openssh: Update to 9.9p2

This release exists primarily to fix two security bugs. The fixes have
been independently imported into FreeBSD. This import serves to update
the ssh and sshd version numb

openssh: Update to 9.9p2

This release exists primarily to fix two security bugs. The fixes have
been independently imported into FreeBSD. This import serves to update
the ssh and sshd version number.

A few minor bug fixes are also included; see the upstream release notes
for full details of the 9.9p2 release
(https://www.openssh.com/releasenotes.html).

Sponsored by: The FreeBSD Foundation

show more ...

openssh: Update to 9.9p1

Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.

See the upstream release note

openssh: Update to 9.9p1

Highlights from the release notes are reproduced below. Bug fixes and
improvements that were previously merged into FreeBSD have been elided.

See the upstream release notes for full details of the 9.9p1 release
(https://www.openssh.com/releasenotes.html).

---

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.

Potentially-incompatible changes
--------------------------------

* ssh(1): remove support for pre-authentication compression.

* ssh(1), sshd(8): processing of the arguments to the "Match"
configuration directive now follows more shell-like rules for
quoted strings, including allowing nested quotes and \-escaped
characters.

New features
------------

* ssh(1), sshd(8): add support for a new hybrid post-quantum key
exchange based on the FIPS 203 Module-Lattice Key Enapsulation
mechanism (ML-KEM) combined with X25519 ECDH as described by
https://datatracker.ietf.org/doc/html/draft-kampanakis-curdle-ssh-pq-ke-03
This algorithm "mlkem768x25519-sha256" is available by default.

* ssh(1), sshd(8), ssh-agent(1): prevent private keys from being
included in core dump files for most of their lifespans. This is
in addition to pre-existing controls in ssh-agent(1) and sshd(8)
that prevented coredumps. This feature is supported on OpenBSD,
Linux and FreeBSD.

* All: convert key handling to use the libcrypto EVP_PKEY API, with
the exception of DSA.

Bugfixes
--------

* sshd(8): do not apply authorized_keys options when signature
verification fails. Prevents more restrictive key options being
incorrectly applied to subsequent keys in authorized_keys. bz3733

* ssh-keygen(1): include pathname in some of ssh-keygen's passphrase
prompts. Helps the user know what's going on when ssh-keygen is
invoked via other tools. Requested in GHPR503

* ssh(1), ssh-add(1): make parsing user@host consistently look for
the last '@' in the string rather than the first. This makes it
possible to more consistently use usernames that contain '@'
characters.

* ssh(1), sshd(8): be more strict in parsing key type names. Only
allow short names (e.g "rsa") in user-interface code and require
full SSH protocol names (e.g. "ssh-rsa") everywhere else. bz3725

* ssh-keygen(1): clarify that ed25519 is the default key type
generated and clarify that rsa-sha2-512 is the default signature
scheme when RSA is in use. GHPR505

---

Reviewed by: jlduran (build infrastructure)
Reviewed by: cy (build infrastructure)
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48947

show more ...

openssh: Update to 9.8p1

Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes

openssh: Update to 9.8p1

Highlights from the release notes are reproduced below. Some security
and bug fixes were previously merged into FreeBSD and have been elided.
See the upstream release notes for full details
(https://www.openssh.com/releasenotes.html).

---

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025.

Potentially-incompatible changes
--------------------------------

* sshd(8): the server will now block client addresses that
repeatedly fail authentication, repeatedly connect without ever
completing authentication or that crash the server. See the
discussion of PerSourcePenalties below for more information.
Operators of servers that accept connections from many users, or
servers that accept connections from addresses behind NAT or
proxies may need to consider these settings.

* sshd(8): the server has been split into a listener binary, sshd(8),
and a per-session binary "sshd-session". This allows for a much
smaller listener binary, as it no longer needs to support the SSH
protocol. As part of this work, support for disabling privilege
separation (which previously required code changes to disable) and
disabling re-execution of sshd(8) has been removed. Further
separation of sshd-session into additional, minimal binaries is
planned for the future.

* sshd(8): several log messages have changed. In particular, some
log messages will be tagged with as originating from a process
named "sshd-session" rather than "sshd".

* ssh-keyscan(1): this tool previously emitted comment lines
containing the hostname and SSH protocol banner to standard error.
This release now emits them to standard output, but adds a new
"-q" flag to silence them altogether.

* sshd(8): (portable OpenSSH only) sshd will no longer use argv[0]
as the PAM service name. A new "PAMServiceName" sshd_config(5)
directive allows selecting the service name at runtime. This
defaults to "sshd". bz2101

New features
------------

* sshd(8): sshd(8) will now penalise client addresses that, for various
reasons, do not successfully complete authentication. This feature is
controlled by a new sshd_config(5) PerSourcePenalties option and is
on by default.

* ssh(8): allow the HostkeyAlgorithms directive to disable the
implicit fallback from certificate host key to plain host keys.

Portability
-----------

* sshd(8): expose SSH_AUTH_INFO_0 always to PAM auth modules
unconditionally. The previous behaviour was to expose it only when
particular authentication methods were in use.

* ssh(1), ssh-agent(8): allow the presence of the WAYLAND_DISPLAY
environment variable to enable SSH_ASKPASS, similarly to the X11
DISPLAY environment variable. GHPR479

---

Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48914

show more ...

ssh: Update config.h for OpenSSL ED25519

OpenSSH-portable had a configure bug that prevented it from detecting
OpenSSL ED25519 support, fixed in 8d0e46c1ddb5 ("Fix OpenSSL ED25519
support detection"

ssh: Update config.h for OpenSSL ED25519

OpenSSH-portable had a configure bug that prevented it from detecting
OpenSSL ED25519 support, fixed in 8d0e46c1ddb5 ("Fix OpenSSL ED25519
support detection"). This will come in with the OpenSSH 9.8p1 update,
but fix the error in config.h now.

Reported by: jlduran
Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48942

show more ...

ssh: Disable support for DSA keys

This is the upstream default -- from the 9.8p1 release notes:

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA sign

ssh: Disable support for DSA keys

This is the upstream default -- from the 9.8p1 release notes:

Future deprecation notice
=========================

OpenSSH plans to remove support for the DSA signature algorithm in
early 2025. This release disables DSA by default at compile time.

DSA, as specified in the SSHv2 protocol, is inherently weak - being
limited to a 160 bit private key and use of the SHA1 digest. Its
estimated security level is only 80 bits symmetric equivalent.

OpenSSH has disabled DSA keys by default since 2015 but has retained
run-time optional support for them. DSA was the only mandatory-to-
implement algorithm in the SSHv2 RFCs, mostly because alternative
algorithms were encumbered by patents when the SSHv2 protocol was
specified.

This has not been the case for decades at this point and better
algorithms are well supported by all actively-maintained SSH
implementations. We do not consider the costs of maintaining DSA
in OpenSSH to be justified and hope that removing it from OpenSSH
can accelerate its wider deprecation in supporting cryptography
libraries.

This release, and its deactivation of DSA by default at compile-time,
marks the second step in our timeline to finally deprecate DSA. The
final step of removing DSA support entirely is planned for the first
OpenSSH release of 2025.

---

The config.h comment /* DSA keys explicitly enabled */ is somewhat
confusing, but this is what upstream's ./configure generates.

Reviewed by: jlduran
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48910

show more ...

ssh: Move XAUTH_PATH setting to ssh.mk

XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over

ssh: Move XAUTH_PATH setting to ssh.mk

XAUTH_PATH is normally set (in the upstream build infrastructure) in
config.h. We previously set it in ssh and sshd's Makefiles if LOCALBASE
is set, and over time have sometimes also defined it in config.h.

Leave it unset in config.h and move the CFLAGS logic to to ssh.mk so
that it will be set when building all ssh libraries and programs but
still be set by LOCALBASE.

Reviewed by: jlduran
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D48907

show more ...

openssh: use '' instead of `' in config.h

Autoconf 2.72 uses '' rather tha `' in comments in config.h, from
autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead
of `like this'").

openssh: use '' instead of `' in config.h

Autoconf 2.72 uses '' rather tha `' in comments in config.h, from
autoconf commit 64df9b4523fe ("Autoconf now quotes 'like this' instead
of `like this'").

Switch quoting style now to minimize diffs on the next OpenSSH update
and config.h regen.

Reviewed by: gordon, philip
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D45840

show more ...

ssh: Update to OpenSSH 9.7p1

This release contains mostly bugfixes.

It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year an

ssh: Update to OpenSSH 9.7p1

This release contains mostly bugfixes.

It also makes support for the DSA signature algorithm a compile-time
option, with plans to disable it upstream later this year and remove
support entirely in 2025.

Full release notes at https://www.openssh.com/txt/release-9.7

Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

ssh: Update to OpenSSH 9.6p1

From the release notes,

> This release contains a number of security fixes, some small features
> and bugfixes.

The most significant change in 9.6p1 is a set of fixes

ssh: Update to OpenSSH 9.6p1

From the release notes,

> This release contains a number of security fixes, some small features
> and bugfixes.

The most significant change in 9.6p1 is a set of fixes for a newly-
discovered weakness in the SSH transport protocol. The fix was already
merged into FreeBSD and released as FreeBSD-SA-23:19.openssh.

Full release notes at https://www.openssh.com/txt/release-9.6

Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

ssh: Update to OpenSSH 9.4p1

Excerpts from the release notes:

* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system

ssh: Update to OpenSSH 9.4p1

Excerpts from the release notes:

* ssh-agent(1): PKCS#11 modules must now be specified by their full
paths. Previously dlopen(3) could search for them in system
library directories.

* ssh(1): allow forwarding Unix Domain sockets via ssh -W.

* ssh(1): add support for configuration tags to ssh(1).
This adds a ssh_config(5) "Tag" directive and corresponding
"Match tag" predicate that may be used to select blocks of
configuration similar to the pf.conf(5) keywords of the same
name.

* ssh(1): add a "match localnetwork" predicate. This allows matching
on the addresses of available network interfaces and may be used to
vary the effective client configuration based on network location.

* ssh-agent(1): improve isolation between loaded PKCS#11 modules
by running separate ssh-pkcs11-helpers for each loaded provider.

* ssh-agent(1), ssh(1): improve defences against invalid PKCS#11
modules being loaded by checking that the requested module
contains the required symbol before loading it.

* ssh(1): don't incorrectly disable hostname canonicalization when
CanonicalizeHostname=yes and ProxyJump was expicitly set to
"none". bz3567

Full release notes at https://www.openssh.com/txt/release-9.4

Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

openssh: restore PrintLastLog option

Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
exist, but PrintLastLog also works with utmpx and other mechanisms.

Reported upstream at
ht

openssh: restore PrintLastLog option

Upstream's autoconf sets DISABLE_LASTLOG if lastlog.ll_line does not
exist, but PrintLastLog also works with utmpx and other mechanisms.

Reported upstream at
https://lists.mindrot.org/pipermail/openssh-unix-dev/2022-May/040242.html

PR: 209441
Sponsored by: The FreeBSD Foundation

show more ...

ssh: fix SIZEOF_TIME_T #define on i386

Reported by: imp
Reviewed by: imp
MFC after: 3 days
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D38443

ssh: update to OpenSSH 9.2p1

Release notes are available at https://www.openssh.com/txt/release-9.2

OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory saf

ssh: update to OpenSSH 9.2p1

Release notes are available at https://www.openssh.com/txt/release-9.2

OpenSSH 9.2 contains fixes for two security problems and a memory safety
problem. The memory safety problem is not believed to be exploitable.
These fixes have already been committed to OpenSSH 9.1 in FreeBSD.

Some other notable items from the release notes:

* ssh(1): add a new EnableEscapeCommandline ssh_config(5) option that
controls whether the client-side ~C escape sequence that provides a
command-line is available. Among other things, the ~C command-line
could be used to add additional port-forwards at runtime.

* sshd(8): add support for channel inactivity timeouts via a new
sshd_config(5) ChannelTimeout directive. This allows channels that
have not seen traffic in a configurable interval to be
automatically closed. Different timeouts may be applied to session,
X11, agent and TCP forwarding channels.

* sshd(8): add a sshd_config UnusedConnectionTimeout option to
terminate client connections that have no open channels for a
length of time. This complements the ChannelTimeout option above.

* sshd(8): add a -V (version) option to sshd like the ssh client has.

* scp(1), sftp(1): add a -X option to both scp(1) and sftp(1) to
allow control over some SFTP protocol parameters: the copy buffer
length and the number of in-flight requests, both of which are used
during upload/download. Previously these could be controlled in
sftp(1) only. This makes them available in both SFTP protocol
clients using the same option character sequence.

* ssh-keyscan(1): allow scanning of complete CIDR address ranges,
e.g. "ssh-keyscan 192.168.0.0/24". If a CIDR range is passed, then
it will be expanded to all possible addresses in the range
including the all-0s and all-1s addresses. bz#976

* ssh(1): support dynamic remote port forwarding in escape
command-line's -R processing. bz#3499

MFC after: 1 week
Sponsored by: The FreeBSD Foundation

show more ...

ssh: update to OpenSSH 9.1p1

Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the c

ssh: update to OpenSSH 9.1p1

Release notes are available at https://www.openssh.com/txt/release-9.1

9.1 contains fixes for three minor memory safety problems; these have
lready been merged to the copy of OpenSSH 9.0 that is in the FreeBSD base
system.

Some highlights copied from the release notes:

Potentially-incompatible changes
--------------------------------

* ssh(1), sshd(8): SetEnv directives in ssh_config and sshd_config
are now first-match-wins to match other directives. Previously
if an environment variable was multiply specified the last set
value would have been used. bz3438

* ssh-keygen(8): ssh-keygen -A (generate all default host key types)
will no longer generate DSA keys, as these are insecure and have
not been used by default for some years.

New features
------------

* ssh(1), sshd(8): add a RequiredRSASize directive to set a minimum
RSA key length. Keys below this length will be ignored for user
authentication and for host authentication in sshd(8).

* sftp-server(8): add a "users-groups-by-id@openssh.com" extension
request that allows the client to obtain user/group names that
correspond to a set of uids/gids.

* sftp(1): use "users-groups-by-id@openssh.com" sftp-server
extension (when available) to fill in user/group names for
directory listings.

* sftp-server(8): support the "home-directory" extension request
defined in draft-ietf-secsh-filexfer-extensions-00. This overlaps
a bit with the existing "expand-path@openssh.com", but some other
clients support it.

* ssh-keygen(1), sshd(8): allow certificate validity intervals,
sshsig verification times and authorized_keys expiry-time options
to accept dates in the UTC time zone in addition to the default
of interpreting them in the system time zone. YYYYMMDD and
YYMMDDHHMM[SS] dates/times will be interpreted as UTC if suffixed
with a 'Z' character.

Also allow certificate validity intervals to be specified in raw
seconds-since-epoch as hex value, e.g. -V 0x1234:0x4567890. This
is intended for use by regress tests and other tools that call
ssh-keygen as part of a CA workflow. bz3468

* sftp(1): allow arguments to the sftp -D option, e.g. sftp -D
"/usr/libexec/sftp-server -el debug3"

* ssh-keygen(1): allow the existing -U (use agent) flag to work
with "-Y sign" operations, where it will be interpreted to require
that the private keys is hosted in an agent; bz3429

MFC after: 2 weeks
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

ssh: update to OpenSSH v9.0p1

Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exch

ssh: update to OpenSSH v9.0p1

Release notes are available at https://www.openssh.com/txt/release-9.0

Some highlights:

* ssh(1), sshd(8): use the hybrid Streamlined NTRU Prime + x25519 key
exchange method by default ("sntrup761x25519-sha512@openssh.com").
The NTRU algorithm is believed to resist attacks enabled by future
quantum computers and is paired with the X25519 ECDH key exchange
(the previous default) as a backstop against any weaknesses in
NTRU Prime that may be discovered in the future. The combination
ensures that the hybrid exchange offers at least as good security
as the status quo.

* sftp-server(8): support the "copy-data" extension to allow server-
side copying of files/data, following the design in
draft-ietf-secsh-filexfer-extensions-00. bz2948

* sftp(1): add a "cp" command to allow the sftp client to perform
server-side file copies.

This commit excludes the scp(1) change to use the SFTP protocol by
default; that change will immediately follow.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting

ssh: update to OpenSSH v8.9p1

Release notes are available at https://www.openssh.com/txt/release-8.9

Some highlights:

* ssh(1), sshd(8), ssh-add(1), ssh-agent(1): add a system for
restricting forwarding and use of keys added to ssh-agent(1)

* ssh(1), sshd(8): add the sntrup761x25519-sha512@openssh.com hybrid
ECDH/x25519 + Streamlined NTRU Prime post-quantum KEX to the
default KEXAlgorithms list (after the ECDH methods but before the
prime-group DH ones). The next release of OpenSSH is likely to
make this key exchange the default method.

* sshd(8), portable OpenSSH only: this release removes in-built
support for MD5-hashed passwords. If you require these on your
system then we recommend linking against libxcrypt or similar.

Future deprecation notice
=========================

A near-future release of OpenSSH will switch scp(1) from using the
legacy scp/rcp protocol to using SFTP by default.

Legacy scp/rcp performs wildcard expansion of remote filenames (e.g.
"scp host:* .") through the remote shell. This has the side effect of
requiring double quoting of shell meta-characters in file names
included on scp(1) command-lines, otherwise they could be interpreted
as shell commands on the remote side.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

ssh: update to OpenSSH v8.8p1

OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.

The security update was already

ssh: update to OpenSSH v8.8p1

OpenSSH v8.8p1 was motivated primarily by a security update and
deprecation of RSA/SHA1 signatures. It also has a few minor bug fixes.

The security update was already applied to FreeBSD as an independent
change, and the RSA/SHA1 deprecation is excluded from this commit but
will immediately follow.

MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation

show more ...

openssh: regen config.h

Fixes: 19261079b743 ("openssh: update to OpenSSH v8.7p1")
Reported by: O. Hartmann
Sponsored by: The FreeBSD Foundation

openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new ho

openssh: update to OpenSSH v8.7p1

Some notable changes, from upstream's release notes:

- sshd(8): Remove support for obsolete "host/port" syntax.
- ssh(1): When prompting whether to record a new host key, accept the key
fingerprint as a synonym for "yes".
- ssh-keygen(1): when acting as a CA and signing certificates with an RSA
key, default to using the rsa-sha2-512 signature algorithm.
- ssh(1), sshd(8), ssh-keygen(1): this release removes the "ssh-rsa"
(RSA/SHA1) algorithm from those accepted for certificate signatures.
- ssh-sk-helper(8): this is a new binary. It is used by the FIDO/U2F
support to provide address-space isolation for token middleware
libraries (including the internal one).
- ssh(1): this release enables UpdateHostkeys by default subject to some
conservative preconditions.
- scp(1): this release changes the behaviour of remote to remote copies
(e.g. "scp host-a:/path host-b:") to transfer through the local host
by default.
- scp(1): experimental support for transfers using the SFTP protocol as
a replacement for the venerable SCP/RCP protocol that it has
traditionally used.

Additional integration work is needed to support FIDO/U2F in the base
system.

Deprecation Notice
------------------

OpenSSH will disable the ssh-rsa signature scheme by default in the
next release.

Reviewed by: imp
MFC after: 1 month
Relnotes: Yes
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D29985

show more ...

openssh: regenerate config.h

Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h. Regenerate config.h to avoid spurious
additional changes when OpenSSH i

openssh: regenerate config.h

Since config.h was last regenerated FreeBSD has added (a stub) libdl,
and has removed sys/dir.h. Regenerate config.h to avoid spurious
additional changes when OpenSSH is next updated.

There should be no issue if this change is MFC'd, but I don't plan to do
so. Although configure checks for libdl HAVE_LIBDL isn't even used, and
sys/dir.h was non-functional before being removed. The state of these
two config.h settings should make no difference in the built OpenSSH.

Sponsored by: The FreeBSD Foundation

show more ...

openssh: simplify login class restrictions

Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, incl

openssh: simplify login class restrictions

Login class-based restrictions were introduced in 5b400a39b8ad. The
code was adapted for sshd's Capsicum sandbox and received many changes
over time, including at least fc3c19a9fcee, bd393de91cc3, and
e8c56fba2926.

During an attempt to upstream the work a much simpler approach was
suggested. Adopt it now in the in-tree OpenSSH to reduce conflicts with
future updates.

Submitted by: Yuchiro Naito (against OpenSSH-portable on GitHub)
Obtained from: https://github.com/openssh/openssh-portable/pull/262
Reviewed by: allanjude, kevans
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D31760

show more ...

Merge ^/head r339015 through r339669.

Merge the remainder of the projects/openssl111 branch to head.

- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved b

Merge the remainder of the projects/openssl111 branch to head.

- Update OpenSSL to version 1.1.1.
- Update Kerberos/Heimdal API for OpenSSL 1.1.1 compatibility.
- Bump __FreeBSD_version.

Approved by: re (kib)
Sponsored by: The FreeBSD Foundation

show more ...

openssh: cherry-pick OpenSSL 1.1.1 compatibility

Compatibility with existing OpenSSL versions is maintained.

Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1

openssh: cherry-pick OpenSSL 1.1.1 compatibility

Compatibility with existing OpenSSL versions is maintained.

Upstream commits:
482d23bcac upstream: hold our collective noses and use the openssl-1.1.x
48f54b9d12 adapt -portable to OpenSSL 1.1x API
86e0a9f3d2 upstream: use only openssl-1.1.x API here too
a3fd8074e2 upstream: missed a bit of openssl-1.0.x API in this unittest
cce8cbe0ed Fix openssl-1.1 fallout for --without-openssl.

Trivial conflicts in sshkey.c and test_sshkey.c were resolved.

Connect libressl-api-compat.c to the build, and regenerate config.h

Reviewed by: des
Approved by: re (rgrimes)
MFC after: 2 seeks
Sponsored by: The FreeBSD Foundation
Differential Revision: https://reviews.freebsd.org/D17444

show more ...

openssh: connect libressl-api-compat.c and regen config.h

Differential Revision: https://reviews.freebsd.org/D17390