git: 535af610a4fd - main - ssh: Update to OpenSSH 9.4p1

From: Ed Maste <emaste_at_FreeBSD.org>
Date: Fri, 11 Aug 2023 03:11:10 UTC
The branch main has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=535af610a4fdace6d50960c0ad9be0597eea7a1b

commit 535af610a4fdace6d50960c0ad9be0597eea7a1b
Merge: 6b405053c997 78f30535bcdb
Author:     Ed Maste <emaste@FreeBSD.org>
AuthorDate: 2023-08-11 03:10:18 +0000
Commit:     Ed Maste <emaste@FreeBSD.org>
CommitDate: 2023-08-11 03:10:18 +0000

    ssh: Update to OpenSSH 9.4p1
    
    Excerpts from the release notes:
    
     * ssh-agent(1): PKCS#11 modules must now be specified by their full
       paths. Previously dlopen(3) could search for them in system
       library directories.
    
     * ssh(1): allow forwarding Unix Domain sockets via ssh -W.
    
     * ssh(1): add support for configuration tags to ssh(1).
       This adds a ssh_config(5) "Tag" directive and corresponding
       "Match tag" predicate that may be used to select blocks of
       configuration similar to the pf.conf(5) keywords of the same
       name.
    
     * ssh(1): add a "match localnetwork" predicate. This allows matching
       on the addresses of available network interfaces and may be used to
       vary the effective client configuration based on network location.
    
     * ssh-agent(1): improve isolation between loaded PKCS#11 modules
       by running separate ssh-pkcs11-helpers for each loaded provider.
    
     * ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
       modules being loaded by checking that the requested module
       contains the required symbol before loading it.
    
     * ssh(1): don't incorrectly disable hostname canonicalization when
       CanonicalizeHostname=yes and ProxyJump was expicitly set to
       "none". bz3567
    
    Full release notes at https://www.openssh.com/txt/release-9.4
    
    Relnotes:       Yes
    Sponsored by:   The FreeBSD Foundation

 crypto/openssh/.github/ci-status.md                |     6 +-
 crypto/openssh/.github/configs                     |    45 +-
 crypto/openssh/.github/setup_ci.sh                 |    17 +-
 crypto/openssh/.github/workflows/c-cpp.yml         |    26 +-
 crypto/openssh/.github/workflows/selfhosted.yml    |     2 +-
 crypto/openssh/ChangeLog                           | 13191 ++++++++++---------
 crypto/openssh/INSTALL                             |     8 +-
 crypto/openssh/PROTOCOL.agent                      |     4 +-
 crypto/openssh/PROTOCOL.krl                        |    55 +-
 crypto/openssh/README                              |     2 +-
 crypto/openssh/addr.c                              |     4 +-
 crypto/openssh/auth-options.c                      |    29 +-
 crypto/openssh/auth-pam.c                          |     4 +-
 crypto/openssh/auth2-gss.c                         |    12 +-
 crypto/openssh/auth2-pubkey.c                      |    35 +-
 crypto/openssh/canohost.c                          |     4 +-
 crypto/openssh/chacha.c                            |     3 +-
 crypto/openssh/channels.c                          |    19 +-
 crypto/openssh/channels.h                          |     8 +-
 crypto/openssh/cipher-aes.c                        |     2 +-
 crypto/openssh/cipher-chachapoly-libcrypto.c       |     3 +-
 crypto/openssh/cipher-chachapoly.c                 |     3 +-
 crypto/openssh/clientloop.c                        |    14 +-
 crypto/openssh/config.h                            |    94 +-
 crypto/openssh/configure.ac                        |   107 +-
 crypto/openssh/contrib/redhat/openssh.spec         |     2 +-
 crypto/openssh/contrib/ssh-copy-id                 |    75 +-
 crypto/openssh/contrib/ssh-copy-id.1               |    79 +-
 crypto/openssh/contrib/suse/openssh.spec           |     2 +-
 crypto/openssh/gss-serv.c                          |     2 +-
 crypto/openssh/kexgexs.c                           |     4 +-
 crypto/openssh/krl.c                               |   280 +-
 crypto/openssh/krl.h                               |    10 +-
 crypto/openssh/match.c                             |     5 +-
 crypto/openssh/misc.c                              |    95 +-
 crypto/openssh/misc.h                              |     3 +-
 crypto/openssh/moduli                              |   868 +-
 crypto/openssh/monitor.c                           |     5 +-
 crypto/openssh/monitor_wrap.c                      |     6 +-
 crypto/openssh/mux.c                               |    76 +-
 crypto/openssh/openbsd-compat/bsd-getentropy.c     |     6 +-
 crypto/openssh/openbsd-compat/bsd-snprintf.c       |    31 +-
 .../openssh/openbsd-compat/libressl-api-compat.c   |   556 +-
 crypto/openssh/openbsd-compat/openssl-compat.c     |    20 +-
 crypto/openssh/openbsd-compat/openssl-compat.h     |   158 +-
 crypto/openssh/openbsd-compat/port-linux.c         |    39 +-
 .../openbsd-compat/regress/opensslvertest.c        |    29 +-
 .../openssh/openbsd-compat/regress/snprintftest.c  |     6 +-
 .../openssh/openbsd-compat/regress/strtonumtest.c  |     2 +-
 crypto/openssh/packet.c                            |     4 +-
 crypto/openssh/poly1305.c                          |     3 +-
 crypto/openssh/progressmeter.c                     |     3 +-
 crypto/openssh/readconf.c                          |   108 +-
 crypto/openssh/readconf.h                          |     3 +-
 crypto/openssh/regress/Makefile                    |    10 +-
 crypto/openssh/regress/agent-ptrace.sh             |     2 +-
 crypto/openssh/regress/forcecommand.sh             |     8 +-
 crypto/openssh/regress/forward-control.sh          |     6 +-
 crypto/openssh/regress/misc/sk-dummy/sk-dummy.c    |    27 +-
 crypto/openssh/regress/percent.sh                  |     5 +-
 crypto/openssh/regress/sftp-chroot.sh              |    23 +-
 .../openssh/regress/unittests/misc/test_ptimeout.c |     4 +-
 .../openssh/regress/unittests/sshkey/test_file.c   |     2 +
 crypto/openssh/regress/unittests/sshsig/tests.c    |     2 +-
 .../regress/unittests/test_helper/test_helper.c    |     2 +-
 crypto/openssh/scp.c                               |    23 +-
 crypto/openssh/servconf.c                          |    20 +-
 crypto/openssh/sftp-client.c                       |    54 +-
 crypto/openssh/sftp-common.c                       |     4 +-
 crypto/openssh/sftp-server.c                       |     4 +-
 crypto/openssh/sftp.c                              |    12 +-
 crypto/openssh/sk-usbhid.c                         |    14 +-
 crypto/openssh/ssh-add.c                           |     6 +-
 crypto/openssh/ssh-agent.1                         |    14 +-
 crypto/openssh/ssh-agent.c                         |     8 +-
 crypto/openssh/ssh-keygen.1                        |     6 +-
 crypto/openssh/ssh-keygen.c                        |    16 +-
 crypto/openssh/ssh-keyscan.c                       |    28 +-
 crypto/openssh/ssh-pkcs11-client.c                 |   389 +-
 crypto/openssh/ssh-pkcs11.c                        |    43 +-
 crypto/openssh/ssh-sk.c                            |     8 +-
 crypto/openssh/ssh-xmss.c                          |     4 +-
 crypto/openssh/ssh.1                               |    19 +-
 crypto/openssh/ssh.c                               |    59 +-
 crypto/openssh/ssh_config                          |     2 +-
 crypto/openssh/ssh_config.5                        |    39 +-
 crypto/openssh/ssh_namespace.h                     |     3 +
 crypto/openssh/sshconnect2.c                       |    12 +-
 crypto/openssh/sshd_config                         |     2 +-
 crypto/openssh/sshd_config.5                       |    14 +-
 crypto/openssh/sshkey.c                            |    18 +-
 crypto/openssh/sshkey.h                            |     4 +-
 crypto/openssh/sshsig.c                            |    11 +-
 crypto/openssh/version.h                           |     8 +-
 94 files changed, 8883 insertions(+), 8229 deletions(-)

diff --cc crypto/openssh/INSTALL
index 77b56a9bb734,000000000000..adc6e0825738
mode 100644,000000..100644
--- a/crypto/openssh/INSTALL
+++ b/crypto/openssh/INSTALL
@@@ -1,297 -1,0 +1,293 @@@
 +1. Prerequisites
 +----------------
 +
 +A C compiler.  Any C89 or better compiler that supports variadic macros
 +should work.  Where supported, configure will attempt to enable the
 +compiler's run-time integrity checking options.  Some notes about
 +specific compilers:
 + - clang: -ftrapv and -sanitize=integer require the compiler-rt runtime
 +  (CC=clang LDFLAGS=--rtlib=compiler-rt ./configure)
 +
 +To support Privilege Separation (which is now required) you will need
 +to create the user, group and directory used by sshd for privilege
 +separation.  See README.privsep for details.
 +
 +
 +The remaining items are optional.
 +
 +A working installation of zlib:
 +Zlib 1.1.4 or 1.2.1.2 or greater (earlier 1.2.x versions have problems):
 +https://zlib.net/
 +
 +libcrypto from either of LibreSSL or OpenSSL.  Building without libcrypto
 +is supported but severely restricts the available ciphers and algorithms.
-  - LibreSSL (https://www.libressl.org/)
-  - OpenSSL (https://www.openssl.org) with any of the following versions:
-    - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
- 
- Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
- 1.1.0g can't be used.
++ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
++ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
 +
 +LibreSSL/OpenSSL should be compiled as a position-independent library
 +(i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
 +or LibreSSL as "CFLAGS=-fPIC ./configure") otherwise OpenSSH will not
 +be able to link with it.  If you must use a non-position-independent
 +libcrypto, then you may need to configure OpenSSH --without-pie.
 +
 +If you build either from source, running the OpenSSL self-test ("make
 +tests") or the LibreSSL equivalent ("make check") and ensuring that all
 +tests pass is strongly recommended.
 +
 +NB. If you operating system supports /dev/random, you should configure
 +libcrypto (LibreSSL/OpenSSL) to use it. OpenSSH relies on libcrypto's
 +direct support of /dev/random, or failing that, either prngd or egd.
 +
 +PRNGD:
 +
 +If your system lacks kernel-based random collection, the use of Lutz
 +Jaenicke's PRNGd is recommended. It requires that libcrypto be configured
 +to support it.
 +
 +http://prngd.sourceforge.net/
 +
 +EGD:
 +
 +The Entropy Gathering Daemon (EGD) supports the same interface as prngd.
 +It also supported only if libcrypto is configured to support it.
 +
 +http://egd.sourceforge.net/
 +
 +PAM:
 +
 +OpenSSH can utilise Pluggable Authentication Modules (PAM) if your
 +system supports it. PAM is standard most Linux distributions, Solaris,
 +HP-UX 11, AIX >= 5.2, FreeBSD, NetBSD and Mac OS X.
 +
 +Information about the various PAM implementations are available:
 +
 +Solaris PAM:	http://www.sun.com/software/solaris/pam/
 +Linux PAM:	http://www.kernel.org/pub/linux/libs/pam/
 +OpenPAM:	http://www.openpam.org/
 +
 +If you wish to build the GNOME passphrase requester, you will need the GNOME
 +libraries and headers.
 +
 +GNOME:
 +http://www.gnome.org/
 +
 +Alternatively, Jim Knoble <jmknoble@pobox.com> has written an excellent X11
 +passphrase requester. This is maintained separately at:
 +
 +http://www.jmknoble.net/software/x11-ssh-askpass/
 +
 +TCP Wrappers:
 +
 +If you wish to use the TCP wrappers functionality you will need at least
 +tcpd.h and libwrap.a, either in the standard include and library paths,
 +or in the directory specified by --with-tcp-wrappers.  Version 7.6 is
 +known to work.
 +
 +http://ftp.porcupine.org/pub/security/index.html
 +
 +LibEdit:
 +
 +sftp supports command-line editing via NetBSD's libedit.  If your platform
 +has it available natively you can use that, alternatively you might try
 +these multi-platform ports:
 +
 +http://www.thrysoee.dk/editline/
 +http://sourceforge.net/projects/libedit/
 +
 +LDNS:
 +
 +LDNS is a DNS BSD-licensed resolver library which supports DNSSEC.
 +
 +http://nlnetlabs.nl/projects/ldns/
 +
 +Autoconf:
 +
 +If you modify configure.ac or configure doesn't exist (eg if you checked
 +the code out of git yourself) then you will need autoconf-2.69 and
 +automake-1.16.1 to rebuild the automatically generated files by running
 +"autoreconf".  Earlier versions may also work but this is not guaranteed.
 +
 +http://www.gnu.org/software/autoconf/
 +http://www.gnu.org/software/automake/
 +
 +Basic Security Module (BSM):
 +
 +Native BSM support is known to exist in Solaris from at least 2.5.1,
 +FreeBSD 6.1 and OS X.  Alternatively, you may use the OpenBSM
 +implementation (http://www.openbsm.org).
 +
 +makedepend:
 +
 +https://www.x.org/archive/individual/util/
 +
 +If you are making significant changes to the code you may need to rebuild
 +the dependency (.depend) file using "make depend", which requires the
 +"makedepend" tool from the X11 distribution.
 +
 +libfido2:
 +
 +libfido2 allows the use of hardware security keys over USB.  libfido2
 +in turn depends on libcbor.  libfido2 >= 1.5.0 is strongly recommended.
 +Limited functionality is possible with earlier libfido2 versions.
 +
 +https://github.com/Yubico/libfido2
 +https://github.com/pjk/libcbor
 +
 +
 +2. Building / Installation
 +--------------------------
 +
 +To install OpenSSH with default options:
 +
 +./configure
 +make
 +make install
 +
 +This will install the OpenSSH binaries in /usr/local/bin, configuration files
 +in /usr/local/etc, the server in /usr/local/sbin, etc. To specify a different
 +installation prefix, use the --prefix option to configure:
 +
 +./configure --prefix=/opt
 +make
 +make install
 +
 +Will install OpenSSH in /opt/{bin,etc,lib,sbin}. You can also override
 +specific paths, for example:
 +
 +./configure --prefix=/opt --sysconfdir=/etc/ssh
 +make
 +make install
 +
 +This will install the binaries in /opt/{bin,lib,sbin}, but will place the
 +configuration files in /etc/ssh.
 +
 +If you are using PAM, you may need to manually install a PAM control
 +file as "/etc/pam.d/sshd" (or wherever your system prefers to keep
 +them).  Note that the service name used to start PAM is __progname,
 +which is the basename of the path of your sshd (e.g., the service name
 +for /usr/sbin/osshd will be osshd).  If you have renamed your sshd
 +executable, your PAM configuration may need to be modified.
 +
 +A generic PAM configuration is included as "contrib/sshd.pam.generic",
 +you may need to edit it before using it on your system. If you are
 +using a recent version of Red Hat Linux, the config file in
 +contrib/redhat/sshd.pam should be more useful.  Failure to install a
 +valid PAM file may result in an inability to use password
 +authentication.  On HP-UX 11 and Solaris, the standard /etc/pam.conf
 +configuration will work with sshd (sshd will match the other service
 +name).
 +
 +There are a few other options to the configure script:
 +
 +--with-audit=[module] enable additional auditing via the specified module.
 +Currently, drivers for "debug" (additional info via syslog) and "bsm"
 +(Sun's Basic Security Module) are supported.
 +
 +--with-pam enables PAM support. If PAM support is compiled in, it must
 +also be enabled in sshd_config (refer to the UsePAM directive).
 +
 +--with-prngd-socket=/some/file allows you to enable EGD or PRNGD
 +support and to specify a PRNGd socket. Use this if your Unix lacks
 +/dev/random.
 +
 +--with-prngd-port=portnum allows you to enable EGD or PRNGD support
 +and to specify a EGD localhost TCP port. Use this if your Unix lacks
 +/dev/random.
 +
 +--with-lastlog=FILE will specify the location of the lastlog file.
 +./configure searches a few locations for lastlog, but may not find
 +it if lastlog is installed in a different place.
 +
 +--without-lastlog will disable lastlog support entirely.
 +
 +--with-osfsia, --without-osfsia will enable or disable OSF1's Security
 +Integration Architecture.  The default for OSF1 machines is enable.
 +
 +--with-tcp-wrappers will enable TCP Wrappers (/etc/hosts.allow|deny)
 +support.
 +
 +--with-utmpx enables utmpx support. utmpx support is automatic for
 +some platforms.
 +
 +--without-shadow disables shadow password support.
 +
 +--with-ipaddr-display forces the use of a numeric IP address in the
 +$DISPLAY environment variable. Some broken systems need this.
 +
 +--with-default-path=PATH allows you to specify a default $PATH for sessions
 +started by sshd. This replaces the standard path entirely.
 +
 +--with-pid-dir=PATH specifies the directory in which the sshd.pid file is
 +created.
 +
 +--with-xauth=PATH specifies the location of the xauth binary
 +
 +--with-ssl-dir=DIR allows you to specify where your Libre/OpenSSL
 +libraries are installed.
 +
 +--with-ssl-engine enables Libre/OpenSSL's (hardware) ENGINE support
 +
 +--without-openssl builds without using OpenSSL.  Only a subset of ciphers
 +and algorithms are supported in this configuration.
 +
 +--without-zlib builds without zlib.  This disables the Compression option.
 +
 +--with-4in6 Check for IPv4 in IPv6 mapped addresses and convert them to
 +real (AF_INET) IPv4 addresses. Works around some quirks on Linux.
 +
 +If you need to pass special options to the compiler or linker, you
 +can specify these as environment variables before running ./configure.
 +For example:
 +
 +CC="/usr/foo/cc" CFLAGS="-O" LDFLAGS="-s" LIBS="-lrubbish" ./configure
 +
 +3. Configuration
 +----------------
 +
 +The runtime configuration files are installed by in ${prefix}/etc or
 +whatever you specified as your --sysconfdir (/usr/local/etc by default).
 +
 +The default configuration should be instantly usable, though you should
 +review it to ensure that it matches your security requirements.
 +
 +To generate a host key, run "make host-key". Alternately you can do so
 +manually using the following commands:
 +
 +    ssh-keygen -t [type] -f /etc/ssh/ssh_host_key -N ""
 +
 +for each of the types you wish to generate (rsa, dsa or ecdsa) or
 +
 +    ssh-keygen -A
 +
 +to generate keys for all supported types.
 +
 +Replacing /etc/ssh with the correct path to the configuration directory.
 +(${prefix}/etc or whatever you specified with --sysconfdir during
 +configuration).
 +
 +If you have configured OpenSSH with EGD/prngd support, ensure that EGD or
 +prngd is running and has collected some entropy first.
 +
 +For more information on configuration, please refer to the manual pages
 +for sshd, ssh and ssh-agent.
 +
 +4. (Optional) Send survey
 +-------------------------
 +
 +$ make survey
 +[check the contents of the file "survey" to ensure there's no information
 +that you consider sensitive]
 +$ make send-survey
 +
 +This will send configuration information for the currently configured
 +host to a survey address.  This will help determine which configurations
 +are actually in use, and what valid combinations of configure options
 +exist.  The raw data is available only to the OpenSSH developers, however
 +summary data may be published.
 +
 +5. Problems?
 +------------
 +
 +If you experience problems compiling, installing or running OpenSSH,
 +please refer to the "reporting bugs" section of the webpage at
 +https://www.openssh.com/
diff --cc crypto/openssh/config.h
index 4a274147b22e,000000000000..385e53c82ea3
mode 100644,000000..100644
--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@@ -1,2132 -1,0 +1,2042 @@@
 +/* config.h.  Generated from config.h.in by configure.  */
 +/* config.h.in.  Generated from configure.ac by autoheader.  */
 +
 +/* Define if building universal (internal helper macro) */
 +/* #undef AC_APPLE_UNIVERSAL_BUILD */
 +
 +/* Define if you have a getaddrinfo that fails for the all-zeros IPv6 address
 +   */
 +/* #undef AIX_GETNAMEINFO_HACK */
 +
 +/* Define if your AIX loginfailed() function takes 4 arguments (AIX >= 5.2) */
 +/* #undef AIX_LOGINFAILED_4ARG */
 +
 +/* System only supports IPv4 audit records */
 +/* #undef AU_IPv4 */
 +
 +/* Define if your resolver libs need this for getrrsetbyname */
 +/* #undef BIND_8_COMPAT */
 +
 +/* The system has incomplete BSM API */
 +/* #undef BROKEN_BSM_API */
 +
 +/* broken in chroots on older kernels */
 +/* #undef BROKEN_CLOSEFROM */
 +
 +/* Define if cmsg_type is not passed correctly */
 +/* #undef BROKEN_CMSG_TYPE */
 +
 +/* getaddrinfo is broken (if present) */
 +/* #undef BROKEN_GETADDRINFO */
 +
 +/* getgroups(0,NULL) will return -1 */
 +/* #undef BROKEN_GETGROUPS */
 +
 +/* getline is not what we expect */
 +/* #undef BROKEN_GETLINE */
 +
 +/* FreeBSD glob does not do what we need */
 +#define BROKEN_GLOB 1
 +
 +/* Define if you system's inet_ntoa is busted (e.g. Irix gcc issue) */
 +/* #undef BROKEN_INET_NTOA */
 +
 +/* Define if your struct dirent expects you to allocate extra space for d_name
 +   */
 +/* #undef BROKEN_ONE_BYTE_DIRENT_D_NAME */
 +
 +/* System poll(2) implementation is broken */
 +/* #undef BROKEN_POLL */
 +
 +/* Can't do comparisons on readv */
 +/* #undef BROKEN_READV_COMPARISON */
 +
 +/* NetBSD read function is sometimes redirected, breaking atomicio comparisons
 +   against it */
 +/* #undef BROKEN_READ_COMPARISON */
 +
 +/* Needed for NeXT */
 +/* #undef BROKEN_SAVED_UIDS */
 +
 +/* Define if your setregid() is broken */
 +/* #undef BROKEN_SETREGID */
 +
 +/* Define if your setresgid() is broken */
 +/* #undef BROKEN_SETRESGID */
 +
 +/* Define if your setresuid() is broken */
 +/* #undef BROKEN_SETRESUID */
 +
 +/* Define if your setreuid() is broken */
 +/* #undef BROKEN_SETREUID */
 +
 +/* LynxOS has broken setvbuf() implementation */
 +/* #undef BROKEN_SETVBUF */
 +
 +/* QNX shadow support is broken */
 +/* #undef BROKEN_SHADOW_EXPIRE */
 +
 +/* Define if your snprintf is busted */
 +/* #undef BROKEN_SNPRINTF */
 +
 +/* strndup broken, see APAR IY61211 */
 +/* #undef BROKEN_STRNDUP */
 +
 +/* strnlen broken, see APAR IY62551 */
 +/* #undef BROKEN_STRNLEN */
 +
 +/* strnvis detected broken */
 +#define BROKEN_STRNVIS 1
 +
 +/* tcgetattr with ICANON may hang */
 +/* #undef BROKEN_TCGETATTR_ICANON */
 +
 +/* updwtmpx is broken (if present) */
 +/* #undef BROKEN_UPDWTMPX */
 +
 +/* Define if you have BSD auth support */
 +/* #undef BSD_AUTH */
 +
 +/* Define if you want to specify the path to your lastlog file */
 +/* #undef CONF_LASTLOG_FILE */
 +
 +/* Define if you want to specify the path to your utmp file */
 +/* #undef CONF_UTMP_FILE */
 +
 +/* Define if you want to specify the path to your wtmpx file */
 +/* #undef CONF_WTMPX_FILE */
 +
 +/* Define if you want to specify the path to your wtmp file */
 +/* #undef CONF_WTMP_FILE */
 +
 +/* Need to call setpgrp as root */
 +/* #undef DISABLE_FD_PASSING */
 +
 +/* Define if you don't want to use lastlog */
 +/* #undef DISABLE_LASTLOG */
 +
 +/* Define if you don't want to use your system's login() call */
 +/* #undef DISABLE_LOGIN */
 +
 +/* Define if you don't want to use pututline() etc. to write [uw]tmp */
 +/* #undef DISABLE_PUTUTLINE */
 +
 +/* Define if you don't want to use pututxline() etc. to write [uw]tmpx */
 +/* #undef DISABLE_PUTUTXLINE */
 +
 +/* Define if you want to disable shadow passwords */
 +/* #undef DISABLE_SHADOW */
 +
 +/* Define if you don't want to use utmp */
 +#define DISABLE_UTMP 1
 +
 +/* Define if you don't want to use utmpx */
 +/* #undef DISABLE_UTMPX */
 +
 +/* Define if you don't want to use wtmp */
 +#define DISABLE_WTMP 1
 +
 +/* Define if you don't want to use wtmpx */
 +#define DISABLE_WTMPX 1
 +
 +/* Enable for PKCS#11 support */
 +#define ENABLE_PKCS11 /**/
 +
 +/* Enable for U2F/FIDO support */
 +#define ENABLE_SK /**/
 +
 +/* Enable for built-in U2F/FIDO support */
 +/* #undef ENABLE_SK_INTERNAL */
 +
 +/* define if fflush(NULL) does not work */
 +/* #undef FFLUSH_NULL_BUG */
 +
 +/* File names may not contain backslash characters */
 +/* #undef FILESYSTEM_NO_BACKSLASH */
 +
 +/* fsid_t has member val */
 +/* #undef FSID_HAS_VAL */
 +
 +/* fsid_t has member __val */
 +/* #undef FSID_HAS___VAL */
 +
 +/* getpgrp takes one arg */
 +#define GETPGRP_VOID 1
 +
 +/* Conflicting defs for getspnam */
 +/* #undef GETSPNAM_CONFLICTING_DEFS */
 +
 +/* Define if your system glob() function has the GLOB_ALTDIRFUNC extension */
 +#define GLOB_HAS_ALTDIRFUNC 1
 +
 +/* Define if your system glob() function has gl_matchc options in glob_t */
 +#define GLOB_HAS_GL_MATCHC 1
 +
 +/* Define if your system glob() function has gl_statv options in glob_t */
 +/* #undef GLOB_HAS_GL_STATV */
 +
 +/* Define this if you want GSSAPI support in the version 2 protocol */
 +/* #undef GSSAPI */
 +
 +/* Define if you want to use shadow password expire field */
 +/* #undef HAS_SHADOW_EXPIRE */
 +
 +/* Define if your system uses access rights style file descriptor passing */
 +/* #undef HAVE_ACCRIGHTS_IN_MSGHDR */
 +
 +/* Define if you have ut_addr in utmp.h */
 +/* #undef HAVE_ADDR_IN_UTMP */
 +
 +/* Define if you have ut_addr in utmpx.h */
 +/* #undef HAVE_ADDR_IN_UTMPX */
 +
 +/* Define if you have ut_addr_v6 in utmp.h */
 +/* #undef HAVE_ADDR_V6_IN_UTMP */
 +
 +/* Define if you have ut_addr_v6 in utmpx.h */
 +/* #undef HAVE_ADDR_V6_IN_UTMPX */
 +
 +/* Define to 1 if you have the `arc4random' function. */
 +#define HAVE_ARC4RANDOM 1
 +
 +/* Define to 1 if you have the `arc4random_buf' function. */
 +#define HAVE_ARC4RANDOM_BUF 1
 +
 +/* Define to 1 if you have the `arc4random_stir' function. */
 +/* #undef HAVE_ARC4RANDOM_STIR */
 +
 +/* Define to 1 if you have the `arc4random_uniform' function. */
 +#define HAVE_ARC4RANDOM_UNIFORM 1
 +
 +/* Define to 1 if you have the `asprintf' function. */
 +#define HAVE_ASPRINTF 1
 +
 +/* OpenBSD's gcc has bounded */
 +/* #undef HAVE_ATTRIBUTE__BOUNDED__ */
 +
 +/* Have attribute nonnull */
 +#define HAVE_ATTRIBUTE__NONNULL__ 1
 +
 +/* OpenBSD's gcc has sentinel */
 +/* #undef HAVE_ATTRIBUTE__SENTINEL__ */
 +
 +/* Define to 1 if you have the `aug_get_machine' function. */
 +/* #undef HAVE_AUG_GET_MACHINE */
 +
 +/* Define to 1 if you have the `auth_hostok' function. */
 +#define HAVE_AUTH_HOSTOK 1
 +
 +/* Define to 1 if you have the `auth_timeok' function. */
 +#define HAVE_AUTH_TIMEOK 1
 +
 +/* Define to 1 if you have the `b64_ntop' function. */
 +/* #undef HAVE_B64_NTOP */
 +
 +/* Define to 1 if you have the `b64_pton' function. */
 +/* #undef HAVE_B64_PTON */
 +
 +/* Define if you have the basename function. */
 +#define HAVE_BASENAME 1
 +
 +/* Define to 1 if you have the `bcopy' function. */
 +#define HAVE_BCOPY 1
 +
 +/* Define to 1 if you have the `bcrypt_pbkdf' function. */
 +/* #undef HAVE_BCRYPT_PBKDF */
 +
 +/* Define to 1 if you have the `bindresvport_sa' function. */
 +#define HAVE_BINDRESVPORT_SA 1
 +
 +/* Define to 1 if you have the `blf_enc' function. */
 +/* #undef HAVE_BLF_ENC */
 +
 +/* Define to 1 if you have the <blf.h> header file. */
 +/* #undef HAVE_BLF_H */
 +
 +/* Define to 1 if you have the `Blowfish_expand0state' function. */
 +/* #undef HAVE_BLOWFISH_EXPAND0STATE */
 +
 +/* Define to 1 if you have the `Blowfish_expandstate' function. */
 +/* #undef HAVE_BLOWFISH_EXPANDSTATE */
 +
 +/* Define to 1 if you have the `Blowfish_initstate' function. */
 +/* #undef HAVE_BLOWFISH_INITSTATE */
 +
 +/* Define to 1 if you have the `Blowfish_stream2word' function. */
 +/* #undef HAVE_BLOWFISH_STREAM2WORD */
 +
 +/* Define to 1 if you have the `BN_is_prime_ex' function. */
 +#define HAVE_BN_IS_PRIME_EX 1
 +
 +/* Define to 1 if you have the <bsd/libutil.h> header file. */
 +/* #undef HAVE_BSD_LIBUTIL_H */
 +
 +/* Define to 1 if you have the <bsm/audit.h> header file. */
 +/* #undef HAVE_BSM_AUDIT_H */
 +
 +/* Define to 1 if you have the <bstring.h> header file. */
 +/* #undef HAVE_BSTRING_H */
 +
 +/* Define to 1 if you have the `bzero' function. */
 +#define HAVE_BZERO 1
 +
 +/* calloc(0, x) returns NULL */
 +#define HAVE_CALLOC 1
 +
 +/* Define if you have caph_cache_tzdata */
 +#define HAVE_CAPH_CACHE_TZDATA 1
 +
 +/* Define to 1 if you have the <capsicum_helpers.h> header file. */
 +#define HAVE_CAPSICUM_HELPERS_H 1
 +
 +/* Define to 1 if you have the `cap_rights_limit' function. */
 +#define HAVE_CAP_RIGHTS_LIMIT 1
 +
 +/* Define to 1 if you have the `clock' function. */
 +#define HAVE_CLOCK 1
 +
 +/* Have clock_gettime */
 +#define HAVE_CLOCK_GETTIME 1
 +
 +/* define if you have clock_t data type */
 +#define HAVE_CLOCK_T 1
 +
 +/* Define to 1 if you have the `closefrom' function. */
 +#define HAVE_CLOSEFROM 1
 +
 +/* Define to 1 if you have the `close_range' function. */
 +#define HAVE_CLOSE_RANGE 1
 +
 +/* Define if gai_strerror() returns const char * */
 +#define HAVE_CONST_GAI_STRERROR_PROTO 1
 +
 +/* Define if your system uses ancillary data style file descriptor passing */
 +#define HAVE_CONTROL_IN_MSGHDR 1
 +
 +/* Define to 1 if you have the `crypt' function. */
 +#define HAVE_CRYPT 1
 +
 +/* Define to 1 if you have the <crypto/sha2.h> header file. */
 +/* #undef HAVE_CRYPTO_SHA2_H */
 +
 +/* Define to 1 if you have the <crypt.h> header file. */
 +/* #undef HAVE_CRYPT_H */
 +
 +/* Define if you are on Cygwin */
 +/* #undef HAVE_CYGWIN */
 +
 +/* Define if your libraries define daemon() */
 +#define HAVE_DAEMON 1
 +
 +/* Define to 1 if you have the declaration of `AI_NUMERICSERV', and to 0 if
 +   you don't. */
 +#define HAVE_DECL_AI_NUMERICSERV 1
 +
 +/* Define to 1 if you have the declaration of `authenticate', and to 0 if you
 +   don't. */
 +/* #undef HAVE_DECL_AUTHENTICATE */
 +
 +/* Define to 1 if you have the declaration of `bzero', and to 0 if you don't.
 +   */
 +#define HAVE_DECL_BZERO 1
 +
 +/* Define to 1 if you have the declaration of `ftruncate', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_FTRUNCATE 1
 +
 +/* Define to 1 if you have the declaration of `getentropy', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_GETENTROPY 1
 +
 +/* Define to 1 if you have the declaration of `getpeereid', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_GETPEEREID 1
 +
 +/* Define to 1 if you have the declaration of `GLOB_NOMATCH', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_GLOB_NOMATCH 1
 +
 +/* Define to 1 if you have the declaration of `GSS_C_NT_HOSTBASED_SERVICE',
 +   and to 0 if you don't. */
 +/* #undef HAVE_DECL_GSS_C_NT_HOSTBASED_SERVICE */
 +
 +/* Define to 1 if you have the declaration of `howmany', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_HOWMANY 1
 +
 +/* Define to 1 if you have the declaration of `h_errno', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_H_ERRNO 1
 +
 +/* Define to 1 if you have the declaration of `loginfailed', and to 0 if you
 +   don't. */
 +/* #undef HAVE_DECL_LOGINFAILED */
 +
 +/* Define to 1 if you have the declaration of `loginrestrictions', and to 0 if
 +   you don't. */
 +/* #undef HAVE_DECL_LOGINRESTRICTIONS */
 +
 +/* Define to 1 if you have the declaration of `loginsuccess', and to 0 if you
 +   don't. */
 +/* #undef HAVE_DECL_LOGINSUCCESS */
 +
 +/* Define to 1 if you have the declaration of `MAXSYMLINKS', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_MAXSYMLINKS 1
 +
 +/* Define to 1 if you have the declaration of `memmem', and to 0 if you don't.
 +   */
 +#define HAVE_DECL_MEMMEM 1
 +
 +/* Define to 1 if you have the declaration of `NFDBITS', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_NFDBITS 1
 +
 +/* Define to 1 if you have the declaration of `offsetof', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_OFFSETOF 1
 +
 +/* Define to 1 if you have the declaration of `O_NONBLOCK', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_O_NONBLOCK 1
 +
 +/* Define to 1 if you have the declaration of `passwdexpired', and to 0 if you
 +   don't. */
 +/* #undef HAVE_DECL_PASSWDEXPIRED */
 +
 +/* Define to 1 if you have the declaration of `readv', and to 0 if you don't.
 +   */
 +#define HAVE_DECL_READV 1
 +
 +/* Define to 1 if you have the declaration of `setauthdb', and to 0 if you
 +   don't. */
 +/* #undef HAVE_DECL_SETAUTHDB */
 +
 +/* Define to 1 if you have the declaration of `SHUT_RD', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_SHUT_RD 1
 +
 +/* Define to 1 if you have the declaration of `UINT32_MAX', and to 0 if you
 +   don't. */
 +#define HAVE_DECL_UINT32_MAX 1
 +
 +/* Define to 1 if you have the declaration of `writev', and to 0 if you don't.
 +   */
 +#define HAVE_DECL_WRITEV 1
 +
 +/* Define to 1 if you have the declaration of `_getlong', and to 0 if you
 +   don't. */
 +#define HAVE_DECL__GETLONG 0
 +
 +/* Define to 1 if you have the declaration of `_getshort', and to 0 if you
 +   don't. */
 +#define HAVE_DECL__GETSHORT 0
 +
 +/* Define to 1 if you have the `DES_crypt' function. */
 +#define HAVE_DES_CRYPT 1
 +
 +/* Define if you have /dev/ptmx */
 +/* #undef HAVE_DEV_PTMX */
 +
 +/* Define if you have /dev/ptc */
 +/* #undef HAVE_DEV_PTS_AND_PTC */
 +
- /* Define to 1 if you have the `DH_get0_key' function. */
- #define HAVE_DH_GET0_KEY 1
- 
- /* Define to 1 if you have the `DH_get0_pqg' function. */
- #define HAVE_DH_GET0_PQG 1
- 
- /* Define to 1 if you have the `DH_set0_key' function. */
- #define HAVE_DH_SET0_KEY 1
- 
- /* Define to 1 if you have the `DH_set0_pqg' function. */
- #define HAVE_DH_SET0_PQG 1
- 
- /* Define to 1 if you have the `DH_set_length' function. */
- #define HAVE_DH_SET_LENGTH 1
- 
 +/* Define to 1 if you have the <dirent.h> header file. */
 +#define HAVE_DIRENT_H 1
 +
 +/* Define to 1 if you have the `dirfd' function. */
 +#define HAVE_DIRFD 1
 +
 +/* Define to 1 if you have the `dirname' function. */
 +#define HAVE_DIRNAME 1
 +
 +/* Define to 1 if you have the `dlopen' function. */
 +#define HAVE_DLOPEN 1
 +
 +/* Define to 1 if you have the `DSA_generate_parameters_ex' function. */
 +#define HAVE_DSA_GENERATE_PARAMETERS_EX 1
 +
- /* Define to 1 if you have the `DSA_get0_key' function. */
- #define HAVE_DSA_GET0_KEY 1
- 
- /* Define to 1 if you have the `DSA_get0_pqg' function. */
- #define HAVE_DSA_GET0_PQG 1
- 
- /* Define to 1 if you have the `DSA_set0_key' function. */
- #define HAVE_DSA_SET0_KEY 1
- 
- /* Define to 1 if you have the `DSA_set0_pqg' function. */
- #define HAVE_DSA_SET0_PQG 1
- 
- /* Define to 1 if you have the `DSA_SIG_get0' function. */
- #define HAVE_DSA_SIG_GET0 1
- 
- /* Define to 1 if you have the `DSA_SIG_set0' function. */
- #define HAVE_DSA_SIG_SET0 1
- 
- /* Define to 1 if you have the `ECDSA_SIG_get0' function. */
- #define HAVE_ECDSA_SIG_GET0 1
- 
- /* Define to 1 if you have the `ECDSA_SIG_set0' function. */
- #define HAVE_ECDSA_SIG_SET0 1
- 
 +/* Define to 1 if you have the `EC_KEY_METHOD_new' function. */
 +#define HAVE_EC_KEY_METHOD_NEW 1
 +
 +/* Define to 1 if you have the <elf.h> header file. */
 +#define HAVE_ELF_H 1
 +
 +/* Define to 1 if you have the `endgrent' function. */
 +#define HAVE_ENDGRENT 1
 +
 +/* Define to 1 if you have the <endian.h> header file. */
- /* #undef HAVE_ENDIAN_H */
++#define HAVE_ENDIAN_H 1
 +
 +/* Define to 1 if you have the `endutent' function. */
 +/* #undef HAVE_ENDUTENT */
 +
 +/* Define to 1 if you have the `endutxent' function. */
 +#define HAVE_ENDUTXENT 1
 +
 +/* Define to 1 if you have the `err' function. */
 +#define HAVE_ERR 1
 +
 +/* Define to 1 if you have the `errx' function. */
 +#define HAVE_ERRX 1
 +
 +/* Define to 1 if you have the <err.h> header file. */
 +#define HAVE_ERR_H 1
 +
 +/* Define if your system has /etc/default/login */
 +/* #undef HAVE_ETC_DEFAULT_LOGIN */
 +
 +/* Define to 1 if you have the `EVP_chacha20' function. */
 +#define HAVE_EVP_CHACHA20 1
 +
 +/* Define to 1 if you have the `EVP_CIPHER_CTX_get_iv' function. */
 +/* #undef HAVE_EVP_CIPHER_CTX_GET_IV */
*** 11214 LINES SKIPPED ***