Merge branch 'cryptlib-3.4.8' into 'master'

Update Cryptlib to 3.4.8 See merge request !473

Merge branch 'cryptlib-3.4.8' into 'master'
5d5017cb · Rob Swindell · 753ec4a9 · a3c6d153 · 5d5017cb · 5d5017cb
Commit 5d5017cb authored 3 months ago by Rob Swindell
--- a/3rdp/build/CMakeLists-cl.txt
+++ b/3rdp/build/CMakeLists-cl.txt
@@ -32,7 +32,6 @@ else()
 endif()

 set(PATCHES
-	cl-fix-test-select.patch
 	cl-terminal-params.patch
 	cl-ranlib.patch
 	cl-vcxproj.patch
@@ -49,7 +48,6 @@ set(PATCHES
 	cl-SSL-fix.patch
 	cl-bigger-maxattribute.patch
 	cl-mingw-vcver.patch
-	cl-win32-build-fix.patch
 	cl-no-odbc.patch
 	cl-noasm-defines.patch
 	cl-bn-noasm64-fix.patch
@@ -58,14 +56,11 @@ set(PATCHES
 	cl-clear-GCM-flag.patch
 	cl-use-ssh-ctr.patch
 	cl-ssh-list-ctr-modes.patch
-	cl-ssl-suite-blocksizes.patch
 	cl-no-tpm.patch
 	cl-no-via-aes.patch
-	cl-fix-ssh-ecc-ephemeral.patch
 	cl-just-use-cc.patch
 	cl-no-safe-stack.patch
 	cl-allow-pkcs12.patch
-	cl-openbsd-threads.patch
 	cl-allow-none-auth.patch
 	cl-poll-not-select.patch
 	cl-good-sockets.patch
@@ -92,7 +87,6 @@ set(PATCHES
 	cl-fix-shell-exec-types.patch
 	cl-ssh-eof-half-close.patch
 	cl-fix-mb-w-conv-warnings.patch
-	cl-fix-ssh-header-read.patch
 	cl-ssh-service-type-for-channel.patch
 	cl-ssh-sbbs-id-string.patch
 	cl-channel-select-both.patch
@@ -412,6 +406,7 @@ set(SOURCE
 	session/tls_cli.c
 	session/tls_crypt.c
 	session/tls_ext.c
+	session/tls_ext_rw.c
 	session/tls_hello.c
 	session/tls_hscomplete.c
 	session/tls_keymgt.c

--- a/3rdp/build/CMakeLists.txt
+++ b/3rdp/build/CMakeLists.txt
@@ -5,7 +5,6 @@ project (Cryptlib C)
 include(FetchContent)

 set(PATCHES
-	${CMAKE_CURRENT_SOURCE_DIR}/cl-fix-test-select.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-terminal-params.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-ranlib.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-vcxproj.patch
@@ -22,7 +21,6 @@ set(PATCHES
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-SSL-fix.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-bigger-maxattribute.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-mingw-vcver.patch
-	${CMAKE_CURRENT_SOURCE_DIR}/cl-win32-build-fix.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-no-odbc.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-noasm-defines.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-bn-noasm64-fix.patch
@@ -31,14 +29,11 @@ set(PATCHES
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-clear-GCM-flag.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-use-ssh-ctr.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-ssh-list-ctr-modes.patch
-	${CMAKE_CURRENT_SOURCE_DIR}/cl-ssl-suite-blocksizes.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-no-tpm.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-no-via-aes.patch
-	${CMAKE_CURRENT_SOURCE_DIR}/cl-fix-ssh-ecc-ephemeral.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-just-use-cc.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-no-safe-stack.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-allow-pkcs12.patch
-	${CMAKE_CURRENT_SOURCE_DIR}/cl-openbsd-threads.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-allow-none-auth.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-poll-not-select.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-good-sockets.patch
@@ -65,7 +60,6 @@ set(PATCHES
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-fix-shell-exec-types.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-ssh-eof-half-close.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-fix-mb-w-conv-warnings.patch
-	${CMAKE_CURRENT_SOURCE_DIR}/cl-fix-ssh-header-read.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-ssh-service-type-for-channel.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-ssh-sbbs-id-string.patch
 	${CMAKE_CURRENT_SOURCE_DIR}/cl-channel-select-both.patch

--- a/3rdp/build/GNUmakefile
+++ b/3rdp/build/GNUmakefile
@@ -112,12 +112,11 @@ $(CRYPT_SRC): | $(3RDPSRCDIR)
 $(CRYPT_IDIR): | $(3RDPODIR)
 	$(QUIET)$(IFNOTEXIST) mkdir $(CRYPT_IDIR)

-$(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/cl-fix-test-select.patch $(3RDP_ROOT)/build/cl-terminal-params.patch $(3RDP_ROOT)/build/cl-mingw32-static.patch $(3RDP_ROOT)/build/cl-ranlib.patch $(3RDP_ROOT)/build/cl-win32-noasm.patch $(3RDP_ROOT)/build/cl-zz-country.patch $(3RDP_ROOT)/build/cl-algorithms.patch $(3RDP_ROOT)/build/cl-allow-duplicate-ext.patch $(3RDP_ROOT)/build/cl-macosx-minver.patch $(3RDP_ROOT)/build/cl-posix-me-gently.patch $(3RDP_ROOT)/build/cl-PAM-noprompts.patch $(3RDP_ROOT)/build/cl-zlib.patch $(3RDP_ROOT)/build/cl-Dynamic-linked-static-lib.patch $(3RDP_ROOT)/build/cl-SSL-fix.patch $(3RDP_ROOT)/build/cl-bigger-maxattribute.patch $(3RDP_ROOT)/build/cl-endian.patch $(3RDP_ROOT)/build/cl-vcxproj.patch $(3RDP_ROOT)/build/cl-mingw-vcver.patch $(3RDP_ROOT)/build/cl-win32-build-fix.patch $(3RDP_ROOT)/build/cl-no-odbc.patch $(3RDP_ROOT)/build/cl-noasm-defines.patch $(3RDP_ROOT)/build/cl-bn-noasm64-fix.patch $(3RDP_ROOT)/build/cl-prefer-ECC.patch $(3RDP_ROOT)/build/cl-prefer-ECC-harder.patch $(3RDP_ROOT)/build/cl-clear-GCM-flag.patch $(3RDP_ROOT)/build/cl-use-ssh-ctr.patch $(3RDP_ROOT)/build/cl-ssl-suite-blocksizes.patch $(3RDP_ROOT)/build/cl-no-tpm.patch $(3RDP_ROOT)/build/cl-no-via-aes.patch $(3RDP_ROOT)/build/cl-fix-ssh-ecc-ephemeral.patch $(3RDP_ROOT)/build/cl-just-use-cc.patch $(3RDP_ROOT)/build/cl-no-safe-stack.patch $(3RDP_ROOT)/build/cl-allow-pkcs12.patch $(3RDP_ROOT)/build/cl-openbsd-threads.patch $(3RDP_ROOT)/build/cl-allow-none-auth.patch $(3RDP_ROOT)/build/cl-mingw-add-m32.patch $(3RDP_ROOT)/build/cl-poll-not-select.patch $(3RDP_ROOT)/build/cl-good-sockets.patch $(3RDP_ROOT)/build/cl-moar-objects.patch $(3RDP_ROOT)/build/cl-server-term-support.patch $(3RDP_ROOT)/build/cl-add-pubkey-attribute.patch $(3RDP_ROOT)/build/cl-allow-ssh-auth-retries.patch $(3RDP_ROOT)/build/cl-fix-ssh-channel-close.patch $(3RDP_ROOT)/build/cl-vt-lt-2005-always-defined.patch $(3RDP_ROOT)/build/cl-no-pie.patch $(3RDP_ROOT)/build/cl-no-testobjs.patch $(3RDP_ROOT)/build/cl-win32-lean-and-mean.patch $(3RDP_ROOT)/build/cl-thats-not-asm.patch $(3RDP_ROOT)/build/cl-make-channels-work.patch $(3RDP_ROOT)/build/cl-allow-ssh-2.0-go.patch $(3RDP_ROOT)/build/cl-read-timeout-every-time.patch $(3RDP_ROOT)/build/cl-allow-servercheck-pubkeys.patch $(3RDP_ROOT)/build/cl-pass-after-pubkey.patch $(3RDP_ROOT)/build/cl-ssh-list-ctr-modes.patch $(3RDP_ROOT)/build/cl-double-delete-fine-on-close.patch $(3RDP_ROOT)/build/cl-handle-unsupported-pubkey.patch $(3RDP_ROOT)/build/cl-add-patches-info.patch $(3RDP_ROOT)/build/cl-netbsd-hmac-symbol.patch $(3RDP_ROOT)/build/cl-netbsd-no-getfsstat.patch GNUmakefile $(3RDP_ROOT)/build/cl-remove-march.patch $(3RDP_ROOT)/build/cl-fix-shell-exec-types.patch $(3RDP_ROOT)/build/cl-ssh-eof-half-close.patch $(3RDP_ROOT)/build/cl-add-win64.patch $(3RDP_ROOT)/build/cl-fix-mb-w-conv-warnings.patch $(3RDP_ROOT)/build/cl-fix-ssh-header-read.patch $(3RDP_ROOT)/build/cl-ssh-service-type-for-channel.patch $(3RDP_ROOT)/build/cl-ssh-sbbs-id-string.patch $(3RDP_ROOT)/build/cl-channel-select-both.patch $(3RDP_ROOT)/build/cl-allow-none-auth-svr.patch $(3RDP_ROOT)/build/cl-quote-cc.patch $(3RDP_ROOT)/build/cl-mingw64-thread-handles.patch $(3RDP_ROOT)/build/cl-mingw64-is-really-new.patch $(3RDP_ROOT)/build/cl-lowercase-versionhelpers.patch $(3RDP_ROOT)/build/cl-fix-cpuid-order.patch $(3RDP_ROOT)/build/cl-fix-cbli-incompatible.patch $(3RDP_ROOT)/build/cl-mingw64-unicode-gibble.patch | $(CRYPT_SRC) $(CRYPT_IDIR)
+$(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/cl-terminal-params.patch $(3RDP_ROOT)/build/cl-mingw32-static.patch $(3RDP_ROOT)/build/cl-ranlib.patch $(3RDP_ROOT)/build/cl-win32-noasm.patch $(3RDP_ROOT)/build/cl-zz-country.patch $(3RDP_ROOT)/build/cl-algorithms.patch $(3RDP_ROOT)/build/cl-allow-duplicate-ext.patch $(3RDP_ROOT)/build/cl-macosx-minver.patch $(3RDP_ROOT)/build/cl-posix-me-gently.patch $(3RDP_ROOT)/build/cl-PAM-noprompts.patch $(3RDP_ROOT)/build/cl-zlib.patch $(3RDP_ROOT)/build/cl-Dynamic-linked-static-lib.patch $(3RDP_ROOT)/build/cl-SSL-fix.patch $(3RDP_ROOT)/build/cl-bigger-maxattribute.patch $(3RDP_ROOT)/build/cl-endian.patch $(3RDP_ROOT)/build/cl-vcxproj.patch $(3RDP_ROOT)/build/cl-mingw-vcver.patch $(3RDP_ROOT)/build/cl-no-odbc.patch $(3RDP_ROOT)/build/cl-noasm-defines.patch $(3RDP_ROOT)/build/cl-bn-noasm64-fix.patch $(3RDP_ROOT)/build/cl-prefer-ECC.patch $(3RDP_ROOT)/build/cl-prefer-ECC-harder.patch $(3RDP_ROOT)/build/cl-clear-GCM-flag.patch $(3RDP_ROOT)/build/cl-use-ssh-ctr.patch $(3RDP_ROOT)/build/cl-no-tpm.patch $(3RDP_ROOT)/build/cl-no-via-aes.patch $(3RDP_ROOT)/build/cl-just-use-cc.patch $(3RDP_ROOT)/build/cl-no-safe-stack.patch $(3RDP_ROOT)/build/cl-allow-pkcs12.patch $(3RDP_ROOT)/build/cl-allow-none-auth.patch $(3RDP_ROOT)/build/cl-mingw-add-m32.patch $(3RDP_ROOT)/build/cl-poll-not-select.patch $(3RDP_ROOT)/build/cl-good-sockets.patch $(3RDP_ROOT)/build/cl-moar-objects.patch $(3RDP_ROOT)/build/cl-server-term-support.patch $(3RDP_ROOT)/build/cl-add-pubkey-attribute.patch $(3RDP_ROOT)/build/cl-allow-ssh-auth-retries.patch $(3RDP_ROOT)/build/cl-fix-ssh-channel-close.patch $(3RDP_ROOT)/build/cl-vt-lt-2005-always-defined.patch $(3RDP_ROOT)/build/cl-no-pie.patch $(3RDP_ROOT)/build/cl-no-testobjs.patch $(3RDP_ROOT)/build/cl-win32-lean-and-mean.patch $(3RDP_ROOT)/build/cl-thats-not-asm.patch $(3RDP_ROOT)/build/cl-make-channels-work.patch $(3RDP_ROOT)/build/cl-allow-ssh-2.0-go.patch $(3RDP_ROOT)/build/cl-read-timeout-every-time.patch $(3RDP_ROOT)/build/cl-allow-servercheck-pubkeys.patch $(3RDP_ROOT)/build/cl-pass-after-pubkey.patch $(3RDP_ROOT)/build/cl-ssh-list-ctr-modes.patch $(3RDP_ROOT)/build/cl-double-delete-fine-on-close.patch $(3RDP_ROOT)/build/cl-handle-unsupported-pubkey.patch $(3RDP_ROOT)/build/cl-add-patches-info.patch $(3RDP_ROOT)/build/cl-netbsd-hmac-symbol.patch $(3RDP_ROOT)/build/cl-netbsd-no-getfsstat.patch GNUmakefile $(3RDP_ROOT)/build/cl-remove-march.patch $(3RDP_ROOT)/build/cl-fix-shell-exec-types.patch $(3RDP_ROOT)/build/cl-ssh-eof-half-close.patch $(3RDP_ROOT)/build/cl-add-win64.patch $(3RDP_ROOT)/build/cl-fix-mb-w-conv-warnings.patch $(3RDP_ROOT)/build/cl-ssh-service-type-for-channel.patch $(3RDP_ROOT)/build/cl-ssh-sbbs-id-string.patch $(3RDP_ROOT)/build/cl-channel-select-both.patch $(3RDP_ROOT)/build/cl-allow-none-auth-svr.patch $(3RDP_ROOT)/build/cl-quote-cc.patch $(3RDP_ROOT)/build/cl-mingw64-thread-handles.patch $(3RDP_ROOT)/build/cl-mingw64-is-really-new.patch $(3RDP_ROOT)/build/cl-lowercase-versionhelpers.patch $(3RDP_ROOT)/build/cl-fix-cpuid-order.patch $(3RDP_ROOT)/build/cl-fix-cbli-incompatible.patch $(3RDP_ROOT)/build/cl-mingw64-unicode-gibble.patch | $(CRYPT_SRC) $(CRYPT_IDIR)
 	@echo Creating $@ ...
 	$(QUIET)-rm -rf $(CRYPT_SRC)/*
 	$(QUIET)unzip -oa $(3RDPDISTDIR)/cryptlib.zip -d $(CRYPT_SRC)
 	$(QUIET)perl -pi.bak -e 's/\r//' $(CRYPT_SRC)/crypt32.vcxproj
-	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-fix-test-select.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-terminal-params.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-mingw32-static.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-ranlib.patch
@@ -135,7 +134,6 @@ $(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/cl-fix-test
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-SSL-fix.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-bigger-maxattribute.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-mingw-vcver.patch
-	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-win32-build-fix.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-no-odbc.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-noasm-defines.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-bn-noasm64-fix.patch
@@ -144,14 +142,11 @@ $(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/cl-fix-test
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-clear-GCM-flag.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-use-ssh-ctr.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-ssh-list-ctr-modes.patch
-	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-ssl-suite-blocksizes.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-no-tpm.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-no-via-aes.patch
-	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-fix-ssh-ecc-ephemeral.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-just-use-cc.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-no-safe-stack.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-allow-pkcs12.patch
-	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-openbsd-threads.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-allow-none-auth.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-mingw-add-m32.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-poll-not-select.patch
@@ -181,7 +176,6 @@ $(CRYPTLIB_BUILD): $(3RDP_ROOT)/dist/cryptlib.zip $(3RDP_ROOT)/build/cl-fix-test
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-ssh-eof-half-close.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-add-win64.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-fix-mb-w-conv-warnings.patch
-	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-fix-ssh-header-read.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-ssh-service-type-for-channel.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-ssh-sbbs-id-string.patch
 	$(QUIET)patch -b -p0 -d $(CRYPT_SRC) < cl-channel-select-both.patch

--- a/3rdp/build/cl-Dynamic-linked-static-lib.patch
+++ b/3rdp/build/cl-Dynamic-linked-static-lib.patch
--- ../tmp2/tools/ccopts.sh	2019-03-04 16:32:32.000000000 -0500
-+++ tools/ccopts.sh	2019-06-03 16:56:55.005703000 -0400
-@@ -393,7 +393,6 @@
+--- ./tools/ccopts.sh.orig	2024-10-31 00:50:21.757200000 -0400
+++ ./tools/ccopts.sh	2024-10-31 00:50:21.784137000 -0400
+@@ -697,7 +697,6 @@
 # of large-displacement jumps, so if you're tuning the code for size/speed
 # you can try -fpic to see if you get any improvement.
 
 -if [ $SHARED -gt 0 ] ; then
 	case $OSNAME in
 		'Darwin')
- 			CCARGS="$CCARGS -fPIC -fno-common" ;;
-@@ -420,7 +419,6 @@
+ 			CCARGS="$CCARGS -fPIC -fno-common -mmacosx-version-min=%%MIN_MAC_OSX_VERSION%%" ;;
+@@ -725,7 +724,6 @@
 		*)
 			CCARGS="$CCARGS -fPIC" ;;
 	esac ;

--- a/3rdp/build/cl-PAM-noprompts.patch
+++ b/3rdp/build/cl-PAM-noprompts.patch
--- ../tmp2/session/ssh2_authcli.c	2018-12-14 17:31:34.000000000 -0500
-+++ session/ssh2_authcli.c	2019-06-03 16:41:49.956986000 -0400
-@@ -868,7 +868,7 @@
+--- ./session/ssh2_authcli.c.orig	2024-09-04 01:05:30.000000000 -0400
+++ ./session/ssh2_authcli.c	2024-10-31 00:50:21.731447000 -0400
+@@ -897,7 +897,7 @@
 		if( !cryptStatusError( status ) )
 			{
 			status = CRYPT_OK;	/* readUint32() returns a count value */
@@ -9,7 +9,7 @@
 				{
 				/* Requesting zero or more than a small number of prompts is 
 				   suspicious */
-@@ -876,49 +876,52 @@
+@@ -905,49 +905,52 @@
 				}
 			}
 		}

--- a/3rdp/build/cl-SSL-fix.patch
+++ b/3rdp/build/cl-SSL-fix.patch
--- ../tmp2/session/sess_attr.c	2019-02-05 18:18:28.000000000 -0500
-+++ session/sess_attr.c	2019-06-03 17:06:34.378151000 -0400
-@@ -102,11 +102,13 @@
+--- ./session/sess_attr.c.orig	2024-10-31 00:50:21.397162000 -0400
+++ ./session/sess_attr.c	2024-10-31 00:50:21.810708000 -0400
+@@ -235,11 +235,13 @@
 
 	/* If there's already a network socket specified then we can't set a 
 	   server name as well */
@@ -13,4 +13,4 @@
 +*/
 
 	/* Parse the server name.  The PKI protocols all use HTTP as their 
- 	   substrate so if it's not SSH or SSL/TLS we require HTTP */
+ 	   substrate so if it's not SSH or TLS we require HTTP */
--- a/3rdp/build/cl-add-patches-info.patch
+++ b/3rdp/build/cl-add-patches-info.patch
--- ./kernel/attr_acl.c.orig	2024-01-22 17:04:32.412926000 -0500
-+++ ./kernel/attr_acl.c	2024-01-22 17:08:33.630148000 -0500
+--- ./cryptlib.h.orig	2024-10-31 00:50:23.029627000 -0400
+++ ./cryptlib.h	2024-10-31 00:50:23.170930000 -0400
+@@ -502,6 +502,7 @@
+ 	CRYPT_OPTION_INFO_MAJORVERSION,	/* Major release version */
+ 	CRYPT_OPTION_INFO_MINORVERSION,	/* Minor release version */
+ 	CRYPT_OPTION_INFO_STEPPING,		/* Release stepping */
+	CRYPT_OPTION_INFO_PATCHES,		/* MD5Sum of patches applied */
+ 
+ 	/* Encryption options */
+ 	CRYPT_OPTION_ENCR_ALGO,			/* Conventional encryption algorithm */
+--- ./kernel/attr_acl.c.orig	2024-10-31 00:50:23.034531000 -0400
+++ ./kernel/attr_acl.c	2024-10-31 00:50:23.162378000 -0400
 @@ -339,6 +339,12 @@
 		MKPERM( Rxx_Rxx ),
 		ROUTE( OBJECT_TYPE_USER ),
@@ -13,23 +23,13 @@
 
 	MKACL_SS(	/* Encryption algorithm */
 		/* We restrict the subrange to disallow the selection of the
--- ./misc/user_config.c.orig	2024-01-22 17:08:01.812451000 -0500
-+++ ./misc/user_config.c	2024-01-22 17:06:08.338812000 -0500
+--- ./misc/user_config.c.orig	2024-09-04 00:36:16.000000000 -0400
+++ ./misc/user_config.c	2024-10-31 00:50:23.167081000 -0400
 @@ -78,6 +78,7 @@
 	MK_OPTION( CRYPT_OPTION_INFO_MAJORVERSION, 3, CRYPT_UNUSED ),
 	MK_OPTION( CRYPT_OPTION_INFO_MINORVERSION, 4, CRYPT_UNUSED ),
- 	MK_OPTION( CRYPT_OPTION_INFO_STEPPING, 7, CRYPT_UNUSED ),
+ 	MK_OPTION( CRYPT_OPTION_INFO_STEPPING, 8, CRYPT_UNUSED ),
 +	MK_OPTION_S( CRYPT_OPTION_INFO_PATCHES, CRYPTLIB_PATCHES, 32, CRYPT_UNUSED ),
 
 	/* Context options, base = 0 */
 	/* Algorithm = Conventional encryption/hash/MAC options */
--- cryptlib.h.orig	2024-01-22 17:03:52.690137000 -0500
-+++ cryptlib.h	2024-01-22 17:09:36.542496000 -0500
-@@ -502,6 +502,7 @@
- 	CRYPT_OPTION_INFO_MAJORVERSION,	/* Major release version */
- 	CRYPT_OPTION_INFO_MINORVERSION,	/* Minor release version */
- 	CRYPT_OPTION_INFO_STEPPING,		/* Release stepping */
-+	CRYPT_OPTION_INFO_PATCHES,		/* MD5Sum of patches applied */
- 
- 	/* Encryption options */
- 	CRYPT_OPTION_ENCR_ALGO,			/* Conventional encryption algorithm */
--- a/3rdp/build/cl-add-pubkey-attribute.patch
+++ b/3rdp/build/cl-add-pubkey-attribute.patch
-diff -ur ../cl-old/context/keyload.c ./context/keyload.c
--- ../cl-old/context/keyload.c	2023-12-28 05:19:27.069792000 -0500
-+++ ./context/keyload.c	2023-12-28 05:41:08.270975000 -0500
-@@ -39,6 +39,7 @@
- 		{ CRYPT_IATTRIBUTE_KEY_PGP_PARTIAL, KEYFORMAT_PGP },
- 		{ CRYPT_IATTRIBUTE_KEY_SPKI, KEYFORMAT_CERT },
- 		{ CRYPT_IATTRIBUTE_KEY_SPKI_PARTIAL, KEYFORMAT_CERT },
-+		{ CRYPT_CTXINFO_SSH_PUBLIC_KEY, KEYFORMAT_SSH },
- 		{ CRYPT_ERROR, 0 }, { CRYPT_ERROR, 0 }
- 		};
- 	int value, status;
-diff -ur ../cl-old/cryptlib.h ./cryptlib.h
--- ../cl-old/cryptlib.h	2023-12-28 05:19:25.405198000 -0500
-+++ ./cryptlib.h	2023-12-28 05:41:08.275709000 -0500
-@@ -562,6 +562,7 @@
+--- ./cryptlib.h.orig	2024-10-31 00:50:22.444476000 -0400
+++ ./cryptlib.h	2024-10-31 00:50:22.528176000 -0400
+@@ -592,6 +592,7 @@
 	/* Misc.information */
 	CRYPT_CTXINFO_LABEL,			/* Label for private/secret key */
 	CRYPT_CTXINFO_PERSISTENT,		/* Obj.is backed by device or keyset */
@@ -20,10 +8,9 @@ diff -ur ../cl-old/cryptlib.h ./cryptlib.h
 
 	/* Used internally */
 	CRYPT_CTXINFO_LAST, CRYPT_CERTINFO_FIRST = 2000,
-diff -ur ../cl-old/kernel/attr_acl.c ./kernel/attr_acl.c
--- ../cl-old/kernel/attr_acl.c	2023-12-28 05:19:27.269520000 -0500
-+++ ./kernel/attr_acl.c	2023-12-28 05:48:43.951684000 -0500
-@@ -760,6 +760,11 @@
+--- ./kernel/attr_acl.c.orig	2024-10-31 00:50:22.454000000 -0400
+++ ./kernel/attr_acl.c	2024-10-31 00:50:22.534228000 -0400
+@@ -779,6 +779,11 @@
 		MKPERM( Rxx_RWD ),
 		ROUTE( OBJECT_TYPE_CONTEXT ),
 		subACL_CtxinfoPersistent ),
@@ -35,8 +22,8 @@ diff -ur ../cl-old/kernel/attr_acl.c ./kernel/attr_acl.c
 	MKACL_END(), MKACL_END()
 	};
 
--- context/ctx_attr.c.orig	2023-02-08 05:36:06.000000000 -0500
-+++ context/ctx_attr.c	2024-01-07 19:38:26.173540000 -0500
+--- ./context/ctx_attr.c.orig	2023-08-24 00:04:00.000000000 -0400
+++ ./context/ctx_attr.c	2024-10-31 00:50:22.539343000 -0400
 @@ -422,6 +422,11 @@
 				}
 			STDC_FALLTHROUGH;
@@ -49,3 +36,13 @@ diff -ur ../cl-old/kernel/attr_acl.c ./kernel/attr_acl.c
 		case CRYPT_IATTRIBUTE_KEY_PGP:
 		case CRYPT_IATTRIBUTE_KEY_SSH:
 		case CRYPT_IATTRIBUTE_KEY_TLS:
+--- ./context/keyload.c.orig	2023-02-26 03:18:06.000000000 -0500
+++ ./context/keyload.c	2024-10-31 00:50:22.524017000 -0400
+@@ -38,6 +38,7 @@
+ 		{ CRYPT_IATTRIBUTE_KEY_PGP_PARTIAL, KEYFORMAT_PGP },
+ 		{ CRYPT_IATTRIBUTE_KEY_SPKI, KEYFORMAT_CERT },
+ 		{ CRYPT_IATTRIBUTE_KEY_SPKI_PARTIAL, KEYFORMAT_CERT },
+		{ CRYPT_CTXINFO_SSH_PUBLIC_KEY, KEYFORMAT_SSH },
+ 		{ CRYPT_ERROR, 0 }, { CRYPT_ERROR, 0 }
+ 		};
+ 	int value, status;
--- a/3rdp/build/cl-add-win64.patch
+++ b/3rdp/build/cl-add-win64.patch
--- makefile.orig	2024-02-20 20:08:15.914584000 -0500
-+++ makefile	2024-02-20 20:09:10.012487000 -0500
-@@ -2140,6 +2140,15 @@
- 	$(MAKE) OSNAME=win32 $(DEFINES) EXTRAOBJS="$(WIN32ASMOBJS)" \
- 		CFLAGS="$(XCFLAGS) -O2 -m32 -Wl,--subsystem,windows,--output-def,cl32.def -DSTATIC_LIB"
+--- ./makefile.orig	2024-10-31 00:50:22.799649000 -0400
+++ ./makefile	2024-10-31 00:50:23.320196000 -0400
+@@ -2185,6 +2185,15 @@
+ 	$(MAKE) OSNAME=win64 $(DEFINES) \
+ 		CFLAGS="$(XCFLAGS) -O2 -m64 -Wl,--subsystem,windows,--output-def,cl32.def -DSTATIC_LIB"
 
 +MINGW64_NT-5.1:
 +	$(MAKE) OSNAME=win64 target-init

--- a/3rdp/build/cl-algorithms.patch
+++ b/3rdp/build/cl-algorithms.patch
--- misc/config.h.orig	2018-02-15 02:26:59.017103000 -0500
-+++ misc/config.h	2018-02-15 02:27:50.400787000 -0500
-@@ -9,6 +9,9 @@
- 
- #define _CONFIG_DEFINED
+--- ./misc/config.h.orig	2024-10-23 03:26:52.000000000 -0400
+++ ./misc/config.h	2024-10-31 00:50:21.624076000 -0400
+@@ -61,6 +61,9 @@
+   /* Handled by undefining USE_ERRMSGS at the end */
+ #endif /* CONFIG_TEST_xxx options */
 
 +#define USE_PROBLEMATIC_ALGORITHMS
 +#define USE_SSH_EXTENDED

--- a/3rdp/build/cl-allow-duplicate-ext.patch
+++ b/3rdp/build/cl-allow-duplicate-ext.patch
--- cert/ext_add.c.orig	2018-02-24 01:38:55.995138000 -0500
-+++ cert/ext_add.c	2018-02-24 01:39:08.783152000 -0500
-@@ -451,9 +451,11 @@
+--- ./cert/ext_add.c.orig	2024-09-22 01:53:38.000000000 -0400
+++ ./cert/ext_add.c	2024-10-31 00:50:21.650592000 -0400
+@@ -622,9 +622,11 @@
 	   a non-blob.  In addition it forces the caller to use the (recommended)
 	   normal attribute handling mechanism, which allows for proper type
 	   checking */

--- a/3rdp/build/cl-allow-none-auth-svr.patch
+++ b/3rdp/build/cl-allow-none-auth-svr.patch
--- session/ssh2_authsvr.c.orig	2024-02-27 23:34:46.193489000 -0500
-+++ session/ssh2_authsvr.c	2024-02-27 23:41:23.757054000 -0500
+--- ./session/ssh2_authsvr.c.orig	2024-10-31 00:50:23.133300000 -0400
+++ ./session/ssh2_authsvr.c	2024-10-31 00:50:23.469147000 -0400
 @@ -969,6 +969,21 @@
 		{
 		sMemDisconnect( &stream );
@@ -22,9 +22,9 @@
 		/* Tell the client which authentication methods can continue */
 		status = sendResponseFailureInfo( sessionInfoPtr, allowPubkeyAuth );
 		if( cryptStatusError( status ) )
--- kernel/attr_acl.c.orig	2024-02-27 23:48:28.589935000 -0500
-+++ kernel/attr_acl.c	2024-02-27 23:48:44.993835000 -0500
-@@ -3900,7 +3900,7 @@
+--- ./kernel/attr_acl.c.orig	2024-10-31 00:50:23.162378000 -0400
+++ ./kernel/attr_acl.c	2024-10-31 00:50:23.473375000 -0400
+@@ -3931,7 +3931,7 @@
 		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
 	MKACL_N(	/* SSH protocol options */
 		CRYPT_SESSINFO_SSH_OPTIONS,

--- a/3rdp/build/cl-allow-none-auth.patch
+++ b/3rdp/build/cl-allow-none-auth.patch
--- ./cryptlib.h.orig	2023-12-31 09:28:53.203654000 -0500
-+++ ./cryptlib.h	2023-12-31 09:38:13.586441000 -0500
+--- ./cryptlib.h.orig	2024-10-31 00:50:21.388918000 -0400
+++ ./cryptlib.h	2024-10-31 00:50:22.228018000 -0400
 @@ -1262,6 +1262,7 @@
 	CRYPT_SESSINFO_SSH_CHANNEL_ARG2,/* SSH channel argument 2 */
 	CRYPT_SESSINFO_SSH_CHANNEL_ACTIVE,/* SSH channel active */
@@ -8,7 +8,7 @@
 	CRYPT_SESSINFO_TLS_OPTIONS,		/* SSL/TLS protocol options */
 		CRYPT_SESSINFO_SSL_OPTIONS = CRYPT_SESSINFO_TLS_OPTIONS,
 	CRYPT_SESSINFO_TLS_SUBPROTOCOL,	/* SSL/TLS additional sub-protocol */
-@@ -1762,6 +1763,14 @@
+@@ -1763,6 +1764,14 @@
 #define CRYPT_TLSOPTION_SUITEB_256			0x200	/*  vanish in future releases) */
 #ifdef _CRYPT_DEFINED
 #define CRYPT_TLSOPTION_MAX					0x07F	/* Defines for range checking */
@@ -23,32 +23,8 @@
 #endif /* _CRYPT_DEFINED */
 
 /****************************************************************************
--- ./kernel/attr_acl.c.orig	2023-12-31 09:39:13.241750000 -0500
-+++ ./kernel/attr_acl.c	2023-12-31 09:40:15.337914000 -0500
-@@ -3883,6 +3883,12 @@
- 		ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR,
- 		MKPERM_SSH( Rxx_RWD ),
- 		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
-+	MKACL_N(	/* SSH protocol options */
-+		CRYPT_SESSINFO_SSH_OPTIONS,
-+		ST_NONE, ST_NONE, ST_SESS_SSH, 
-+		MKPERM_SESSIONS( Rxx_RWx ),
-+		ROUTE( OBJECT_TYPE_SESSION ),
-+		RANGE( CRYPT_SSHOPTION_NONE, CRYPT_SSHOPTION_MAX ) ),
- 
- 	MKACL_N(        /* TLS protocol options */
- 		CRYPT_SESSINFO_TLS_OPTIONS,
-@@ -4883,7 +4889,7 @@
- 	static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
- 	static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
- 	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6017, "Attribute value" );
-	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6035, "Attribute value" );
-+	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6036, "Attribute value" );
- 	static_assert( CRYPT_CERTFORMAT_LAST == 13, "Attribute value" );
- 
- 	/* Perform a consistency check on the attribute ACLs.  The ACLs are
--- ./session/ssh2_authcli.c.orig	2023-12-31 09:44:20.876065000 -0500
-+++ ./session/ssh2_authcli.c	2023-12-31 09:46:41.813246000 -0500
+--- ./session/ssh2_authcli.c.orig	2024-10-31 00:50:21.731447000 -0400
+++ ./session/ssh2_authcli.c	2024-10-31 00:50:22.232051000 -0400
 @@ -334,13 +334,22 @@
 	assert( isWritePtr( authType, sizeof( SSH_AUTHTYPE_TYPE ) ) );
 	assert( isWritePtr( furtherAuthRequired, sizeof( BOOLEAN ) ) );
@@ -82,7 +58,7 @@
 	if( usePasswordAuth )
 		{
 		/*	byte	type = SSH_MSG_USERAUTH_REQUEST
-@@ -1251,6 +1262,11 @@
+@@ -1255,6 +1266,11 @@
 	   auth required */
 	if( !hasPassword )
 		{
@@ -94,8 +70,8 @@
 		return( reportAuthFailure( sessionInfoPtr, SSH_AUTHTYPE_PUBKEY, 
 								   requiredAuthType, TRUE ) );
 		}
--- session/ssh.c.orig	2023-05-06 19:14:38.000000000 -0400
-+++ session/ssh.c	2024-01-07 21:22:26.535903000 -0500
+--- ./session/ssh.c.orig	2024-10-07 00:23:28.000000000 -0400
+++ ./session/ssh.c	2024-10-31 00:50:22.236542000 -0400
 @@ -540,6 +540,7 @@
 			  type == CRYPT_SESSINFO_SSH_CHANNEL_ARG1 || \
 			  type == CRYPT_SESSINFO_SSH_CHANNEL_ARG2 || \
@@ -156,7 +132,7 @@
 	/* If we 're setting the channel-active attribute, this implicitly
 	   activates or deactivates the channel rather than setting any
 	   attribute value */
-@@ -776,8 +799,6 @@
+@@ -778,8 +801,6 @@
 		 SESSION_PROTOCOL_FIXEDSIZECREDENTIALS,	/* Flags */
 		SSH_PORT,					/* SSH port */
 		SESSION_NEEDS_USERID |		/* Client attributes */
@@ -165,3 +141,27 @@
 			SESSION_NEEDS_PRIVKEYSIGN,
 				/* The client private key is optional, but if present it has
 				   to be signature-capable */
+--- ./kernel/attr_acl.c.orig	2024-10-31 00:50:21.402631000 -0400
+++ ./kernel/attr_acl.c	2024-10-31 00:50:22.241228000 -0400
+@@ -3866,6 +3866,12 @@
+ 		ST_NONE, ST_NONE, ST_SESS_SSH | ST_SESS_SSH_SVR, 
+ 		MKPERM_SSH( Rxx_RWD ),
+ 		ROUTE( OBJECT_TYPE_SESSION ), RANGE( 2, CRYPT_MAX_TEXTSIZE ) ),
+	MKACL_N(	/* SSH protocol options */
+		CRYPT_SESSINFO_SSH_OPTIONS,
+		ST_NONE, ST_NONE, ST_SESS_SSH, 
+		MKPERM_SESSIONS( Rxx_RWx ),
+		ROUTE( OBJECT_TYPE_SESSION ),
+		RANGE( CRYPT_SSHOPTION_NONE, CRYPT_SSHOPTION_MAX ) ),
+ 
+ 	MKACL_N(	/* TLS protocol options */
+ 		CRYPT_SESSINFO_TLS_OPTIONS,
+@@ -4914,7 +4920,7 @@
+ 	static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
+ 	static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
+ 	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6017, "Attribute value" );
+-	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6035, "Attribute value" );
+	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6036, "Attribute value" );
+ 	static_assert( CRYPT_CERTFORMAT_LAST == 13, "Attribute value" );
+ 
+ 	/* Perform a consistency check on the attribute ACLs.  The ACLs are
--- a/3rdp/build/cl-allow-pkcs12.patch
+++ b/3rdp/build/cl-allow-pkcs12.patch
--- ./misc/config.h.orig	2023-12-31 08:00:17.038610000 -0500
-+++ ./misc/config.h	2023-12-31 08:01:00.988147000 -0500
-@@ -602,7 +602,7 @@
+--- ./misc/config.h.orig	2024-10-31 00:50:22.047853000 -0400
+++ ./misc/config.h	2024-10-31 00:50:22.201744000 -0400
+@@ -633,7 +633,7 @@
    manner you must immediately obtain and use an original, unmodified 
    version */
 
@@ -9,7 +9,7 @@
 
 /* Going beyond the PKCS #12 read capability which exists solely to allow 
    the import of keys supplied in that format by third parties, cryptlib has
-@@ -620,7 +620,7 @@
+@@ -651,7 +651,7 @@
    PKCS #12 write is an unsupported facility with special-case usage 
    restrictions that doesn't work like any normal keyset */
 

--- a/3rdp/build/cl-allow-servercheck-pubkeys.patch
+++ b/3rdp/build/cl-allow-servercheck-pubkeys.patch
--- cryptlib.h.orig	2024-01-18 23:57:53.642105000 -0500
-+++ cryptlib.h	2024-01-18 23:58:23.323178000 -0500
+--- ./cryptlib.h.orig	2024-10-31 00:50:22.829934000 -0400
+++ ./cryptlib.h	2024-10-31 00:50:23.029627000 -0400
 @@ -1236,6 +1236,7 @@
 	CRYPT_SESSINFO_PASSWORD,		/* Password */
 	CRYPT_SESSINFO_AUTHTOKEN,		/* Authentication token, e.g. TOTP */
@@ -8,49 +8,8 @@
 	CRYPT_SESSINFO_KEYSET,			/* Certificate store */
 	CRYPT_SESSINFO_AUTHRESPONSE,	/* Session authorisation OK */
 
--- kernel/attr_acl.c.orig	2024-01-19 00:01:33.318597000 -0500
-+++ kernel/attr_acl.c	2024-01-19 00:06:16.927122000 -0500
-@@ -3739,6 +3739,15 @@
- 		MKPERM_SESSIONS( xWx_xWx ),
- 		ROUTE( OBJECT_TYPE_SESSION ),
- 		subACL_SessinfoPrivatekey ),
-+	MKACL_S(	/* Other side public key */
-+		/* We can read this attribute in the low state because we might be
-+		   going back to the caller for confirmation before we transition
-+		   into the high state */
-+		CRYPT_SESSINFO_PUBLICKEY,
-+		ST_NONE, ST_NONE, ST_SESS_SSH_SVR, 
-+		MKPERM_SESSIONS( Rxx_Rxx ),
-+		ROUTE( OBJECT_TYPE_SESSION ),
-+		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
- 	MKACL_ST(	/* Certificate store/auth.keyset */
- 		CRYPT_SESSINFO_KEYSET,
- 		ST_NONE, ST_NONE, MK_ST_EXCEPTION( ST_SESS_ANY_SVR, ST_SESS_TSP_SVR ) | \
-@@ -4942,8 +4951,8 @@
- 	static_assert( CRYPT_CERTINFO_LAST_GENERALNAME == 2115, "Attribute value" );
- 	static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
- 	static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
-	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6017, "Attribute value" );
-	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6040, "Attribute value" );
-+	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6018, "Attribute value" );
-+	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6041, "Attribute value" );
- 	static_assert( CRYPT_CERTFORMAT_LAST == 13, "Attribute value" );
- 
- 	/* Perform a consistency check on the attribute ACLs.  The ACLs are
--- session/sess_iattr.c.orig	2024-01-19 02:24:29.979555000 -0500
-+++ session/sess_iattr.c	2024-01-19 02:25:37.172862000 -0500
-@@ -327,7 +327,8 @@
- 			attributeListPtr = DATAPTR_GET( attributeListPtr->next );
- 			if( attributeListPtr == NULL || \
- 				( attributeListPtr->attributeID != CRYPT_SESSINFO_PASSWORD && \
-				  attributeListPtr->attributeID != CRYPT_SESSINFO_AUTHTOKEN ) )
-+				  attributeListPtr->attributeID != CRYPT_SESSINFO_AUTHTOKEN && \
-+				  attributeListPtr->attributeID != CRYPT_SESSINFO_PUBLICKEY ) )
- 				{
- 				/* We report the missing attribute as a password, which is 
- 				   more likely and more understandable than a missing 
--- session/ssh2_authsvr.c.orig	2023-02-26 03:33:26.000000000 -0500
-+++ session/ssh2_authsvr.c	2024-01-19 12:21:51.007398000 -0500
+--- ./session/ssh2_authsvr.c.orig	2023-02-26 03:33:26.000000000 -0500
+++ ./session/ssh2_authsvr.c	2024-10-31 00:50:23.044734000 -0400
 @@ -396,7 +396,7 @@
 	/* If we've already seen a standard authentication method then the new 
 	   method must be the same */
@@ -278,9 +237,9 @@
 		}
 	sMemDisconnect( &stream );
 	CFI_CHECK_UPDATE( "SSH_AUTHTYPE_PUBKEY" );
--- session/sess_attr.c.orig	2024-01-19 15:00:59.583402000 -0500
-+++ session/sess_attr.c	2024-01-19 15:01:28.125584000 -0500
-@@ -884,6 +884,7 @@
+--- ./session/sess_attr.c.orig	2024-10-31 00:50:22.601581000 -0400
+++ ./session/sess_attr.c	2024-10-31 00:50:23.048496000 -0400
+@@ -913,6 +913,7 @@
 		case CRYPT_SESSINFO_SERVER_FINGERPRINT_SHA1:
 		case CRYPT_SESSINFO_SERVER_NAME:
 		case CRYPT_SESSINFO_CLIENT_NAME:
@@ -288,3 +247,44 @@
 			attributeListPtr = findSessionInfo( sessionInfoPtr, attribute );
 			if( attributeListPtr == NULL )
 				return( exitErrorNotInited( sessionInfoPtr, attribute ) );
+--- ./session/sess_iattr.c.orig	2023-06-06 00:20:48.000000000 -0400
+++ ./session/sess_iattr.c	2024-10-31 00:50:23.040192000 -0400
+@@ -327,7 +327,8 @@
+ 			attributeListPtr = DATAPTR_GET( attributeListPtr->next );
+ 			if( attributeListPtr == NULL || \
+ 				( attributeListPtr->attributeID != CRYPT_SESSINFO_PASSWORD && \
+-				  attributeListPtr->attributeID != CRYPT_SESSINFO_AUTHTOKEN ) )
+				  attributeListPtr->attributeID != CRYPT_SESSINFO_AUTHTOKEN && \
+				  attributeListPtr->attributeID != CRYPT_SESSINFO_PUBLICKEY ) )
+ 				{
+ 				/* We report the missing attribute as a password, which is 
+ 				   more likely and more understandable than a missing 
+--- ./kernel/attr_acl.c.orig	2024-10-31 00:50:22.675666000 -0400
+++ ./kernel/attr_acl.c	2024-10-31 00:50:23.034531000 -0400
+@@ -3770,6 +3770,15 @@
+ 		MKPERM_SESSIONS( xWx_xWx ),
+ 		ROUTE( OBJECT_TYPE_SESSION ),
+ 		subACL_SessinfoPrivatekey ),
+	MKACL_S(	/* Other side public key */
+		/* We can read this attribute in the low state because we might be
+		   going back to the caller for confirmation before we transition
+		   into the high state */
+		CRYPT_SESSINFO_PUBLICKEY,
+		ST_NONE, ST_NONE, ST_SESS_SSH_SVR, 
+		MKPERM_SESSIONS( Rxx_Rxx ),
+		ROUTE( OBJECT_TYPE_SESSION ),
+		RANGE( 1, CRYPT_MAX_TEXTSIZE ) ),
+ 	MKACL_ST(	/* Certificate store/auth.keyset */
+ 		CRYPT_SESSINFO_KEYSET,
+ 		ST_NONE, ST_NONE, MK_ST_EXCEPTION( ST_SESS_ANY_SVR, ST_SESS_TSP_SVR ) | \
+@@ -4973,8 +4982,8 @@
+ 	static_assert( CRYPT_CERTINFO_LAST_GENERALNAME == 2115, "Attribute value" );
+ 	static_assert( CRYPT_CERTINFO_FIRST_EXTENSION == 2200, "Attribute value" );
+ 	static_assert( CRYPT_CERTINFO_FIRST_CMS == 2500, "Attribute value" );
+-	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6017, "Attribute value" );
+-	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6040, "Attribute value" );
+	static_assert( CRYPT_SESSINFO_FIRST_SPECIFIC == 6018, "Attribute value" );
+	static_assert( CRYPT_SESSINFO_LAST_SPECIFIC == 6041, "Attribute value" );
+ 	static_assert( CRYPT_CERTFORMAT_LAST == 13, "Attribute value" );
+ 
+ 	/* Perform a consistency check on the attribute ACLs.  The ACLs are
--- a/3rdp/build/cl-allow-ssh-2.0-go.patch
+++ b/3rdp/build/cl-allow-ssh-2.0-go.patch
--- session/ssh2_id.c.orig	2024-01-14 12:27:01.156907000 -0500
-+++ session/ssh2_id.c	2024-01-14 12:26:48.539941000 -0500
-@@ -901,7 +901,7 @@
+--- ./session/ssh2_id.c.orig	2024-05-09 02:26:06.000000000 -0400
+++ ./session/ssh2_id.c	2024-10-31 00:50:22.949703000 -0400
+@@ -919,7 +919,7 @@
 		versionStringLength = length - startOffset;
 		}
 	if( cryptStatusError( status ) || \

--- a/3rdp/build/cl-allow-ssh-auth-retries.patch
+++ b/3rdp/build/cl-allow-ssh-auth-retries.patch
--- ./session/ssh2_authcli.c.orig	2023-12-28 09:41:49.741680000 -0500
-+++ ./session/ssh2_authcli.c	2023-12-28 09:48:19.999152000 -0500
-@@ -583,7 +583,5 @@
+--- ./session/sess_attr.c.orig	2024-10-31 00:50:22.448890000 -0400
+++ ./session/sess_attr.c	2024-10-31 00:50:22.601581000 -0400
+@@ -442,6 +442,7 @@
+ 			   back out of, and leads to exceptions to exceptions, so we 
+ 			   keep it simple and only allow passwords to be added if 
+ 			   there's an immediately preceding username */
+#if 0
+ 			if( cryptStatusError( status ) )
+ 				{
+ 				return( exitErrorNotInited( sessionInfoPtr, 
+@@ -455,6 +456,7 @@
+ 				return( exitErrorNotInited( sessionInfoPtr, 
+ 											CRYPT_SESSINFO_USERNAME ) );
+ 				}
+#endif
+ 
+ 			break;
+ 
+--- ./session/ssh2_authcli.c.orig	2024-10-31 00:50:22.232051000 -0400
+++ ./session/ssh2_authcli.c	2024-10-31 00:50:22.587803000 -0400
+@@ -606,9 +606,7 @@
 					  "Server requested password authentication but only a "
 					  "public/private key was available" ) );
 			}
@@ -8,21 +26,12 @@
 -				( CRYPT_ERROR_WRONGKEY, SESSION_ERRINFO, 
 -				  "Server reported: Invalid public-key authentication" ) );
 +		return CRYPT_ENVELOPE_RESOURCE;
-		}
--- kernel/attr_acl.c.orig	2023-12-29 11:53:27.990291000 -0500
-+++ kernel/attr_acl.c	2023-12-29 11:54:01.468829000 -0500
-@@ -3655,7 +3655,7 @@
- 		subACL_SessinfoKeyset ),
- 	MKACL_SL(	/* Session authorisation OK */
- 		CRYPT_SESSINFO_AUTHRESPONSE, 
-		ST_NONE, ST_NONE, ST_SESS_TLS | ST_SESS_TLS_SVR | ST_SESS_SSH_SVR, 
-+		ST_NONE, ST_NONE, ST_SESS_TLS | ST_SESS_TLS_SVR | ST_SESS_SSH | ST_SESS_SSH_SVR, 
- 		MKPERM_SESSIONS( RWx_RWx ), 
- 		ROUTE( OBJECT_TYPE_SESSION ),
- 		RANGE_ALLOWEDVALUES, allowedAuthResponses ),
--- session/ssh.c.orig	2023-12-29 12:02:24.938661000 -0500
-+++ session/ssh.c	2023-12-29 12:05:44.619757000 -0500
-@@ -861,6 +861,18 @@
+ 		}
+ 	if( requiredAuthType == SSH_AUTHTYPE_PUBKEY )
+ 		{
+--- ./session/ssh.c.orig	2024-10-31 00:50:22.459542000 -0400
+++ ./session/ssh.c	2024-10-31 00:50:22.598316000 -0400
+@@ -403,6 +403,18 @@
 
 	REQUIRES( sanityCheckSessionSSH( sessionInfoPtr ) );
 
@@ -41,27 +50,9 @@
 	shutdownFunction = ( SES_SHUTDOWN_FUNCTION ) \
 					   FNPTR_GET( sessionInfoPtr->shutdownFunction );
 	REQUIRES( shutdownFunction != NULL );
--- ./session/sess_attr.c.orig	2023-12-31 09:02:53.666275000 -0500
-+++ ./session/sess_attr.c	2023-12-31 09:06:17.870218000 -0500
-@@ -442,6 +442,7 @@
- 			   back out of, and leads to exceptions to exceptions, so we 
- 			   keep it simple and only allow passwords to be added if 
- 			   there's an immediately preceding username */
-+#if 0
- 			if( cryptStatusError( status ) )
- 				{
- 				return( exitErrorNotInited( sessionInfoPtr, 
-@@ -455,6 +456,7 @@
- 				return( exitErrorNotInited( sessionInfoPtr, 
- 											CRYPT_SESSINFO_USERNAME ) );
- 				}
-+#endif
- 
- 			break;
- 
--- ./session/ssh2_cli.c.orig	2023-02-25 00:51:44.000000000 -0500
-+++ ./session/ssh2_cli.c	2023-12-31 09:10:49.225311000 -0500
-@@ -985,232 +985,239 @@
+--- ./session/ssh2_cli.c.orig	2024-10-07 00:22:20.000000000 -0400
+++ ./session/ssh2_cli.c	2024-10-31 00:50:22.605912000 -0400
+@@ -988,234 +988,241 @@
 	REQUIRES( sanityCheckSessionSSH( sessionInfoPtr ) );
 	REQUIRES( sanityCheckSSHHandshakeInfo( handshakeInfo ) );
 
@@ -115,7 +106,7 @@
 +		SET_FLAG( sessionInfoPtr->flags, SESSION_FLAG_ISSECURE_WRITE );
 +		CFI_CHECK_UPDATE( "SSH_MSG_NEWKEYS" );
 
-#if 0
+ #if 0
 -	/*   byte       SSH_MSG_EXT_INFO
 -	     uint32     nr-extensions
 -	       string   extension-name
@@ -125,7 +116,6 @@
 -		status = continuePacketStreamSSH( &stream, SSH_MSG_EXT_INFO, 
 -										  &packetOffset );
 -		if( cryptStatusOK( status ) )
-+#if 0
 +		/*   byte       SSH_MSG_EXT_INFO
 +		     uint32     nr-extensions
 +		       string   extension-name
@@ -405,6 +395,7 @@
 +							 "negotiated during the handshake" ) );
 +				}
 			}
+-#ifdef USE_SSH_EXTENDED
 -		if( sessionInfoPtr->sessionSSH->packetType == SSH_MSG_EXT_INFO )
 +		else
 			{
@@ -436,6 +427,7 @@
 +								  ID_SIZE + UINT32_SIZE );
 			if( cryptStatusError( status ) )
 -				return( status );
+-			}
 +				{
 +				/* This is the first message after the change cipherspec, a 
 +				   basic packet format error is more likely to be due to an 
@@ -447,6 +439,7 @@
 +							 "probably due to incorrect encryption keys being "
 +							 "negotiated during the handshake" ) );
 +				}
+#ifdef USE_SSH_EXTENDED
 +			if( sessionInfoPtr->sessionSSH->packetType == SSH_MSG_EXT_INFO )
 +				{
 +				/* The server sent extension information, process it */
@@ -463,6 +456,20 @@
 +				if( cryptStatusError( status ) )
 +					return( status );
 +				}
+ #endif /* USE_SSH_EXTENDED */
+-		sMemConnect( &stream, sessionInfoPtr->receiveBuffer, length );
+-		status = readString32( &stream, stringBuffer, CRYPT_MAX_TEXTSIZE,
+-							   &stringLength );
+-		sMemDisconnect( &stream );
+-		if( cryptStatusError( status ) || \
+-			stringLength != 12 || \
+-			memcmp( stringBuffer, "ssh-userauth", 12 ) )
+-			{
+-			/* More of a sanity check than anything else, the MAC should 
+-			   have caught any keying problems */
+-			retExt( CRYPT_ERROR_BADDATA,
+-					( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, 
+-					  "Invalid service accept packet" ) );
 +			sMemConnect( &stream, sessionInfoPtr->receiveBuffer, length );
 +			status = readString32( &stream, stringBuffer, CRYPT_MAX_TEXTSIZE,
 +								   &stringLength );
@@ -478,32 +485,17 @@
 +						  "Invalid service accept packet" ) );
 +				}
 			}
-		sMemConnect( &stream, sessionInfoPtr->receiveBuffer, length );
-		status = readString32( &stream, stringBuffer, CRYPT_MAX_TEXTSIZE,
-							   &stringLength );
-		sMemDisconnect( &stream );
-		if( cryptStatusError( status ) || \
-			stringLength != 12 || \
-			memcmp( stringBuffer, "ssh-userauth", 12 ) )
-			{
-			/* More of a sanity check than anything else, the MAC should 
-			   have caught any keying problems */
-			retExt( CRYPT_ERROR_BADDATA,
-					( CRYPT_ERROR_BADDATA, SESSION_ERRINFO, 
-					  "Invalid service accept packet" ) );
-			}
-		}
-	CFI_CHECK_UPDATE( "serviceAccept" );
 +		CFI_CHECK_UPDATE( "serviceAccept" );
 +		REQUIRES( CFI_CHECK_SEQUENCE_5( "initSecurityInfo", "SSH_MSG_NEWKEYS",
 +										"SSH_MSG_SERVICE_REQUEST",
 +										"readHSPacketSSH2", "serviceAccept") );
 +		CFI_CHECK_VALUE = CFI_CHECK_INIT;
-+	}
+ 		}
+-	CFI_CHECK_UPDATE( "serviceAccept" );
 
 	/* Try and authenticate ourselves to the server */
 	status = processClientAuth( sessionInfoPtr, handshakeInfo );
-@@ -1235,10 +1242,7 @@
+@@ -1240,10 +1247,7 @@
 		return( status );
 	CFI_CHECK_UPDATE( "sendChannelOpen" );
 
@@ -515,3 +507,14 @@
 								   "sendChannelOpen" ) );
 	return( CRYPT_OK );
 #else	/* Test handling of OpenSSH "no-more-sessions@openssh.com" */
+--- ./kernel/attr_acl.c.orig	2024-10-31 00:50:22.534228000 -0400
+++ ./kernel/attr_acl.c	2024-10-31 00:50:22.593469000 -0400
+@@ -3779,7 +3779,7 @@
+ 		subACL_SessinfoKeyset ),
+ 	MKACL_SL(	/* Session authorisation OK */
+ 		CRYPT_SESSINFO_AUTHRESPONSE, 
+-		ST_NONE, ST_NONE, ST_SESS_TLS | ST_SESS_TLS_SVR | ST_SESS_SSH_SVR, 
+		ST_NONE, ST_NONE, ST_SESS_TLS | ST_SESS_TLS_SVR | ST_SESS_SSH | ST_SESS_SSH_SVR, 
+ 		MKPERM_SESSIONS( RWx_RWx ), 
+ 		ROUTE( OBJECT_TYPE_SESSION ),
+ 		allowedAuthResponses ),
--- a/3rdp/build/cl-bigger-maxattribute.patch
+++ b/3rdp/build/cl-bigger-maxattribute.patch
--- ../tmp2/misc/consts.h	2019-02-22 19:36:36.000000000 -0500
-+++ misc/consts.h	2019-06-03 18:05:43.345982000 -0400
-@@ -226,7 +226,7 @@
+--- ./misc/consts.h.orig	2023-01-31 01:25:14.000000000 -0500
+++ ./misc/consts.h	2024-10-31 00:50:21.837815000 -0400
+@@ -247,7 +247,7 @@
    creating things like certs containing MPEGs of themselves playing with
    their cat */
 

--- a/3rdp/build/cl-bn-noasm64-fix.patch
+++ b/3rdp/build/cl-bn-noasm64-fix.patch
--- bn/bn_asm.c.orig	2019-07-15 17:03:25.346831000 -0400
-+++ bn/bn_asm.c	2019-07-15 17:03:40.227005000 -0400
+--- ./bn/bn_asm.c.orig	2019-10-05 15:56:28.000000000 -0400
+++ ./bn/bn_asm.c	2024-10-31 00:50:21.942046000 -0400
 @@ -81,7 +81,7 @@
 
 #ifndef BN_ASM				/* pcg */

--- a/3rdp/build/cl-channel-select-both.patch
+++ b/3rdp/build/cl-channel-select-both.patch
--- session/ssh2_channel.c.orig	2024-02-26 21:17:09.598879000 -0500
-+++ session/ssh2_channel.c	2024-02-26 21:17:23.741869000 -0500
+--- ./session/ssh2_channel.c.orig	2024-10-31 00:50:23.103563000 -0400
+++ ./session/ssh2_channel.c	2024-10-31 00:50:23.443226000 -0400
 @@ -660,7 +660,7 @@
 		if( channelInfoPtr == NULL )
 			return( CRYPT_ERROR_NOTFOUND );