KEX_GSS_GRP1_SHA1,
 +	KEX_GSS_GRP14_SHA1,
@ -1498,7 +1492,7 @@ new file mode 100644
 index 00000000..f6e1405e
 --- /dev/null
 +++ b/kexgssc.c
-@@ -0,0 +1,606 @@
+@@ -0,0 +1,599 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
 + *
@ -1597,7 +1591,7 @@ index 00000000..f6e1405e
 +		r = kex_c25519_keypair(kex);
 +		break;
 +	default:
-+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+		fatal_f("Unexpected KEX type %d", kex->kex_type);
 +	}
 +	if (r != 0)
 +		return r;
@ -1785,7 +1779,7 @@ index 00000000..f6e1405e
 +	    server_blob,
 +	    shared_secret,
 +	    hash, &hashlen)) != 0)
-+		fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+		fatal_f("Unexpected KEX type %d", kex->kex_type);
 +
 +	gssbuf.value = hash;
 +	gssbuf.length = hashlen;
@ -2074,13 +2068,6 @@ index 00000000..f6e1405e
 +
 +	gss_release_buffer(&min_status, &msg_tok);
 +
 +	/* save session id */
 +	if (kex->session_id == NULL) {
 +		kex->session_id_len = hashlen;
 +		kex->session_id = xmalloc(kex->session_id_len);
 +		memcpy(kex->session_id, hash, kex->session_id_len);
 +	}
 +
 +	if (kex->gss_deleg_creds)
 +		ssh_gssapi_credentials_updated(ctxt);
 +
@ -2202,12 +2189,12 @@ index 00000000..60bc02de
 +		free(mechs);
 +	}
 +
-+	debug2("%s: Identifying %s", __func__, kex->name);
+	debug2_f("Identifying %s", kex->name);
 +	oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
 +	if (oid == GSS_C_NO_OID)
 +	   fatal("Unknown gssapi mechanism");
 +
-+	debug2("%s: Acquiring credentials", __func__);
+	debug2_f("Acquiring credentials");
 +
 +	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
 +		fatal("Unable to acquire credentials for the server");
@ -2242,7 +2229,7 @@ index 00000000..60bc02de
 +				    &shared_secret);
 +				break;
 +			default:
-+				fatal("%s: Unexpected KEX type %d", __func__, kex->kex_type);
+				fatal_f("Unexpected KEX type %d", kex->kex_type);
 +			}
 +			if (r != 0)
 +				goto out;
@ -2398,12 +2385,12 @@ index 00000000..60bc02de
 +		if ((mechs = ssh_gssapi_server_mechanisms()))
 +			free(mechs);
 +
-+	debug2("%s: Identifying %s", __func__, kex->name);
+	debug2_f("Identifying %s", kex->name);
 +	oid = ssh_gssapi_id_kex(NULL, kex->name, kex->kex_type);
 +	if (oid == GSS_C_NO_OID)
 +	   fatal("Unknown gssapi mechanism");
 +
-+	debug2("%s: Acquiring credentials", __func__);
+	debug2_f("Acquiring credentials");
 +
 +	if (GSS_ERROR(PRIVSEP(ssh_gssapi_server_ctx(&ctxt, oid))))
 +		fatal("Unable to acquire credentials for the server");
@ -2641,44 +2628,44 @@ index 2ce89fe9..ebf76c7f 100644
 		monitor_permit(mon_dispatch, MONITOR_REQ_PTY, 1);
@@ -1713,6 +1730,17 @@ monitor_apply_keystate(struct ssh *ssh, struct monitor *pmonitor)
 # ifdef OPENSSL_HAS_ECC
- 		kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
+ 	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
 # endif
 +# ifdef GSSAPI
-+		if (options.gss_keyex) {
+	if (options.gss_keyex) {
-+			kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_GRP1_SHA1] = kexgss_server;
-+			kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
+		kex->kex[KEX_GSS_GRP14_SHA1] = kexgss_server;
-+			kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
+		kex->kex[KEX_GSS_GRP14_SHA256] = kexgss_server;
-+			kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
+		kex->kex[KEX_GSS_GRP16_SHA512] = kexgss_server;
-+			kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
+		kex->kex[KEX_GSS_GEX_SHA1] = kexgssgex_server;
-+			kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
+		kex->kex[KEX_GSS_NISTP256_SHA256] = kexgss_server;
-+			kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
+		kex->kex[KEX_GSS_C25519_SHA256] = kexgss_server;
-+		}
+	}
 +# endif
 #endif /* WITH_OPENSSL */
- 		kex->kex[KEX_C25519_SHA256] = kex_gen_server;
+ 	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
- 		kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
+ 	kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
@@ -1806,8 +1834,8 @@ mm_answer_gss_setup_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 	u_char *p;
 	int r;
 -	if (!options.gss_authentication)
-		fatal("%s: GSSAPI authentication not enabled", __func__);
+-		fatal_f("GSSAPI authentication not enabled");
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("%s: GSSAPI not enabled", __func__);
+		fatal_f("GSSAPI not enabled");
 	if ((r = sshbuf_get_string(m, &p, &len)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "parse");
@@ -1839,8 +1867,8 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 	OM_uint32 flags = 0; /* GSI needs this */
 	int r;
 -	if (!options.gss_authentication)
-		fatal("%s: GSSAPI authentication not enabled", __func__);
+-		fatal_f("GSSAPI authentication not enabled");
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("%s: GSSAPI not enabled", __func__);
+		fatal_f("GSSAPI not enabled");
 	if ((r = ssh_gssapi_get_buffer_desc(m, &in)) != 0)
- 		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+ 		fatal_fr(r, "ssh_gssapi_get_buffer_desc");
@@ -1860,6 +1888,7 @@ mm_answer_gss_accept_ctx(struct ssh *ssh, int sock, struct sshbuf *m)
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
 		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
@ -2692,9 +2679,9 @@ index 2ce89fe9..ebf76c7f 100644
 	int r;
 -	if (!options.gss_authentication)
-		fatal("%s: GSSAPI authentication not enabled", __func__);
+-		fatal_f("GSSAPI authentication not enabled");
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("%s: GSSAPI not enabled", __func__);
+		fatal_f("GSSAPI not enabled");
 	if ((r = ssh_gssapi_get_buffer_desc(m, &gssbuf)) != 0 ||
 	    (r = ssh_gssapi_get_buffer_desc(m, &mic)) != 0)
@ -2707,13 +2694,13 @@ index 2ce89fe9..ebf76c7f 100644
 	const char *displayname;
 -	if (!options.gss_authentication)
-		fatal("%s: GSSAPI authentication not enabled", __func__);
+-		fatal_f("GSSAPI authentication not enabled");
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("%s: GSSAPI not enabled", __func__);
+		fatal_f("GSSAPI not enabled");
 -	authenticated = authctxt->valid && ssh_gssapi_userok(authctxt->user);
 +	if ((r = sshbuf_get_u32(m, &kex)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	authenticated = authctxt->valid &&
 +	    ssh_gssapi_userok(authctxt->user, authctxt->pw, kex);
@ -2721,7 +2708,7 @@ index 2ce89fe9..ebf76c7f 100644
 	sshbuf_reset(m);
 	if ((r = sshbuf_put_u32(m, authenticated)) != 0)
@@ -1913,7 +1946,11 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
- 	debug3("%s: sending result %d", __func__, authenticated);
+ 	debug3_f("sending result %d", authenticated);
 	mm_request_send(sock, MONITOR_ANS_GSSUSEROK, m);
 -	auth_method = "gssapi-with-mic";
@ -2733,7 +2720,7 @@ index 2ce89fe9..ebf76c7f 100644
 	if ((displayname = ssh_gssapi_displayname()) != NULL)
 		auth2_record_info(authctxt, "%s", displayname);
-@@ -1921,5 +1958,85 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
+@@ -1921,5 +1958,84 @@ mm_answer_gss_userok(struct ssh *ssh, int sock, struct sshbuf *m)
 	/* Monitor loop will terminate if authenticated */
 	return (authenticated);
 }
@ -2749,16 +2736,15 @@ index 2ce89fe9..ebf76c7f 100644
 +	int r;
 +
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("%s: GSSAPI not enabled", __func__);
+		fatal_f("GSSAPI not enabled");
 +
 +	if ((r = sshbuf_get_string(m, &p, &len)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +	data.value = p;
 +	data.length = len;
 +	/* Lengths of SHA-1, SHA-256 and SHA-512 hashes that are used */
 +	if (data.length != 20 && data.length != 32 && data.length != 64)
-+		fatal("%s: data length incorrect: %d", __func__,
+		fatal_f("data length incorrect: %d", (int) data.length);
 +		    (int) data.length);
 +
 +	/* Save the session ID on the first time around */
 +	if (session_id2_len == 0) {
@ -2774,7 +2760,7 @@ index 2ce89fe9..ebf76c7f 100644
 +
 +	if ((r = sshbuf_put_u32(m, major)) != 0 ||
 +	    (r = sshbuf_put_string(m, hash.value, hash.length)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(socket, MONITOR_ANS_GSSSIGN, m);
 +
@ -2795,12 +2781,12 @@ index 2ce89fe9..ebf76c7f 100644
 +	int r, ok;
 +
 +	if (!options.gss_authentication && !options.gss_keyex)
-+		fatal("%s: GSSAPI not enabled", __func__);
+		fatal_f("GSSAPI not enabled");
 +
 +	if ((r = sshbuf_get_string(m, (u_char **)&store.filename, NULL)) != 0 ||
 +	    (r = sshbuf_get_string(m, (u_char **)&store.envvar, NULL)) != 0 ||
 +	    (r = sshbuf_get_string(m, (u_char **)&store.envval, NULL)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	ok = ssh_gssapi_update_creds(&store);
 +
@ -2810,7 +2796,7 @@ index 2ce89fe9..ebf76c7f 100644
 +
 +	sshbuf_reset(m);
 +	if ((r = sshbuf_put_u32(m, ok)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(socket, MONITOR_ANS_GSSUPCREDS, m);
 +
@ -2847,14 +2833,14 @@ index 001a8fa1..6edb509a 100644
 	int r, authenticated = 0;
 	if ((m = sshbuf_new()) == NULL)
- 		fatal("%s: sshbuf_new failed", __func__);
+ 		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_u32(m, kex)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUSEROK, m);
 	mm_request_receive_expect(pmonitor->m_recvfd,
@@ -1012,4 +1014,57 @@ mm_ssh_gssapi_userok(char *user)
- 	debug3("%s: user %sauthenticated",__func__, authenticated ? "" : "not ");
+ 	debug3_f("user %sauthenticated", authenticated ? "" : "not ");
 	return (authenticated);
 }
 +
@ -2866,16 +2852,16 @@ index 001a8fa1..6edb509a 100644
 +	int r;
 +
 +	if ((m = sshbuf_new()) == NULL)
-+		fatal("%s: sshbuf_new failed", __func__);
+		fatal_f("sshbuf_new failed");
 +	if ((r = sshbuf_put_string(m, data->value, data->length)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSSIGN, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSSIGN, m);
 +
 +	if ((r = sshbuf_get_u32(m, &major)) != 0 ||
 +	    (r = ssh_gssapi_get_buffer_desc(m, hash)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	sshbuf_free(m);
 +
@ -2889,7 +2875,7 @@ index 001a8fa1..6edb509a 100644
 +	int r, ok;
 +
 +	if ((m = sshbuf_new()) == NULL)
-+		fatal("%s: sshbuf_new failed", __func__);
+		fatal_f("sshbuf_new failed");
 +
 +	if ((r = sshbuf_put_cstring(m,
 +	    store->filename ? store->filename : "")) != 0 ||
@ -2897,13 +2883,13 @@ index 001a8fa1..6edb509a 100644
 +	    store->envvar ? store->envvar : "")) != 0 ||
 +	    (r = sshbuf_put_cstring(m,
 +	    store->envval ? store->envval : "")) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	mm_request_send(pmonitor->m_recvfd, MONITOR_REQ_GSSUPCREDS, m);
 +	mm_request_receive_expect(pmonitor->m_recvfd, MONITOR_ANS_GSSUPCREDS, m);
 +
 +	if ((r = sshbuf_get_u32(m, &ok)) != 0)
-+		fatal("%s: buffer error: %s", __func__, ssh_err(r));
+		fatal_fr(r, "buffer error");
 +
 +	sshbuf_free(m);
 +
@ -3124,7 +3110,7 @@ index 70f5f73f..191575a1 100644
 		options->password_authentication = 1;
 	if (options->kbd_interactive_authentication == -1)
@@ -531,6 +543,7 @@ typedef enum {
- 	sHostKeyAlgorithms,
+ 	sHostKeyAlgorithms, sPerSourceMaxStartups, sPerSourceNetBlockSize,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
 +	sGssKeyEx, sGssKexAlgorithms, sGssStoreRekey,
@ -3246,7 +3232,7 @@ index 36180d07..70dd3665 100644
 --- a/ssh-gss.h
 +++ b/ssh-gss.h
@@ -1,6 +1,6 @@
- /* $OpenBSD: ssh-gss.h,v 1.14 2018/07/10 09:13:30 djm Exp $ */
+ /* $OpenBSD: ssh-gss.h,v 1.15 2021/01/27 10:05:28 djm Exp $ */
 /*
 - * Copyright (c) 2001-2003 Simon Wilkinson. All rights reserved.
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@ -3332,7 +3318,7 @@ index 36180d07..70dd3665 100644
@@ -123,17 +149,33 @@ void ssh_gssapi_delete_ctx(Gssctxt **);
 OM_uint32 ssh_gssapi_sign(Gssctxt *, gss_buffer_t, gss_buffer_t);
 void ssh_gssapi_buildmic(struct sshbuf *, const char *,
-     const char *, const char *);
+     const char *, const char *, const struct sshbuf *);
 -int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *);
 +int ssh_gssapi_check_mechanism(Gssctxt **, gss_OID, const char *, const char *);
 +OM_uint32 ssh_gssapi_client_identity(Gssctxt *, const char *);
@ -3382,7 +3368,7 @@ index 60de6087..db5c65bc 100644
 +.It GSSAPITrustDns
 .It HashKnownHosts
 .It Host
- .It HostbasedAuthentication
+ .It HostbasedAcceptedAlgorithms
@@ -579,6 +585,8 @@ flag),
 (supported message integrity codes),
 .Ar kex
@ -3526,9 +3512,9 @@ index af00fb30..03bc87eb 100644
 +
 	xxx_host = host;
 	xxx_hostaddr = hostaddr;
- 
+ 	xxx_conn_info = cinfo;
@@ -206,6 +209,42 @@ ssh_kex2(struct ssh *ssh, char *host, struct sockaddr *hostaddr, u_short port)
- 		    compat_pkalg_proposal(options.hostkeyalgorithms);
+ 		    compat_pkalg_proposal(ssh, options.hostkeyalgorithms);
 	}
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3588,7 +3574,7 @@ index af00fb30..03bc87eb 100644
 +# endif
 +#endif /* WITH_OPENSSL */
 	ssh->kex->kex[KEX_C25519_SHA256] = kex_gen_client;
- 	ssh->kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_client;
+	ssh->kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_client;
 	ssh->kex->verify_host_key=&verify_host_key_callback;
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
@ -3604,7 +3590,7 @@ index af00fb30..03bc87eb 100644
 	/* remove ext-info from the KEX proposals for rekeying */
 	myproposal[PROPOSAL_KEX_ALGS] =
- 	    compat_kex_proposal(options.kex_algorithms);
+ 	    compat_kex_proposal(ssh, options.kex_algorithms);
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
 +	/* repair myproposal after it was crumpled by the */
 +	/* ext-info removal above */
@ -3616,7 +3602,7 @@ index af00fb30..03bc87eb 100644
 +	}
 +#endif
 	if ((r = kex_prop2buf(ssh->kex->my, myproposal)) != 0)
- 		fatal("kex_prop2buf: %s", ssh_err(r));
+ 		fatal_r(r, "kex_prop2buf");
@@ -330,6 +392,7 @@ static int input_gssapi_response(int type, u_int32_t, struct ssh *);
 static int input_gssapi_token(int type, u_int32_t, struct ssh *);
@ -3714,13 +3700,13 @@ index af00fb30..03bc87eb 100644
 +	}
 +
 +	if ((b = sshbuf_new()) == NULL)
-+		fatal("%s: sshbuf_new failed", __func__);
+		fatal_f("sshbuf_new failed");
 +
 +	ssh_gssapi_buildmic(b, authctxt->server_user, authctxt->service,
-+	    "gssapi-keyex");
+	    "gssapi-keyex", ssh->kex->session_id);
 +
 +	if ((gssbuf.value = sshbuf_mutable_ptr(b)) == NULL)
-+		fatal("%s: sshbuf_mutable_ptr failed", __func__);
+		fatal_f("sshbuf_mutable_ptr failed");
 +	gssbuf.length = sshbuf_len(b);
 +
 +	if (GSS_ERROR(ssh_gssapi_sign(gss_kex_context, &gssbuf, &mic))) {
@ -3734,7 +3720,7 @@ index af00fb30..03bc87eb 100644
 +	    (r = sshpkt_put_cstring(ssh, authctxt->method->name)) != 0 ||
 +	    (r = sshpkt_put_string(ssh, mic.value, mic.length)) != 0 ||
 +	    (r = sshpkt_send(ssh)) != 0)
-+		fatal("%s: %s", __func__, ssh_err(r));
+		fatal_fr(r, "parsing");
 +
 +	sshbuf_free(b);
 +	gss_release_buffer(&ms, &mic);
@ -3751,11 +3737,11 @@ index 60b2aaf7..d92f03aa 100644
 +++ b/sshd.c
@@ -817,8 +817,8 @@ notify_hostkeys(struct ssh *ssh)
 	}
- 	debug3("%s: sent %u hostkeys", __func__, nkeys);
+ 	debug3_f("sent %u hostkeys", nkeys);
 	if (nkeys == 0)
-		fatal("%s: no hostkeys", __func__);
+-		fatal_f("no hostkeys");
 -	if ((r = sshpkt_send(ssh)) != 0)
-+		debug3("%s: no hostkeys", __func__);
+		debug3_f("no hostkeys");
 +	else if ((r = sshpkt_send(ssh)) != 0)
 		sshpkt_fatal(ssh, r, "%s: send", __func__);
 	sshbuf_free(buf);
@ -3772,7 +3758,7 @@ index 60b2aaf7..d92f03aa 100644
 	}
@@ -2347,6 +2348,48 @@ do_ssh2_kex(struct ssh *ssh)
 	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = compat_pkalg_proposal(
- 	    list_hostkey_types());
+ 	    ssh, list_hostkey_types());
 +#if defined(GSSAPI) && defined(WITH_OPENSSL)
 +	{
@ -3818,7 +3804,7 @@ index 60b2aaf7..d92f03aa 100644
 +
 	/* start key exchange */
 	if ((r = kex_setup(ssh, myproposal)) != 0)
- 		fatal("kex_setup: %s", ssh_err(r));
+ 		fatal_r(r, "kex_setup");
@@ -2362,7 +2405,18 @@ do_ssh2_kex(struct ssh *ssh)
 # ifdef OPENSSL_HAS_ECC
 	kex->kex[KEX_ECDH_SHA2] = kex_gen_server;
@ -3837,7 +3823,7 @@ index 60b2aaf7..d92f03aa 100644
 +# endif
 +#endif /* WITH_OPENSSL */
 	kex->kex[KEX_C25519_SHA256] = kex_gen_server;
- 	kex->kex[KEX_KEM_SNTRUP4591761X25519_SHA512] = kex_gen_server;
+ 	kex->kex[KEX_KEM_SNTRUP761X25519_SHA512] = kex_gen_server;
 	kex->load_host_public_key=&get_hostkey_public_by_type;
 diff --git a/sshd_config b/sshd_config
 index 19b7c91a..2c48105f 100644
@ -3898,9 +3884,9 @@ index 70ccea44..f6b41a2f 100644
 +.Dq gss-group14-sha256-,gss-group16-sha512-,gss-nistp256-sha256-,
 +gss-curve25519-sha256-,gss-group14-sha1-,gss-gex-sha1- .
 +This option only applies to connections using GSSAPI.
- .It Cm HostbasedAcceptedKeyTypes
+ .It Cm HostbasedAcceptedAlgorithms
- Specifies the key types that will be accepted for hostbased authentication
+ Specifies the signature algorithms that will be accepted for hostbased
- as a list of comma-separated patterns.
+ authentication as a list of comma-separated patterns.
 diff --git a/sshkey.c b/sshkey.c
 index 57995ee6..fd5b7724 100644
 --- a/sshkey.c
--- a/openssh-8.0p1-openssl-kdf.patch
+++ b/openssh-8.0p1-openssl-kdf.patch
@ -96,7 +96,7 @@ index b6f041f4..1fbce2bb 100644
 +		goto out;
 +	}
 +	r = EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID,
-+	    kex->session_id, kex->session_id_len);
+	    sshbuf_ptr(kex->session_id), sshbuf_len(kex->session_id));
 +	if (r != 1) {
 +		r = SSH_ERR_LIBCRYPTO_ERROR;
 +		goto out;
--- a/openssh-8.0p1-pkcs11-uri.patch
+++ b/openssh-8.0p1-pkcs11-uri.patch
@ -57,26 +57,26 @@ index e7549470..4511f82a 100644
 	rm -f regress/unittests/utf8/test_utf8$(EXEEXT)
 +	rm -f regress/unittests/pkcs11/*.o
 +	rm -f regress/unittests/pkcs11/test_pkcs11$(EXEEXT)
 	rm -f regress/misc/kexfuzz/*.o
 	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 	rm -f regress/misc/sk-dummy/*.o
 	rm -f regress/misc/sk-dummy/*.lo
 	rm -f regress/misc/sk-dummy/sk-dummy.so
@@ -322,6 +324,8 @@ distclean:	regressclean
 	rm -f regress/unittests/match/test_match
 	rm -f regress/unittests/utf8/*.o
 	rm -f regress/unittests/utf8/test_utf8
 +	rm -f regress/unittests/pkcs11/*.o
 +	rm -f regress/unittests/pkcs11/test_pkcs11
 	rm -f regress/misc/kexfuzz/*.o
 	rm -f regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 	(cd openbsd-compat && $(MAKE) distclean)
 	if test -d pkg ; then \
 		rm -fr pkg ; \
@@ -490,6 +494,7 @@ regress-prep:
 	$(MKDIR_P) `pwd`/regress/unittests/kex
 	$(MKDIR_P) `pwd`/regress/unittests/match
 	$(MKDIR_P) `pwd`/regress/unittests/utf8
 +	$(MKDIR_P) `pwd`/regress/unittests/pkcs11
 	$(MKDIR_P) `pwd`/regress/misc/kexfuzz
 	$(MKDIR_P) `pwd`/regress/misc/sk-dummy
 	[ -f `pwd`/regress/Makefile ] || \
 	    ln -s `cd $(srcdir) && pwd`/regress/Makefile `pwd`/regress/Makefile
@@ -617,6 +622,16 @@ regress/unittests/utf8/test_utf8$(EXEEXT): \
 	    regress/unittests/test_helper/libtest_helper.a \
 	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@ -91,17 +91,17 @@ index e7549470..4511f82a 100644
 +	    regress/unittests/test_helper/libtest_helper.a \
 +	    -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 +
- MISC_KEX_FUZZ_OBJS=\
+ # These all need to be compiled -fPIC, so they are treated differently.
- 	regress/misc/kexfuzz/kexfuzz.o \
+ SK_DUMMY_OBJS=\
- 	$(SKOBJS)
+ 	regress/misc/sk-dummy/sk-dummy.lo \
@@ -655,6 +670,7 @@ regress-unit-binaries: regress-prep $(REGRESSLIBS) \
 	regress/unittests/kex/test_kex$(EXEEXT) \
 	regress/unittests/match/test_match$(EXEEXT) \
 	regress/unittests/utf8/test_utf8$(EXEEXT) \
 +	regress/unittests/pkcs11/test_pkcs11$(EXEEXT) \
 	regress/misc/kexfuzz/kexfuzz$(EXEEXT)
 tests:	file-tests t-exec interop-tests unit
 	echo all tests passed
 diff --git a/configure.ac b/configure.ac
 index b689db4b..98d3ce4f 100644
 --- a/configure.ac
@ -1075,10 +1075,10 @@ index 7eb6f0dc..27d8e4af 100644
 +	char *provider = NULL, *pin = NULL, *sane_uri = NULL;
 	char **comments = NULL;
 	int r, i, count = 0, success = 0, confirm = 0;
- 	u_int seconds;
+ 	u_int seconds = 0;
@@ -681,33 +743,28 @@ process_add_smartcard_key(SocketEntry *e)
- 			goto send;
+ 		error_f("failed to parse constraints");
- 		}
+ 		goto send;
 	}
 -	if (realpath(provider, canonical_provider) == NULL) {
 -		verbose("failed PKCS#11 add of \"%.100s\": realpath: %s",
@ -1093,13 +1093,13 @@ index 7eb6f0dc..27d8e4af 100644
 +	if (sane_uri == NULL)
 		goto send;
 -	}
-	debug("%s: add %.100s", __func__, canonical_provider);
+-	debug_f("add %.100s", canonical_provider);
 +
 	if (lifetime && !death)
 		death = monotime() + lifetime;
 -	count = pkcs11_add_provider(canonical_provider, pin, &keys, &comments);
-+	debug("%s: add %.100s", __func__, sane_uri);
+	debug_f("add %.100s", sane_uri);
 +	count = pkcs11_add_provider(sane_uri, pin, &keys, &comments);
 	for (i = 0; i < count; i++) {
 		k = keys[i];
@ -1147,8 +1147,8 @@ index 7eb6f0dc..27d8e4af 100644
 		goto send;
 -	}
-	debug("%s: remove %.100s", __func__, canonical_provider);
+-	debug_f("remove %.100s", canonical_provider);
-+	debug("%s: remove %.100s", __func__, sane_uri);
+	debug_f("remove %.100s", sane_uri);
 	for (id = TAILQ_FIRST(&idtab->idlist); id; id = nxt) {
 		nxt = TAILQ_NEXT(id, next);
 		/* Skip file--based keys */
@ -1165,7 +1165,7 @@ index 7eb6f0dc..27d8e4af 100644
 +	if (pkcs11_del_provider(sane_uri) == 0)
 		success = 1;
 	else
- 		error("%s: pkcs11_del_provider failed", __func__);
+ 		error_f("pkcs11_del_provider failed");
 send:
 	free(provider);
 +	free(sane_uri);
@ -1198,7 +1198,7 @@ index 8a0ffef5..ead8a562 100644
 	u_int nkeys, i;
 	struct sshbuf *msg;
-+	debug("%s: called, name = %s", __func__, name);
+	debug_f("called, name = %s", name);
 +
 	if (fd < 0 && pkcs11_start_helper() < 0)
 		return (-1);
@ -1207,7 +1207,7 @@ index 8a0ffef5..ead8a562 100644
 		*keysp = xcalloc(nkeys, sizeof(struct sshkey *));
 		if (labelsp)
 			*labelsp = xcalloc(nkeys, sizeof(char *));
-+		debug("%s: nkeys = %u", __func__, nkeys);
+		debug_f("nkeys = %u", nkeys);
 		for (i = 0; i < nkeys; i++) {
 			/* XXX clean up properly instead of fatal() */
 			if ((r = sshbuf_get_string(msg, &blob, &blen)) != 0 ||
@ -1216,7 +1216,7 @@ new file mode 100644
 index 00000000..e1a7b4e0
 --- /dev/null
 +++ b/ssh-pkcs11-uri.c
-@@ -0,0 +1,425 @@
+@@ -0,0 +1,419 @@
 +/*
 + * Copyright (c) 2017 Red Hat
 + *
@ -1493,13 +1493,12 @@ index 00000000..e1a7b4e0
 +	size_t scheme_len = strlen(PKCS11_URI_SCHEME);
 +	if (strlen(uri) < scheme_len || /* empty URI matches everything */
 +	    strncmp(uri, PKCS11_URI_SCHEME, scheme_len) != 0) {
-+		error("%s: The '%s' does not look like PKCS#11 URI",
+		error_f("The '%s' does not look like PKCS#11 URI", uri);
 +		    __func__, uri);
 +		return -1;
 +	}
 +
 +	if (pkcs11 == NULL) {
-+		error("%s: Bad arguments. The pkcs11 can't be null", __func__);
+		error_f("Bad arguments. The pkcs11 can't be null");
 +		return -1;
 +	}
 +
@ -1510,7 +1509,7 @@ index 00000000..e1a7b4e0
 +	/* everything before ? */
 +	tok = strtok_r(str1, "?", &saveptr1);
 +	if (tok == NULL) {
-+		error("%s: pk11-path expected, got EOF", __func__);
+		error_f("pk11-path expected, got EOF");
 +		rv = -1;
 +		goto out;
 +	}
@ -1536,35 +1535,32 @@ index 00000000..e1a7b4e0
 +		case pId:
 +			/* CKA_ID */
 +			if (pkcs11->id != NULL) {
-+				verbose("%s: The id already set in the PKCS#11 URI",
+				verbose_f("The id already set in the PKCS#11 URI");
 +					__func__);
 +				rv = -1;
 +				goto out;
 +			}
 +			len = percent_decode(arg, &pkcs11->id);
 +			if (len <= 0) {
-+				verbose("%s: Failed to percent-decode CKA_ID: %s",
+				verbose_f("Failed to percent-decode CKA_ID: %s", arg);
 +				    __func__, arg);
 +				rv = -1;
 +				goto out;
 +			} else
 +				pkcs11->id_len = len;
-+			debug3("%s: Setting CKA_ID = %s from PKCS#11 URI",
+			debug3_f("Setting CKA_ID = %s from PKCS#11 URI", arg);
 +			    __func__, arg);
 +			break;
 +		case pToken:
 +			/* CK_TOKEN_INFO -> label */
 +			charptr = &pkcs11->token;
 + parse_string:
 +			if (*charptr != NULL) {
-+				verbose("%s: The %s already set in the PKCS#11 URI",
+				verbose_f("The %s already set in the PKCS#11 URI",
-+				    keywords[opcode].name, __func__);
+				    keywords[opcode].name);
 +				rv = -1;
 +				goto out;
 +			}
 +			percent_decode(arg, charptr);
-+			debug3("%s: Setting %s = %s from PKCS#11 URI",
+			debug3_f("Setting %s = %s from PKCS#11 URI",
-+			    __func__, keywords[opcode].name, *charptr);
+			    keywords[opcode].name, *charptr);
 +			break;
 +
 +		case pObject:
@ -1584,8 +1580,7 @@ index 00000000..e1a7b4e0
 +
 +		default:
 +			/* Unrecognized attribute in the URI path SHOULD be error */
-+			verbose("%s: Unknown part of path in PKCS#11 URI: %s",
+			verbose_f("Unknown part of path in PKCS#11 URI: %s", tok);
 +			    __func__, tok);
 +		}
 +	}
 +
@ -1608,32 +1603,31 @@ index 00000000..e1a7b4e0
 +		case pModulePath:
 +			/* module-path is PKCS11Provider */
 +			if (pkcs11->module_path != NULL) {
-+				verbose("%s: Multiple module-path attributes are"
+				verbose_f("Multiple module-path attributes are"
-+				    "not supported the PKCS#11 URI", __func__);
+				    "not supported the PKCS#11 URI");
 +				rv = -1;
 +				goto out;
 +			}
 +			percent_decode(arg, &pkcs11->module_path);
-+			debug3("%s: Setting PKCS11Provider = %s from PKCS#11 URI",
+			debug3_f("Setting PKCS11Provider = %s from PKCS#11 URI",
-+			    __func__, pkcs11->module_path);
+			    pkcs11->module_path);
 +			break;
 +
 +		case pPinValue:
 +			/* pin-value */
 +			if (pkcs11->pin != NULL) {
-+				verbose("%s: Multiple pin-value attributes are"
+				verbose_f("Multiple pin-value attributes are"
-+				    "not supported the PKCS#11 URI", __func__);
+				    "not supported the PKCS#11 URI");
 +				rv = -1;
 +				goto out;
 +			}
 +			percent_decode(arg, &pkcs11->pin);
-+			debug3("%s: Setting PIN from PKCS#11 URI", __func__);
+			debug3_f("Setting PIN from PKCS#11 URI");
 +			break;
 +
 +		default:
 +			/* Unrecognized attribute in the URI query SHOULD be ignored */
-+			verbose("%s: Unknown part of query in PKCS#11 URI: %s",
+			verbose_f("Unknown part of query in PKCS#11 URI: %s", tok);
 +			    __func__, tok);
 +		}
 +	}
 +out:
@ -1727,7 +1721,7 @@ index a302c79c..879fe917 100644
 };
 int pkcs11_interactive = 0;
-@@ -106,26 +114,63 @@ pkcs11_init(int interactive)
+@@ -106,26 +114,61 @@ pkcs11_init(int interactive)
  * this is called when a provider gets unregistered.
  */
 static void
@ -1740,8 +1734,7 @@ index a302c79c..879fe917 100644
 -	debug("pkcs11_provider_finalize: %p refcount %d valid %d",
 -	    p, p->refcount, p->valid);
 -	if (!p->valid)
-+	debug("%s: %p refcount %d valid %d", __func__,
+	debug_f("%p refcount %d valid %d", m, m->refcount, m->valid);
 +	    m, m->refcount, m->valid);
 +	if (!m->valid)
 		return;
 -	for (i = 0; i < p->nslots; i++) {
@ -1769,11 +1762,11 @@ index a302c79c..879fe917 100644
 +static void
 +pkcs11_module_unref(struct pkcs11_module *m)
 +{
-+	debug("%s: %p refcount %d", __func__, m, m->refcount);
+	debug_f("%p refcount %d", m, m->refcount);
 +	if (--m->refcount <= 0) {
 +		pkcs11_module_finalize(m);
 +		if (m->valid)
-+			error("%s: %p still valid", __func__, m);
+			error_f("%p still valid", m);
 +		free(m->slotlist);
 +		free(m->slotinfo);
 +		free(m->module_path);
@ -1790,8 +1783,7 @@ index a302c79c..879fe917 100644
 +static void
 +pkcs11_provider_finalize(struct pkcs11_provider *p)
 +{
-+	debug("%s: %p refcount %d valid %d", __func__,
+	debug_f("%p refcount %d valid %d", p, p->refcount, p->valid);
 +	    p, p->refcount, p->valid);
 +	if (!p->valid)
 +		return;
 +	pkcs11_module_unref(p->module);
@ -1807,7 +1799,7 @@ index a302c79c..879fe917 100644
 pkcs11_provider_unref(struct pkcs11_provider *p)
 {
 -	debug("pkcs11_provider_unref: %p refcount %d", p, p->refcount);
-+	debug("%s: %p refcount %d", __func__, p, p->refcount);
+	debug_f("%p refcount %d", p, p->refcount);
 	if (--p->refcount <= 0) {
 -		if (p->valid)
 -			error("pkcs11_provider_unref: %p still valid", p);
@ -1853,7 +1845,7 @@ index a302c79c..879fe917 100644
 +	int rv;
 +	struct pkcs11_uri *uri;
 +
-+	debug("%s: called, provider_id = %s", __func__, provider_id);
+	debug_f("called, provider_id = %s", provider_id);
 +
 +	uri = pkcs11_uri_init();
 +	if (uri == NULL)
@ -1881,7 +1873,7 @@ index a302c79c..879fe917 100644
 +	char *provider_uri = pkcs11_uri_get(uri);
 -	if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
-+	debug3("%s(%s): called", __func__, provider_uri);
+	debug3_f("called with provider %s", provider_uri);
 +
 +	if ((p = pkcs11_provider_lookup(provider_uri)) != NULL) {
 		TAILQ_REMOVE(&pkcs11_providers, p, next);
@ -1977,7 +1969,7 @@ index a302c79c..879fe917 100644
 		    si->token.label);
 -		if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
 +		if ((pin = read_passphrase(prompt, RP_ALLOW_EOF|RP_ALLOW_STDIN)) == NULL) {
- 			debug("%s: no pin specified", __func__);
+ 			debug_f("no pin specified");
 			return (-1);	/* bail out */
 		}
 	}
@ -2296,7 +2288,7 @@ index a302c79c..879fe917 100644
 		error("BN_bin2bn failed");
 		goto fail;
@@ -871,7 +1032,7 @@ pkcs11_fetch_rsa_pubkey(struct pkcs11_provider *p, CK_ULONG slotidx,
- 		fatal("%s: set key", __func__);
+ 		fatal_f("set key");
 	rsa_n = rsa_e = NULL; /* transferred */
 -	if (pkcs11_rsa_wrap(p, slotidx, &key_attr[0], rsa))
@ -2508,7 +2500,7 @@ index a302c79c..879fe917 100644
 	int ret = -1;
 	struct pkcs11_provider *p = NULL;
 	void *handle = NULL;
-@@ -1484,167 +1670,303 @@ pkcs11_register_provider(char *provider_id, char *pin,
+@@ -1484,164 +1670,298 @@ pkcs11_register_provider(char *provider_id, char *pin,
 	CK_FUNCTION_LIST *f = NULL;
 	CK_TOKEN_INFO *token;
 	CK_ULONG i;
@ -2522,7 +2514,7 @@ index a302c79c..879fe917 100644
 +#ifdef PKCS11_DEFAULT_PROVIDER
 +		provider_module = strdup(PKCS11_DEFAULT_PROVIDER);
 +#else
-+		error("%s: No module path provided", __func__);
+		error_f("No module path provided");
 		goto fail;
 -	*providerp = NULL;
 -
@ -2536,16 +2528,14 @@ index a302c79c..879fe917 100644
 +	}
 -	if (pkcs11_provider_lookup(provider_id) != NULL) {
-		debug("%s: provider already registered: %s",
+-		debug_f("provider already registered: %s", provider_id);
 -		    __func__, provider_id);
 -		goto fail;
 +	p = xcalloc(1, sizeof(*p));
 +	p->name = pkcs11_uri_get(uri);
 +
 +	if ((m = pkcs11_provider_lookup_module(provider_module)) != NULL
 +	   && m->valid) {
-+		debug("%s: provider module already initialized: %s",
+		debug_f("provider module already initialized: %s", provider_module);
 +		    __func__, provider_module);
 +		free(provider_module);
 +		/* Skip the initialization of PKCS#11 module */
 +		m->refcount++;
@ -2605,8 +2595,8 @@ index a302c79c..879fe917 100644
 +	rmspace(m->info.manufacturerID, sizeof(m->info.manufacturerID));
 +	if (uri->lib_manuf != NULL &&
 +	    strcmp(uri->lib_manuf, m->info.manufacturerID)) {
-+		debug("%s: Skipping provider %s not matching library_manufacturer",
+		debug_f("Skipping provider %s not matching library_manufacturer",
-+		    __func__, m->info.manufacturerID);
+		    m->info.manufacturerID);
 +		goto fail;
 +	}
 +	rmspace(m->info.libraryDescription, sizeof(m->info.libraryDescription));
@ -2634,9 +2624,8 @@ index a302c79c..879fe917 100644
 	}
 -	if (p->nslots == 0) {
 +	if (m->nslots == 0) {
- 		debug("%s: provider %s returned no slots", __func__,
+-		debug_f("provider %s returned no slots", provider_id);
-		    provider_id);
+		debug_f("provider %s returned no slots", provider_module);
 +		    provider_module);
 		ret = -SSH_PKCS11_ERR_NO_SLOTS;
 		goto fail;
 	}
@ -2663,8 +2652,8 @@ index a302c79c..879fe917 100644
 +		if ((rv = f->C_GetTokenInfo(m->slotlist[i], token))
 		    != CKR_OK) {
 			error("C_GetTokenInfo for provider %s slot %lu "
-			    "failed: %lu", provider_id, (unsigned long)i, rv);
+-			    "failed: %lu", provider_id, (u_long)i, rv);
-+			    "failed: %lu", provider_module, (unsigned long)i, rv);
+			    "failed: %lu", provider_module, (u_long)i, rv);
 +			token->flags = 0;
 			continue;
 		}
@ -2735,25 +2724,23 @@ index a302c79c..879fe917 100644
 +	for (i = 0; i < p->module->nslots; i++) {
 +		token = &p->module->slotinfo[i].token;
 		if ((token->flags & CKF_TOKEN_INITIALIZED) == 0) {
- 			debug2("%s: ignoring uninitialised token in "
+ 			debug2_f("ignoring uninitialised token in "
- 			    "provider %s slot %lu", __func__,
+-			    "provider %s slot %lu", provider_id, (u_long)i);
-			    provider_id, (unsigned long)i);
+			    "provider %s slot %lu", provider_uri, (u_long)i);
 +			    provider_uri, (unsigned long)i);
 +			continue;
 +		}
 +		if (uri->token != NULL &&
 +		    strcmp(token->label, uri->token) != 0) {
-+			debug2("%s: ignoring token not matching label (%s) "
+			debug2_f("ignoring token not matching label (%s) "
-+			    "specified by PKCS#11 URI in slot %lu", __func__,
+			    "specified by PKCS#11 URI in slot %lu",
 +			    token->label, (unsigned long)i);
 +			continue;
 +		}
 +		if (uri->manuf != NULL &&
 +		    strcmp(token->manufacturerID, uri->manuf) != 0) {
-+			debug2("%s: ignoring token not matching requrested "
+			debug2_f("ignoring token not matching requrested "
 +			    "manufacturerID (%s) specified by PKCS#11 URI in "
-+			    "slot %lu", __func__,
+			    "slot %lu", token->manufacturerID, (unsigned long)i);
 +			    token->manufacturerID, (unsigned long)i);
 			continue;
 		}
 -		rmspace(token->label, sizeof(token->label));
@ -2789,8 +2776,7 @@ index a302c79c..879fe917 100644
 			 * expose keys.
 			 */
 -			if (pkcs11_login_slot(p, &p->slotinfo[i],
-+			debug3("%s: Trying to login as there were no keys found",
+			debug3_f("Trying to login as there were no keys found");
 +			    __func__);
 +			if (pkcs11_login_slot(p, &p->module->slotinfo[i],
 			    CKU_USER) < 0) {
 				error("login failed");
@ -2802,8 +2788,8 @@ index a302c79c..879fe917 100644
 +			pkcs11_fetch_certs(p, i, keyp, labelsp, &nkeys, uri);
 +		}
 +		if (nkeys == 0 && uri->object != NULL) {
-+			debug3("%s: No keys found. Retrying without label (%s) ",
+			debug3_f("No keys found. Retrying without label (%s) ",
-+			    __func__, uri->object);
+			    uri->object);
 +			/* Try once more without the label filter */
 +			char *label = uri->object;
 +			uri->object = NULL; /* XXX clone uri? */
@ -2852,7 +2838,7 @@ index a302c79c..879fe917 100644
 +	struct pkcs11_uri *uri = NULL;
 +	int r;
 +
-+	debug("%s: called, provider_id = %s", __func__, provider_id);
+	debug_f("called, provider_id = %s", provider_id);
 +
 +	uri = pkcs11_uri_init();
 +	if (uri == NULL)
@ -2878,12 +2864,11 @@ index a302c79c..879fe917 100644
 +pkcs11_add_provider_by_uri(struct pkcs11_uri *uri, char *pin,
 +    struct sshkey ***keyp, char ***labelsp)
 {
-	struct pkcs11_provider *p = NULL;
+ 	struct pkcs11_provider *p = NULL;
 	int nkeys;
 +	struct pkcs11_provider *p = NULL;
 +	char *provider_uri = pkcs11_uri_get(uri);
 +
-+	debug("%s: called, provider_uri = %s", __func__, provider_uri);
+	debug_f("called, provider_uri = %s", provider_uri);
 -	nkeys = pkcs11_register_provider(provider_id, pin, keyp, labelsp,
 -	    &p, CKU_USER);
@ -2892,11 +2877,11 @@ index a302c79c..879fe917 100644
 	/* no keys found or some other error, de-register provider */
 	if (nkeys <= 0 && p != NULL) {
@@ -1652,7 +1974,37 @@ pkcs11_add_provider(char *provider_id, char *pin, struct sshkey ***keyp,
 		pkcs11_provider_unref(p);
 	}
 	if (nkeys == 0)
- 		debug("%s: provider %s returned no keys", __func__,
+-		debug_f("provider %s returned no keys", provider_id);
-		    provider_id);
+		debug_f("provider %s returned no keys", provider_uri);
 +		    provider_uri);
 +
 +	free(provider_uri);
 +	return nkeys;
@ -2930,26 +2915,6 @@ index a302c79c..879fe917 100644
 	return (nkeys);
 }
@@ -1674,7 +2026,7 @@ pkcs11_gakp(char *provider_id, char *pin, unsigned int slotidx, char *label,
 	if ((p = pkcs11_provider_lookup(provider_id)) != NULL)
 		debug("%s: provider \"%s\" available", __func__, provider_id);
 -	else if ((ret = pkcs11_register_provider(provider_id, pin, NULL, NULL,
 +	else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL,
 	    &p, CKU_SO)) < 0) {
 		debug("%s: could not register provider %s", __func__,
 		    provider_id);
@@ -1746,8 +2098,8 @@ pkcs11_destroy_keypair(char *provider_id, char *pin, unsigned long slotidx,
 	if ((p = pkcs11_provider_lookup(provider_id)) != NULL) {
 		debug("%s: using provider \"%s\"", __func__, provider_id);
 -	} else if (pkcs11_register_provider(provider_id, pin, NULL, NULL, &p,
 -	    CKU_SO) < 0) {
 +	} else if ((rv = pkcs11_register_provider(provider_id, pin, NULL, NULL,
 +	    &p, CKU_SO)) < 0) {
 		debug("%s: could not register provider %s", __func__,
 		    provider_id);
 		goto out;
 diff --git a/ssh-pkcs11.h b/ssh-pkcs11.h
 index 81f1d7c5..feaf74de 100644
 --- a/ssh-pkcs11.h
@ -2995,7 +2960,7 @@ index 15aee569..976844cb 100644
 +	pkcs11_terminate();
  skip_connect:
- 	exit_status = ssh_session2(ssh, pw);
+ 	exit_status = ssh_session2(ssh, cinfo);
@@ -2076,6 +2085,45 @@ ssh_session2(struct ssh *ssh, struct passwd *pw)
 	    options.escape_char : SSH_ESCAPECHAR_NONE, id);
 }
@ -3041,7 +3006,7 @@ index 15aee569..976844cb 100644
 +
 /* Loads all IdentityFile and CertificateFile keys */
 static void
- load_public_identity_files(struct passwd *pw)
+ load_public_identity_files(const struct ssh_conn_info *cinfo)
@@ -2090,11 +2138,6 @@ load_public_identity_files(struct passwd *pw)
 	char *certificate_files[SSH_MAX_CERTIFICATE_FILES];
 	struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
@ -3117,9 +3082,9 @@ index 15aee569..976844cb 100644
 +		}
 +#endif /* ENABLE_PKCS11 */
 +		cp = tilde_expand_filename(name, getuid());
- 		filename = default_client_percent_dollar_expand(cp,
+ 		filename = default_client_percent_dollar_expand(cp, cinfo);
 		    pw->pw_dir, host, options.user, pw->pw_name);
 		free(cp);
 		check_load(sshkey_load_public(filename, &public, NULL),
 diff --git a/ssh_config.5 b/ssh_config.5
 index 06a32d31..4b2763bd 100644
 --- a/ssh_config.5
--- a/openssh-8.2p1-x11-without-ipv6.patch
+++ b/openssh-8.2p1-x11-without-ipv6.patch
@ -7,8 +7,8 @@ diff --git a/channels.c b/channels.c
 			if (x11_use_localhost)
 				set_reuseaddr(sock);
 			if (bind(sock, ai->ai_addr, ai->ai_addrlen) == -1) {
- 				debug2("%s: bind port %d: %.100s", __func__,
+ 				debug2_f("bind port %d: %.100s", port,
- 				    port, strerror(errno));
+ 				    strerror(errno));
 				close(sock);
 +
 +				/* do not remove successfully opened
--- a/openssh-8.4p1-debian-compat.patch
+++ b/openssh-8.4p1-debian-compat.patch
@ -37,8 +37,8 @@
 +	 * SHA2 signature types.
 +	 */
 +	if (alg == NULL &&
-+	    (key->type == KEY_RSA && (datafellows & SSH_BUG_SIGTYPE74))) {
+	    (key->type == KEY_RSA && (ssh->compat & SSH_BUG_SIGTYPE74))) {
-+		oallowed = allowed = xstrdup(options.pubkey_key_types);
+		oallowed = allowed = xstrdup(options.pubkey_accepted_algos);
 +		while ((cp = strsep(&allowed, ",")) != NULL) {
 +			if (sshkey_type_from_name(cp) != key->type)
 +				continue;
--- a/openssh-8.4p1-sandbox-seccomp.patch
+++ b/openssh-8.4p1-sandbox-seccomp.patch
@ -1,14 +0,0 @@
 diff --git a/sandbox-seccomp-filter.c b/sandbox-seccomp-filter.c
 index e0768c06..5065ae7e 100644
 --- a/sandbox-seccomp-filter.c
 +++ b/sandbox-seccomp-filter.c
@@ -267,6 +267,9 @@ static const struct sock_filter preauth_insns[] = {
 #ifdef __NR_pselect6
 	SC_ALLOW(__NR_pselect6),
 #endif
 +#ifdef __NR_pselect6_time64
 +	SC_ALLOW(__NR_pselect6_time64),
 +#endif
 #ifdef __NR_read
 	SC_ALLOW(__NR_read),
 #endif
--- a/openssh-8.4p1-ssh-copy-id.patch
+++ b/openssh-8.4p1-ssh-copy-id.patch
@ -1,130 +0,0 @@
 From 66f16e5425eb881570e82bfef7baeac2e7accc0a Mon Sep 17 00:00:00 2001
 From: Oleg <Fallmay@users.noreply.github.com>
 Date: Thu, 1 Oct 2020 12:09:08 +0300
 Subject: [PATCH] Fix `EOF: command not found` error in ssh-copy-id
 ---
 contrib/ssh-copy-id | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
 index 392f64f94..a76907717 100644
 --- a/contrib/ssh-copy-id
 +++ b/contrib/ssh-copy-id
@@ -247,7 +247,7 @@ installkeys_sh() {
   #    the -z `tail ...` checks for a trailing newline. The echo adds one if was missing
   #    the cat adds the keys we're getting via STDIN
   #    and if available restorecon is used to restore the SELinux context
 -  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF)
 +  INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
 	cd;
 	umask 077;
 	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
@@ -258,6 +258,7 @@ installkeys_sh() {
 	  restorecon -F .ssh ${AUTH_KEY_FILE};
 	fi
 EOF
 +  )
   # to defend against quirky remote shells: use 'exec sh -c' to get POSIX;
   printf "exec sh -c '%s'" "${INSTALLKEYS_SH}"
 From de59a431cdec833e3ec15691dd950402b4c052cf Mon Sep 17 00:00:00 2001
 From: Philip Hands <phil@hands.com>
 Date: Sat, 3 Oct 2020 00:20:07 +0200
 Subject: [PATCH] un-nest $() to make ksh cheerful
 ---
 ssh-copy-id | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
 From 02ac2c3c3db5478a440dfb1b90d15f686f2cbfc6 Mon Sep 17 00:00:00 2001
 From: Philip Hands <phil@hands.com>
 Date: Fri, 2 Oct 2020 21:30:10 +0200
 Subject: [PATCH] ksh doesn't grok 'local'
 and AFAICT it's not actually doing anything useful in the code, so let's
 see how things go without it.
 ---
 ssh-copy-id | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)
 diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
 index a769077..11c9463 100755
 --- a/contrib/ssh-copy-id
 +++ b/contrib/ssh-copy-id
@@ -76,7 +76,7 @@ quote() {
 }
 use_id_file() {
 -  local L_ID_FILE="$1"
 +  L_ID_FILE="$1"
   if [ -z "$L_ID_FILE" ] ; then
     printf '%s: ERROR: no ID file found\n' "$0"
@@ -94,7 +94,7 @@ use_id_file() {
   # check that the files are readable
   for f in "$PUB_ID_FILE" ${PRIV_ID_FILE:+"$PRIV_ID_FILE"} ; do
     ErrMSG=$( { : < "$f" ; } 2>&1 ) || {
 -      local L_PRIVMSG=""
 +      L_PRIVMSG=""
       [ "$f" = "$PRIV_ID_FILE" ] && L_PRIVMSG="	(to install the contents of '$PUB_ID_FILE' anyway, look at the -f option)"
       printf "\\n%s: ERROR: failed to open ID file '%s': %s\\n" "$0" "$f" "$(printf '%s\n%s\n' "$ErrMSG" "$L_PRIVMSG" | sed -e 's/.*: *//')"
       exit 1
@@ -169,7 +169,7 @@ fi
 # populate_new_ids() uses several global variables ($USER_HOST, $SSH_OPTS ...)
 # and has the side effect of setting $NEW_IDS
 populate_new_ids() {
 -  local L_SUCCESS="$1"
 +  L_SUCCESS="$1"
   # shellcheck disable=SC2086
   if [ "$FORCED" ] ; then
@@ -181,13 +181,12 @@ populate_new_ids() {
   eval set -- "$SSH_OPTS"
   umask 0177
 -  local L_TMP_ID_FILE
   L_TMP_ID_FILE=$(mktemp ~/.ssh/ssh-copy-id_id.XXXXXXXXXX)
   if test $? -ne 0 || test "x$L_TMP_ID_FILE" = "x" ; then
     printf '%s: ERROR: mktemp failed\n' "$0" >&2
     exit 1
   fi
 -  local L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
 +  L_CLEANUP="rm -f \"$L_TMP_ID_FILE\" \"${L_TMP_ID_FILE}.stderr\""
   # shellcheck disable=SC2064
   trap "$L_CLEANUP" EXIT TERM INT QUIT
   printf '%s: INFO: attempting to log in with the new key(s), to filter out any that are already installed\n' "$0" >&2
@@ -237,7 +236,7 @@ populate_new_ids() {
 #    produce a one-liner to add the keys to remote authorized_keys file
 #    optionally takes an alternative path for authorized_keys
 installkeys_sh() {
 -  local AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
 +  AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
   # In setting INSTALLKEYS_SH:
   #    the tr puts it all on one line (to placate tcsh)
 -- 
 diff --git a/contrib/ssh-copy-id b/contrib/ssh-copy-id
 index 11c9463..ee3f637 100755
 --- a/contrib/ssh-copy-id
 +++ b/contrib/ssh-copy-id
@@ -237,6 +237,7 @@ populate_new_ids() {
 #    optionally takes an alternative path for authorized_keys
 installkeys_sh() {
   AUTH_KEY_FILE=${1:-.ssh/authorized_keys}
 +  AUTH_KEY_DIR=$(dirname "${AUTH_KEY_FILE}")
   # In setting INSTALLKEYS_SH:
   #    the tr puts it all on one line (to placate tcsh)
@@ -249,7 +250,7 @@ installkeys_sh() {
   INSTALLKEYS_SH=$(tr '\t\n' ' ' <<-EOF
 	cd;
 	umask 077;
 -	mkdir -p $(dirname "${AUTH_KEY_FILE}") &&
 +	mkdir -p "${AUTH_KEY_DIR}" &&
 	  { [ -z \`tail -1c ${AUTH_KEY_FILE} 2>/dev/null\` ] || echo >> ${AUTH_KEY_FILE} || exit 1; } &&
 	  cat >> ${AUTH_KEY_FILE} ||
 	  exit 1;
 -- 
--- a/openssh.spec
+++ b/openssh.spec
@ -50,21 +50,21 @@
 %{?static_openssl:%global static_libcrypto 1}
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
-%global openssh_ver 8.4p1
+%global openssh_ver 8.5p1
-%global openssh_rel 5
+%global openssh_rel 2
 %global pam_ssh_agent_ver 0.10.4
-%global pam_ssh_agent_rel 1
+%global pam_ssh_agent_rel 2
 Summary: An open source implementation of SSH protocol version 2
 Name: openssh
 Version: %{openssh_ver}
-Release: %{openssh_rel}%{?dist}.1
+Release: %{openssh_rel}%{?dist}
 URL: http://www.openssh.com/portable.html
 #URL1: https://github.com/jbeverly/pam_ssh_agent_auth/
 Source0: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz
 Source1: ftp://ftp.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-%{version}.tar.gz.asc
 Source2: sshd.pam
-Source3: DJM-GPG-KEY.gpg
+Source3: gpgkey-736060BA.gpg
 Source4: https://github.com/jbeverly/pam_ssh_agent_auth/archive/pam_ssh_agent_auth-%{pam_ssh_agent_ver}.tar.gz
 Source5: pam_ssh_agent-rmheaders
 Source6: ssh-keycat.pam
@ -75,6 +75,7 @@ Source11: sshd.service
 Source12: sshd-keygen@.service
 Source13: sshd-keygen
 Source15: sshd-keygen.target
 Source16: ssh-agent.service
 #https://bugzilla.mindrot.org/show_bug.cgi?id=2581
 Patch100: openssh-6.7p1-coverity.patch
@ -178,9 +179,6 @@ Patch950: openssh-7.5p1-sandbox.patch
 Patch951: openssh-8.0p1-pkcs11-uri.patch
 # Unbreak scp between two IPv6 hosts (#1620333)
 Patch953: openssh-7.8p1-scp-ipv6.patch
 # ssh-copy-id is unmaintained: Aggreagete patches
 # https://gitlab.com/phil_hands/ssh-copy-id/-/merge_requests/2
 Patch958: openssh-7.9p1-ssh-copy-id.patch
 # Mention crypto-policies in manual pages (#1668325)
 Patch962: openssh-8.0p1-crypto-policies.patch
 # Use OpenSSL high-level API to produce and verify signatures (#1707485)
@ -191,9 +189,6 @@ Patch964: openssh-8.0p1-openssl-kdf.patch
 Patch965: openssh-8.2p1-visibility.patch
 # Do not break X11 without IPv6
 Patch966: openssh-8.2p1-x11-without-ipv6.patch
 Patch967: openssh-8.4p1-ssh-copy-id.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3232
 Patch968: openssh-8.4p1-sandbox-seccomp.patch
 # https://bugzilla.mindrot.org/show_bug.cgi?id=3213
 Patch969: openssh-8.4p1-debian-compat.patch
@ -216,6 +211,7 @@ BuildRequires: pam-devel
 BuildRequires: openssl-devel >= 0.9.8j
 BuildRequires: perl-podlators
 BuildRequires: systemd-devel
 BuildRequires: systemd-rpm-macros
 BuildRequires: gcc make
 BuildRequires: p11-kit-devel
 BuildRequires: libfido2-devel
@ -266,7 +262,7 @@ Requires: openssh = %{version}-%{release}
 %package -n pam_ssh_agent_auth
 Summary: PAM module for authentication with ssh-agent
 Version: %{pam_ssh_agent_ver}
-Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}.3
+Release: %{pam_ssh_agent_rel}.%{openssh_rel}%{?dist}
 License: BSD
 %description
@ -364,14 +360,11 @@ popd
 %patch950 -p1 -b .sandbox
 %patch951 -p1 -b .pkcs11-uri
 %patch953 -p1 -b .scp-ipv6
 %patch958 -p1 -b .ssh-copy-id
 %patch962 -p1 -b .crypto-policies
 %patch963 -p1 -b .openssl-evp
 %patch964 -p1 -b .openssl-kdf
 %patch965 -p1 -b .visibility
 %patch966 -p1 -b .x11-ipv6
 %patch967 -p1 -b .ssh-copy-id
 %patch968 -p1 -b .seccomp
 %patch969 -p0 -b .debian
 %patch200 -p1 -b .audit
@ -517,6 +510,8 @@ install -m644 %{SOURCE10} $RPM_BUILD_ROOT/%{_unitdir}/sshd.socket
 install -m644 %{SOURCE11} $RPM_BUILD_ROOT/%{_unitdir}/sshd.service
 install -m644 %{SOURCE12} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen@.service
 install -m644 %{SOURCE15} $RPM_BUILD_ROOT/%{_unitdir}/sshd-keygen.target
 install -d -m755 $RPM_BUILD_ROOT/%{_userunitdir}
 install -m644 %{SOURCE16} $RPM_BUILD_ROOT/%{_userunitdir}/ssh-agent.service
 install -m744 %{SOURCE13} $RPM_BUILD_ROOT/%{_libexecdir}/openssh/sshd-keygen
 install -m755 contrib/ssh-copy-id $RPM_BUILD_ROOT%{_bindir}/
 install contrib/ssh-copy-id.1 $RPM_BUILD_ROOT%{_mandir}/man1/
@ -573,6 +568,12 @@ test -f %{sysconfig_anaconda} && \
 %postun server
 %systemd_postun_with_restart sshd.service
 %post clients
 %systemd_user_post ssh-agent.service
 %preun clients
 %systemd_user_preun ssh-agent.service
 %files
 %license LICENCE
 %doc CREDITS ChangeLog OVERVIEW PROTOCOL* README README.platform README.privsep README.tun README.dns TODO
@ -607,6 +608,7 @@ test -f %{sysconfig_anaconda} && \
 %attr(0644,root,root) %{_mandir}/man1/ssh-copy-id.1*
 %attr(0644,root,root) %{_mandir}/man8/ssh-pkcs11-helper.8*
 %attr(0644,root,root) %{_mandir}/man8/ssh-sk-helper.8*
 %attr(0644,root,root) %{_userunitdir}/ssh-agent.service
 %files server
 %dir %attr(0711,root,root) %{_datadir}/empty.sshd
@ -648,6 +650,16 @@ test -f %{sysconfig_anaconda} && \
 %endif
 %changelog
 * Tue Mar 09 2021 Rex Dieter <rdieter@fedoraproject.org> - 8.5p1-2
 - ssh-agent.serivce is user unit (#1761817#27)
 * Wed Mar 03 2021 Jakub Jelen <jjelen@redhat.com> - 8.5p1-1 + 0.10.4-2
 - New upstream release (#1934336)
 * Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 8.4p1-5.2
 - Rebuilt for updated systemd-rpm-macros
  See https://pagure.io/fesco/issue/2583.
 * Tue Jan 26 2021 Fedora Release Engineering <releng@fedoraproject.org> - 8.4p1-5.1
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
--- a/6
+++ b/6
@ -1,4 +1,4 @@
-SHA512 (openssh-8.4p1.tar.gz) = d65275b082c46c5efe7cf3264fa6794d6e99a36d4a54b50554fc56979d6c0837381587fd5399195e1db680d2a5ad1ef0b99a180eac2b4de5637906cb7a89e9ce
+SHA512 (openssh-8.5p1.tar.gz) = af9c34d89170a30fc92a63973e32c766ed4a6d254bb210e317c000d46913e78d0c60c7befe62d993d659be000b828b9d4d3832fc40df1c3d33850aaa6293846f
-SHA512 (openssh-8.4p1.tar.gz.asc) = 3d9a026db27729a5a56785db3824230ccf2a3beca4bb48ef465e44d869b944dbc5d443152a1b1be21bc9c213c465d3d7ca1f876a387d0a6b9682a0cfec3e6e32
+SHA512 (openssh-8.5p1.tar.gz.asc) = 264a991c7207f2215875e2b472a649ede1a69f6486d25777bf522047c26ea77c2995d34b6917a993ea9a250b7dd5298a30f1975e20e471f079c9064ce283cec2
 SHA512 (pam_ssh_agent_auth-0.10.4.tar.gz) = caccf72174d15e43f4c86a459ac6448682e62116557cf1e1e828955f3d1731595b238df42adec57860e7f341e92daf5d8285020bcb5018f3b8a5145aa32ee1c2
-SHA512 (DJM-GPG-KEY.gpg) = db1191ed9b6495999e05eed2ef863fb5179bdb63e94850f192dad68eed8579836f88fbcfffd9f28524fe1457aff8cd248ee3e0afc112c8f609b99a34b80ecc0d
+SHA512 (gpgkey-736060BA.gpg) = df44f3fdbcd1d596705348c7f5aed3f738c5f626a55955e0642f7c6c082995cf36a1b1891bb41b8715cb2aff34fef1c877e0eff0d3507dd00a055ba695757a21
--- a/ssh-agent.service
+++ b/ssh-agent.service
@ -0,0 +1,14 @@
 # Requires SSH_AUTH_SOCK="$XDG_RUNTIME_DIR/ssh-agent.socket"
 # set in environment, handled for example in plasma via
 # /etc/xdg/plasma-workspace/env/ssh-agent.sh
 [Unit]
 ConditionEnvironment=!SSH_AGENT_PID
 Description=OpenSSH key agent
 Documentation=man:ssh-agent(1) man:ssh-add(1) man:ssh(1)
 [Service]
 Environment=SSH_AUTH_SOCK=%t/ssh-agent.socket
 ExecStart=/usr/bin/ssh-agent -a $SSH_AUTH_SOCK
 PassEnvironment=SSH_AGENT_PID
 SuccessExitStatus=2
 Type=forking