From 96b8844e9efe0cd768c9fdcd565453eea4bd7fd4 Mon Sep 17 00:00:00 2001
From: Markus Friedl <mfriedl@gmail.com>
Date: Fri, 28 Sep 2012 18:19:46 +0200
Subject: [PATCH] sync cvs as of 2012-10-05

---
 regress/CVS/Entries     |   8 ++--
 regress/cipher-speed.sh |   6 +--
 regress/multiplex.sh    |   6 +--
 regress/try-ciphers.sh  |   6 +--
 ssh/CVS/Entries         |  38 +++++++--------
 ssh/lib/CVS/Entries     |   2 +-
 ssh/lib/Makefile        |  13 ++++-
 ssh/mac.c               |  15 +++++-
 ssh/monitor_wrap.c      |   2 +-
 ssh/myproposal.h        |   3 +-
 ssh/packet.c            |   5 +-
 ssh/sftp.c              |  30 ++++++++++--
 ssh/ssh-keygen.c        |   4 +-
 ssh/ssh.1               | 103 ++++++++++++++++++++++++++++------------
 ssh/ssh/CVS/Entries     |   2 +-
 ssh/ssh_config.5        |   6 +--
 ssh/sshd.8              |   6 +--
 ssh/sshd_config.5       |   6 +--
 ssh/umac.h              |   8 +++-
 19 files changed, 182 insertions(+), 87 deletions(-)

diff --git a/regress/CVS/Entries b/regress/CVS/Entries
index 740a04b..cf7f928 100644
--- a/regress/CVS/Entries
+++ b/regress/CVS/Entries
@@ -1,6 +1,5 @@
 /Makefile/1.58/Thu Jan  6 22:46:21 2011//
 /host-expand.sh/1.1/Thu Jan  6 22:46:21 2011//
-/sshd-log-wrapper.sh/1.2/Sun Feb 27 11:40:30 2005//
 /agent-getpeereid.sh/1.4/Mon Mar 26 21:06:58 2012//
 /agent-pkcs11.sh/1.1/Mon Mar 26 21:06:58 2012//
 /agent-ptrace.sh/1.1/Mon Mar 26 21:06:58 2012//
@@ -60,10 +59,11 @@
 /transfer.sh/1.1/Mon Mar 26 21:06:58 2012//
 /yes-head.sh/1.4/Mon Mar 26 21:06:58 2012//
 /addrmatch.sh/1.4/Thu Aug  9 18:41:57 2012//
-/cipher-speed.sh/1.5/Thu Aug  9 18:41:57 2012//
 /connect-privsep.sh/1.4/Thu Aug  9 18:41:57 2012//
 /forwarding.sh/1.8/Thu Aug  9 18:41:57 2012//
-/multiplex.sh/1.16/Fri Sep 14 16:58:13 2012//
 /sftp-cmds.sh/1.12/Thu Aug  9 18:41:57 2012//
-/try-ciphers.sh/1.14/Fri Sep 14 16:58:13 2012//
+/cipher-speed.sh/1.6/Fri Oct  5 12:38:36 2012//
+/multiplex.sh/1.17/Fri Oct  5 12:38:36 2012//
+/sshd-log-wrapper.sh/1.2/Fri Sep 21 10:04:07 2012//
+/try-ciphers.sh/1.15/Fri Oct  5 12:38:36 2012//
 D
diff --git a/regress/cipher-speed.sh b/regress/cipher-speed.sh
index 9cc2613..c332fd7 100644
--- a/regress/cipher-speed.sh
+++ b/regress/cipher-speed.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: cipher-speed.sh,v 1.5 2012/06/28 05:07:45 dtucker Exp $
+#	$OpenBSD: cipher-speed.sh,v 1.6 2012/10/05 02:20:48 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="cipher speed"
@@ -16,8 +16,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
 	arcfour128 arcfour256 arcfour 
 	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
 	aes128-ctr aes192-ctr aes256-ctr"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96
-	hmac-sha2-256 hmac-sha2-512"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+	hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512"
 
 for c in $ciphers; do for m in $macs; do
 	trace "proto 2 cipher $c mac $m"
diff --git a/regress/multiplex.sh b/regress/multiplex.sh
index 2bb8e30..d95ab49 100644
--- a/regress/multiplex.sh
+++ b/regress/multiplex.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: multiplex.sh,v 1.16 2012/09/10 01:51:19 dtucker Exp $
+#	$OpenBSD: multiplex.sh,v 1.17 2012/10/05 02:05:30 dtucker Exp $
 #	Placed in the Public Domain.
 
 CTL=$OBJ/ctl-sock
@@ -91,7 +91,7 @@ ${SSH} -F $OBJ/ssh_config -S $CTL -Oexit otherhost >>$TEST_SSH_LOGFILE 2>&1 \
 
 # Wait for master to exit
 wait $MASTER_PID
-ps -p $MASTER_PID >/dev/null && fail "exit command failed"
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "exit command failed"
 
 # Restart master and test -O stop command with master using -N
 verbose "test $tid: cmd stop"
@@ -112,4 +112,4 @@ wait $SLEEP_PID
 [ $! != 0 ] || fail "waiting for concurrent command"
 wait $MASTER_PID
 [ $! != 0 ] || fail "waiting for master stop"
-ps -p $MASTER_PID >/dev/null && fail "stop command failed"
+kill -0 $MASTER_PID >/dev/null 2>&1 && fail "stop command failed"
diff --git a/regress/try-ciphers.sh b/regress/try-ciphers.sh
index feb35d3..cbd7d7a 100644
--- a/regress/try-ciphers.sh
+++ b/regress/try-ciphers.sh
@@ -1,4 +1,4 @@
-#	$OpenBSD: try-ciphers.sh,v 1.14 2012/09/06 04:11:07 dtucker Exp $
+#	$OpenBSD: try-ciphers.sh,v 1.15 2012/10/05 02:20:48 dtucker Exp $
 #	Placed in the Public Domain.
 
 tid="try ciphers"
@@ -7,8 +7,8 @@ ciphers="aes128-cbc 3des-cbc blowfish-cbc cast128-cbc
 	arcfour128 arcfour256 arcfour 
 	aes192-cbc aes256-cbc rijndael-cbc@lysator.liu.se
 	aes128-ctr aes192-ctr aes256-ctr"
-macs="hmac-sha1 hmac-md5 umac-64@openssh.com hmac-sha1-96 hmac-md5-96
-	hmac-sha2-256 hmac-sha2-512"
+macs="hmac-sha1 hmac-md5 umac-64@openssh.com umac-128@openssh.com
+	hmac-sha1-96 hmac-md5-96 hmac-sha2-256 hmac-sha2-512"
 
 for c in $ciphers; do
 	for m in $macs; do
diff --git a/ssh/CVS/Entries b/ssh/CVS/Entries
index 31a7d8c..931faa8 100644
--- a/ssh/CVS/Entries
+++ b/ssh/CVS/Entries
@@ -41,11 +41,6 @@ D/sshd////
 /authfd.c/1.86/Fri Jan  6 10:00:45 2012//
 /authfd.h/1.37/Fri Jan  6 10:00:45 2012//
 /authfile.h/1.16/Fri Jan  6 10:00:45 2012//
-/bufaux.c/1.50/Fri Jan  6 10:00:45 2012//
-/bufbn.c/1.6/Fri Jan  6 10:00:45 2012//
-/bufec.c/1.1/Fri Jan  6 10:00:45 2012//
-/buffer.c/1.32/Fri Jan  6 10:00:45 2012//
-/buffer.h/1.21/Fri Jan  6 10:00:45 2012//
 /canohost.c/1.66/Fri Jan  6 10:00:45 2012//
 /canohost.h/1.11/Fri Jan  6 10:00:45 2012//
 /cipher-3des1.c/1.7/Fri Jan  6 10:00:45 2012//
@@ -66,7 +61,6 @@ D/sshd////
 /match.c/1.27/Fri Jan  6 10:00:47 2012//
 /misc.c/1.86/Fri Jan  6 10:00:47 2012//
 /misc.h/1.48/Fri Jan  6 10:00:47 2012//
-/monitor_wrap.c/1.73/Fri Jan  6 10:00:48 2012//
 /monitor_wrap.h/1.23/Fri Jan  6 10:00:48 2012//
 /nchan.c/1.63/Fri Jan  6 10:00:48 2012//
 /readconf.c/1.194/Fri Jan  6 10:00:48 2012//
@@ -115,7 +109,6 @@ D/sshd////
 /gss-serv.c/1.23/Mon Mar 19 16:04:54 2012//
 /jpake.h/1.2/Mon Mar 19 16:04:54 2012//
 /key.h/1.34/Result of merge//
-/mac.c/1.18/Result of merge//
 /match.h/1.15/Mon Mar 19 16:04:54 2012//
 /monitor.h/1.16/Mon Mar 19 16:04:54 2012//
 /monitor_fdpass.c/1.19/Mon Mar 19 16:04:54 2012//
@@ -133,7 +126,6 @@ D/sshd////
 /readpass.c/1.48/Mon Mar 19 16:04:54 2012//
 /roaming.h/1.6/Mon Mar 19 16:04:54 2012//
 /roaming_common.c/1.9/Mon Mar 19 16:04:54 2012//
-/roaming_serv.c/1.1/Mon Mar 19 16:04:54 2012//
 /sandbox-rlimit.c/1.3/Mon Mar 19 16:04:54 2012//
 /schnorr.c/1.5/Wed Mar 21 09:25:01 2012//
 /schnorr.h/1.1/Mon Mar 19 16:04:54 2012//
@@ -174,7 +166,6 @@ D/sshd////
 /ttymodes.h/1.14/Mon Mar 19 16:04:54 2012//
 /uidswap.c/1.35/Mon Mar 19 16:04:54 2012//
 /uidswap.h/1.13/Mon Mar 19 16:04:54 2012//
-/umac.h/1.1/Wed Mar 21 09:25:01 2012//
 /uuencode.c/1.26/Mon Mar 19 16:04:54 2012//
 /uuencode.h/1.14/Mon Mar 19 16:04:54 2012//
 /xmalloc.c/1.27/Mon Mar 19 16:04:54 2012//
@@ -189,29 +180,38 @@ D/sshd////
 /jpake.c/1.7/Thu Aug  9 18:41:57 2012//
 /key.c/1.99/Result of merge//
 /log.c/1.43/Result of merge//
-/log.h/1.19/Fri Sep 14 16:41:13 2012//
 /moduli.c/1.26/Thu Aug  9 18:41:57 2012//
 /monitor.c/1.117/Result of merge//
 /mux.c/1.37/Result of merge//
-/myproposal.h/1.29/Thu Aug  9 18:41:57 2012//
-/packet.c/1.176/Result of merge//
 /packet.h/1.57/Result of merge//
 /sandbox-systrace.c/1.6/Thu Aug  9 18:41:57 2012//
 /servconf.c/1.230/Fri Sep 14 16:41:14 2012//
 /servconf.h/1.103/Thu Aug  9 18:41:57 2012//
 /sftp-client.c/1.97/Thu Aug  9 18:41:57 2012//
-/sftp.c/1.136/Thu Aug  9 18:41:57 2012//
-/ssh-keygen.1/1.110/Fri Sep 14 16:41:14 2012//
-/ssh-keygen.c/1.217/Result of merge//
 /ssh-keyscan.1/1.30/Thu Aug  9 18:41:57 2012//
 /ssh-pkcs11-helper.c/1.4/Result of merge//
-/ssh.1/1.328/Fri Sep 14 16:41:15 2012//
 /ssh.c/1.370/Result of merge//
-/ssh_config.5/1.157/Thu Aug  9 18:41:57 2012//
-/sshd.8/1.266/Thu Aug  9 18:41:57 2012//
 /sshd.c/1.393/Result of merge//
 /sshd_config/1.87/Thu Aug  9 18:41:57 2012//
-/sshd_config.5/1.144/Thu Aug  9 18:41:57 2012//
 /version.h/1.65/Thu Aug  9 18:41:57 2012//
 /kex.c/1.87/Result of merge//
 /sshconnect.c/1.236/Result of merge//
+/bufaux.c/1.50/Tue Sep 25 15:24:07 2012//
+/bufbn.c/1.6/Tue Sep 25 15:24:07 2012//
+/bufec.c/1.1/Tue Sep 25 15:24:07 2012//
+/buffer.c/1.32/Tue Sep 25 15:24:07 2012//
+/buffer.h/1.21/Tue Sep 25 15:24:07 2012//
+/log.h/1.19/Mon Sep 17 19:41:04 2012//
+/roaming_serv.c/1.1/Thu Sep 20 21:50:47 2012//
+/ssh-keygen.1/1.110/Mon Sep 17 19:41:04 2012//
+/packet.c/1.177/Result of merge//
+/mac.c/1.19/Result of merge//
+/ssh-keygen.c/1.218/Result of merge//
+/monitor_wrap.c/1.74/Result of merge//
+/myproposal.h/1.30/Thu Oct  4 13:30:40 2012//
+/sftp.c/1.141/Result of merge//
+/ssh.1/1.330/Thu Oct  4 13:30:40 2012//
+/ssh_config.5/1.158/Thu Oct  4 13:30:40 2012//
+/sshd.8/1.267/Thu Oct  4 13:30:40 2012//
+/sshd_config.5/1.145/Thu Oct  4 13:30:40 2012//
+/umac.h/1.2/Thu Oct  4 13:30:40 2012//
diff --git a/ssh/lib/CVS/Entries b/ssh/lib/CVS/Entries
index 994c1a4..4aa211a 100644
--- a/ssh/lib/CVS/Entries
+++ b/ssh/lib/CVS/Entries
@@ -1,2 +1,2 @@
-/Makefile/1.64/Result of merge//
+/Makefile/1.65/Result of merge//
 D
diff --git a/ssh/lib/Makefile b/ssh/lib/Makefile
index f8bea4e..aee76dc 100644
--- a/ssh/lib/Makefile
+++ b/ssh/lib/Makefile
@@ -1,4 +1,4 @@
-#	$OpenBSD: Makefile,v 1.64 2012/08/02 13:38:39 okan Exp $
+#	$OpenBSD: Makefile,v 1.65 2012/10/04 13:21:50 markus Exp $
 
 .PATH:		${.CURDIR}/..
 
@@ -23,6 +23,17 @@ SRCS+=	kexdhs.c kexgexs.c kexecdhs.c
 SRCS+=	ssh_api.c
 SRCS+=	roaming_dummy.c
 
+SRCS+=	umac128.c
+CLEANFILES+=   umac128.c
+umac128.c: umac.c Makefile
+	sed \
+	    -e "s/^#define UMAC_OUTPUT_LEN     8/#define UMAC_OUTPUT_LEN 16/" \
+	    -e s/umac_new/umac128_new/g \
+	    -e s/umac_update/umac128_update/g \
+	    -e s/umac_final/umac128_final/g \
+	    -e s/umac_delete/umac128_delete/g \
+	    < ${.CURDIR}/../umac.c > ${.TARGET}
+
 DEBUGLIBS= no
 NOPROFILE= yes
 
diff --git a/ssh/mac.c b/ssh/mac.c
index 4edbd96..080d9a9 100644
--- a/ssh/mac.c
+++ b/ssh/mac.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mac.c,v 1.18 2012/06/28 05:07:45 dtucker Exp $ */
+/* $OpenBSD: mac.c,v 1.19 2012/10/04 13:21:50 markus Exp $ */
 /*
  * Copyright (c) 2001 Markus Friedl.  All rights reserved.
  *
@@ -42,6 +42,7 @@
 
 #define SSH_EVP		1	/* OpenSSL EVP-based MAC */
 #define SSH_UMAC	2	/* UMAC (not integrated with OpenSSL) */
+#define SSH_UMAC128	3
 
 struct {
 	char		*name;
@@ -60,6 +61,7 @@ struct {
 	{ "hmac-ripemd160",		SSH_EVP, EVP_ripemd160, 0, -1, -1 },
 	{ "hmac-ripemd160@openssh.com",	SSH_EVP, EVP_ripemd160, 0, -1, -1 },
 	{ "umac-64@openssh.com",	SSH_UMAC, NULL, 0, 128, 64 },
+	{ "umac-128@openssh.com",	SSH_UMAC128, NULL, 0, 128, 128 },
 	{ NULL,				0, NULL, 0, -1, -1 }
 };
 
@@ -118,6 +120,9 @@ mac_init(Mac *mac)
 		if ((mac->umac_ctx = umac_new(mac->key)) == NULL)
 			return SSH_ERR_ALLOC_FAIL;
 		return 0;
+	case SSH_UMAC128:
+		mac->umac_ctx = umac128_new(mac->key);
+		return 0;
 	default:
 		return SSH_ERR_INVALID_ARGUMENT;
 	}
@@ -148,6 +153,11 @@ mac_compute(Mac *mac, u_int32_t seqno, u_char *data, int datalen,
 		umac_update(mac->umac_ctx, data, datalen);
 		umac_final(mac->umac_ctx, m, nonce);
 		break;
+	case SSH_UMAC128:
+		put_u64(nonce, seqno);
+		umac128_update(mac->umac_ctx, data, datalen);
+		umac128_final(mac->umac_ctx, m, nonce);
+		break;
 	default:
 		return SSH_ERR_INVALID_ARGUMENT;
 	}
@@ -165,6 +175,9 @@ mac_clear(Mac *mac)
 	if (mac->type == SSH_UMAC) {
 		if (mac->umac_ctx != NULL)
 			umac_delete(mac->umac_ctx);
+	} else if (mac->type == SSH_UMAC128) {
+		if (mac->umac_ctx != NULL)
+			umac128_delete(mac->umac_ctx);
 	} else if (mac->evp_md != NULL)
 		HMAC_cleanup(&mac->evp_ctx);
 	mac->evp_md = NULL;
diff --git a/ssh/monitor_wrap.c b/ssh/monitor_wrap.c
index 1c49879..6c92c08 100644
--- a/ssh/monitor_wrap.c
+++ b/ssh/monitor_wrap.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: monitor_wrap.c,v 1.73 2011/06/17 21:44:31 djm Exp $ */
+/* $OpenBSD: monitor_wrap.c,v 1.74 2012/10/01 13:59:51 naddy Exp $ */
 /*
  * Copyright 2002 Niels Provos <provos@citi.umich.edu>
  * Copyright 2002 Markus Friedl <markus@openbsd.org>
diff --git a/ssh/myproposal.h b/ssh/myproposal.h
index a714358..39df7a1 100644
--- a/ssh/myproposal.h
+++ b/ssh/myproposal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.29 2012/06/28 05:07:45 dtucker Exp $ */
+/* $OpenBSD: myproposal.h,v 1.30 2012/10/04 13:21:50 markus Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
@@ -56,6 +56,7 @@
 	"hmac-md5," \
 	"hmac-sha1," \
 	"umac-64@openssh.com," \
+	"umac-128@openssh.com," \
 	"hmac-sha2-256," \
 	"hmac-sha2-512," \
 	"hmac-ripemd160," \
diff --git a/ssh/packet.c b/ssh/packet.c
index c65f1a4..055fddf 100644
--- a/ssh/packet.c
+++ b/ssh/packet.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: packet.c,v 1.176 2012/01/25 19:40:09 markus Exp $ */
+/* $OpenBSD: packet.c,v 1.177 2012/09/17 13:04:11 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -925,6 +925,9 @@ ssh_set_newkeys(struct ssh *ssh, int mode)
 		mac  = &state->newkeys[mode]->mac;
 		comp = &state->newkeys[mode]->comp;
 		mac_clear(mac);
+		memset(enc->iv,  0, enc->block_size);
+		memset(enc->key, 0, enc->key_len);
+		memset(mac->key, 0, mac->key_len);
 		free(enc->name);
 		free(enc->iv);
 		free(enc->key);
diff --git a/ssh/sftp.c b/ssh/sftp.c
index d2beb57..256d1cf 100644
--- a/ssh/sftp.c
+++ b/ssh/sftp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.136 2012/06/22 14:36:33 dtucker Exp $ */
+/* $OpenBSD: sftp.c,v 1.141 2012/10/05 12:34:39 markus Exp $ */
 /*
  * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
  *
@@ -969,6 +969,10 @@ makeargv(const char *arg, int *argcp, int sloppy, char *lastquote,
 	state = MA_START;
 	i = j = 0;
 	for (;;) {
+		if ((size_t)argc >= sizeof(argv) / sizeof(*argv)){
+			error("Too many arguments.");
+			return NULL;
+		}
 		if (isspace(arg[i])) {
 			if (state == MA_UNQUOTED) {
 				/* Terminate current argument */
@@ -1672,7 +1676,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 {
 	glob_t g;
 	char *tmp, *tmp2, ins[3];
-	u_int i, hadglob, pwdlen, len, tmplen, filelen;
+	u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
 	const LineInfo *lf;
 	
 	/* Glob from "file" location */
@@ -1681,6 +1685,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 	else
 		xasprintf(&tmp, "%s*", file);
 
+	/* Check if the path is absolute. */
+	isabs = tmp[0] == '/';
+
 	memset(&g, 0, sizeof(g));
 	if (remote != LOCAL) {
 		tmp = make_absolute(tmp, remote_path);
@@ -1715,7 +1722,7 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 		goto out;
 
 	tmp2 = complete_ambiguous(file, g.gl_pathv, g.gl_matchc);
-	tmp = path_strip(tmp2, remote_path);
+	tmp = path_strip(tmp2, isabs ? NULL : remote_path);
 	xfree(tmp2);
 
 	if (tmp == NULL)
@@ -1724,8 +1731,18 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 	tmplen = strlen(tmp);
 	filelen = strlen(file);
 
-	if (tmplen > filelen)  {
-		tmp2 = tmp + filelen;
+	/* Count the number of escaped characters in the input string. */
+	cesc = isesc = 0;
+	for (i = 0; i < filelen; i++) {
+		if (!isesc && file[i] == '\\' && i + 1 < filelen){
+			isesc = 1;
+			cesc++;
+		} else
+			isesc = 0;
+	}
+
+	if (tmplen > (filelen - cesc)) {
+		tmp2 = tmp + filelen - cesc;
 		len = strlen(tmp2); 
 		/* quote argument on way out */
 		for (i = 0; i < len; i++) {
@@ -1739,6 +1756,8 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 			case '\t':
 			case '[':
 			case ' ':
+			case '#':
+			case '*':
 				if (quote == '\0' || tmp2[i] == quote) {
 					if (el_insertstr(el, ins) == -1)
 						fatal("el_insertstr "
@@ -1891,6 +1910,7 @@ interactive_loop(struct sftp_conn *conn, char *file1, char *file2)
 				return (-1);
 			}
 		} else {
+			/* XXX this is wrong wrt quoting */
 			if (file2 == NULL)
 				snprintf(cmd, sizeof cmd, "get %s", dir);
 			else
diff --git a/ssh/ssh-keygen.c b/ssh/ssh-keygen.c
index 5fb925a..3bc80f9 100644
--- a/ssh/ssh-keygen.c
+++ b/ssh/ssh-keygen.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-keygen.c,v 1.217 2012/08/17 01:25:58 djm Exp $ */
+/* $OpenBSD: ssh-keygen.c,v 1.218 2012/10/02 07:07:45 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1994 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -2020,7 +2020,7 @@ main(int argc, char **argv)
 	}
 
 	while ((opt = getopt(argc, argv, "AegiqpclBHLhvxXyF:b:f:t:D:I:J:j:K:P:"
-	    "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z")) != -1) {
+	    "m:N:n:O:C:r:g:R:T:G:M:S:s:a:V:W:z:")) != -1) {
 		switch (opt) {
 		case 'A':
 			gen_all_hostkeys = 1;
diff --git a/ssh/ssh.1 b/ssh/ssh.1
index b218e11..a5576ed 100644
--- a/ssh/ssh.1
+++ b/ssh/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.328 2012/09/06 13:57:42 jmc Exp $
-.Dd $Mdocdate: September 6 2012 $
+.\" $OpenBSD: ssh.1,v 1.330 2012/10/04 13:21:50 markus Exp $
+.Dd $Mdocdate: October 4 2012 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -674,7 +674,7 @@ it provides additional mechanisms for confidentiality
 (the traffic is encrypted using AES, 3DES, Blowfish, CAST128, or Arcfour)
 and integrity (hmac-md5, hmac-sha1,
 hmac-sha2-256, hmac-sha2-512,
-umac-64, hmac-ripemd160).
+umac-64, umac-128, hmac-ripemd160).
 Protocol 1 lacks a strong mechanism for ensuring the
 integrity of the connection.
 .Pp
@@ -1434,77 +1434,118 @@ if an error occurred.
 .Xr ssh_config 5 ,
 .Xr ssh-keysign 8 ,
 .Xr sshd 8
+.Sh STANDARDS
 .Rs
+.%A S. Lehtinen
+.%A C. Lonvick
+.%D January 2006
 .%R RFC 4250
-.%T "The Secure Shell (SSH) Protocol Assigned Numbers"
-.%D 2006
+.%T The Secure Shell (SSH) Protocol Assigned Numbers
 .Re
+.Pp
 .Rs
+.%A T. Ylonen
+.%A C. Lonvick
+.%D January 2006
 .%R RFC 4251
-.%T "The Secure Shell (SSH) Protocol Architecture"
-.%D 2006
+.%T The Secure Shell (SSH) Protocol Architecture
 .Re
+.Pp
 .Rs
+.%A T. Ylonen
+.%A C. Lonvick
+.%D January 2006
 .%R RFC 4252
-.%T "The Secure Shell (SSH) Authentication Protocol"
-.%D 2006
+.%T The Secure Shell (SSH) Authentication Protocol
 .Re
+.Pp
 .Rs
+.%A T. Ylonen
+.%A C. Lonvick
+.%D January 2006
 .%R RFC 4253
-.%T "The Secure Shell (SSH) Transport Layer Protocol"
-.%D 2006
+.%T The Secure Shell (SSH) Transport Layer Protocol
 .Re
+.Pp
 .Rs
+.%A T. Ylonen
+.%A C. Lonvick
+.%D January 2006
 .%R RFC 4254
-.%T "The Secure Shell (SSH) Connection Protocol"
-.%D 2006
+.%T The Secure Shell (SSH) Connection Protocol
 .Re
+.Pp
 .Rs
+.%A J. Schlyter
+.%A W. Griffin
+.%D January 2006
 .%R RFC 4255
-.%T "Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints"
-.%D 2006
+.%T Using DNS to Securely Publish Secure Shell (SSH) Key Fingerprints
 .Re
+.Pp
 .Rs
+.%A F. Cusack
+.%A M. Forssen
+.%D January 2006
 .%R RFC 4256
-.%T "Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)"
-.%D 2006
+.%T Generic Message Exchange Authentication for the Secure Shell Protocol (SSH)
 .Re
+.Pp
 .Rs
+.%A J. Galbraith
+.%A P. Remaker
+.%D January 2006
 .%R RFC 4335
-.%T "The Secure Shell (SSH) Session Channel Break Extension"
-.%D 2006
+.%T The Secure Shell (SSH) Session Channel Break Extension
 .Re
+.Pp
 .Rs
+.%A M. Bellare
+.%A T. Kohno
+.%A C. Namprempre
+.%D January 2006
 .%R RFC 4344
-.%T "The Secure Shell (SSH) Transport Layer Encryption Modes"
-.%D 2006
+.%T The Secure Shell (SSH) Transport Layer Encryption Modes
 .Re
+.Pp
 .Rs
+.%A B. Harris
+.%D January 2006
 .%R RFC 4345
-.%T "Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol"
-.%D 2006
+.%T Improved Arcfour Modes for the Secure Shell (SSH) Transport Layer Protocol
 .Re
+.Pp
 .Rs
+.%A M. Friedl
+.%A N. Provos
+.%A W. Simpson
+.%D March 2006
 .%R RFC 4419
-.%T "Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol"
-.%D 2006
+.%T Diffie-Hellman Group Exchange for the Secure Shell (SSH) Transport Layer Protocol
 .Re
+.Pp
 .Rs
+.%A J. Galbraith
+.%A R. Thayer
+.%D November 2006
 .%R RFC 4716
-.%T "The Secure Shell (SSH) Public Key File Format"
-.%D 2006
+.%T The Secure Shell (SSH) Public Key File Format
 .Re
+.Pp
 .Rs
+.%A D. Stebila
+.%A J. Green
+.%D December 2009
 .%R RFC 5656
-.%T "Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer"
-.%D 2009
+.%T Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer
 .Re
+.Pp
 .Rs
-.%T "Hash Visualization: a New Technique to improve Real-World Security"
 .%A A. Perrig
 .%A D. Song
 .%D 1999
-.%O "International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)"
+.%O International Workshop on Cryptographic Techniques and E-Commerce (CrypTEC '99)
+.%T Hash Visualization: a New Technique to improve Real-World Security
 .Re
 .Sh AUTHORS
 OpenSSH is a derivative of the original and free
diff --git a/ssh/ssh/CVS/Entries b/ssh/ssh/CVS/Entries
index c07a84e..6914cfc 100644
--- a/ssh/ssh/CVS/Entries
+++ b/ssh/ssh/CVS/Entries
@@ -1,2 +1,2 @@
-/Makefile/1.56/Fri Sep 14 16:41:15 2012//
+/Makefile/1.56/Mon Sep 17 19:41:04 2012//
 D
diff --git a/ssh/ssh_config.5 b/ssh/ssh_config.5
index 36b1af1..d3e801d 100644
--- a/ssh/ssh_config.5
+++ b/ssh/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.157 2012/06/29 13:57:25 naddy Exp $
-.Dd $Mdocdate: June 29 2012 $
+.\" $OpenBSD: ssh_config.5,v 1.158 2012/10/04 13:21:50 markus Exp $
+.Dd $Mdocdate: October 4 2012 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -792,7 +792,7 @@ for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:
 .Bd -literal -offset indent
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
diff --git a/ssh/sshd.8 b/ssh/sshd.8
index 34123ce..984f74e 100644
--- a/ssh/sshd.8
+++ b/ssh/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.266 2012/06/18 12:07:07 dtucker Exp $
-.Dd $Mdocdate: June 18 2012 $
+.\" $OpenBSD: sshd.8,v 1.267 2012/10/04 13:21:50 markus Exp $
+.Dd $Mdocdate: October 4 2012 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -316,7 +316,7 @@ The client selects the encryption algorithm
 to use from those offered by the server.
 Additionally, session integrity is provided
 through a cryptographic message authentication code
-(hmac-md5, hmac-sha1, umac-64, hmac-ripemd160,
+(hmac-md5, hmac-sha1, umac-64, umac-128, hmac-ripemd160,
 hmac-sha2-256 or hmac-sha2-512).
 .Pp
 Finally, the server and the client enter an authentication dialog.
diff --git a/ssh/sshd_config.5 b/ssh/sshd_config.5
index d1431e6..18f6a2f 100644
--- a/ssh/sshd_config.5
+++ b/ssh/sshd_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.144 2012/06/29 13:57:25 naddy Exp $
-.Dd $Mdocdate: June 29 2012 $
+.\" $OpenBSD: sshd_config.5,v 1.145 2012/10/04 13:21:50 markus Exp $
+.Dd $Mdocdate: October 4 2012 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -657,7 +657,7 @@ for data integrity protection.
 Multiple algorithms must be comma-separated.
 The default is:
 .Bd -literal -offset indent
-hmac-md5,hmac-sha1,umac-64@openssh.com,
+hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,
 hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,
 hmac-sha1-96,hmac-md5-96
 .Ed
diff --git a/ssh/umac.h b/ssh/umac.h
index 055c705..6795112 100644
--- a/ssh/umac.h
+++ b/ssh/umac.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: umac.h,v 1.1 2007/06/07 19:37:34 pvalchev Exp $ */
+/* $OpenBSD: umac.h,v 1.2 2012/10/04 13:21:50 markus Exp $ */
 /* -----------------------------------------------------------------------
  * 
  * umac.h -- C Implementation UMAC Message Authentication
@@ -116,6 +116,12 @@ int uhash(uhash_ctx_t ctx,
 
 #endif
 
+/* matching umac-128 API, we reuse umac_ctx, since it's opaque */
+struct umac_ctx *umac128_new(u_char key[]);
+int umac128_update(struct umac_ctx *ctx, u_char *input, long len);
+int umac128_final(struct umac_ctx *ctx, u_char tag[], u_char nonce[8]);
+int umac128_delete(struct umac_ctx *ctx);
+
 #ifdef __cplusplus
     }
 #endif