sync with OpenBSD -current

lib/libcrypto/chacha/chacha-merged.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: chacha-merged.c,v 1.11 2023/07/07 19:37:53 beck Exp $ */
+/* $OpenBSD: chacha-merged.c,v 1.12 2024/06/01 17:56:44 tb Exp $ */
 /*
 chacha-merged.c version 20080118
 D. J. Bernstein
@@ -7,6 +7,10 @@ Public domain.
 
 #include <stdint.h>
 
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__OpenBSD__)
+#define __bounded__(x, y, z)
+#endif
+
 #define CHACHA_MINKEYLEN	16
 #define CHACHA_NONCELEN		8
 #define CHACHA_CTRLEN		8

lib/libcrypto/hmac/hmac.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.c,v 1.34 2024/03/30 10:10:58 tb Exp $ */
+/* $OpenBSD: hmac.c,v 1.35 2024/06/01 07:36:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -263,11 +263,8 @@ HMAC(const EVP_MD *evp_md, const void *key, int key_len, const unsigned char *d,
     size_t n, unsigned char *md, unsigned int *md_len)
 {
 	HMAC_CTX c;
-	static unsigned char m[EVP_MAX_MD_SIZE];
 	const unsigned char dummy_key[1] = { 0 };
 
-	if (md == NULL)
-		md = m;
 	if (key == NULL) {
 		key = dummy_key;
 		key_len = 0;

lib/libcrypto/hmac/hmac.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: hmac.h,v 1.17 2023/04/25 15:48:48 tb Exp $ */
+/* $OpenBSD: hmac.h,v 1.18 2024/06/01 07:36:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -85,7 +85,8 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, int len, const EVP_MD *md,
 int HMAC_Update(HMAC_CTX *ctx, const unsigned char *data, size_t len);
 int HMAC_Final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len);
 unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len,
-    const unsigned char *d, size_t n, unsigned char *md, unsigned int *md_len);
+    const unsigned char *d, size_t n, unsigned char *md, unsigned int *md_len)
+    __attribute__((__nonnull__ (6)));
 int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx);
 
 void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags);

lib/libcrypto/man/SHA1.3

@@ -1,4 +1,4 @@
-.\"	$OpenBSD: SHA1.3,v 1.8 2024/05/26 09:54:16 tb Exp $
+.\"	$OpenBSD: SHA1.3,v 1.9 2024/06/01 12:35:23 tb Exp $
 .\"	OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400
 .\"
 .\" This file was written by Ulf Moeller <ulf@openssl.org> and
@@ -49,7 +49,7 @@
 .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 .\" OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: May 26 2024 $
+.Dd $Mdocdate: June 1 2024 $
 .Dt SHA1 3
 .Os
 .Sh NAME
@@ -237,9 +237,6 @@ bytes.
 Applications should use the higher level functions
 .Xr EVP_DigestInit 3
 etc.  instead of calling the hash functions directly.
-.Pp
-The predecessor of SHA-1, SHA, is also implemented, but it should be
-used only when backward compatibility is required.
 .Sh RETURN VALUES
 .Fn SHA1 ,
 .Fn SHA224 ,
@@ -254,9 +251,13 @@ The other functions return 1 for success or 0 otherwise.
 .Xr HMAC 3 ,
 .Xr RIPEMD160 3
 .Sh STANDARDS
-SHA: US Federal Information Processing Standard FIPS PUB 180 (Secure
-Hash Standard), SHA-1: US Federal Information Processing Standard FIPS
-PUB 180-1 (Secure Hash Standard), ANSI X9.30
+.Rs
+.%T Secure Hash Standard (SHS)
+.%R NIST FIPS Publication
+.%N 180-4
+.%U https://doi.org/10.6028/NIST.FIPS.180-4
+.%D 2015
+.Re
 .Sh HISTORY
 .Fn SHA1 ,
 .Fn SHA1_Init ,

lib/libcrypto/md4/md4.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: md4.c,v 1.17 2024/03/28 08:00:07 jsing Exp $ */
+/* $OpenBSD: md4.c,v 1.18 2024/06/01 07:36:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -336,10 +336,7 @@ unsigned char *
 MD4(const unsigned char *d, size_t n, unsigned char *md)
 {
 	MD4_CTX c;
-	static unsigned char m[MD4_DIGEST_LENGTH];
 
-	if (md == NULL)
-		md = m;
 	if (!MD4_Init(&c))
 		return NULL;
 	MD4_Update(&c, d, n);

lib/libcrypto/md4/md4.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: md4.h,v 1.17 2023/07/08 06:47:26 jsing Exp $ */
+/* $OpenBSD: md4.h,v 1.21 2024/06/01 18:42:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,6 +61,10 @@
 #ifndef HEADER_MD4_H
 #define HEADER_MD4_H
 
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__OpenBSD__)
+#define __bounded__(x, y, z)
+#endif
+
 #include <openssl/opensslconf.h>
 
 #ifdef  __cplusplus
@@ -91,9 +95,12 @@ typedef struct MD4state_st {
 } MD4_CTX;
 
 int MD4_Init(MD4_CTX *c);
-int MD4_Update(MD4_CTX *c, const void *data, size_t len);
+int MD4_Update(MD4_CTX *c, const void *data, size_t len)
+    __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int MD4_Final(unsigned char *md, MD4_CTX *c);
-unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md);
+unsigned char *MD4(const unsigned char *d, size_t n, unsigned char *md)
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 void MD4_Transform(MD4_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }

lib/libcrypto/md5/md5.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: md5.c,v 1.22 2024/03/28 08:00:08 jsing Exp $ */
+/* $OpenBSD: md5.c,v 1.23 2024/06/01 07:36:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -371,10 +371,7 @@ unsigned char *
 MD5(const unsigned char *d, size_t n, unsigned char *md)
 {
 	MD5_CTX c;
-	static unsigned char m[MD5_DIGEST_LENGTH];
 
-	if (md == NULL)
-		md = m;
 	if (!MD5_Init(&c))
 		return NULL;
 	MD5_Update(&c, d, n);

lib/libcrypto/md5/md5.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: md5.h,v 1.21 2023/07/08 06:50:38 jsing Exp $ */
+/* $OpenBSD: md5.h,v 1.23 2024/06/01 07:44:11 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -98,7 +98,8 @@ int MD5_Update(MD5_CTX *c, const void *data, size_t len)
     __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int MD5_Final(unsigned char *md, MD5_CTX *c);
 unsigned char *MD5(const unsigned char *d, size_t n, unsigned char *md)
-    __attribute__ ((__bounded__(__buffer__, 1, 2)));
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 void MD5_Transform(MD5_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }

lib/libcrypto/ripemd/ripemd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ripemd.c,v 1.18 2024/03/28 23:54:15 joshua Exp $ */
+/* $OpenBSD: ripemd.c,v 1.19 2024/06/01 07:36:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -483,14 +483,10 @@ RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c)
 LCRYPTO_ALIAS(RIPEMD160_Final);
 
 unsigned char *
-RIPEMD160(const unsigned char *d, size_t n,
-    unsigned char *md)
+RIPEMD160(const unsigned char *d, size_t n, unsigned char *md)
 {
 	RIPEMD160_CTX c;
-	static unsigned char m[RIPEMD160_DIGEST_LENGTH];
 
-	if (md == NULL)
-		md = m;
 	if (!RIPEMD160_Init(&c))
 		return NULL;
 	RIPEMD160_Update(&c, d, n);

lib/libcrypto/ripemd/ripemd.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: ripemd.h,v 1.15 2023/07/08 06:52:56 jsing Exp $ */
+/* $OpenBSD: ripemd.h,v 1.19 2024/06/01 18:42:49 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -61,6 +61,10 @@
 #ifndef HEADER_RIPEMD_H
 #define HEADER_RIPEMD_H
 
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__OpenBSD__)
+#define __bounded__(x, y, z)
+#endif
+
 #include <openssl/opensslconf.h>
 
 #ifdef  __cplusplus
@@ -92,10 +96,13 @@ typedef struct RIPEMD160state_st {
 } RIPEMD160_CTX;
 
 int RIPEMD160_Init(RIPEMD160_CTX *c);
-int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len);
+int RIPEMD160_Update(RIPEMD160_CTX *c, const void *data, size_t len)
+    __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int RIPEMD160_Final(unsigned char *md, RIPEMD160_CTX *c);
 unsigned char *RIPEMD160(const unsigned char *d, size_t n,
-    unsigned char *md);
+    unsigned char *md)
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 void RIPEMD160_Transform(RIPEMD160_CTX *c, const unsigned char *b);
 #ifdef  __cplusplus
 }

lib/libcrypto/sha/sha.h

@@ -1,4 +1,4 @@
-/* $OpenBSD: sha.h,v 1.22 2023/07/08 07:08:11 jsing Exp $ */
+/* $OpenBSD: sha.h,v 1.25 2024/06/01 08:11:44 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -102,7 +102,8 @@ int SHA1_Update(SHA_CTX *c, const void *data, size_t len)
     __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int SHA1_Final(unsigned char *md, SHA_CTX *c);
 unsigned char *SHA1(const unsigned char *d, size_t n, unsigned char *md)
-    __attribute__ ((__bounded__(__buffer__, 1, 2)));
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 void SHA1_Transform(SHA_CTX *c, const unsigned char *data);
 #endif
 
@@ -125,13 +126,15 @@ int SHA224_Update(SHA256_CTX *c, const void *data, size_t len)
     __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int SHA224_Final(unsigned char *md, SHA256_CTX *c);
 unsigned char *SHA224(const unsigned char *d, size_t n, unsigned char *md)
-    __attribute__ ((__bounded__(__buffer__, 1, 2)));
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 int SHA256_Init(SHA256_CTX *c);
 int SHA256_Update(SHA256_CTX *c, const void *data, size_t len)
     __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int SHA256_Final(unsigned char *md, SHA256_CTX *c);
 unsigned char *SHA256(const unsigned char *d, size_t n, unsigned char *md)
-    __attribute__ ((__bounded__(__buffer__, 1, 2)));
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 void SHA256_Transform(SHA256_CTX *c, const unsigned char *data);
 #endif
 
@@ -172,13 +175,15 @@ int SHA384_Update(SHA512_CTX *c, const void *data, size_t len)
     __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int SHA384_Final(unsigned char *md, SHA512_CTX *c);
 unsigned char *SHA384(const unsigned char *d, size_t n, unsigned char *md)
-    __attribute__ ((__bounded__(__buffer__, 1, 2)));
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 int SHA512_Init(SHA512_CTX *c);
 int SHA512_Update(SHA512_CTX *c, const void *data, size_t len)
     __attribute__ ((__bounded__(__buffer__, 2, 3)));
 int SHA512_Final(unsigned char *md, SHA512_CTX *c);
 unsigned char *SHA512(const unsigned char *d, size_t n, unsigned char *md)
-    __attribute__ ((__bounded__(__buffer__, 1, 2)));
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 void SHA512_Transform(SHA512_CTX *c, const unsigned char *data);
 #endif
 

lib/libcrypto/sha/sha1.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sha1.c,v 1.14 2024/03/28 07:06:12 jsing Exp $ */
+/* $OpenBSD: sha1.c,v 1.15 2024/06/01 07:36:16 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -496,10 +496,6 @@ unsigned char *
 SHA1(const unsigned char *d, size_t n, unsigned char *md)
 {
 	SHA_CTX c;
-	static unsigned char m[SHA_DIGEST_LENGTH];
-
-	if (md == NULL)
-		md = m;
 
 	if (!SHA1_Init(&c))
 		return NULL;

lib/libcrypto/sha/sha256.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sha256.c,v 1.31 2024/03/28 04:23:02 jsing Exp $ */
+/* $OpenBSD: sha256.c,v 1.32 2024/06/01 07:36:16 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -317,10 +317,6 @@ unsigned char *
 SHA224(const unsigned char *d, size_t n, unsigned char *md)
 {
 	SHA256_CTX c;
-	static unsigned char m[SHA224_DIGEST_LENGTH];
-
-	if (md == NULL)
-		md = m;
 
 	SHA224_Init(&c);
 	SHA256_Update(&c, d, n);
@@ -479,10 +475,6 @@ unsigned char *
 SHA256(const unsigned char *d, size_t n, unsigned char *md)
 {
 	SHA256_CTX c;
-	static unsigned char m[SHA256_DIGEST_LENGTH];
-
-	if (md == NULL)
-		md = m;
 
 	SHA256_Init(&c);
 	SHA256_Update(&c, d, n);

lib/libcrypto/sha/sha512.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sha512.c,v 1.41 2023/07/08 12:24:10 beck Exp $ */
+/* $OpenBSD: sha512.c,v 1.42 2024/06/01 07:36:16 tb Exp $ */
 /* ====================================================================
  * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
  *
@@ -345,10 +345,6 @@ unsigned char *
 SHA384(const unsigned char *d, size_t n, unsigned char *md)
 {
 	SHA512_CTX c;
-	static unsigned char m[SHA384_DIGEST_LENGTH];
-
-	if (md == NULL)
-		md = m;
 
 	SHA384_Init(&c);
 	SHA512_Update(&c, d, n);
@@ -498,10 +494,6 @@ unsigned char *
 SHA512(const unsigned char *d, size_t n, unsigned char *md)
 {
 	SHA512_CTX c;
-	static unsigned char m[SHA512_DIGEST_LENGTH];
-
-	if (md == NULL)
-		md = m;
 
 	SHA512_Init(&c);
 	SHA512_Update(&c, d, n);

lib/libcrypto/whrlpool/whirlpool.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: whirlpool.c,v 1.2 2024/03/30 03:45:47 joshua Exp $ */
+/* $OpenBSD: whirlpool.c,v 1.3 2024/06/01 07:36:17 tb Exp $ */
 /**
  * The Whirlpool hashing function.
  *
@@ -846,10 +846,7 @@ unsigned char *
 WHIRLPOOL(const void *inp, size_t bytes, unsigned char *md)
 {
 	WHIRLPOOL_CTX ctx;
-	static unsigned char m[WHIRLPOOL_DIGEST_LENGTH];
 
-	if (md == NULL)
-		md = m;
 	WHIRLPOOL_Init(&ctx);
 	WHIRLPOOL_Update(&ctx, inp, bytes);
 	WHIRLPOOL_Final(md, &ctx);

lib/libcrypto/whrlpool/whrlpool.h

@@ -1,10 +1,14 @@
-/* $OpenBSD: whrlpool.h,v 1.5 2014/07/10 22:45:58 jsing Exp $ */
+/* $OpenBSD: whrlpool.h,v 1.8 2024/06/01 17:56:44 tb Exp $ */
 
 #include <stddef.h>
 
 #ifndef HEADER_WHRLPOOL_H
 #define HEADER_WHRLPOOL_H
 
+#if !defined(HAVE_ATTRIBUTE__BOUNDED__) && !defined(__OpenBSD__)
+#define __bounded__(x, y, z)
+#endif
+
 #include <openssl/opensslconf.h>
 
 #ifdef __cplusplus
@@ -28,10 +32,13 @@ typedef struct	{
 
 #ifndef OPENSSL_NO_WHIRLPOOL
 int WHIRLPOOL_Init	(WHIRLPOOL_CTX *c);
-int WHIRLPOOL_Update	(WHIRLPOOL_CTX *c,const void *inp,size_t bytes);
+int WHIRLPOOL_Update	(WHIRLPOOL_CTX *c,const void *inp,size_t bytes)
+    __attribute__ ((__bounded__(__buffer__, 2, 3)));
 void WHIRLPOOL_BitUpdate(WHIRLPOOL_CTX *c,const void *inp,size_t bits);
 int WHIRLPOOL_Final	(unsigned char *md,WHIRLPOOL_CTX *c);
-unsigned char *WHIRLPOOL(const void *inp,size_t bytes,unsigned char *md);
+unsigned char *WHIRLPOOL(const void *inp,size_t bytes,unsigned char *md)
+    __attribute__ ((__bounded__(__buffer__, 1, 2)))
+    __attribute__ ((__nonnull__(3)));
 #endif
 
 #ifdef __cplusplus

usr.bin/sndiod/dev.c

@@ -1,4 +1,4 @@
-/*	$OpenBSD: dev.c,v 1.116 2024/05/24 15:21:35 ratchov Exp $	*/
+/*	$OpenBSD: dev.c,v 1.117 2024/06/01 09:44:10 ratchov Exp $	*/
 /*
  * Copyright (c) 2008-2012 Alexandre Ratchov <alex@caoua.org>
  *
@@ -1054,8 +1054,6 @@ dev_allocbufs(struct dev *d)
 int
 dev_open(struct dev *d)
 {
-	struct opt *o;
-
 	d->mode = d->reqmode;
 	d->round = d->reqround;
 	d->bufsz = d->reqbufsz;
@@ -1078,18 +1076,6 @@ dev_open(struct dev *d)
 		return 0;
 
 	d->pstate = DEV_INIT;
-
-	/* add server.device if device is opened after opt_ref() call */
-	for (o = opt_list; o != NULL; o = o->next) {
-		if (o->refcnt > 0 && !ctl_find(CTL_OPT_DEV, o, d)) {
-			ctl_new(CTL_OPT_DEV, o, d,
-			    CTL_SEL, dev_getdisplay(d),
-			    o->name, "server", -1, "device",
-			    d->name, -1, 1, o->dev == d);
-			d->refcnt++;
-		}
-	}
-
 	return 1;
 }
 
@@ -1164,14 +1150,6 @@ dev_freebufs(struct dev *d)
 void
 dev_close(struct dev *d)
 {
-	struct opt *o;
-
-	/* remove server.device entries */
-	for (o = opt_list; o != NULL; o = o->next) {
-		if (ctl_del(CTL_OPT_DEV, o, d))
-			d->refcnt--;
-	}
-
 	d->pstate = DEV_CFG;
 	dev_sio_close(d);
 	dev_freebufs(d);

usr.bin/ssh/sshd.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.604 2024/05/31 09:01:08 djm Exp $ */
+/* $OpenBSD: sshd.c,v 1.605 2024/06/01 07:03:37 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001, 2002 Markus Friedl.  All rights reserved.
  * Copyright (c) 2002 Niels Provos.  All rights reserved.
@@ -858,7 +858,7 @@ main(int ac, char **av)
 	char *config_file_name = _PATH_SERVER_CONFIG_FILE;
 	int r, opt, do_dump_cfg = 0, keytype, already_daemon, have_agent = 0;
 	int sock_in = -1, sock_out = -1, newsock = -1, rexec_argc = 0;
-	int config_s[2] = { -1 , -1 }, have_connection_info = 0;
+	int devnull, config_s[2] = { -1 , -1 }, have_connection_info = 0;
 	char *fp, *line, *logfile = NULL, **rexec_argv = NULL;
 	struct stat sb;
 	u_int i, j;
@@ -999,7 +999,16 @@ main(int ac, char **av)
 	}
 	if (!test_flag && !do_dump_cfg && !path_absolute(av[0]))
 		fatal("sshd requires execution with an absolute path");
-	closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
+
+	closefrom(STDERR_FILENO + 1);
+
+	/* Reserve fds we'll need later for reexec things */
+	if ((devnull = open(_PATH_DEVNULL, O_RDWR)) == -1)
+		fatal("open %s: %s", _PATH_DEVNULL, strerror(errno));
+	while (devnull < REEXEC_MIN_FREE_FD) {
+		if ((devnull = dup(devnull)) == -1)
+			fatal("dup %s: %s", _PATH_DEVNULL, strerror(errno));
+	}
 
 #ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();
@@ -1368,22 +1377,25 @@ main(int ac, char **av)
 	    sock_in, sock_out, newsock, startup_pipe, config_s[0], config_s[1]);
 	if (!inetd_flag) {
 		if (dup2(newsock, STDIN_FILENO) == -1)
-			debug3("dup2 stdin: %s", strerror(errno));
+			fatal("dup2 stdin: %s", strerror(errno));
 		if (dup2(STDIN_FILENO, STDOUT_FILENO) == -1)
-			debug3("dup2 stdout: %s", strerror(errno));
+			fatal("dup2 stdout: %s", strerror(errno));
+		if (newsock > STDOUT_FILENO)
+			close(newsock);
 	}
 	if (config_s[1] != REEXEC_CONFIG_PASS_FD) {
 		if (dup2(config_s[1], REEXEC_CONFIG_PASS_FD) == -1)
-			debug3("dup2 config_s: %s", strerror(errno));
+			fatal("dup2 config_s: %s", strerror(errno));
 		close(config_s[1]);
 	}
 	if (startup_pipe == -1)
 		close(REEXEC_STARTUP_PIPE_FD);
 	else if (startup_pipe != REEXEC_STARTUP_PIPE_FD) {
 		if (dup2(startup_pipe, REEXEC_STARTUP_PIPE_FD) == -1)
-			debug3("dup2 startup_p: %s", strerror(errno));
+			fatal("dup2 startup_p: %s", strerror(errno));
 		close(startup_pipe);
 	}
+	closefrom(REEXEC_MIN_FREE_FD);
 
 	ssh_signal(SIGHUP, SIG_IGN); /* avoid reset to SIG_DFL */
 	execv(rexec_argv[0], rexec_argv);