rebase for openssh-6.3p1, remove unused patches (#1007769)

2013-10-14 15:54:41 +02:00 · 2013-10-14 15:54:41 +02:00 · 84822b5dec
commit 84822b5dec
parent c33ef551ca
19 changed files with 2100 additions and 3401 deletions
--- a/openssh-6.2p1-aarch64.patch
+++ b/openssh-6.2p1-aarch64.patch
--- a/openssh-6.2p1-modpipe-cflags.patch
+++ b/openssh-6.2p1-modpipe-cflags.patch
@ -1,12 +0,0 @@
 diff -up openssh-6.2p1/Makefile.in.modpipe-pie openssh-6.2p1/Makefile.in
 --- openssh-6.2p1/Makefile.in.modpipe-pie	2013-04-04 14:44:26.293745777 +0200
 +++ openssh-6.2p1/Makefile.in	2013-04-04 14:44:49.483647020 +0200
@@ -418,7 +418,7 @@ uninstall:
 regress/modpipe$(EXEEXT): $(srcdir)/regress/modpipe.c
 	[ -d `pwd`/regress ]  ||  mkdir -p `pwd`/regress; \
 -	$(CC) $(CPPFLAGS) -o $@ $? \
 +	$(CC) $(CPPFLAGS) $(CFLAGS) -o $@ $? \
 	$(LDFLAGS) -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
 tests interop-tests:	$(TARGETS) regress/modpipe$(EXEEXT)
--- a/openssh-6.2p2-sftp-multibyte.patch
+++ b/openssh-6.2p2-sftp-multibyte.patch
@ -1,64 +0,0 @@
 diff --git a/ChangeLog b/ChangeLog
 index f5e2df0..74a03f8 100644
 --- a/ChangeLog
 +++ b/ChangeLog
@@ -1,3 +1,11 @@
 +20130605
 +   - dtucker@cvs.openbsd.org 2013/06/04 20:42:36
 +     [sftp.c]
 +     Make sftp's libedit interface marginally multibyte aware by building up
 +     the quoted string by character instead of by byte.  Prevents failures
 +     when linked against a libedit built with wide character support (bz#1990).
 +     "looks ok" djm
 +
 20130516
  - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
    executed if mktemp failed; bz#2105 ok dtucker@
 diff --git a/sftp.c b/sftp.c
 index 25c35fa..c9a9919 100644
 --- a/sftp.c
 +++ b/sftp.c
@@ -38,6 +38,7 @@
 #ifdef HAVE_LIBGEN_H
 #include <libgen.h>
 #endif
 +#include <locale.h>
 #ifdef USE_LIBEDIT
 #include <histedit.h>
 #else
@@ -1694,8 +1695,9 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
     char *file, int remote, int lastarg, char quote, int terminated)
 {
 	glob_t g;
 -	char *tmp, *tmp2, ins[3];
 +	char *tmp, *tmp2, ins[8];
 	u_int i, hadglob, pwdlen, len, tmplen, filelen, cesc, isesc, isabs;
 +	int clen;
 	const LineInfo *lf;
 	/* Glob from "file" location */
@@ -1764,10 +1766,13 @@ complete_match(EditLine *el, struct sftp_conn *conn, char *remote_path,
 		tmp2 = tmp + filelen - cesc;
 		len = strlen(tmp2); 
 		/* quote argument on way out */
 -		for (i = 0; i < len; i++) {
 +		for (i = 0; i < len; i += clen) {
 +			if ((clen = mblen(tmp2 + i, len - i)) < 0 ||
 +			    (size_t)clen > sizeof(ins) - 2)
 +				fatal("invalid multibyte character");
 			ins[0] = '\\';
 -			ins[1] = tmp2[i];
 -			ins[2] = '\0';
 +			memcpy(ins + 1, tmp2 + i, clen);
 +			ins[clen + 1] = '\0';
 			switch (tmp2[i]) {
 			case '\'':
 			case '"':
@@ -2112,6 +2117,7 @@ main(int argc, char **argv)
 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
 	sanitise_stdfd();
 +	setlocale(LC_CTYPE, "");
 	__progname = ssh_get_progname(argv[0]);
 	memset(&args, '\0', sizeof(args));
--- a/openssh-6.2p2-ssh_gai_strerror.patch
+++ b/openssh-6.2p2-ssh_gai_strerror.patch
@ -1,23 +0,0 @@
 diff -U0 openssh-6.2p2/ChangeLog.ssh_gai_strerror openssh-6.2p2/ChangeLog
 --- openssh-6.2p2/ChangeLog.ssh_gai_strerror	2013-07-23 12:03:41.467902339 +0200
 +++ openssh-6.2p2/ChangeLog	2013-07-23 12:06:03.414281151 +0200
@@ -0,0 +1,7 @@
 +20130718
 +   - djm@cvs.openbsd.org 2013/07/12 00:43:50
 +     [misc.c]
 +     in ssh_gai_strerror() don't fallback to strerror for EAI_SYSTEM when
 +     errno == 0. Avoids confusing error message in some broken resolver
 +     cases. bz#2122 patch from plautrba AT redhat.com; ok dtucker
 +
 diff -up openssh-6.2p2/misc.c.ssh_gai_strerror openssh-6.2p2/misc.c
 --- openssh-6.2p2/misc.c.ssh_gai_strerror	2013-07-23 12:03:41.321902978 +0200
 +++ openssh-6.2p2/misc.c	2013-07-23 12:03:41.467902339 +0200
@@ -127,7 +127,7 @@ unset_nonblock(int fd)
 const char *
 ssh_gai_strerror(int gaierr)
 {
 -	if (gaierr == EAI_SYSTEM)
 +	if (gaierr == EAI_SYSTEM && errno != 0)
 		return strerror(errno);
 	return gai_strerror(gaierr);
 }
--- a/openssh-6.3p1-audit.patch
+++ b/openssh-6.3p1-audit.patch
--- a/openssh-6.3p1-coverity.patch
+++ b/openssh-6.3p1-coverity.patch
@ -1,6 +1,6 @@
-diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c
+diff -up openssh-6.3p1/auth-pam.c.coverity openssh-6.3p1/auth-pam.c
--- openssh-6.2p1/auth-pam.c.coverity	2009-07-12 14:07:21.000000000 +0200
+--- openssh-6.3p1/auth-pam.c.coverity	2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.2p1/auth-pam.c	2013-03-22 09:49:37.341595458 +0100
+++ openssh-6.3p1/auth-pam.c	2013-10-07 13:20:36.288298063 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
 	if (sshpam_thread_status != -1)
 		return (sshpam_thread_status);
@ -15,10 +15,10 @@ diff -up openssh-6.2p1/auth-pam.c.coverity openssh-6.2p1/auth-pam.c
 	return (status);
 }
 #endif
-diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
+diff -up openssh-6.3p1/channels.c.coverity openssh-6.3p1/channels.c
--- openssh-6.2p1/channels.c.coverity	2012-12-02 23:50:55.000000000 +0100
+--- openssh-6.3p1/channels.c.coverity	2013-09-13 08:19:31.000000000 +0200
-+++ openssh-6.2p1/channels.c	2013-03-22 09:49:37.344595444 +0100
+++ openssh-6.3p1/channels.c	2013-10-07 13:20:36.289298058 +0200
-@@ -232,11 +232,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -233,11 +233,11 @@ channel_register_fds(Channel *c, int rfd
 	channel_max_fd = MAX(channel_max_fd, wfd);
 	channel_max_fd = MAX(channel_max_fd, efd);
@ -33,7 +33,7 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
 		fcntl(efd, F_SETFD, FD_CLOEXEC);
 	c->rfd = rfd;
-@@ -251,11 +251,11 @@ channel_register_fds(Channel *c, int rfd
+@@ -255,11 +255,11 @@ channel_register_fds(Channel *c, int rfd
 	/* enable nonblocking mode */
 	if (nonblock) {
@ -48,10 +48,10 @@ diff -up openssh-6.2p1/channels.c.coverity openssh-6.2p1/channels.c
 			set_nonblock(efd);
 	}
 }
-diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c
+diff -up openssh-6.3p1/clientloop.c.coverity openssh-6.3p1/clientloop.c
--- openssh-6.2p1/clientloop.c.coverity	2013-01-09 05:55:51.000000000 +0100
+--- openssh-6.3p1/clientloop.c.coverity	2013-06-10 05:07:12.000000000 +0200
-+++ openssh-6.2p1/clientloop.c	2013-03-22 09:49:37.342595453 +0100
+++ openssh-6.3p1/clientloop.c	2013-10-07 13:20:36.289298058 +0200
-@@ -2061,14 +2061,15 @@ client_input_global_request(int type, u_
+@@ -2068,14 +2068,15 @@ client_input_global_request(int type, u_
 	char *rtype;
 	int want_reply;
 	int success = 0;
@ -69,10 +69,10 @@ diff -up openssh-6.2p1/clientloop.c.coverity openssh-6.2p1/clientloop.c
 		packet_send();
 		packet_write_wait();
 	}
-diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c
+diff -up openssh-6.3p1/key.c.coverity openssh-6.3p1/key.c
--- openssh-6.2p1/key.c.coverity	2013-01-18 01:44:05.000000000 +0100
+--- openssh-6.3p1/key.c.coverity	2013-06-01 23:41:51.000000000 +0200
-+++ openssh-6.2p1/key.c	2013-03-22 09:49:37.345595440 +0100
+++ openssh-6.3p1/key.c	2013-10-07 13:20:36.290298054 +0200
-@@ -808,8 +808,10 @@ key_read(Key *ret, char **cpp)
+@@ -807,8 +807,10 @@ key_read(Key *ret, char **cpp)
 		success = 1;
 /*XXXX*/
 		key_free(k);
@ -83,9 +83,9 @@ diff -up openssh-6.2p1/key.c.coverity openssh-6.2p1/key.c
 		/* advance cp: skip whitespace and data */
 		while (*cp == ' ' || *cp == '\t')
 			cp++;
-diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
+diff -up openssh-6.3p1/monitor.c.coverity openssh-6.3p1/monitor.c
--- openssh-6.2p1/monitor.c.coverity	2012-12-12 00:44:39.000000000 +0100
+--- openssh-6.3p1/monitor.c.coverity	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.2p1/monitor.c	2013-03-22 12:19:55.189921353 +0100
+++ openssh-6.3p1/monitor.c	2013-10-07 13:54:36.761314042 +0200
@@ -449,7 +449,7 @@ monitor_child_preauth(Authctxt *_authctx
 	mm_get_keystate(pmonitor);
@ -95,7 +95,7 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
 		;
 	close(pmonitor->m_sendfd);
-@@ -1194,6 +1194,10 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1202,6 +1202,10 @@ mm_answer_keyallowed(int sock, Buffer *m
 			break;
 		}
 	}
@ -106,8 +106,8 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
 	if (key != NULL)
 		key_free(key);
-@@ -1216,9 +1220,6 @@ mm_answer_keyallowed(int sock, Buffer *m
+@@ -1223,9 +1227,6 @@ mm_answer_keyallowed(int sock, Buffer *m
- 		xfree(chost);
+ 		free(chost);
 	}
 -	debug3("%s: key %p is %s",
@ -116,10 +116,10 @@ diff -up openssh-6.2p1/monitor.c.coverity openssh-6.2p1/monitor.c
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
 	buffer_put_int(m, forced_command != NULL);
-diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c
+diff -up openssh-6.3p1/monitor_wrap.c.coverity openssh-6.3p1/monitor_wrap.c
--- openssh-6.2p1/monitor_wrap.c.coverity	2013-01-09 06:12:19.000000000 +0100
+--- openssh-6.3p1/monitor_wrap.c.coverity	2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.2p1/monitor_wrap.c	2013-03-22 09:49:37.347595431 +0100
+++ openssh-6.3p1/monitor_wrap.c	2013-10-07 13:20:36.291298049 +0200
-@@ -708,10 +708,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
+@@ -710,10 +710,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
 		error("%s: cannot allocate fds for pty", __func__);
@ -133,9 +133,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.coverity openssh-6.2p1/monitor_wrap.c
 		return 0;
 	}
 	close(tmp1);
-diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/openbsd-compat/bindresvport.c
+diff -up openssh-6.3p1/openbsd-compat/bindresvport.c.coverity openssh-6.3p1/openbsd-compat/bindresvport.c
--- openssh-6.2p1/openbsd-compat/bindresvport.c.coverity	2010-12-03 00:50:26.000000000 +0100
+--- openssh-6.3p1/openbsd-compat/bindresvport.c.coverity	2010-12-03 00:50:26.000000000 +0100
-+++ openssh-6.2p1/openbsd-compat/bindresvport.c	2013-03-22 09:49:37.347595431 +0100
+++ openssh-6.3p1/openbsd-compat/bindresvport.c	2013-10-07 13:20:36.291298049 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
 	struct sockaddr_in6 *in6;
 	u_int16_t *portp;
@ -145,10 +145,10 @@ diff -up openssh-6.2p1/openbsd-compat/bindresvport.c.coverity openssh-6.2p1/open
 	int i;
 	if (sa == NULL) {
-diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c
+diff -up openssh-6.3p1/packet.c.coverity openssh-6.3p1/packet.c
--- openssh-6.2p1/packet.c.coverity	2013-02-12 01:03:59.000000000 +0100
+--- openssh-6.3p1/packet.c.coverity	2013-07-18 08:12:45.000000000 +0200
-+++ openssh-6.2p1/packet.c	2013-03-22 09:49:37.348595426 +0100
+++ openssh-6.3p1/packet.c	2013-10-07 13:20:36.291298049 +0200
-@@ -1192,6 +1192,7 @@ packet_read_poll1(void)
+@@ -1199,6 +1199,7 @@ packet_read_poll1(void)
 		case DEATTACK_DETECTED:
 			packet_disconnect("crc32 compensation attack: "
 			    "network attack detected");
@ -156,18 +156,9 @@ diff -up openssh-6.2p1/packet.c.coverity openssh-6.2p1/packet.c
 		case DEATTACK_DOS_DETECTED:
 			packet_disconnect("deattack denial of "
 			    "service detected");
-@@ -1728,7 +1729,7 @@ void
+diff -up openssh-6.3p1/progressmeter.c.coverity openssh-6.3p1/progressmeter.c
- packet_write_wait(void)
+--- openssh-6.3p1/progressmeter.c.coverity	2013-06-02 15:46:24.000000000 +0200
- {
+++ openssh-6.3p1/progressmeter.c	2013-10-07 13:42:32.377850691 +0200
 	fd_set *setp;
 -	int ret, ms_remain;
 +	int ret, ms_remain = 0;
 	struct timeval start, timeout, *timeoutp = NULL;
 	setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
 diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
 --- openssh-6.2p1/progressmeter.c.coverity	2006-08-05 04:39:40.000000000 +0200
 +++ openssh-6.2p1/progressmeter.c	2013-03-22 09:49:37.349595422 +0100
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
 static time_t start;		/* start progress */
@ -184,11 +175,11 @@ diff -up openssh-6.2p1/progressmeter.c.coverity openssh-6.2p1/progressmeter.c
 -start_progress_meter(char *f, off_t filesize, off_t *ctr)
 +start_progress_meter(const char *f, off_t filesize, off_t *ctr)
 {
- 	start = last_update = time(NULL);
+ 	start = last_update = monotime();
 	file = f;
-diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h
+diff -up openssh-6.3p1/progressmeter.h.coverity openssh-6.3p1/progressmeter.h
--- openssh-6.2p1/progressmeter.h.coverity	2006-03-26 05:30:02.000000000 +0200
+--- openssh-6.3p1/progressmeter.h.coverity	2006-03-26 05:30:02.000000000 +0200
-+++ openssh-6.2p1/progressmeter.h	2013-03-22 09:49:37.349595422 +0100
+++ openssh-6.3p1/progressmeter.h	2013-10-07 13:20:36.292298044 +0200
@@ -23,5 +23,5 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
@ -196,9 +187,9 @@ diff -up openssh-6.2p1/progressmeter.h.coverity openssh-6.2p1/progressmeter.h
 -void	start_progress_meter(char *, off_t, off_t *);
 +void	start_progress_meter(const char *, off_t, off_t *);
 void	stop_progress_meter(void);
-diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c
+diff -up openssh-6.3p1/scp.c.coverity openssh-6.3p1/scp.c
--- openssh-6.2p1/scp.c.coverity	2013-03-20 02:55:15.000000000 +0100
+--- openssh-6.3p1/scp.c.coverity	2013-07-18 08:11:25.000000000 +0200
-+++ openssh-6.2p1/scp.c	2013-03-22 09:49:37.349595422 +0100
+++ openssh-6.3p1/scp.c	2013-10-07 13:20:36.292298044 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
@ -208,10 +199,10 @@ diff -up openssh-6.2p1/scp.c.coverity openssh-6.2p1/scp.c
 	}
 	if (signo)
-diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
+diff -up openssh-6.3p1/servconf.c.coverity openssh-6.3p1/servconf.c
--- openssh-6.2p1/servconf.c.coverity	2013-02-12 01:02:08.000000000 +0100
+--- openssh-6.3p1/servconf.c.coverity	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.2p1/servconf.c	2013-03-22 09:49:37.350595418 +0100
+++ openssh-6.3p1/servconf.c	2013-10-07 13:20:36.293298039 +0200
-@@ -1268,7 +1268,7 @@ process_server_config_line(ServerOptions
+@@ -1323,7 +1323,7 @@ process_server_config_line(ServerOptions
 			fatal("%s line %d: Missing subsystem name.",
 			    filename, linenum);
 		if (!*activep) {
@ -220,7 +211,7 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
 			break;
 		}
 		for (i = 0; i < options->num_subsystems; i++)
-@@ -1359,8 +1359,9 @@ process_server_config_line(ServerOptions
+@@ -1414,8 +1414,9 @@ process_server_config_line(ServerOptions
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
 			/* increase optional counter */
@ -232,16 +223,16 @@ diff -up openssh-6.2p1/servconf.c.coverity openssh-6.2p1/servconf.c
 		}
 		break;
-diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
+diff -up openssh-6.3p1/serverloop.c.coverity openssh-6.3p1/serverloop.c
--- openssh-6.2p1/serverloop.c.coverity	2012-12-07 03:07:47.000000000 +0100
+--- openssh-6.3p1/serverloop.c.coverity	2013-07-18 08:12:45.000000000 +0200
-+++ openssh-6.2p1/serverloop.c	2013-03-22 09:49:37.351595413 +0100
+++ openssh-6.3p1/serverloop.c	2013-10-07 13:43:36.620537138 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
 static void
 notify_parent(void)
 {
 -	if (notify_pipe[1] != -1)
 +	if (notify_pipe[1] >= 0)
- 		write(notify_pipe[1], "", 1);
+ 		(void)write(notify_pipe[1], "", 1);
 }
 static void
 notify_prepare(fd_set *readset)
@ -307,7 +298,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
 			if (fdin != fdout)
 				close(fdin);
 			else
-@@ -741,15 +741,15 @@ server_loop(pid_t pid, int fdin_arg, int
+@@ -739,15 +739,15 @@ server_loop(pid_t pid, int fdin_arg, int
 	buffer_free(&stderr_buffer);
 	/* Close the file descriptors. */
@ -326,7 +317,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
 		close(fdin);
 	fdin = -1;
-@@ -943,7 +943,7 @@ server_input_window_size(int type, u_int
+@@ -946,7 +946,7 @@ server_input_window_size(int type, u_int
 	debug("Window change received.");
 	packet_check_eom();
@ -335,7 +326,7 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
 		pty_change_window_size(fdin, row, col, xpixel, ypixel);
 }
-@@ -1003,7 +1003,7 @@ server_request_tun(void)
+@@ -1006,7 +1006,7 @@ server_request_tun(void)
 	}
 	tun = packet_get_int();
@ -344,111 +335,9 @@ diff -up openssh-6.2p1/serverloop.c.coverity openssh-6.2p1/serverloop.c
 		if (tun != SSH_TUNID_ANY && forced_tun_device != tun)
 			goto done;
 		tun = forced_tun_device;
-diff -up openssh-6.2p1/sftp.c.coverity openssh-6.2p1/sftp.c
+diff -up openssh-6.3p1/sftp-client.c.coverity openssh-6.3p1/sftp-client.c
--- openssh-6.2p1/sftp.c.coverity	2013-02-22 23:12:24.000000000 +0100
+--- openssh-6.3p1/sftp-client.c.coverity	2013-07-26 00:40:00.000000000 +0200
-+++ openssh-6.2p1/sftp.c	2013-03-22 09:49:37.352595409 +0100
+++ openssh-6.3p1/sftp-client.c	2013-10-07 13:48:45.885027420 +0200
@@ -202,7 +202,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
 -		waitpid(sshpid, NULL, 0);
 +		(void) waitpid(sshpid, NULL, 0);
 	}
 	_exit(1);
@@ -312,7 +312,7 @@ local_do_ls(const char *args)
 /* Strip one path (usually the pwd) from the start of another */
 static char *
 -path_strip(char *path, char *strip)
 +path_strip(const char *path, const char *strip)
 {
 	size_t len;
@@ -330,7 +330,7 @@ path_strip(char *path, char *strip)
 }
 static char *
 -make_absolute(char *p, char *pwd)
 +make_absolute(char *p, const char *pwd)
 {
 	char *abs_str;
@@ -478,7 +478,7 @@ parse_df_flags(const char *cmd, char **a
 }
 static int
 -is_dir(char *path)
 +is_dir(const char *path)
 {
 	struct stat sb;
@@ -490,7 +490,7 @@ is_dir(char *path)
 }
 static int
 -remote_is_dir(struct sftp_conn *conn, char *path)
 +remote_is_dir(struct sftp_conn *conn, const char *path)
 {
 	Attrib *a;
@@ -504,7 +504,7 @@ remote_is_dir(struct sftp_conn *conn, ch
 /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
 static int
 -pathname_is_dir(char *pathname)
 +pathname_is_dir(const char *pathname)
 {
 	size_t l = strlen(pathname);
@@ -512,7 +512,7 @@ pathname_is_dir(char *pathname)
 }
 static int
 -process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *abs_src = NULL;
@@ -586,7 +586,7 @@ out:
 }
 static int
 -process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *tmp_dst = NULL;
@@ -691,7 +691,7 @@ sdirent_comp(const void *aa, const void
 /* sftp ls.1 replacement for directories */
 static int
 -do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
 +do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
 {
 	int n;
 	u_int c = 1, colspace = 0, columns = 1;
@@ -776,7 +776,7 @@ do_ls_dir(struct sftp_conn *conn, char *
 /* sftp ls.1 replacement which handles path globs */
 static int
 -do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
 +do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
     int lflag)
 {
 	char *fname, *lname;
@@ -857,7 +857,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
 }
 static int
 -do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
 +do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
 {
 	struct sftp_statvfs st;
 	char s_used[FMT_SCALED_STRSIZE];
 diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
 --- openssh-6.2p1/sftp-client.c.coverity	2012-07-02 14:15:39.000000000 +0200
 +++ openssh-6.2p1/sftp-client.c	2013-03-22 09:49:37.353595404 +0100
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
 }
@ -599,28 +488,28 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
 int
 -do_download(struct sftp_conn *conn, char *remote_path, char *local_path,
 +do_download(struct sftp_conn *conn, const char *remote_path, const char *local_path,
-     Attrib *a, int pflag)
+     Attrib *a, int pflag, int resume)
 {
 	Attrib junk;
-@@ -1226,7 +1226,7 @@ do_download(struct sftp_conn *conn, char
+@@ -1255,7 +1255,7 @@ do_download(struct sftp_conn *conn, char
 }
 static int
 -download_dir_internal(struct sftp_conn *conn, char *src, char *dst,
 +download_dir_internal(struct sftp_conn *conn, const char *src, const char *dst,
-     Attrib *dirattrib, int pflag, int printflag, int depth)
+     Attrib *dirattrib, int pflag, int printflag, int depth, int resume)
 {
 	int i, ret = 0;
-@@ -1316,7 +1316,7 @@ download_dir_internal(struct sftp_conn *
+@@ -1345,7 +1345,7 @@ download_dir_internal(struct sftp_conn *
 }
 int
 -download_dir(struct sftp_conn *conn, char *src, char *dst,
 +download_dir(struct sftp_conn *conn, const char *src, const char *dst,
-     Attrib *dirattrib, int pflag, int printflag)
+     Attrib *dirattrib, int pflag, int printflag, int resume)
 {
 	char *src_canon;
-@@ -1334,7 +1334,7 @@ download_dir(struct sftp_conn *conn, cha
+@@ -1363,7 +1363,7 @@ download_dir(struct sftp_conn *conn, cha
 }
 int
@ -629,7 +518,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
     int pflag)
 {
 	int local_fd;
-@@ -1517,7 +1517,7 @@ do_upload(struct sftp_conn *conn, char *
+@@ -1548,7 +1548,7 @@ do_upload(struct sftp_conn *conn, char *
 }
 static int
@ -638,7 +527,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
     int pflag, int printflag, int depth)
 {
 	int ret = 0, status;
-@@ -1608,7 +1608,7 @@ upload_dir_internal(struct sftp_conn *co
+@@ -1639,7 +1639,7 @@ upload_dir_internal(struct sftp_conn *co
 }
 int
@ -647,7 +536,7 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
     int pflag)
 {
 	char *dst_canon;
-@@ -1625,7 +1625,7 @@ upload_dir(struct sftp_conn *conn, char
+@@ -1656,7 +1656,7 @@ upload_dir(struct sftp_conn *conn, char
 }
 char *
@ -656,9 +545,9 @@ diff -up openssh-6.2p1/sftp-client.c.coverity openssh-6.2p1/sftp-client.c
 {
 	char *ret;
 	size_t len = strlen(p1) + strlen(p2) + 2;
-diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
+diff -up openssh-6.3p1/sftp-client.h.coverity openssh-6.3p1/sftp-client.h
--- openssh-6.2p1/sftp-client.h.coverity	2010-12-04 23:02:48.000000000 +0100
+--- openssh-6.3p1/sftp-client.h.coverity	2013-07-25 03:56:52.000000000 +0200
-+++ openssh-6.2p1/sftp-client.h	2013-03-22 09:49:37.353595404 +0100
+++ openssh-6.3p1/sftp-client.h	2013-10-07 13:45:10.108080813 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
 u_int sftp_proto_version(struct sftp_conn *);
@ -727,15 +616,15 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
  * Download 'remote_path' to 'local_path'. Preserve permissions and times
  * if 'pflag' is set
  */
-int do_download(struct sftp_conn *, char *, char *, Attrib *, int);
+-int do_download(struct sftp_conn *, char *, char *, Attrib *, int, int);
-+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int);
+int do_download(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
 /*
  * Recursively download 'remote_directory' to 'local_directory'. Preserve 
  * times if 'pflag' is set
  */
-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int);
+-int download_dir(struct sftp_conn *, char *, char *, Attrib *, int, int, int);
-+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int);
+int download_dir(struct sftp_conn *, const char *, const char *, Attrib *, int, int, int);
 /*
  * Upload 'local_path' to 'remote_path'. Preserve permissions and times
@ -756,10 +645,112 @@ diff -up openssh-6.2p1/sftp-client.h.coverity openssh-6.2p1/sftp-client.h
 +char *path_append(const char *, const char *);
 #endif
-diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c
+diff -up openssh-6.3p1/sftp.c.coverity openssh-6.3p1/sftp.c
--- openssh-6.2p1/ssh-agent.c.coverity	2011-06-03 06:14:16.000000000 +0200
+--- openssh-6.3p1/sftp.c.coverity	2013-07-25 03:56:52.000000000 +0200
-+++ openssh-6.2p1/ssh-agent.c	2013-03-22 09:49:37.354595400 +0100
+++ openssh-6.3p1/sftp.c	2013-10-07 13:49:47.322727449 +0200
-@@ -1147,8 +1147,8 @@ main(int ac, char **av)
+@@ -213,7 +213,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
 		kill(sshpid, SIGTERM);
 -		waitpid(sshpid, NULL, 0);
 +		(void) waitpid(sshpid, NULL, 0);
 	}
 	_exit(1);
@@ -324,7 +324,7 @@ local_do_ls(const char *args)
 /* Strip one path (usually the pwd) from the start of another */
 static char *
 -path_strip(char *path, char *strip)
 +path_strip(const char *path, const char *strip)
 {
 	size_t len;
@@ -342,7 +342,7 @@ path_strip(char *path, char *strip)
 }
 static char *
 -make_absolute(char *p, char *pwd)
 +make_absolute(char *p, const char *pwd)
 {
 	char *abs_str;
@@ -493,7 +493,7 @@ parse_df_flags(const char *cmd, char **a
 }
 static int
 -is_dir(char *path)
 +is_dir(const char *path)
 {
 	struct stat sb;
@@ -505,7 +505,7 @@ is_dir(char *path)
 }
 static int
 -remote_is_dir(struct sftp_conn *conn, char *path)
 +remote_is_dir(struct sftp_conn *conn, const char *path)
 {
 	Attrib *a;
@@ -519,7 +519,7 @@ remote_is_dir(struct sftp_conn *conn, ch
 /* Check whether path returned from glob(..., GLOB_MARK, ...) is a directory */
 static int
 -pathname_is_dir(char *pathname)
 +pathname_is_dir(const char *pathname)
 {
 	size_t l = strlen(pathname);
@@ -527,7 +527,7 @@ pathname_is_dir(char *pathname)
 }
 static int
 -process_get(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_get(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag, int resume)
 {
 	char *abs_src = NULL;
@@ -605,7 +605,7 @@ out:
 }
 static int
 -process_put(struct sftp_conn *conn, char *src, char *dst, char *pwd,
 +process_put(struct sftp_conn *conn, const char *src, const char *dst, const char *pwd,
     int pflag, int rflag)
 {
 	char *tmp_dst = NULL;
@@ -709,7 +709,7 @@ sdirent_comp(const void *aa, const void
 /* sftp ls.1 replacement for directories */
 static int
 -do_ls_dir(struct sftp_conn *conn, char *path, char *strip_path, int lflag)
 +do_ls_dir(struct sftp_conn *conn, const char *path, const char *strip_path, int lflag)
 {
 	int n;
 	u_int c = 1, colspace = 0, columns = 1;
@@ -794,7 +794,7 @@ do_ls_dir(struct sftp_conn *conn, char *
 /* sftp ls.1 replacement which handles path globs */
 static int
 -do_globbed_ls(struct sftp_conn *conn, char *path, char *strip_path,
 +do_globbed_ls(struct sftp_conn *conn, const char *path, const char *strip_path,
     int lflag)
 {
 	char *fname, *lname;
@@ -875,7 +875,7 @@ do_globbed_ls(struct sftp_conn *conn, ch
 }
 static int
 -do_df(struct sftp_conn *conn, char *path, int hflag, int iflag)
 +do_df(struct sftp_conn *conn, const char *path, int hflag, int iflag)
 {
 	struct sftp_statvfs st;
 	char s_used[FMT_SCALED_STRSIZE];
 diff -up openssh-6.3p1/ssh-agent.c.coverity openssh-6.3p1/ssh-agent.c
 --- openssh-6.3p1/ssh-agent.c.coverity	2013-07-20 05:22:49.000000000 +0200
 +++ openssh-6.3p1/ssh-agent.c	2013-10-07 13:20:36.296298024 +0200
@@ -1143,8 +1143,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
 	/* drop */
@ -770,37 +761,28 @@ diff -up openssh-6.2p1/ssh-agent.c.coverity openssh-6.2p1/ssh-agent.c
 #if defined(HAVE_PRCTL) && defined(PR_SET_DUMPABLE)
 	/* Disable ptrace on Linux without sgid bit */
-diff -up openssh-6.2p1/sshd.c.coverity openssh-6.2p1/sshd.c
+diff -up openssh-6.3p1/sshd.c.coverity openssh-6.3p1/sshd.c
--- openssh-6.2p1/sshd.c.coverity	2013-02-12 01:04:48.000000000 +0100
+--- openssh-6.3p1/sshd.c.coverity	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.2p1/sshd.c	2013-03-22 09:49:37.355595396 +0100
+++ openssh-6.3p1/sshd.c	2013-10-07 13:20:36.296298024 +0200
-@@ -691,8 +691,10 @@ privsep_preauth(Authctxt *authctxt)
+@@ -699,8 +699,10 @@ privsep_preauth(Authctxt *authctxt)
 		if (getuid() == 0 || geteuid() == 0)
 			privsep_preauth_child();
 		setproctitle("%s", "[net]");
 -		if (box != NULL)
 +		if (box != NULL) {
 			ssh_sandbox_child(box);
-+			xfree(box);
+			free(box);
 +		}
 		return 0;
 	}
-@@ -1320,6 +1322,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -1345,6 +1347,9 @@ server_accept_loop(int *sock_in, int *so
 		if (num_listen_socks < 0)
 			break;
 	}
 +
 +	if (fdset != NULL)
-+		xfree(fdset);
+		free(fdset);
 }
@@ -1806,7 +1811,7 @@ main(int ac, char **av)
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 -	chdir("/");
 +	(void) chdir("/");
 	/* ignore SIGPIPE */
 	signal(SIGPIPE, SIG_IGN);
--- a/openssh-6.3p1-ctr-cavstest.patch
+++ b/openssh-6.3p1-ctr-cavstest.patch
@ -185,8 +185,8 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
 +
 +	cipher_init(&cc, c, key, keylen, iv, ivlen, encrypt);
 +
-+        xfree(key);
+        free(key);
-+        xfree(iv);
+        free(iv);
 +
 +	outdata = malloc(datalen);
 +	if(outdata == NULL) {
@ -196,7 +196,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
 +
 +	cipher_crypt(&cc, outdata, data, datalen, 0, 0);
 +
-+        xfree(data);
+        free(data);
 +
 +	cipher_cleanup(&cc);
 +
@ -204,7 +204,7 @@ diff -up openssh-6.2p1/ctr-cavstest.c.ctr-cavs openssh-6.2p1/ctr-cavstest.c
 +		printf("%02X", (unsigned char)*p);
 +	}
 +
-+        xfree(outdata);
+        free(outdata);
 +
 +        printf("\n");
 +        return 0;
--- a/openssh-6.3p1-ctr-evp-fast.patch
+++ b/openssh-6.3p1-ctr-evp-fast.patch
@ -97,5 +97,5 @@ diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
 	if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
 +		EVP_CIPHER_CTX_cleanup(&c->ecbctx);
 		memset(c, 0, sizeof(*c));
- 		xfree(c);
+ 		free(c);
 		EVP_CIPHER_CTX_set_app_data(ctx, NULL);
--- a/openssh-6.3p1-fingerprint.patch
+++ b/openssh-6.3p1-fingerprint.patch
@ -1,7 +1,24 @@
-diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbased.c
+diff -up openssh-6.3p1/auth-rsa.c.fingerprint openssh-6.3p1/auth-rsa.c
--- openssh-6.2p1/auth2-hostbased.c.fingerprint	2010-08-05 05:04:50.000000000 +0200
+diff -up openssh-6.3p1/auth.c.fingerprint openssh-6.3p1/auth.c
-+++ openssh-6.2p1/auth2-hostbased.c	2013-03-22 12:20:49.009685008 +0100
+--- openssh-6.3p1/auth.c.fingerprint	2013-10-07 14:02:36.998968153 +0200
-@@ -196,16 +196,18 @@ hostbased_key_allowed(struct passwd *pw,
+++ openssh-6.3p1/auth.c	2013-10-07 15:42:05.243812405 +0200
@@ -685,9 +685,10 @@ auth_key_is_revoked(Key *key)
 	case 1:
  revoked:
 		/* Key revoked */
 -		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 +		key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
 		error("WARNING: authentication attempt with a revoked "
 -		    "%s key %s ", key_type(key), key_fp);
 +		    "%s key %s%s ", key_type(key),
 +		    key_fingerprint_prefix(), key_fp);
 		free(key_fp);
 		return 1;
 	}
 diff -up openssh-6.3p1/auth2-hostbased.c.fingerprint openssh-6.3p1/auth2-hostbased.c
 --- openssh-6.3p1/auth2-hostbased.c.fingerprint	2013-10-07 14:02:36.998968153 +0200
 +++ openssh-6.3p1/auth2-hostbased.c	2013-10-07 15:43:49.747355927 +0200
@@ -200,16 +200,18 @@ hostbased_key_allowed(struct passwd *pw,
 	if (host_status == HOST_OK) {
 		if (key_is_cert(key)) {
@ -25,12 +42,12 @@ diff -up openssh-6.2p1/auth2-hostbased.c.fingerprint openssh-6.2p1/auth2-hostbas
 +			    key_type(key), key_fingerprint_prefix(),
 +			    fp, cuser, lookup);
 		}
- 		xfree(fp);
+ 		free(fp);
 	}
-diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
+diff -up openssh-6.3p1/auth2-pubkey.c.fingerprint openssh-6.3p1/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c.fingerprint	2013-02-15 00:28:56.000000000 +0100
+--- openssh-6.3p1/auth2-pubkey.c.fingerprint	2013-07-18 08:10:10.000000000 +0200
-+++ openssh-6.2p1/auth2-pubkey.c	2013-03-22 12:20:49.009685008 +0100
+++ openssh-6.3p1/auth2-pubkey.c	2013-10-07 15:50:44.617495624 +0200
-@@ -317,10 +317,10 @@ check_authkeys_file(FILE *f, char *file,
+@@ -359,10 +359,10 @@ check_authkeys_file(FILE *f, char *file,
 				continue;
 			if (!key_is_cert_authority)
 				continue;
@ -45,20 +62,20 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
 			/*
 			 * If the user has specified a list of principals as
 			 * a key option, then prefer that list to matching
-@@ -360,9 +360,9 @@ check_authkeys_file(FILE *f, char *file,
+@@ -400,9 +400,9 @@ check_authkeys_file(FILE *f, char *file,
 			if (key_is_cert_authority)
 				continue;
 			found_key = 1;
 			debug("matching key found: file %s, line %lu",
 			    file, linenum);
 -			fp = key_fingerprint(found, SSH_FP_MD5, SSH_FP_HEX);
-			verbose("Found matching %s key: %s",
+-			debug("matching key found: file %s, line %lu %s %s",
-			    key_type(found), fp);
+-			    file, linenum, key_type(found), fp);
 +			fp = key_selected_fingerprint(found, SSH_FP_HEX);
 +			verbose("Found matching %s key: %s%s",
 +			    key_type(found), key_fingerprint_prefix(), fp);
- 			xfree(fp);
+ 			free(fp);
 			break;
 		}
-@@ -384,13 +384,13 @@ user_cert_trusted_ca(struct passwd *pw,
+@@ -425,13 +425,13 @@ user_cert_trusted_ca(struct passwd *pw,
 	if (!key_is_cert(key) || options.trusted_user_ca_keys == NULL)
 		return 0;
@ -76,42 +93,10 @@ diff -up openssh-6.2p1/auth2-pubkey.c.fingerprint openssh-6.2p1/auth2-pubkey.c
 		    options.trusted_user_ca_keys);
 		goto out;
 	}
-diff -up openssh-6.2p1/auth.c.fingerprint openssh-6.2p1/auth.c
+diff -up openssh-6.3p1/key.c.fingerprint openssh-6.3p1/key.c
--- openssh-6.2p1/auth.c.fingerprint	2013-03-12 01:31:05.000000000 +0100
+--- openssh-6.3p1/key.c.fingerprint	2013-10-07 14:02:36.971968285 +0200
-+++ openssh-6.2p1/auth.c	2013-03-22 12:22:32.515230386 +0100
+++ openssh-6.3p1/key.c	2013-10-07 14:02:36.999968148 +0200
-@@ -663,9 +663,10 @@ auth_key_is_revoked(Key *key)
+@@ -598,6 +598,34 @@ key_fingerprint(const Key *k, enum fp_ty
 	case 1:
  revoked:
 		/* Key revoked */
 -		key_fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 +		key_fp = key_selected_fingerprint(key, SSH_FP_HEX);
 		error("WARNING: authentication attempt with a revoked "
 -		    "%s key %s ", key_type(key), key_fp);
 +		    "%s key %s%s ", key_type(key),
 +		    key_fingerprint_prefix(), key_fp);
 		xfree(key_fp);
 		return 1;
 	}
 diff -up openssh-6.2p1/auth-rsa.c.fingerprint openssh-6.2p1/auth-rsa.c
 --- openssh-6.2p1/auth-rsa.c.fingerprint	2012-10-30 22:58:59.000000000 +0100
 +++ openssh-6.2p1/auth-rsa.c	2013-03-22 12:20:49.011684999 +0100
@@ -328,9 +328,9 @@ auth_rsa(Authctxt *authctxt, BIGNUM *cli
 	 * options; this will be reset if the options cause the
 	 * authentication to be rejected.
 	 */
 -	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 -	verbose("Found matching %s key: %s",
 -	    key_type(key), fp);
 +	fp = key_selected_fingerprint(key, SSH_FP_HEX);
 +	verbose("Found matching %s key: %s%s",
 +	    key_type(key), key_fingerprint_prefix(), fp);
 	xfree(fp);
 	key_free(key);
 diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
 --- openssh-6.2p1/key.c.fingerprint	2013-03-22 12:20:48.971685175 +0100
 +++ openssh-6.2p1/key.c	2013-03-22 12:20:49.012684995 +0100
@@ -599,6 +599,34 @@ key_fingerprint(Key *k, enum fp_type dgs
 	return retval;
 }
@ -146,12 +131,12 @@ diff -up openssh-6.2p1/key.c.fingerprint openssh-6.2p1/key.c
 /*
  * Reads a multiple-precision integer in decimal from the buffer, and advances
  * the pointer.  The integer must already be initialized.  This function is
-diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
+diff -up openssh-6.3p1/key.h.fingerprint openssh-6.3p1/key.h
--- openssh-6.2p1/key.h.fingerprint	2013-01-18 01:44:05.000000000 +0100
+--- openssh-6.3p1/key.h.fingerprint	2013-10-07 14:02:36.999968148 +0200
-+++ openssh-6.2p1/key.h	2013-03-22 12:23:35.308954528 +0100
+++ openssh-6.3p1/key.h	2013-10-07 15:44:17.574233450 +0200
@@ -97,6 +97,9 @@ int		 key_equal_public(const Key *, cons
 int		 key_equal(const Key *, const Key *);
- char		*key_fingerprint(Key *, enum fp_type, enum fp_rep);
+ char		*key_fingerprint(const Key *, enum fp_type, enum fp_rep);
 u_char		*key_fingerprint_raw(const Key *, enum fp_type, u_int *);
 +enum fp_type	 key_fingerprint_selection(void);
 +char		*key_selected_fingerprint(Key *, enum fp_rep);
@ -159,9 +144,9 @@ diff -up openssh-6.2p1/key.h.fingerprint openssh-6.2p1/key.h
 const char	*key_type(const Key *);
 const char	*key_cert_type(const Key *);
 int		 key_write(const Key *, FILE *);
-diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
+diff -up openssh-6.3p1/ssh-add.c.fingerprint openssh-6.3p1/ssh-add.c
--- openssh-6.2p1/ssh-add.c.fingerprint	2012-12-07 03:07:03.000000000 +0100
+--- openssh-6.3p1/ssh-add.c.fingerprint	2013-10-07 14:02:37.000968143 +0200
-+++ openssh-6.2p1/ssh-add.c	2013-03-22 12:20:49.029684920 +0100
+++ openssh-6.3p1/ssh-add.c	2013-10-07 14:44:57.466515766 +0200
@@ -326,10 +326,10 @@ list_identities(AuthenticationConnection
 		    key = ssh_get_next_identity(ac, &comment, version)) {
 			had_identities = 1;
@ -174,13 +159,13 @@ diff -up openssh-6.2p1/ssh-add.c.fingerprint openssh-6.2p1/ssh-add.c
 +				printf("%d %s%s %s (%s)\n",
 +				    key_size(key), key_fingerprint_prefix(),
 +				    fp, comment, key_type(key));
- 				xfree(fp);
+ 				free(fp);
 			} else {
 				if (!key_write(key, stdout))
-diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
+diff -up openssh-6.3p1/ssh-agent.c.fingerprint openssh-6.3p1/ssh-agent.c
--- openssh-6.2p1/ssh-agent.c.fingerprint	2013-03-22 12:20:48.979685140 +0100
+--- openssh-6.3p1/ssh-agent.c.fingerprint	2013-10-07 14:02:37.000968143 +0200
-+++ openssh-6.2p1/ssh-agent.c	2013-03-22 12:20:49.030684916 +0100
+++ openssh-6.3p1/ssh-agent.c	2013-10-07 15:41:11.627044336 +0200
-@@ -199,9 +199,9 @@ confirm_key(Identity *id)
+@@ -198,9 +198,9 @@ confirm_key(Identity *id)
 	char *p;
 	int ret = -1;
@ -191,134 +176,11 @@ diff -up openssh-6.2p1/ssh-agent.c.fingerprint openssh-6.2p1/ssh-agent.c
 +	if (ask_permission("Allow use of key %s?\nKey fingerprint %s%s.",
 +	    id->comment, key_fingerprint_prefix(), p))
 		ret = 0;
- 	xfree(p);
+ 	free(p);
-diff -up openssh-6.2p1/sshconnect2.c.fingerprint openssh-6.2p1/sshconnect2.c
+diff -up openssh-6.3p1/ssh-keygen.c.fingerprint openssh-6.3p1/ssh-keygen.c
--- openssh-6.2p1/sshconnect2.c.fingerprint	2013-03-20 02:55:15.000000000 +0100
+--- openssh-6.3p1/ssh-keygen.c.fingerprint	2013-07-20 05:22:32.000000000 +0200
-+++ openssh-6.2p1/sshconnect2.c	2013-03-22 12:20:49.031684912 +0100
+++ openssh-6.3p1/ssh-keygen.c	2013-10-07 14:25:52.864145038 +0200
@@ -592,8 +592,9 @@ input_userauth_pk_ok(int type, u_int32_t
 		    key->type, pktype);
 		goto done;
 	}
 -	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 -	debug2("input_userauth_pk_ok: fp %s", fp);
 +	fp = key_selected_fingerprint(key, SSH_FP_HEX);
 +	debug2("input_userauth_pk_ok: fp %s%s",
 +	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 	/*
@@ -1205,8 +1206,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	int have_sig = 1;
 	char *fp;
 -	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
 -	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
 +	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
 +	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
 +	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
 diff -up openssh-6.2p1/sshconnect.c.fingerprint openssh-6.2p1/sshconnect.c
 --- openssh-6.2p1/sshconnect.c.fingerprint	2012-09-17 05:25:44.000000000 +0200
 +++ openssh-6.2p1/sshconnect.c	2013-03-22 12:20:49.032684907 +0100
@@ -824,10 +824,10 @@ check_host_key(char *hostname, struct so
 				    "key for IP address '%.128s' to the list "
 				    "of known hosts.", type, ip);
 		} else if (options.visual_host_key) {
 -			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 -			ra = key_fingerprint(host_key, SSH_FP_MD5,
 -			    SSH_FP_RANDOMART);
 -			logit("Host key fingerprint is %s\n%s\n", fp, ra);
 +			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 +			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
 +			logit("Host key fingerprint is %s%s\n%s\n",
 +			    key_fingerprint_prefix(), fp, ra);
 			xfree(ra);
 			xfree(fp);
 		}
@@ -865,9 +865,8 @@ check_host_key(char *hostname, struct so
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
 -			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 -			ra = key_fingerprint(host_key, SSH_FP_MD5,
 -			    SSH_FP_RANDOMART);
 +			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 +			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
 				if (matching_host_key_dns)
@@ -882,10 +881,11 @@ check_host_key(char *hostname, struct so
 			snprintf(msg, sizeof(msg),
 			    "The authenticity of host '%.200s (%s)' can't be "
 			    "established%s\n"
 -			    "%s key fingerprint is %s.%s%s\n%s"
 +			    "%s key fingerprint is %s%s.%s%s\n%s"
 			    "Are you sure you want to continue connecting "
 			    "(yes/no)? ",
 -			    host, ip, msg1, type, fp,
 +			    host, ip, msg1, type,
 +			    key_fingerprint_prefix(), fp,
 			    options.visual_host_key ? "\n" : "",
 			    options.visual_host_key ? ra : "",
 			    msg2);
@@ -1130,8 +1130,9 @@ verify_host_key(char *host, struct socka
 	int flags = 0;
 	char *fp;
 -	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 -	debug("Server host key: %s %s", key_type(host_key), fp);
 +	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 +	debug("Server host key: %s %s%s", key_type(host_key),
 +	    key_fingerprint_prefix(), fp);
 	xfree(fp);
 	/* XXX certs are not yet supported for DNS */
@@ -1232,14 +1233,15 @@ show_other_keys(struct hostkeys *hostkey
 			continue;
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
 			continue;
 -		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
 -		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
 +		fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
 +		ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
 		logit("WARNING: %s key found for host %s\n"
 		    "in %s:%lu\n"
 -		    "%s key fingerprint %s.",
 +		    "%s key fingerprint %s%s.",
 		    key_type(found->key),
 		    found->host, found->file, found->line,
 -		    key_type(found->key), fp);
 +		    key_type(found->key),
 +		    key_fingerprint_prefix(), fp);
 		if (options.visual_host_key)
 			logit("%s", ra);
 		xfree(ra);
@@ -1254,7 +1256,7 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
 -	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 +	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
@@ -1262,8 +1264,8 @@ warn_changed_key(Key *host_key)
 	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 -	error("The fingerprint for the %s key sent by the remote host is\n%s.",
 -	    key_type(host_key), fp);
 +	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
 +	    key_type(host_key),key_fingerprint_prefix(),  fp);
 	error("Please contact your system administrator.");
 	xfree(fp);
 diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
 --- openssh-6.2p1/ssh-keygen.c.fingerprint	2013-02-12 01:03:36.000000000 +0100
 +++ openssh-6.2p1/ssh-keygen.c	2013-03-22 12:20:49.033684903 +0100
@@ -767,13 +767,14 @@ do_fingerprint(struct passwd *pw)
 {
 	FILE *f;
@ -378,7 +240,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
 		    key_type(public));
 		if (log_level >= SYSLOG_LEVEL_VERBOSE)
 			printf("%s\n", ra);
-@@ -1854,16 +1857,17 @@ do_show_cert(struct passwd *pw)
+@@ -1855,16 +1858,17 @@ do_show_cert(struct passwd *pw)
 		fatal("%s is not a certificate", identity_file);
 	v00 = key->type == KEY_RSA_CERT_V00 || key->type == KEY_DSA_CERT_V00;
@ -402,7 +264,7 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
 	printf("        Key ID: \"%s\"\n", key->cert->key_id);
 	if (!v00) {
 		printf("        Serial: %llu\n",
-@@ -2651,13 +2655,12 @@ passphrase_again:
+@@ -2655,13 +2659,12 @@ passphrase_again:
 	fclose(f);
 	if (!quiet) {
@ -418,4 +280,127 @@ diff -up openssh-6.2p1/ssh-keygen.c.fingerprint openssh-6.2p1/ssh-keygen.c
 +		printf("%s%s %s\n", key_fingerprint_prefix(), fp, comment);
 		printf("The key's randomart image is:\n");
 		printf("%s\n", ra);
- 		xfree(ra);
+ 		free(ra);
 diff -up openssh-6.3p1/sshconnect.c.fingerprint openssh-6.3p1/sshconnect.c
 --- openssh-6.3p1/sshconnect.c.fingerprint	2013-06-01 23:31:19.000000000 +0200
 +++ openssh-6.3p1/sshconnect.c	2013-10-07 14:43:54.859822036 +0200
@@ -830,10 +830,10 @@ check_host_key(char *hostname, struct so
 				    "key for IP address '%.128s' to the list "
 				    "of known hosts.", type, ip);
 		} else if (options.visual_host_key) {
 -			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 -			ra = key_fingerprint(host_key, SSH_FP_MD5,
 -			    SSH_FP_RANDOMART);
 -			logit("Host key fingerprint is %s\n%s\n", fp, ra);
 +			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 +			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
 +			logit("Host key fingerprint is %s%s\n%s\n",
 +			    key_fingerprint_prefix(), fp, ra);
 			free(ra);
 			free(fp);
 		}
@@ -871,9 +871,8 @@ check_host_key(char *hostname, struct so
 			else
 				snprintf(msg1, sizeof(msg1), ".");
 			/* The default */
 -			fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 -			ra = key_fingerprint(host_key, SSH_FP_MD5,
 -			    SSH_FP_RANDOMART);
 +			fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 +			ra = key_selected_fingerprint(host_key, SSH_FP_RANDOMART);
 			msg2[0] = '\0';
 			if (options.verify_host_key_dns) {
 				if (matching_host_key_dns)
@@ -888,10 +887,11 @@ check_host_key(char *hostname, struct so
 			snprintf(msg, sizeof(msg),
 			    "The authenticity of host '%.200s (%s)' can't be "
 			    "established%s\n"
 -			    "%s key fingerprint is %s.%s%s\n%s"
 +			    "%s key fingerprint is %s%s.%s%s\n%s"
 			    "Are you sure you want to continue connecting "
 			    "(yes/no)? ",
 -			    host, ip, msg1, type, fp,
 +			    host, ip, msg1, type,
 +			    key_fingerprint_prefix(), fp,
 			    options.visual_host_key ? "\n" : "",
 			    options.visual_host_key ? ra : "",
 			    msg2);
@@ -1136,8 +1136,9 @@ verify_host_key(char *host, struct socka
 	int flags = 0;
 	char *fp;
 -	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 -	debug("Server host key: %s %s", key_type(host_key), fp);
 +	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 +	debug("Server host key: %s %s%s", key_type(host_key),
 +	    key_fingerprint_prefix(), fp);
 	free(fp);
 	/* XXX certs are not yet supported for DNS */
@@ -1238,14 +1239,15 @@ show_other_keys(struct hostkeys *hostkey
 			continue;
 		if (!lookup_key_in_hostkeys_by_type(hostkeys, type[i], &found))
 			continue;
 -		fp = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_HEX);
 -		ra = key_fingerprint(found->key, SSH_FP_MD5, SSH_FP_RANDOMART);
 +		fp = key_selected_fingerprint(found->key, SSH_FP_HEX);
 +		ra = key_selected_fingerprint(found->key, SSH_FP_RANDOMART);
 		logit("WARNING: %s key found for host %s\n"
 		    "in %s:%lu\n"
 -		    "%s key fingerprint %s.",
 +		    "%s key fingerprint %s%s.",
 		    key_type(found->key),
 		    found->host, found->file, found->line,
 -		    key_type(found->key), fp);
 +		    key_type(found->key),
 +		    key_fingerprint_prefix(), fp);
 		if (options.visual_host_key)
 			logit("%s", ra);
 		free(ra);
@@ -1260,7 +1262,7 @@ warn_changed_key(Key *host_key)
 {
 	char *fp;
 -	fp = key_fingerprint(host_key, SSH_FP_MD5, SSH_FP_HEX);
 +	fp = key_selected_fingerprint(host_key, SSH_FP_HEX);
 	error("@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@");
 	error("@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @");
@@ -1268,8 +1270,8 @@ warn_changed_key(Key *host_key)
 	error("IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!");
 	error("Someone could be eavesdropping on you right now (man-in-the-middle attack)!");
 	error("It is also possible that a host key has just been changed.");
 -	error("The fingerprint for the %s key sent by the remote host is\n%s.",
 -	    key_type(host_key), fp);
 +	error("The fingerprint for the %s key sent by the remote host is\n%s%s.",
 +	    key_type(host_key),key_fingerprint_prefix(),  fp);
 	error("Please contact your system administrator.");
 	free(fp);
 diff -up openssh-6.3p1/sshconnect2.c.fingerprint openssh-6.3p1/sshconnect2.c
 --- openssh-6.3p1/sshconnect2.c.fingerprint	2013-10-07 14:02:37.001968139 +0200
 +++ openssh-6.3p1/sshconnect2.c	2013-10-07 15:20:09.403234714 +0200
@@ -590,8 +590,9 @@ input_userauth_pk_ok(int type, u_int32_t
 		    key->type, pktype);
 		goto done;
 	}
 -	fp = key_fingerprint(key, SSH_FP_MD5, SSH_FP_HEX);
 -	debug2("input_userauth_pk_ok: fp %s", fp);
 +	fp = key_selected_fingerprint(key, SSH_FP_HEX);
 +	debug2("input_userauth_pk_ok: fp %s%s",
 +	    key_fingerprint_prefix(), fp);
 	free(fp);
 	/*
@@ -1202,8 +1203,9 @@ sign_and_send_pubkey(Authctxt *authctxt,
 	int have_sig = 1;
 	char *fp;
 -	fp = key_fingerprint(id->key, SSH_FP_MD5, SSH_FP_HEX);
 -	debug3("sign_and_send_pubkey: %s %s", key_type(id->key), fp);
 +	fp = key_selected_fingerprint(id->key, SSH_FP_HEX);
 +	debug3("sign_and_send_pubkey: %s %s%s", key_type(id->key),
 +	    key_fingerprint_prefix(), fp);
 	free(fp);
 	if (key_to_blob(id->key, &blob, &bloblen) == 0) {
--- a/openssh-6.3p1-fips.patch
+++ b/openssh-6.3p1-fips.patch
@ -1,6 +1,50 @@
-diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c
+diff -up openssh-6.3p1/Makefile.in.fips openssh-6.3p1/Makefile.in
--- openssh-6.2p1/authfile.c.fips	2013-03-27 13:14:49.164683482 +0100
+--- openssh-6.3p1/Makefile.in.fips	2013-10-11 22:24:32.850031186 +0200
-+++ openssh-6.2p1/authfile.c	2013-03-27 13:14:49.177683431 +0100
+++ openssh-6.3p1/Makefile.in	2013-10-11 22:24:32.870031092 +0200
@@ -147,25 +147,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
 -	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
 +	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 -	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
 -	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
 -	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
 -	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -177,7 +177,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
 	$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 -	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 +	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-6.3p1/authfile.c.fips openssh-6.3p1/authfile.c
 --- openssh-6.3p1/authfile.c.fips	2013-10-11 22:24:32.857031153 +0200
 +++ openssh-6.3p1/authfile.c	2013-10-11 22:24:32.870031092 +0200
@@ -148,8 +148,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
 	/* Allocate space for the private part of the key in the buffer. */
 	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -34,9 +78,22 @@ diff -up openssh-6.2p1/authfile.c.fips openssh-6.2p1/authfile.c
 	cipher_crypt(&ciphercontext, cp,
 	    buffer_ptr(&copy), buffer_len(&copy), 0, 0);
 	cipher_cleanup(&ciphercontext);
-diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
+diff -up openssh-6.3p1/cipher-ctr.c.fips openssh-6.3p1/cipher-ctr.c
--- openssh-6.2p1/cipher.c.fips	2013-03-27 13:14:49.087683788 +0100
+--- openssh-6.3p1/cipher-ctr.c.fips	2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.2p1/cipher.c	2013-03-27 13:14:49.177683431 +0100
+++ openssh-6.3p1/cipher-ctr.c	2013-10-11 22:24:32.870031092 +0200
@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
 -	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
 +	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
 +	    EVP_CIPH_FLAG_FIPS;
 #endif
 	return (&aes_ctr);
 }
 diff -up openssh-6.3p1/cipher.c.fips openssh-6.3p1/cipher.c
 --- openssh-6.3p1/cipher.c.fips	2013-10-11 22:24:32.820031327 +0200
 +++ openssh-6.3p1/cipher.c	2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@
 #include <sys/types.h>
@ -45,54 +102,63 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
 #include <string.h>
 #include <stdarg.h>
-@@ -89,6 +90,27 @@ struct Cipher ciphers[] = {
+@@ -86,6 +87,27 @@ static const struct Cipher ciphers[] = {
 	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 };
-+struct Cipher fips_ciphers[] = {
+static const struct Cipher fips_ciphers[] = {
-+	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
+	{ "none",	SSH_CIPHER_NONE, 8, 0, 0, 0, 0, 0, EVP_enc_null },
-+	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
+	{ "des",	SSH_CIPHER_DES, 8, 8, 0, 0, 0, 1, EVP_des_cbc },
-+
+	{ "3des",	SSH_CIPHER_3DES, 8, 16, 0, 0, 0, 1, evp_ssh1_3des },
-+	{ "3des-cbc",		SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
+	{ "3des-cbc",	SSH_CIPHER_SSH2, 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
-+	{ "aes128-cbc",		SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
+	{ "aes128-cbc",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
-+	{ "aes192-cbc",		SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
+	{ "aes192-cbc",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
-+	{ "aes256-cbc",		SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+	{ "aes256-cbc",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
 +	{ "rijndael-cbc@lysator.liu.se",
-+				SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+			SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
-+	{ "aes128-ctr",		SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
+	{ "aes128-ctr",	SSH_CIPHER_SSH2, 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
-+	{ "aes192-ctr",		SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_128_ctr },
+	{ "aes192-ctr",	SSH_CIPHER_SSH2, 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
-+	{ "aes256-ctr",		SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_128_ctr },
+	{ "aes256-ctr",	SSH_CIPHER_SSH2, 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
 +#ifdef OPENSSL_HAVE_EVPGCM
 +	{ "aes128-gcm@openssh.com",
 +			SSH_CIPHER_SSH2, 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
 +	{ "aes256-gcm@openssh.com",
 +			SSH_CIPHER_SSH2, 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
 +#endif
-+	{ NULL,			SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, NULL }
+	{ NULL,		SSH_CIPHER_INVALID, 0, 0, 0, 0, 0, 0, NULL }
 +};
 /*--*/
- u_int
+ /* Returns a comma-separated list of supported ciphers. */
-@@ -143,7 +165,7 @@ Cipher *
+@@ -96,7 +118,7 @@ cipher_alg_list(void)
 	size_t nlen, rlen = 0;
 	const Cipher *c;
 -	for (c = ciphers; c->name != NULL; c++) {
 +	for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++) {
 		if (c->number != SSH_CIPHER_SSH2)
 			continue;
 		if (ret != NULL)
@@ -161,7 +183,7 @@ const Cipher *
 cipher_by_name(const char *name)
 {
- 	Cipher *c;
+ 	const Cipher *c;
 -	for (c = ciphers; c->name != NULL; c++)
 +	for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
 		if (strcmp(c->name, name) == 0)
 			return c;
 	return NULL;
-@@ -153,7 +175,7 @@ Cipher *
+@@ -171,7 +193,7 @@ const Cipher *
 cipher_by_number(int id)
 {
- 	Cipher *c;
+ 	const Cipher *c;
 -	for (c = ciphers; c->name != NULL; c++)
 +	for (c = FIPS_mode() ? fips_ciphers : ciphers; c->name != NULL; c++)
 		if (c->number == id)
 			return c;
 	return NULL;
-@@ -197,7 +219,7 @@ cipher_number(const char *name)
+@@ -215,7 +237,7 @@ cipher_number(const char *name)
- 	Cipher *c;
+ 	const Cipher *c;
 	if (name == NULL)
 		return -1;
 -	for (c = ciphers; c->name != NULL; c++)
@ -100,13 +166,13 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
 		if (strcasecmp(c->name, name) == 0)
 			return c->number;
 	return -1;
-@@ -356,14 +378,15 @@ cipher_cleanup(CipherContext *cc)
+@@ -374,14 +396,15 @@ cipher_cleanup(CipherContext *cc)
  * passphrase and using the resulting 16 bytes as the key.
  */
 -void
 +int
- cipher_set_key_string(CipherContext *cc, Cipher *cipher,
+ cipher_set_key_string(CipherContext *cc, const Cipher *cipher,
     const char *passphrase, int do_encrypt)
 {
 	MD5_CTX md;
@ -118,7 +184,7 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
 	MD5_Update(&md, (const u_char *)passphrase, strlen(passphrase));
 	MD5_Final(digest, &md);
-@@ -371,6 +394,7 @@ cipher_set_key_string(CipherContext *cc,
+@@ -389,6 +412,7 @@ cipher_set_key_string(CipherContext *cc,
 	memset(digest, 0, sizeof(digest));
 	memset(&md, 0, sizeof(md));
@ -126,34 +192,21 @@ diff -up openssh-6.2p1/cipher.c.fips openssh-6.2p1/cipher.c
 }
 /*
-diff -up openssh-6.2p1/cipher-ctr.c.fips openssh-6.2p1/cipher-ctr.c
+diff -up openssh-6.3p1/cipher.h.fips openssh-6.3p1/cipher.h
--- openssh-6.2p1/cipher-ctr.c.fips	2013-01-20 12:31:30.000000000 +0100
+--- openssh-6.3p1/cipher.h.fips	2013-10-11 22:24:32.820031327 +0200
-+++ openssh-6.2p1/cipher-ctr.c	2013-03-27 13:14:49.177683431 +0100
+++ openssh-6.3p1/cipher.h	2013-10-11 22:24:32.871031087 +0200
-@@ -138,7 +138,8 @@ evp_aes_128_ctr(void)
+@@ -92,7 +92,7 @@ void	 cipher_init(CipherContext *, const
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
 	aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
 -	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
 +	    EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV |
 +	    EVP_CIPH_FLAG_FIPS;
 #endif
 	return (&aes_ctr);
 }
 diff -up openssh-6.2p1/cipher.h.fips openssh-6.2p1/cipher.h
 --- openssh-6.2p1/cipher.h.fips	2013-03-27 13:14:49.088683784 +0100
 +++ openssh-6.2p1/cipher.h	2013-03-27 13:14:49.177683431 +0100
@@ -91,7 +91,7 @@ void	 cipher_init(CipherContext *, Ciphe
 void	 cipher_crypt(CipherContext *, u_char *, const u_char *,
     u_int, u_int, u_int);
 void	 cipher_cleanup(CipherContext *);
-void	 cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
+-void	 cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
-+int	 cipher_set_key_string(CipherContext *, Cipher *, const char *, int);
+int	 cipher_set_key_string(CipherContext *, const Cipher *, const char *, int);
 u_int	 cipher_blocksize(const Cipher *);
 u_int	 cipher_keylen(const Cipher *);
 u_int	 cipher_authlen(const Cipher *);
-diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
+diff -up openssh-6.3p1/key.c.fips openssh-6.3p1/key.c
--- openssh-6.2p1/key.c.fips	2013-03-27 13:14:49.100683736 +0100
+--- openssh-6.3p1/key.c.fips	2013-10-11 22:24:32.821031322 +0200
-+++ openssh-6.2p1/key.c	2013-03-27 13:14:49.178683427 +0100
+++ openssh-6.3p1/key.c	2013-10-11 22:24:32.871031087 +0200
@@ -40,6 +40,7 @@
 #include <sys/types.h>
@ -162,7 +215,7 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
 #include <openbsd-compat/openssl-compat.h>
 #include <stdarg.h>
-@@ -607,9 +608,13 @@ key_fingerprint_selection(void)
+@@ -606,9 +607,13 @@ key_fingerprint_selection(void)
 	char *env;
 	if (!rv_defined) {
@ -179,9 +232,9 @@ diff -up openssh-6.2p1/key.c.fips openssh-6.2p1/key.c
 		rv_defined = 1;
 	}
 	return rv;
-diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c
+diff -up openssh-6.3p1/mac.c.fips openssh-6.3p1/mac.c
--- openssh-6.2p1/mac.c.fips	2013-03-27 13:14:49.093683764 +0100
+--- openssh-6.3p1/mac.c.fips	2013-10-11 22:24:32.821031322 +0200
-+++ openssh-6.2p1/mac.c	2013-03-27 13:16:33.524266158 +0100
+++ openssh-6.3p1/mac.c	2013-10-11 22:25:35.394737186 +0200
@@ -28,6 +28,7 @@
 #include <sys/types.h>
@ -190,102 +243,56 @@ diff -up openssh-6.2p1/mac.c.fips openssh-6.2p1/mac.c
 #include <stdarg.h>
 #include <string.h>
-@@ -50,7 +51,7 @@
+@@ -60,7 +61,7 @@ struct macalg {
 #define SSH_UMAC	2	/* UMAC (not integrated with OpenSSL) */
 #define SSH_UMAC128	3
 -struct {
 +struct Macs {
 	char		*name;
 	int		type;
 	const EVP_MD *	(*mdfunc)(void);
@@ -58,7 +59,9 @@ struct {
 	int		key_len;	/* just for UMAC */
 	int		len;		/* just for UMAC */
 	int		etm;		/* Encrypt-then-MAC */
-} macs[] = {
+ };
-+};
+ 
-+
+-static const struct macalg macs[] = {
-+struct Macs all_macs[] = {
+static const struct macalg all_macs[] = {
 	/* Encrypt-and-MAC (encrypt-and-authenticate) variants */
 	{ "hmac-sha1",				SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
 	{ "hmac-sha1-96",			SSH_EVP, EVP_sha1, 96, 0, 0, 0 },
-@@ -89,9 +92,19 @@ struct {
+@@ -91,6 +92,18 @@ static const struct macalg macs[] = {
 	{ NULL,					0, NULL, 0, 0, 0, 0 }
 };
-+struct Macs fips_macs[] = {
+static const struct macalg fips_macs[] = {
-+	{ "hmac-sha1",			SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
+	{ "hmac-sha1",				SSH_EVP, EVP_sha1, 0, 0, 0, 0 },
 +	{ "hmac-sha1-etm@openssh.com",		SSH_EVP, EVP_sha1, 0, 0, 0, 1 },
 +#ifdef HAVE_EVP_SHA256
-+	{ "hmac-sha2-256",		SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
+	{ "hmac-sha2-256",			SSH_EVP, EVP_sha256, 0, 0, 0, 0 },
-+	{ "hmac-sha2-512",		SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
+	{ "hmac-sha2-512",			SSH_EVP, EVP_sha512, 0, 0, 0, 0 },
 +	{ "hmac-sha2-256-etm@openssh.com",	SSH_EVP, EVP_sha256, 0, 0, 0, 1 },
 +	{ "hmac-sha2-512-etm@openssh.com",	SSH_EVP, EVP_sha512, 0, 0, 0, 1 },
 +#endif
-+	{ NULL,				0, NULL, 0, -1, -1 }
+	{ NULL,					0, NULL, 0, 0, 0, 0 }
 +};
 +
- static void
+ /* Returns a comma-separated list of supported MACs. */
- mac_setup_by_id(Mac *mac, int which)
+ char *
 mac_alg_list(void)
@@ -99,7 +112,7 @@ mac_alg_list(void)
 	size_t nlen, rlen = 0;
 	const struct macalg *m;
 -	for (m = macs; m->name != NULL; m++) {
 +	for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
 		if (ret != NULL)
 			ret[rlen++] = '\n';
 		nlen = strlen(m->name);
@@ -136,7 +149,7 @@ mac_setup(Mac *mac, char *name)
 {
-+	struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
+ 	const struct macalg *m;
 	int evp_len;
 	mac->type = macs[which].type;
 	if (mac->type == SSH_EVP) {
@@ -113,6 +126,7 @@ int
 mac_setup(Mac *mac, char *name)
 {
 	int i;
 +	struct Macs *macs = FIPS_mode() ? fips_macs : all_macs;
- 	for (i = 0; macs[i].name; i++) {
+-	for (m = macs; m->name != NULL; m++) {
- 		if (strcmp(name, macs[i].name) == 0) {
+	for (m = FIPS_mode() ? fips_macs : all_macs; m->name != NULL; m++) {
-diff -up openssh-6.2p1/Makefile.in.fips openssh-6.2p1/Makefile.in
+ 		if (strcmp(name, m->name) != 0)
--- openssh-6.2p1/Makefile.in.fips	2013-03-27 13:14:49.155683518 +0100
+ 			continue;
-+++ openssh-6.2p1/Makefile.in	2013-03-27 13:14:49.178683427 +0100
+ 		if (mac != NULL)
-@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
+diff -up openssh-6.3p1/myproposal.h.fips openssh-6.3p1/myproposal.h
- 	$(RANLIB) $@
+--- openssh-6.3p1/myproposal.h.fips	2013-06-11 04:10:02.000000000 +0200
- 
+++ openssh-6.3p1/myproposal.h	2013-10-11 22:24:32.872031082 +0200
- ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
+@@ -114,6 +114,19 @@
 -	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHLIBS) $(LIBS) $(GSSLIBS)
 +	$(LD) -o $@ $(SSHOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHLIBS) $(LIBS) $(GSSLIBS)
 sshd$(EXEEXT): libssh.a	$(LIBCOMPAT) $(SSHDOBJS)
 -	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 +	$(LD) -o $@ $(SSHDOBJS) $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(SSHDLIBS) $(LIBS) $(GSSLIBS) $(K5LIBS)
 scp$(EXEEXT): $(LIBCOMPAT) libssh.a scp.o progressmeter.o
 	$(LD) -o $@ scp.o progressmeter.o bufaux.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-add.o
 -	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-add.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-agent.o ssh-pkcs11-client.o
 -	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-agent.o ssh-pkcs11-client.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keygen.o
 -	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keygen.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keysign$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keysign.o roaming_dummy.o readconf.o
 -	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 +	$(LD) -o $@ ssh-keysign.o readconf.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
@@ -175,7 +175,7 @@ ssh-keycat$(EXEEXT): $(LIBCOMPAT) libssh
 	$(LD) -o $@ ssh-keycat.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(SSHDLIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 -	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
 +	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lfipscheck $(LIBS)
 sftp-server$(EXEEXT): $(LIBCOMPAT) libssh.a sftp.o sftp-common.o sftp-server.o sftp-server-main.o
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
 --- openssh-6.2p1/myproposal.h.fips	2013-01-09 06:12:19.000000000 +0100
 +++ openssh-6.2p1/myproposal.h	2013-03-27 13:14:49.178683427 +0100
@@ -106,6 +106,19 @@
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
 #define	KEX_DEFAULT_LANG	""
@ -305,9 +312,9 @@ diff -up openssh-6.2p1/myproposal.h.fips openssh-6.2p1/myproposal.h
 static char *myproposal[PROPOSAL_MAX] = {
 	KEX_DEFAULT_KEX,
-diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbsd-compat/bsd-arc4random.c
+diff -up openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.3p1/openbsd-compat/bsd-arc4random.c
--- openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
+--- openssh-6.3p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-6.2p1/openbsd-compat/bsd-arc4random.c	2013-03-27 13:14:49.179683423 +0100
+++ openssh-6.3p1/openbsd-compat/bsd-arc4random.c	2013-10-11 22:24:32.872031082 +0200
@@ -37,25 +37,18 @@
 #define REKEY_BYTES	(1 << 24)
@ -363,9 +370,9 @@ diff -up openssh-6.2p1/openbsd-compat/bsd-arc4random.c.fips openssh-6.2p1/openbs
 }
 #endif /* !HAVE_ARC4RANDOM */
-diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
+diff -up openssh-6.3p1/ssh.c.fips openssh-6.3p1/ssh.c
--- openssh-6.2p2/ssh.c.fips	2013-04-05 02:22:36.000000000 +0200
+--- openssh-6.3p1/ssh.c.fips	2013-07-25 03:55:53.000000000 +0200
-+++ openssh-6.2p2/ssh.c	2013-10-08 17:21:26.894761211 +0200
+++ openssh-6.3p1/ssh.c	2013-10-11 22:24:32.872031082 +0200
@@ -73,6 +73,8 @@
 #include <openssl/evp.h>
@ -389,8 +396,8 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
 #ifndef HAVE_SETPROCTITLE
 	/* Prepare for later setproctitle emulation */
-@@ -329,6 +338,9 @@ main(int ac, char **av)
+@@ -330,6 +339,9 @@ main(int ac, char **av)
- 	    "ACD:F:I:KL:MNO:PR:S:TVw:W:XYy")) != -1) {
+ 	    "ACD:E:F:I:KL:MNO:PQ:R:S:TVw:W:XYy")) != -1) {
 		switch (opt) {
 		case '1':
 +			if (FIPS_mode()) {
@ -399,7 +406,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
 			options.protocol = SSH_PROTO_1;
 			break;
 		case '2':
-@@ -628,7 +640,6 @@ main(int ac, char **av)
+@@ -647,7 +659,6 @@ main(int ac, char **av)
 	if (!host)
 		usage();
@ -407,7 +414,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
 	ERR_load_crypto_strings();
 	/* Initialize the command to execute on remote host. */
-@@ -719,6 +730,10 @@ main(int ac, char **av)
+@@ -748,6 +759,10 @@ main(int ac, char **av)
 	seed_rng();
@ -418,7 +425,7 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
 	if (options.user == NULL)
 		options.user = xstrdup(pw->pw_name);
-@@ -787,6 +802,12 @@ main(int ac, char **av)
+@@ -816,6 +831,12 @@ main(int ac, char **av)
 	timeout_ms = options.connection_timeout * 1000;
@ -431,9 +438,9 @@ diff -up openssh-6.2p2/ssh.c.fips openssh-6.2p2/ssh.c
 	/* Open a connection to the remote host. */
 	if (ssh_connect(host, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts, &timeout_ms,
-diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
+diff -up openssh-6.3p1/sshconnect2.c.fips openssh-6.3p1/sshconnect2.c
--- openssh-6.2p1/sshconnect2.c.fips	2013-03-27 13:14:49.066683871 +0100
+--- openssh-6.3p1/sshconnect2.c.fips	2013-10-11 22:24:32.810031374 +0200
-+++ openssh-6.2p1/sshconnect2.c	2013-03-27 13:14:49.179683423 +0100
+++ openssh-6.3p1/sshconnect2.c	2013-10-11 22:24:32.873031077 +0200
@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -466,9 +473,9 @@ diff -up openssh-6.2p1/sshconnect2.c.fips openssh-6.2p1/sshconnect2.c
 	if (options.hostkeyalgorithms != NULL)
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    options.hostkeyalgorithms;
-diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
+diff -up openssh-6.3p1/sshd.c.fips openssh-6.3p1/sshd.c
--- openssh-6.2p2/sshd.c.fips	2013-10-08 17:14:05.455864248 +0200
+--- openssh-6.3p1/sshd.c.fips	2013-10-11 22:24:32.842031223 +0200
-+++ openssh-6.2p2/sshd.c	2013-10-08 17:22:15.897527827 +0200
+++ openssh-6.3p1/sshd.c	2013-10-11 22:24:32.873031077 +0200
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@ -478,7 +485,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #ifdef HAVE_SECUREWARE
-@@ -1423,6 +1425,14 @@ main(int ac, char **av)
+@@ -1450,6 +1452,14 @@ main(int ac, char **av)
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -493,18 +500,18 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
 	saved_argc = ac;
 	rexec_argc = ac;
-@@ -1571,8 +1581,6 @@ main(int ac, char **av)
+@@ -1601,8 +1611,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 -	OpenSSL_add_all_algorithms();
 -
- 	/*
+ 	/* If requested, redirect the logs to the specified logfile. */
- 	 * Force logging to stderr until we have loaded the private host
+ 	if (logfile != NULL) {
- 	 * key (unless started from inetd)
+ 		log_redirect_stderr_to(logfile);
-@@ -1715,6 +1723,10 @@ main(int ac, char **av)
+@@ -1773,6 +1781,10 @@ main(int ac, char **av)
- 		debug("private host key: #%d type %d %s", i, key->type,
+ 		debug("private host key: #%d type %d %s", i, keytype,
- 		    key_type(key));
+ 		    key_type(key ? key : pubkey));
 	}
 +	if ((options.protocol & SSH_PROTO_1) && FIPS_mode()) {
 +		logit("Disabling protocol version 1. Not allowed in the FIPS mode.");
@ -513,7 +520,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -1878,6 +1890,10 @@ main(int ac, char **av)
+@@ -1936,6 +1948,10 @@ main(int ac, char **av)
 	/* Initialize the random number generator. */
 	arc4random_stir();
@ -523,8 +530,8 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
 +
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
- 	(void) chdir("/");
+ 	if (chdir("/") == -1)
-@@ -2420,6 +2436,9 @@ do_ssh2_kex(void)
+@@ -2498,6 +2514,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -534,7 +541,7 @@ diff -up openssh-6.2p2/sshd.c.fips openssh-6.2p2/sshd.c
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2429,6 +2448,9 @@ do_ssh2_kex(void)
+@@ -2507,6 +2526,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
--- a/openssh-6.3p1-force_krb.patch
+++ b/openssh-6.3p1-force_krb.patch
@ -1,6 +1,6 @@
-diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
+diff -up openssh-6.3p1/gss-serv-krb5.c.force_krb openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.2p1/gss-serv-krb5.c.force_krb	2013-03-25 20:04:53.807817333 +0100
+--- openssh-6.3p1/gss-serv-krb5.c.force_krb	2013-10-11 18:58:51.553948159 +0200
-+++ openssh-6.2p1/gss-serv-krb5.c	2013-03-25 20:04:53.818817403 +0100
+++ openssh-6.3p1/gss-serv-krb5.c	2013-10-11 21:40:49.972337025 +0200
@@ -32,7 +32,9 @@
 #include <sys/types.h>
@ -11,7 +11,7 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
 #include "xmalloc.h"
 #include "key.h"
-@@ -40,12 +42,11 @@
+@@ -40,10 +42,12 @@
 #include "auth.h"
 #include "log.h"
 #include "servconf.h"
@ -20,18 +20,14 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
 #include "buffer.h"
 #include "ssh-gss.h"
-extern ServerOptions options;
+extern Authctxt *the_authctxt;
-
+ extern ServerOptions options;
 #ifdef HEIMDAL
- # include <krb5.h>
+@@ -55,6 +59,13 @@ extern ServerOptions options;
- #else
+ # include <gssapi/gssapi_krb5.h>
@@ -56,6 +57,16 @@ extern ServerOptions options;
 # endif
 #endif
 +extern Authctxt *the_authctxt;
 +extern ServerOptions options;
 +
 +/* all commands are allowed by default */
 +char **k5users_allowed_cmds = NULL;
 +
@ -42,21 +38,16 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
 static krb5_context krb_context = NULL;
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -83,10 +94,11 @@ ssh_gssapi_krb5_init(void)
+@@ -87,6 +98,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
  */
 static int
 -ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *name)
 +ssh_gssapi_krb5_userok(ssh_gssapi_client *client, char *luser)
 {
 	krb5_principal princ;
 	int retval;
 	const char *errmsg;
 +	int k5login_exists;
 	if (ssh_gssapi_krb5_init() == 0)
 		return 0;
-@@ -97,10 +109,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -98,10 +110,22 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
- 		    krb5_get_err_text(krb_context, retval));
+ 		krb5_free_error_message(krb_context, errmsg);
 		return 0;
 	}
 -	if (krb5_kuserok(krb_context, princ, name)) {
@ -66,21 +57,20 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
 +	/* NOTE: .k5login and .k5users must opened as root, not the user,
 +	 * because if they are on a krb5-protected filesystem, user credentials
 +	 * to access these files aren't available yet. */
-+	if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
-		    name, (char *)client->displayname.value);
+ 		    name, (char *)client->displayname.value);
 +		    luser, (char *)client->displayname.value);
 +	} else if (ssh_gssapi_krb5_cmdok(princ, client->exportedname.value,
-+		luser, k5login_exists)) {
+		name, k5login_exists)) {
 +		retval = 1;
 +		logit("Authorized to %s, krb5 principal %s "
 +		    "(ssh_gssapi_krb5_cmdok)",
-+		    luser, (char *)client->displayname.value);
+		    name, (char *)client->displayname.value);
 	} else
 		retval = 0;
-@@ -108,6 +132,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -109,6 +133,135 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
 	return retval;
 }
@ -216,9 +206,9 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.force_krb openssh-6.2p1/gss-serv-krb5.c
 /* This writes out any forwarded credentials from the structure populated
  * during userauth. Called after we have setuid to the user */
-diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c
+diff -up openssh-6.3p1/session.c.force_krb openssh-6.3p1/session.c
--- openssh-6.2p1/session.c.force_krb	2013-03-25 20:04:53.724816810 +0100
+--- openssh-6.3p1/session.c.force_krb	2013-10-11 18:58:51.487948468 +0200
-+++ openssh-6.2p1/session.c	2013-03-25 20:04:53.818817403 +0100
+++ openssh-6.3p1/session.c	2013-10-11 18:58:51.563948112 +0200
@@ -823,6 +823,29 @@ do_exec(Session *s, const char *command)
 		debug("Forced command (key option) '%.900s'", command);
 	}
@ -249,10 +239,24 @@ diff -up openssh-6.2p1/session.c.force_krb openssh-6.2p1/session.c
 #ifdef SSH_AUDIT_EVENTS
 	if (s->command != NULL || s->command_handle != -1)
 		fatal("do_exec: command already set");
-diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
+diff -up openssh-6.3p1/ssh-gss.h.force_krb openssh-6.3p1/ssh-gss.h
--- openssh-6.2p1/sshd.8.force_krb	2013-03-25 20:04:53.787817207 +0100
+--- openssh-6.3p1/ssh-gss.h.force_krb	2013-10-11 18:58:51.558948136 +0200
-+++ openssh-6.2p1/sshd.8	2013-03-25 20:04:53.819817409 +0100
+++ openssh-6.3p1/ssh-gss.h	2013-10-11 18:58:51.563948112 +0200
-@@ -323,6 +323,7 @@ Finally, the server and the client enter
+@@ -49,6 +49,10 @@
 #  endif /* !HAVE_DECL_GSS_C_NT_... */
 # endif /* !HEIMDAL */
 +
 +/* .k5users support */
 +extern char **k5users_allowed_cmds;
 +
 #endif /* KRB5 */
 /* draft-ietf-secsh-gsskeyex-06 */
 diff -up openssh-6.3p1/sshd.8.force_krb openssh-6.3p1/sshd.8
 --- openssh-6.3p1/sshd.8.force_krb	2013-10-11 18:58:51.537948234 +0200
 +++ openssh-6.3p1/sshd.8	2013-10-11 18:58:51.563948112 +0200
@@ -326,6 +326,7 @@ Finally, the server and the client enter
 The client tries to authenticate itself using
 host-based authentication,
 public key authentication,
@ -260,7 +264,7 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
 challenge-response authentication,
 or password authentication.
 .Pp
-@@ -796,6 +797,12 @@ This file is used in exactly the same wa
+@@ -797,6 +798,12 @@ This file is used in exactly the same wa
 but allows host-based authentication without permitting login with
 rlogin/rsh.
 .Pp
@ -273,17 +277,3 @@ diff -up openssh-6.2p1/sshd.8.force_krb openssh-6.2p1/sshd.8
 .It Pa ~/.ssh/
 This directory is the default location for all user-specific configuration
 and authentication information.
 diff -up openssh-6.2p1/ssh-gss.h.force_krb openssh-6.2p1/ssh-gss.h
 --- openssh-6.2p1/ssh-gss.h.force_krb	2013-03-25 20:04:53.819817409 +0100
 +++ openssh-6.2p1/ssh-gss.h	2013-03-25 20:05:26.463023197 +0100
@@ -49,6 +49,10 @@
 #  endif /* !HAVE_DECL_GSS_C_NT_... */
 # endif /* !HEIMDAL */
 +
 +/* .k5users support */
 +extern char **k5users_allowed_cmds;
 +
 #endif /* KRB5 */
 /* draft-ietf-secsh-gsskeyex-06 */
--- a/openssh-6.3p1-gsskex.patch
+++ b/openssh-6.3p1-gsskex.patch
--- a/openssh-6.3p1-keycat.patch
+++ b/openssh-6.3p1-keycat.patch
@ -1,24 +1,6 @@
-diff -up openssh-6.2p1/auth2-pubkey.c.keycat openssh-6.2p1/auth2-pubkey.c
+diff -up openssh-6.3p1/HOWTO.ssh-keycat.keycat openssh-6.3p1/HOWTO.ssh-keycat
--- openssh-6.2p1/auth2-pubkey.c.keycat	2013-03-25 21:34:17.779978851 +0100
+--- openssh-6.3p1/HOWTO.ssh-keycat.keycat	2013-10-10 15:16:33.445566916 +0200
-+++ openssh-6.2p1/auth2-pubkey.c	2013-03-25 21:34:17.798978973 +0100
+++ openssh-6.3p1/HOWTO.ssh-keycat	2013-10-10 15:16:33.445566916 +0200
@@ -573,6 +573,14 @@ user_key_command_allowed2(struct passwd
 			_exit(1);
 		}
 +#ifdef WITH_SELINUX
 +		if (ssh_selinux_setup_env_variables() < 0) {
 +			error ("failed to copy environment:  %s",
 +			    strerror(errno));
 +			_exit(127);
 +		}
 +#endif
 +
 		execl(options.authorized_keys_command,
 		    options.authorized_keys_command, user_pw->pw_name, NULL);
 diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
 --- openssh-6.2p1/HOWTO.ssh-keycat.keycat	2013-03-25 21:34:17.798978973 +0100
 +++ openssh-6.2p1/HOWTO.ssh-keycat	2013-03-25 21:34:17.798978973 +0100
@@ -0,0 +1,12 @@
 +The ssh-keycat retrieves the content of the ~/.ssh/authorized_keys
 +of an user in any environment. This includes environments with
@ -32,9 +14,9 @@ diff -up openssh-6.2p1/HOWTO.ssh-keycat.keycat openssh-6.2p1/HOWTO.ssh-keycat
 +        PubkeyAuthentication yes
 +
 +
-diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
+diff -up openssh-6.3p1/Makefile.in.keycat openssh-6.3p1/Makefile.in
--- openssh-6.2p1/Makefile.in.keycat	2013-03-25 21:34:17.793978941 +0100
+--- openssh-6.3p1/Makefile.in.keycat	2013-10-10 15:16:33.442566930 +0200
-+++ openssh-6.2p1/Makefile.in	2013-03-25 21:35:48.282559562 +0100
+++ openssh-6.3p1/Makefile.in	2013-10-10 15:16:33.445566916 +0200
@@ -27,6 +27,7 @@ SFTP_SERVER=$(libexecdir)/sftp-server
 SSH_KEYSIGN=$(libexecdir)/ssh-keysign
 SSH_LDAP_HELPER=$(libexecdir)/ssh-ldap-helper
@ -52,7 +34,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
 LIBSSH_OBJS=authfd.o authfile.o bufaux.o bufbn.o buffer.o \
 	canohost.o channels.o cipher.o cipher-aes.o \
-@@ -170,6 +171,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
+@@ -172,6 +173,9 @@ ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT)
 ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o
 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
@ -62,7 +44,7 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
 	$(LD) -o $@ ssh-keyscan.o roaming_dummy.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh $(LIBS)
-@@ -276,6 +280,7 @@ install-files:
+@@ -279,6 +283,7 @@ install-files:
 		$(INSTALL) -m 0700 $(STRIP_OPT) ssh-ldap-helper $(DESTDIR)$(SSH_LDAP_HELPER) ; \
 		$(INSTALL) -m 0700 ssh-ldap-wrapper $(DESTDIR)$(SSH_LDAP_WRAPPER) ; \
 	fi
@ -70,10 +52,28 @@ diff -up openssh-6.2p1/Makefile.in.keycat openssh-6.2p1/Makefile.in
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp$(EXEEXT) $(DESTDIR)$(bindir)/sftp$(EXEEXT)
 	$(INSTALL) -m 0755 $(STRIP_OPT) sftp-server$(EXEEXT) $(DESTDIR)$(SFTP_SERVER)$(EXEEXT)
 	$(INSTALL) -m 644 ssh.1.out $(DESTDIR)$(mandir)/$(mansubdir)1/ssh.1
-diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-compat/port-linux.c
+diff -up openssh-6.3p1/auth2-pubkey.c.keycat openssh-6.3p1/auth2-pubkey.c
--- openssh-6.2p1/openbsd-compat/port-linux.c.keycat	2013-03-25 21:34:17.785978890 +0100
+--- openssh-6.3p1/auth2-pubkey.c.keycat	2013-10-10 15:16:33.429566992 +0200
-+++ openssh-6.2p1/openbsd-compat/port-linux.c	2013-03-25 21:34:17.800978986 +0100
+++ openssh-6.3p1/auth2-pubkey.c	2013-10-10 15:16:33.445566916 +0200
-@@ -315,7 +315,7 @@ ssh_selinux_getctxbyname(char *pwname,
+@@ -606,6 +606,14 @@ user_key_command_allowed2(struct passwd
 			_exit(1);
 		}
 +#ifdef WITH_SELINUX
 +		if (ssh_selinux_setup_env_variables() < 0) {
 +			error ("failed to copy environment:  %s",
 +			    strerror(errno));
 +			_exit(127);
 +		}
 +#endif
 +
 		execl(options.authorized_keys_command,
 		    options.authorized_keys_command, user_pw->pw_name, NULL);
 diff -up openssh-6.3p1/openbsd-compat/port-linux.c.keycat openssh-6.3p1/openbsd-compat/port-linux.c
 --- openssh-6.3p1/openbsd-compat/port-linux.c.keycat	2013-10-10 15:16:33.435566964 +0200
 +++ openssh-6.3p1/openbsd-compat/port-linux.c	2013-10-10 15:32:19.946065189 +0200
@@ -313,7 +313,7 @@ ssh_selinux_getctxbyname(char *pwname,
 /* Setup environment variables for pam_selinux */
 static int
@ -82,7 +82,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
 {
 	const char *reqlvl;
 	char *role;
-@@ -326,16 +326,16 @@ ssh_selinux_setup_pam_variables(void)
+@@ -324,16 +324,16 @@ ssh_selinux_setup_pam_variables(void)
 	ssh_selinux_get_role_level(&role, &reqlvl);
@ -101,8 +101,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
 +	rv = rv || set_it("SELINUX_USE_CURRENT_RANGE", use_current);
 	if (role != NULL)
- 		xfree(role);
+ 		free(role);
-@@ -343,6 +343,24 @@ ssh_selinux_setup_pam_variables(void)
+@@ -341,6 +341,24 @@ ssh_selinux_setup_pam_variables(void)
 	return rv;
 }
@ -127,9 +127,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.keycat openssh-6.2p1/openbsd-
 /* Set the execution context to the default for the specified user */
 void
 ssh_selinux_setup_exec_context(char *pwname)
-diff -up openssh-6.2p1/ssh-keycat.c.keycat openssh-6.2p1/ssh-keycat.c
+diff -up openssh-6.3p1/ssh-keycat.c.keycat openssh-6.3p1/ssh-keycat.c
--- openssh-6.2p1/ssh-keycat.c.keycat	2013-03-25 21:34:17.800978986 +0100
+--- openssh-6.3p1/ssh-keycat.c.keycat	2013-10-10 15:16:33.446566911 +0200
-+++ openssh-6.2p1/ssh-keycat.c	2013-03-25 21:34:17.800978986 +0100
+++ openssh-6.3p1/ssh-keycat.c	2013-10-10 15:16:33.446566911 +0200
@@ -0,0 +1,238 @@
 +/*
 + * Redistribution and use in source and binary forms, with or without
--- a/openssh-6.3p1-kuserok.patch
+++ b/openssh-6.3p1-kuserok.patch
@ -1,6 +1,6 @@
-diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
+diff -up openssh-6.3p1/auth-krb5.c.kuserok openssh-6.3p1/auth-krb5.c
--- openssh-6.2p1/auth-krb5.c.kuserok	2013-03-25 20:06:51.295558062 +0100
+--- openssh-6.3p1/auth-krb5.c.kuserok	2013-10-11 21:41:42.889087613 +0200
-+++ openssh-6.2p1/auth-krb5.c	2013-03-25 20:06:51.318558207 +0100
+++ openssh-6.3p1/auth-krb5.c	2013-10-11 21:41:42.905087537 +0200
@@ -55,6 +55,20 @@
 extern ServerOptions	 options;
@ -22,7 +22,7 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
 static int
 krb5_init(void *context)
 {
-@@ -147,7 +161,7 @@ auth_krb5_password(Authctxt *authctxt, c
+@@ -159,7 +173,7 @@ auth_krb5_password(Authctxt *authctxt, c
 	if (problem)
 		goto out;
@ -31,10 +31,10 @@ diff -up openssh-6.2p1/auth-krb5.c.kuserok openssh-6.2p1/auth-krb5.c
 		problem = -1;
 		goto out;
 	}
-diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c
+diff -up openssh-6.3p1/gss-serv-krb5.c.kuserok openssh-6.3p1/gss-serv-krb5.c
--- openssh-6.2p1/gss-serv-krb5.c.kuserok	2013-03-25 20:06:51.311558163 +0100
+--- openssh-6.3p1/gss-serv-krb5.c.kuserok	2013-10-11 21:41:42.901087556 +0200
-+++ openssh-6.2p1/gss-serv-krb5.c	2013-03-25 20:06:51.319558214 +0100
+++ openssh-6.3p1/gss-serv-krb5.c	2013-10-11 21:46:42.898673597 +0200
-@@ -68,6 +68,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
+@@ -67,6 +67,7 @@ static int ssh_gssapi_krb5_cmdok(krb5_pr
     int);
 static krb5_context krb_context = NULL;
@ -42,19 +42,19 @@ diff -up openssh-6.2p1/gss-serv-krb5.c.kuserok openssh-6.2p1/gss-serv-krb5.c
 /* Initialise the krb5 library, for the stuff that GSSAPI won't do */
-@@ -115,7 +116,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
+@@ -116,7 +117,7 @@ ssh_gssapi_krb5_userok(ssh_gssapi_client
 	/* NOTE: .k5login and .k5users must opened as root, not the user,
 	 * because if they are on a krb5-protected filesystem, user credentials
 	 * to access these files aren't available yet. */
-	if (krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+-	if (krb5_kuserok(krb_context, princ, name) && k5login_exists) {
-+	if (ssh_krb5_kuserok(krb_context, princ, luser) && k5login_exists) {
+	if (ssh_krb5_kuserok(krb_context, princ, name) && k5login_exists) {
 		retval = 1;
 		logit("Authorized to %s, krb5 principal %s (krb5_kuserok)",
- 		    luser, (char *)client->displayname.value);
+ 		    name, (char *)client->displayname.value);
-diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
+diff -up openssh-6.3p1/servconf.c.kuserok openssh-6.3p1/servconf.c
--- openssh-6.2p1/servconf.c.kuserok	2013-03-25 20:06:51.305558125 +0100
+--- openssh-6.3p1/servconf.c.kuserok	2013-10-11 21:41:42.896087580 +0200
-+++ openssh-6.2p1/servconf.c	2013-03-25 20:06:51.319558214 +0100
+++ openssh-6.3p1/servconf.c	2013-10-11 21:48:24.664194016 +0200
-@@ -150,6 +150,7 @@ initialize_server_options(ServerOptions
+@@ -157,6 +157,7 @@ initialize_server_options(ServerOptions
 	options->ip_qos_interactive = -1;
 	options->ip_qos_bulk = -1;
 	options->version_addendum = NULL;
@ -62,7 +62,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
 }
 void
-@@ -299,6 +300,8 @@ fill_default_server_options(ServerOption
+@@ -310,6 +311,8 @@ fill_default_server_options(ServerOption
 		options->version_addendum = xstrdup("");
 	if (options->show_patchlevel == -1)
 		options->show_patchlevel = 0;
@ -71,7 +71,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
 	/* Turn privilege separation on by default */
 	if (use_privsep == -1)
-@@ -325,7 +328,7 @@ typedef enum {
+@@ -336,7 +339,7 @@ typedef enum {
 	sPermitRootLogin, sLogFacility, sLogLevel,
 	sRhostsRSAAuthentication, sRSAAuthentication,
 	sKerberosAuthentication, sKerberosOrLocalPasswd, sKerberosTicketCleanup,
@ -80,7 +80,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
 	sKerberosTgtPassing, sChallengeResponseAuthentication,
 	sPasswordAuthentication, sKbdInteractiveAuthentication,
 	sListenAddress, sAddressFamily,
-@@ -397,11 +400,13 @@ static struct {
+@@ -409,11 +412,13 @@ static struct {
 #else
 	{ "kerberosgetafstoken", sUnsupported, SSHCFG_GLOBAL },
 #endif
@ -94,7 +94,7 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
 #endif
 	{ "kerberostgtpassing", sUnsupported, SSHCFG_GLOBAL },
 	{ "afstokenpassing", sUnsupported, SSHCFG_GLOBAL },
-@@ -1460,6 +1465,10 @@ process_server_config_line(ServerOptions
+@@ -1515,6 +1520,10 @@ process_server_config_line(ServerOptions
 		*activep = value;
 		break;
@ -105,15 +105,15 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
 	case sPermitOpen:
 		arg = strdelim(&cp);
 		if (!arg || *arg == '\0')
-@@ -1761,6 +1770,7 @@ copy_set_server_options(ServerOptions *d
+@@ -1815,6 +1824,7 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(max_authtries);
 	M_CP_INTOPT(ip_qos_interactive);
 	M_CP_INTOPT(ip_qos_bulk);
 +	M_CP_INTOPT(use_kuserok);
 	M_CP_INTOPT(rekey_limit);
 	M_CP_INTOPT(rekey_interval);
- 	/* See comment in servconf.h */
+@@ -2055,6 +2065,7 @@ dump_config(ServerOptions *o)
 	COPY_MATCH_STRING_OPTS();
@@ -1999,6 +2009,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_fmtint(sUseDNS, o->use_dns);
 	dump_cfg_fmtint(sAllowTcpForwarding, o->allow_tcp_forwarding);
 	dump_cfg_fmtint(sUsePrivilegeSeparation, use_privsep);
@ -121,10 +121,10 @@ diff -up openssh-6.2p1/servconf.c.kuserok openssh-6.2p1/servconf.c
 	/* string arguments */
 	dump_cfg_string(sPidFile, o->pid_file);
-diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h
+diff -up openssh-6.3p1/servconf.h.kuserok openssh-6.3p1/servconf.h
--- openssh-6.2p1/servconf.h.kuserok	2013-03-25 20:06:51.305558125 +0100
+--- openssh-6.3p1/servconf.h.kuserok	2013-10-11 21:41:42.896087580 +0200
-+++ openssh-6.2p1/servconf.h	2013-03-25 20:06:51.320558220 +0100
+++ openssh-6.3p1/servconf.h	2013-10-11 21:41:42.907087528 +0200
-@@ -173,6 +173,7 @@ typedef struct {
+@@ -174,6 +174,7 @@ typedef struct {
 	int	num_permitted_opens;
@ -132,21 +132,10 @@ diff -up openssh-6.2p1/servconf.h.kuserok openssh-6.2p1/servconf.h
 	char   *chroot_directory;
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
-diff -up openssh-6.2p1/sshd_config.kuserok openssh-6.2p1/sshd_config
+diff -up openssh-6.3p1/sshd_config.5.kuserok openssh-6.3p1/sshd_config.5
--- openssh-6.2p1/sshd_config.kuserok	2013-03-25 20:06:51.308558144 +0100
+--- openssh-6.3p1/sshd_config.5.kuserok	2013-10-11 21:41:42.898087571 +0200
-+++ openssh-6.2p1/sshd_config	2013-03-25 20:06:51.320558220 +0100
+++ openssh-6.3p1/sshd_config.5	2013-10-11 21:41:42.907087528 +0200
-@@ -83,6 +83,7 @@ ChallengeResponseAuthentication no
+@@ -675,6 +675,10 @@ Specifies whether to automatically destr
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
 diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
 --- openssh-6.2p1/sshd_config.5.kuserok	2013-03-25 20:06:51.308558144 +0100
 +++ openssh-6.2p1/sshd_config.5	2013-03-25 20:08:34.249207272 +0100
@@ -660,6 +660,10 @@ Specifies whether to automatically destr
 file on logout.
 The default is
 .Dq yes .
@ -157,7 +146,7 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
 .It Cm KexAlgorithms
 Specifies the available KEX (Key Exchange) algorithms.
 Multiple algorithms must be comma-separated.
-@@ -819,6 +823,7 @@ Available keywords are
+@@ -833,6 +837,7 @@ Available keywords are
 .Cm HostbasedUsesNameFromPacketOnly ,
 .Cm KbdInteractiveAuthentication ,
 .Cm KerberosAuthentication ,
@ -165,3 +154,14 @@ diff -up openssh-6.2p1/sshd_config.5.kuserok openssh-6.2p1/sshd_config.5
 .Cm MaxAuthTries ,
 .Cm MaxSessions ,
 .Cm PasswordAuthentication ,
 diff -up openssh-6.3p1/sshd_config.kuserok openssh-6.3p1/sshd_config
 --- openssh-6.3p1/sshd_config.kuserok	2013-10-11 21:41:42.898087571 +0200
 +++ openssh-6.3p1/sshd_config	2013-10-11 21:41:42.907087528 +0200
@@ -86,6 +86,7 @@ ChallengeResponseAuthentication no
 #KerberosOrLocalPasswd yes
 #KerberosTicketCleanup yes
 #KerberosGetAFSToken no
 +#KerberosUseKuserok yes
 # GSSAPI options
 #GSSAPIAuthentication no
--- a/openssh-6.3p1-ldap.patch
+++ b/openssh-6.3p1-ldap.patch
@ -383,7 +383,7 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
 +				if ((logfile = fopen (logfilename, "a")) == NULL)
 +				    fatal ("cannot append to %s: %s", logfilename, strerror (errno));
 +				debug3 ("LDAP debug into %s", logfilename);
-+				xfree (logfilename);
+				free (logfilename);
 +				ber_set_option (NULL, LBER_OPT_LOG_PRINT_FILE, logfile);
 +			}
 +#endif
@ -672,12 +672,12 @@ diff -up openssh-6.2p1/ldapbody.c.ldap openssh-6.2p1/ldapbody.c
 +	timeout.tv_usec = 0;
 +	if ((rc = ldap_search_st(ld, options.base, options.scope, buffer, attrs, 0, &timeout, &res)) != LDAP_SUCCESS) {
 +		error ("ldap_search_st(): %s", ldap_err2string (rc));
-+		xfree (buffer);
+		free (buffer);
 +		return;
 +	}
 +
 +	/* free */
-+	xfree (buffer);
+	free (buffer);
 +
 +	for (e = ldap_first_entry(ld, res); e != NULL; e = ldap_next_entry(ld, e)) {
 +		int num;
--- a/openssh-6.3p1-privsep-selinux.patch
+++ b/openssh-6.3p1-privsep-selinux.patch
@ -1,8 +1,8 @@
-diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.c
+diff -up openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux	2012-11-05 14:46:39.334809203 +0100
+--- openssh-6.3p1/openbsd-compat/port-linux.c.privsep-selinux	2013-10-10 14:58:20.634762245 +0200
-+++ openssh-6.1p1/openbsd-compat/port-linux.c	2012-11-05 14:54:32.614504884 +0100
+++ openssh-6.3p1/openbsd-compat/port-linux.c	2013-10-10 15:13:57.864306950 +0200
-@@ -505,6 +505,25 @@ ssh_selinux_change_context(const char *n
+@@ -503,6 +503,25 @@ ssh_selinux_change_context(const char *n
- 	xfree(newctx);
+ 	free(newctx);
 }
 +void
@ -27,9 +27,9 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.c.privsep-selinux openssh-6.1p1
 #endif /* WITH_SELINUX */
 #ifdef LINUX_OOM_ADJUST
-diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1/openbsd-compat/port-linux.h
+diff -up openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.3p1/openbsd-compat/port-linux.h
--- openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux	2011-01-25 02:16:18.000000000 +0100
+--- openssh-6.3p1/openbsd-compat/port-linux.h.privsep-selinux	2011-01-25 02:16:18.000000000 +0100
-+++ openssh-6.1p1/openbsd-compat/port-linux.h	2012-11-05 14:46:39.339809234 +0100
+++ openssh-6.3p1/openbsd-compat/port-linux.h	2013-10-10 14:58:20.634762245 +0200
@@ -24,6 +24,7 @@ int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 void ssh_selinux_setup_exec_context(char *);
@ -38,10 +38,10 @@ diff -up openssh-6.1p1/openbsd-compat/port-linux.h.privsep-selinux openssh-6.1p1
 void ssh_selinux_setfscreatecon(const char *);
 #endif
-diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
+diff -up openssh-6.3p1/session.c.privsep-selinux openssh-6.3p1/session.c
--- openssh-6.1p1/session.c.privsep-selinux	2012-12-03 09:43:11.727505761 +0100
+--- openssh-6.3p1/session.c.privsep-selinux	2013-10-10 14:58:20.617762326 +0200
-+++ openssh-6.1p1/session.c	2012-12-03 09:54:50.455688902 +0100
+++ openssh-6.3p1/session.c	2013-10-10 15:13:16.520503590 +0200
-@@ -1519,6 +1519,9 @@ do_setusercontext(struct passwd *pw)
+@@ -1522,6 +1522,9 @@ do_setusercontext(struct passwd *pw)
 			    pw->pw_uid);
 			chroot_path = percent_expand(tmp, "h", pw->pw_dir,
 			    "u", pw->pw_name, (char *)NULL);
@ -51,7 +51,7 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
 			safely_chroot(chroot_path, pw->pw_uid);
 			free(tmp);
 			free(chroot_path);
-@@ -1533,6 +1536,12 @@ do_setusercontext(struct passwd *pw)
+@@ -1544,6 +1547,12 @@ do_setusercontext(struct passwd *pw)
 		/* Permanently switch to the desired uid. */
 		permanently_set_uid(pw);
 #endif
@ -61,10 +61,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
 +		    strcasecmp(options.chroot_directory, "none") == 0)
 +			ssh_selinux_copy_context();
 +#endif
- 	}
+ 	} else if (options.chroot_directory != NULL &&
- 
+ 	    strcasecmp(options.chroot_directory, "none") != 0) {
- 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ 		fatal("server lacks privileges to chroot to ChrootDirectory");
-@@ -1787,9 +1796,6 @@ do_child(Session *s, const char *command
+@@ -1808,9 +1817,6 @@ do_child(Session *s, const char *command
 		argv[i] = NULL;
 		optind = optreset = 1;
 		__progname = argv[0];
@ -74,10 +74,10 @@ diff -up openssh-6.1p1/session.c.privsep-selinux openssh-6.1p1/session.c
 		exit(sftp_server_main(i, argv, s->pw));
 	}
-diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
+diff -up openssh-6.3p1/sshd.c.privsep-selinux openssh-6.3p1/sshd.c
--- openssh-6.1p1/sshd.c.privsep-selinux	2013-02-24 11:29:32.997823377 +0100
+--- openssh-6.3p1/sshd.c.privsep-selinux	2013-10-10 14:58:20.632762255 +0200
-+++ openssh-6.1p1/sshd.c	2013-02-24 11:43:34.171182720 +0100
+++ openssh-6.3p1/sshd.c	2013-10-10 14:58:20.635762241 +0200
-@@ -653,6 +653,10 @@ privsep_preauth_child(void)
+@@ -668,6 +668,10 @@ privsep_preauth_child(void)
 	/* Demote the private keys to public keys. */
 	demote_sensitive_data();
@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd.c.privsep-selinux openssh-6.1p1/sshd.c
 	/* Change our root directory */
 	if (chroot(_PATH_PRIVSEP_CHROOT_DIR) == -1)
 		fatal("chroot(\"%s\"): %s", _PATH_PRIVSEP_CHROOT_DIR,
-@@ -794,6 +798,13 @@ privsep_postauth(Authctxt *authctxt)
+@@ -811,6 +815,13 @@ privsep_postauth(Authctxt *authctxt)
 	do_setusercontext(authctxt->pw);
  skip:
--- a/openssh-6.3p1-redhat.patch
+++ b/openssh-6.3p1-redhat.patch
@ -1,10 +1,10 @@
-diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config
+diff -up openssh-6.3p1/ssh_config.redhat openssh-6.3p1/ssh_config
--- openssh-6.1p1/ssh_config.redhat	2010-01-12 09:40:27.000000000 +0100
+--- openssh-6.3p1/ssh_config.redhat	2013-10-11 14:51:18.345876648 +0200
-+++ openssh-6.1p1/ssh_config	2012-10-26 16:28:51.820340584 +0200
+++ openssh-6.3p1/ssh_config	2013-10-11 15:13:05.429829266 +0200
-@@ -45,3 +45,14 @@
+@@ -46,3 +46,14 @@
 #   PermitLocalCommand no
 #   VisualHostKey no
 #   ProxyCommand ssh -q -W %h:%p gateway.example.com
 #   RekeyLimit 1G 1h
 +Host *
 +	GSSAPIAuthentication yes
 +# If this option is set to yes then remote X11 clients will have full access
@ -16,10 +16,10 @@ diff -up openssh-6.1p1/ssh_config.redhat openssh-6.1p1/ssh_config
 +	SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
 +	SendEnv LC_IDENTIFICATION LC_ALL LANGUAGE
 +	SendEnv XMODIFIERS
-diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0
+diff -up openssh-6.3p1/sshd_config.0.redhat openssh-6.3p1/sshd_config.0
--- openssh-6.1p1/sshd_config.0.redhat	2012-10-26 16:28:51.762340584 +0200
+--- openssh-6.3p1/sshd_config.0.redhat	2013-09-13 08:20:43.000000000 +0200
-+++ openssh-6.1p1/sshd_config.0	2012-10-26 16:28:51.821340584 +0200
+++ openssh-6.3p1/sshd_config.0	2013-10-11 14:51:18.345876648 +0200
-@@ -583,9 +583,9 @@ DESCRIPTION
+@@ -653,9 +653,9 @@ DESCRIPTION
      SyslogFacility
              Gives the facility code that is used when logging messages from
@ -32,10 +32,10 @@ diff -up openssh-6.1p1/sshd_config.0.redhat openssh-6.1p1/sshd_config.0
      TCPKeepAlive
              Specifies whether the system should send TCP keepalive messages
-diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5
+diff -up openssh-6.3p1/sshd_config.5.redhat openssh-6.3p1/sshd_config.5
--- openssh-6.1p1/sshd_config.5.redhat	2012-10-26 16:28:51.763340584 +0200
+--- openssh-6.3p1/sshd_config.5.redhat	2013-07-20 05:21:53.000000000 +0200
-+++ openssh-6.1p1/sshd_config.5	2012-10-26 16:28:51.822340584 +0200
+++ openssh-6.3p1/sshd_config.5	2013-10-11 14:51:18.346876643 +0200
-@@ -1015,7 +1015,7 @@ Note that this option applies to protoco
+@@ -1095,7 +1095,7 @@ Note that this option applies to protoco
 .It Cm SyslogFacility
 Gives the facility code that is used when logging messages from
 .Xr sshd 8 .
@ -44,9 +44,9 @@ diff -up openssh-6.1p1/sshd_config.5.redhat openssh-6.1p1/sshd_config.5
 LOCAL3, LOCAL4, LOCAL5, LOCAL6, LOCAL7.
 The default is AUTH.
 .It Cm TCPKeepAlive
-diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
+diff -up openssh-6.3p1/sshd_config.redhat openssh-6.3p1/sshd_config
--- openssh-6.1p1/sshd_config.redhat	2012-10-26 16:28:51.819340584 +0200
+--- openssh-6.3p1/sshd_config.redhat	2013-10-11 14:51:18.343876657 +0200
-+++ openssh-6.1p1/sshd_config	2012-10-26 16:31:44.773340564 +0200
+++ openssh-6.3p1/sshd_config	2013-10-11 14:51:18.346876643 +0200
@@ -10,6 +10,10 @@
 # possible, but leave them commented.  Uncommented options override the
 # default value.
@ -58,7 +58,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
 #Port 22
 #AddressFamily any
 #ListenAddress 0.0.0.0
-@@ -32,6 +36,7 @@
+@@ -35,6 +39,7 @@
 # Logging
 # obsoletes QuietMode and FascistLogging
 #SyslogFacility AUTH
@ -66,7 +66,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
 #LogLevel INFO
 # Authentication:
-@@ -67,9 +72,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -70,9 +75,11 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # To disable tunneled clear text passwords, change to no here!
 #PasswordAuthentication yes
 #PermitEmptyPasswords no
@ -78,7 +78,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
 # Kerberos options
 #KerberosAuthentication no
-@@ -79,7 +86,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -82,7 +89,9 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # GSSAPI options
 #GSSAPIAuthentication no
@ -88,7 +88,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
 # Set this to 'yes' to enable PAM authentication, account processing, 
 # and session processing. If this is enabled, PAM authentication will 
-@@ -91,11 +100,13 @@ AuthorizedKeysFile	.ssh/authorized_keys
+@@ -94,11 +103,13 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # PAM authentication, then enable this but set PasswordAuthentication
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
@ -102,7 +102,7 @@ diff -up openssh-6.1p1/sshd_config.redhat openssh-6.1p1/sshd_config
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
-@@ -117,6 +128,12 @@ UsePrivilegeSeparation sandbox		# Defaul
+@@ -120,6 +131,12 @@ UsePrivilegeSeparation sandbox		# Defaul
 # no default banner path
 #Banner none
--- a/openssh-6.3p1-role-mls.patch
+++ b/openssh-6.3p1-role-mls.patch
@ -1,20 +1,7 @@
-diff -up openssh-6.2p1/auth.h.role-mls openssh-6.2p1/auth.h
+diff -up openssh-6.3p1/auth-pam.c.role-mls openssh-6.3p1/auth-pam.c
--- openssh-6.2p1/auth.h.role-mls	2013-03-25 17:47:00.565746862 +0100
+--- openssh-6.3p1/auth-pam.c.role-mls	2013-10-10 14:34:43.799494546 +0200
-+++ openssh-6.2p1/auth.h	2013-03-25 17:47:00.602747073 +0100
+++ openssh-6.3p1/auth-pam.c	2013-10-10 14:34:43.835494375 +0200
-@@ -59,6 +59,9 @@ struct Authctxt {
+@@ -1071,7 +1071,7 @@ is_pam_session_open(void)
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
 +#ifdef WITH_SELINUX
 +	char		*role;
 +#endif
 	void		*kbdintctxt;
 	void		*jpake_ctx;
 #ifdef BSD_AUTH
 diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
 --- openssh-6.2p1/auth-pam.c.role-mls	2013-03-25 17:47:00.535746690 +0100
 +++ openssh-6.2p1/auth-pam.c	2013-03-25 17:47:00.602747073 +0100
@@ -1074,7 +1074,7 @@ is_pam_session_open(void)
  * during the ssh authentication process.
  */
 int
@ -23,9 +10,9 @@ diff -up openssh-6.2p1/auth-pam.c.role-mls openssh-6.2p1/auth-pam.c
 {
 	int ret = 1;
 #ifdef HAVE_PAM_PUTENV
-diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h
+diff -up openssh-6.3p1/auth-pam.h.role-mls openssh-6.3p1/auth-pam.h
--- openssh-6.2p1/auth-pam.h.role-mls	2004-09-11 14:17:26.000000000 +0200
+--- openssh-6.3p1/auth-pam.h.role-mls	2004-09-11 14:17:26.000000000 +0200
-+++ openssh-6.2p1/auth-pam.h	2013-03-25 17:47:00.602747073 +0100
+++ openssh-6.3p1/auth-pam.h	2013-10-10 14:34:43.835494375 +0200
@@ -38,7 +38,7 @@ void do_pam_session(void);
 void do_pam_set_tty(const char *);
 void do_pam_setcred(int );
@ -35,10 +22,23 @@ diff -up openssh-6.2p1/auth-pam.h.role-mls openssh-6.2p1/auth-pam.h
 char ** fetch_pam_environment(void);
 char ** fetch_pam_child_environment(void);
 void free_pam_environment(char **);
-diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
+diff -up openssh-6.3p1/auth.h.role-mls openssh-6.3p1/auth.h
--- openssh-6.2p1/auth1.c.role-mls	2012-12-02 23:53:20.000000000 +0100
+--- openssh-6.3p1/auth.h.role-mls	2013-10-10 14:34:43.834494379 +0200
-+++ openssh-6.2p1/auth1.c	2013-03-25 17:47:00.600747062 +0100
+++ openssh-6.3p1/auth.h	2013-10-10 14:38:45.060348227 +0200
-@@ -386,6 +386,9 @@ do_authentication(Authctxt *authctxt)
+@@ -59,6 +59,9 @@ struct Authctxt {
 	char		*service;
 	struct passwd	*pw;		/* set if 'valid' */
 	char		*style;
 +#ifdef WITH_SELINUX
 +	char		*role;
 +#endif
 	void		*kbdintctxt;
 	char		*info;		/* Extra info for next auth_log */
 	void		*jpake_ctx;
 diff -up openssh-6.3p1/auth1.c.role-mls openssh-6.3p1/auth1.c
 --- openssh-6.3p1/auth1.c.role-mls	2013-06-02 00:01:24.000000000 +0200
 +++ openssh-6.3p1/auth1.c	2013-10-10 14:34:43.835494375 +0200
@@ -381,6 +381,9 @@ do_authentication(Authctxt *authctxt)
 {
 	u_int ulen;
 	char *user, *style = NULL;
@ -48,7 +48,7 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
 	/* Get the name of the user that we wish to log in as. */
 	packet_read_expect(SSH_CMSG_USER);
-@@ -394,11 +397,24 @@ do_authentication(Authctxt *authctxt)
+@@ -389,11 +392,24 @@ do_authentication(Authctxt *authctxt)
 	user = packet_get_cstring(&ulen);
 	packet_check_eom();
@ -73,52 +73,10 @@ diff -up openssh-6.2p1/auth1.c.role-mls openssh-6.2p1/auth1.c
 	/* Verify that the user is a valid user. */
 	if ((authctxt->pw = PRIVSEP(getpwnamallow(user))) != NULL)
-diff -up openssh-6.2p1/auth2.c.role-mls openssh-6.2p1/auth2.c
+diff -up openssh-6.3p1/auth2-gss.c.role-mls openssh-6.3p1/auth2-gss.c
--- openssh-6.2p1/auth2.c.role-mls	2013-03-25 17:47:00.556746810 +0100
+--- openssh-6.3p1/auth2-gss.c.role-mls	2013-06-01 23:31:18.000000000 +0200
-+++ openssh-6.2p1/auth2.c	2013-03-25 17:47:00.600747062 +0100
+++ openssh-6.3p1/auth2-gss.c	2013-10-10 14:34:43.836494370 +0200
-@@ -218,6 +218,9 @@ input_userauth_request(int type, u_int32
+@@ -256,6 +256,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
 +#ifdef WITH_SELINUX
 +	char *role = NULL;
 +#endif
 	int authenticated = 0;
 	if (authctxt == NULL)
@@ -229,6 +232,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 +#ifdef WITH_SELINUX
 +	if ((role = strchr(user, '/')) != NULL)
 +		*role++ = 0;
 +#endif
 +
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
@@ -251,8 +259,15 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 -		if (use_privsep)
 +#ifdef WITH_SELINUX
 +		authctxt->role = role ? xstrdup(role) : NULL;
 +#endif
 +		if (use_privsep) {
 			mm_inform_authserv(service, style);
 +#ifdef WITH_SELINUX
 +			mm_inform_authrole(role);
 +#endif
 +		}
 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
 			packet_disconnect("no authentication methods enabled");
 diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
 --- openssh-6.2p1/auth2-gss.c.role-mls	2012-12-02 23:53:20.000000000 +0100
 +++ openssh-6.2p1/auth2-gss.c	2013-03-25 17:47:00.601747067 +0100
@@ -260,6 +260,7 @@ input_gssapi_mic(int type, u_int32_t ple
 	Authctxt *authctxt = ctxt;
 	Gssctxt *gssctxt;
 	int authenticated = 0;
@ -126,7 +84,7 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
 	Buffer b;
 	gss_buffer_desc mic, gssbuf;
 	u_int len;
-@@ -272,7 +273,13 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -268,7 +269,13 @@ input_gssapi_mic(int type, u_int32_t ple
 	mic.value = packet_get_string(&len);
 	mic.length = len;
@ -141,18 +99,18 @@ diff -up openssh-6.2p1/auth2-gss.c.role-mls openssh-6.2p1/auth2-gss.c
 	    "gssapi-with-mic");
 	gssbuf.value = buffer_ptr(&b);
-@@ -284,6 +291,8 @@ input_gssapi_mic(int type, u_int32_t ple
+@@ -280,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
 		logit("GSSAPI MIC check failed");
 	buffer_free(&b);
 +	if (micuser != authctxt->user)
-+		xfree(micuser);
+		free(micuser);
- 	xfree(mic.value);
+ 	free(mic.value);
 	authctxt->postponed = 0;
-diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.c
+diff -up openssh-6.3p1/auth2-hostbased.c.role-mls openssh-6.3p1/auth2-hostbased.c
--- openssh-6.2p1/auth2-hostbased.c.role-mls	2013-03-25 17:47:00.565746862 +0100
+--- openssh-6.3p1/auth2-hostbased.c.role-mls	2013-10-10 14:34:43.818494455 +0200
-+++ openssh-6.2p1/auth2-hostbased.c	2013-03-25 17:47:00.601747067 +0100
+++ openssh-6.3p1/auth2-hostbased.c	2013-10-10 14:34:43.836494370 +0200
@@ -106,7 +106,15 @@ userauth_hostbased(Authctxt *authctxt)
 	buffer_put_string(&b, session_id2, session_id2_len);
 	/* reconstruct packet */
@ -170,30 +128,69 @@ diff -up openssh-6.2p1/auth2-hostbased.c.role-mls openssh-6.2p1/auth2-hostbased.
 	buffer_put_cstring(&b, service);
 	buffer_put_cstring(&b, "hostbased");
 	buffer_put_string(&b, pkalg, alen);
-diff -up openssh-6.2p1/auth2-pubkey.c.role-mls openssh-6.2p1/auth2-pubkey.c
+diff -up openssh-6.3p1/auth2-pubkey.c.role-mls openssh-6.3p1/auth2-pubkey.c
--- openssh-6.2p1/auth2-pubkey.c.role-mls	2013-03-25 17:47:00.565746862 +0100
+--- openssh-6.3p1/auth2-pubkey.c.role-mls	2013-10-10 14:34:43.836494370 +0200
-+++ openssh-6.2p1/auth2-pubkey.c	2013-03-25 17:47:00.601747067 +0100
+++ openssh-6.3p1/auth2-pubkey.c	2013-10-10 14:57:17.452062486 +0200
-@@ -127,7 +127,15 @@ userauth_pubkey(Authctxt *authctxt)
+@@ -127,9 +127,11 @@ userauth_pubkey(Authctxt *authctxt)
 		}
 		/* reconstruct packet */
 		buffer_put_char(&b, SSH2_MSG_USERAUTH_REQUEST);
-		buffer_put_cstring(&b, authctxt->user);
+-		xasprintf(&userstyle, "%s%s%s", authctxt->user,
-+#ifdef WITH_SELINUX
+		xasprintf(&userstyle, "%s%s%s%s%s", authctxt->user,
-+		if (authctxt->role) {
+ 		    authctxt->style ? ":" : "",
-+			buffer_put_int(&b, strlen(authctxt->user)+strlen(authctxt->role)+1);
+-		    authctxt->style ? authctxt->style : "");
-+			buffer_append(&b, authctxt->user, strlen(authctxt->user));
+		    authctxt->style ? authctxt->style : "",
-+			buffer_put_char(&b, '/');
+		    authctxt->role ? "/" : "",
-+			buffer_append(&b, authctxt->role, strlen(authctxt->role));
+		    authctxt->role ? authctxt->role : "");
-+		} else 
+ 		buffer_put_cstring(&b, userstyle);
-+#endif
+ 		free(userstyle);
 +			buffer_put_cstring(&b, authctxt->user);
 		buffer_put_cstring(&b,
- 		    datafellows & SSH_BUG_PKSERVICE ?
+diff -up openssh-6.3p1/auth2.c.role-mls openssh-6.3p1/auth2.c
- 		    "ssh-userauth" :
+--- openssh-6.3p1/auth2.c.role-mls	2013-10-10 14:34:43.819494451 +0200
-diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
+++ openssh-6.3p1/auth2.c	2013-10-10 14:34:43.835494375 +0200
--- openssh-6.2p1/misc.c.role-mls	2011-09-22 13:34:36.000000000 +0200
+@@ -221,6 +221,9 @@ input_userauth_request(int type, u_int32
-+++ openssh-6.2p1/misc.c	2013-03-25 17:47:00.603747079 +0100
+ 	Authctxt *authctxt = ctxt;
-@@ -427,6 +427,7 @@ char *
+ 	Authmethod *m = NULL;
 	char *user, *service, *method, *style = NULL;
 +#ifdef WITH_SELINUX
 +	char *role = NULL;
 +#endif
 	int authenticated = 0;
 	if (authctxt == NULL)
@@ -232,6 +235,11 @@ input_userauth_request(int type, u_int32
 	debug("userauth-request for user %s service %s method %s", user, service, method);
 	debug("attempt %d failures %d", authctxt->attempt, authctxt->failures);
 +#ifdef WITH_SELINUX
 +	if ((role = strchr(user, '/')) != NULL)
 +		*role++ = 0;
 +#endif
 +
 	if ((style = strchr(user, ':')) != NULL)
 		*style++ = 0;
@@ -254,8 +262,15 @@ input_userauth_request(int type, u_int32
 		    use_privsep ? " [net]" : "");
 		authctxt->service = xstrdup(service);
 		authctxt->style = style ? xstrdup(style) : NULL;
 -		if (use_privsep)
 +#ifdef WITH_SELINUX
 +		authctxt->role = role ? xstrdup(role) : NULL;
 +#endif
 +		if (use_privsep) {
 			mm_inform_authserv(service, style);
 +#ifdef WITH_SELINUX
 +			mm_inform_authrole(role);
 +#endif
 +		}
 		userauth_banner();
 		if (auth2_setup_methods_lists(authctxt) != 0)
 			packet_disconnect("no authentication methods enabled");
 diff -up openssh-6.3p1/misc.c.role-mls openssh-6.3p1/misc.c
 --- openssh-6.3p1/misc.c.role-mls	2013-08-08 04:50:06.000000000 +0200
 +++ openssh-6.3p1/misc.c	2013-10-10 14:34:43.836494370 +0200
@@ -429,6 +429,7 @@ char *
 colon(char *cp)
 {
 	int flag = 0;
@ -201,7 +198,7 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
 	if (*cp == ':')		/* Leading colon is part of file name. */
 		return NULL;
-@@ -442,6 +443,13 @@ colon(char *cp)
+@@ -444,6 +445,13 @@ colon(char *cp)
 			return (cp);
 		if (*cp == '/')
 			return NULL;
@ -215,10 +212,10 @@ diff -up openssh-6.2p1/misc.c.role-mls openssh-6.2p1/misc.c
 	}
 	return NULL;
 }
-diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
+diff -up openssh-6.3p1/monitor.c.role-mls openssh-6.3p1/monitor.c
--- openssh-6.2p1/monitor.c.role-mls	2013-03-25 17:47:00.587746987 +0100
+--- openssh-6.3p1/monitor.c.role-mls	2013-10-10 14:34:43.821494441 +0200
-+++ openssh-6.2p1/monitor.c	2013-03-25 17:47:00.604747085 +0100
+++ openssh-6.3p1/monitor.c	2013-10-10 14:54:57.933725463 +0200
-@@ -148,6 +148,9 @@ int mm_answer_sign(int, Buffer *);
+@@ -149,6 +149,9 @@ int mm_answer_sign(int, Buffer *);
 int mm_answer_pwnamallow(int, Buffer *);
 int mm_answer_auth2_read_banner(int, Buffer *);
 int mm_answer_authserv(int, Buffer *);
@ -228,7 +225,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
 int mm_answer_authpassword(int, Buffer *);
 int mm_answer_bsdauthquery(int, Buffer *);
 int mm_answer_bsdauthrespond(int, Buffer *);
-@@ -232,6 +235,9 @@ struct mon_table mon_dispatch_proto20[]
+@@ -233,6 +236,9 @@ struct mon_table mon_dispatch_proto20[]
     {MONITOR_REQ_SIGN, MON_ONCE, mm_answer_sign},
     {MONITOR_REQ_PWNAM, MON_ONCE, mm_answer_pwnamallow},
     {MONITOR_REQ_AUTHSERV, MON_ONCE, mm_answer_authserv},
@ -238,7 +235,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
     {MONITOR_REQ_AUTH2_READ_BANNER, MON_ONCE, mm_answer_auth2_read_banner},
     {MONITOR_REQ_AUTHPASSWORD, MON_AUTH, mm_answer_authpassword},
 #ifdef USE_PAM
-@@ -846,6 +852,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
+@@ -853,6 +859,9 @@ mm_answer_pwnamallow(int sock, Buffer *m
 	else {
 		/* Allow service/style information on the auth context */
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTHSERV, 1);
@ -248,7 +245,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
 		monitor_permit(mon_dispatch, MONITOR_REQ_AUTH2_READ_BANNER, 1);
 	}
 #ifdef USE_PAM
-@@ -889,6 +898,25 @@ mm_answer_authserv(int sock, Buffer *m)
+@@ -894,6 +903,25 @@ mm_answer_authserv(int sock, Buffer *m)
 	return (0);
 }
@ -263,7 +260,7 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
 +	    __func__, authctxt->role);
 +
 +	if (strlen(authctxt->role) == 0) {
-+		xfree(authctxt->role);
+		free(authctxt->role);
 +		authctxt->role = NULL;
 +	}
 +
@ -274,45 +271,45 @@ diff -up openssh-6.2p1/monitor.c.role-mls openssh-6.2p1/monitor.c
 int
 mm_answer_authpassword(int sock, Buffer *m)
 {
-@@ -1262,7 +1290,7 @@ static int
+@@ -1269,7 +1297,7 @@ static int
 monitor_valid_userblob(u_char *data, u_int datalen)
 {
 	Buffer b;
-	char *p;
+-	char *p, *userstyle;
-+	char *p, *r;
+	char *p, *r, *userstyle;
 	u_int len;
 	int fail = 0;
-@@ -1288,6 +1316,8 @@ monitor_valid_userblob(u_char *data, u_i
+@@ -1295,6 +1323,8 @@ monitor_valid_userblob(u_char *data, u_i
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
- 	p = buffer_get_string(&b, NULL);
+ 	p = buffer_get_cstring(&b, NULL);
 +	if ((r = strchr(p, '/')) != NULL)
 +		*r = '\0';
- 	if (strcmp(authctxt->user, p) != 0) {
+ 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
- 		logit("wrong user name passed to monitor: expected %s != %.100s",
+ 	    authctxt->style ? ":" : "",
- 		    authctxt->user, p);
+ 	    authctxt->style ? authctxt->style : "");
-@@ -1319,7 +1349,7 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1330,7 +1360,7 @@ monitor_valid_hostbasedblob(u_char *data
     char *chost)
 {
 	Buffer b;
-	char *p;
+-	char *p, *userstyle;
-+	char *p, *r;
+	char *p, *r, *userstyle;
 	u_int len;
 	int fail = 0;
-@@ -1336,6 +1366,8 @@ monitor_valid_hostbasedblob(u_char *data
+@@ -1347,6 +1377,8 @@ monitor_valid_hostbasedblob(u_char *data
 	if (buffer_get_char(&b) != SSH2_MSG_USERAUTH_REQUEST)
 		fail++;
- 	p = buffer_get_string(&b, NULL);
+ 	p = buffer_get_cstring(&b, NULL);
 +	if ((r = strchr(p, '/')) != NULL)
 +		*r = '\0';
- 	if (strcmp(authctxt->user, p) != 0) {
+ 	xasprintf(&userstyle, "%s%s%s", authctxt->user,
- 		logit("wrong user name passed to monitor: expected %s != %.100s",
+ 	    authctxt->style ? ":" : "",
- 		    authctxt->user, p);
+ 	    authctxt->style ? authctxt->style : "");
-diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h
+diff -up openssh-6.3p1/monitor.h.role-mls openssh-6.3p1/monitor.h
--- openssh-6.2p1/monitor.h.role-mls	2013-03-25 17:47:00.605747090 +0100
+--- openssh-6.3p1/monitor.h.role-mls	2013-10-10 14:34:43.821494441 +0200
-+++ openssh-6.2p1/monitor.h	2013-03-25 17:50:00.824775483 +0100
+++ openssh-6.3p1/monitor.h	2013-10-10 14:34:43.837494365 +0200
@@ -61,6 +61,9 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_STEP2 = 56, MONITOR_ANS_JPAKE_STEP2 = 57,
 	MONITOR_REQ_JPAKE_KEY_CONFIRM = 58, MONITOR_ANS_JPAKE_KEY_CONFIRM = 59,
@ -323,10 +320,10 @@ diff -up openssh-6.2p1/monitor.h.role-mls openssh-6.2p1/monitor.h
 	MONITOR_REQ_PAM_START = 100,
 	MONITOR_REQ_PAM_ACCOUNT = 102, MONITOR_ANS_PAM_ACCOUNT = 103,
-diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c
+diff -up openssh-6.3p1/monitor_wrap.c.role-mls openssh-6.3p1/monitor_wrap.c
--- openssh-6.2p1/monitor_wrap.c.role-mls	2013-03-25 17:47:00.588746993 +0100
+--- openssh-6.3p1/monitor_wrap.c.role-mls	2013-10-10 14:34:43.822494436 +0200
-+++ openssh-6.2p1/monitor_wrap.c	2013-03-25 17:47:00.605747090 +0100
+++ openssh-6.3p1/monitor_wrap.c	2013-10-10 14:34:43.838494360 +0200
-@@ -336,6 +336,25 @@ mm_inform_authserv(char *service, char *
+@@ -338,6 +338,25 @@ mm_inform_authserv(char *service, char *
 	buffer_free(&m);
 }
@ -352,9 +349,9 @@ diff -up openssh-6.2p1/monitor_wrap.c.role-mls openssh-6.2p1/monitor_wrap.c
 /* Do the password authentication */
 int
 mm_auth_password(Authctxt *authctxt, char *password)
-diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h
+diff -up openssh-6.3p1/monitor_wrap.h.role-mls openssh-6.3p1/monitor_wrap.h
--- openssh-6.2p1/monitor_wrap.h.role-mls	2013-03-25 17:47:00.588746993 +0100
+--- openssh-6.3p1/monitor_wrap.h.role-mls	2013-10-10 14:34:43.822494436 +0200
-+++ openssh-6.2p1/monitor_wrap.h	2013-03-25 17:47:00.605747090 +0100
+++ openssh-6.3p1/monitor_wrap.h	2013-10-10 14:34:43.838494360 +0200
@@ -42,6 +42,9 @@ int mm_is_monitor(void);
 DH *mm_choose_dh(int, int, int);
 int mm_key_sign(Key *, u_char **, u_int *, u_char *, u_int);
@ -365,9 +362,9 @@ diff -up openssh-6.2p1/monitor_wrap.h.role-mls openssh-6.2p1/monitor_wrap.h
 struct passwd *mm_getpwnamallow(const char *);
 char *mm_auth2_read_banner(void);
 int mm_auth_password(struct Authctxt *, char *);
-diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd-compat/Makefile.in
+diff -up openssh-6.3p1/openbsd-compat/Makefile.in.role-mls openssh-6.3p1/openbsd-compat/Makefile.in
--- openssh-6.2p1/openbsd-compat/Makefile.in.role-mls	2013-03-25 17:47:00.606747096 +0100
+--- openssh-6.3p1/openbsd-compat/Makefile.in.role-mls	2013-05-10 08:28:56.000000000 +0200
-+++ openssh-6.2p1/openbsd-compat/Makefile.in	2013-03-25 17:50:36.024979473 +0100
+++ openssh-6.3p1/openbsd-compat/Makefile.in	2013-10-10 14:34:43.838494360 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -377,9 +374,9 @@ diff -up openssh-6.2p1/openbsd-compat/Makefile.in.role-mls openssh-6.2p1/openbsd
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
-diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbsd-compat/port-linux.c
+diff -up openssh-6.3p1/openbsd-compat/port-linux.c.role-mls openssh-6.3p1/openbsd-compat/port-linux.c
--- openssh-6.2p1/openbsd-compat/port-linux.c.role-mls	2012-03-09 00:25:18.000000000 +0100
+--- openssh-6.3p1/openbsd-compat/port-linux.c.role-mls	2013-06-02 00:07:32.000000000 +0200
-+++ openssh-6.2p1/openbsd-compat/port-linux.c	2013-03-25 17:47:00.606747096 +0100
+++ openssh-6.3p1/openbsd-compat/port-linux.c	2013-10-10 14:40:41.841793347 +0200
@@ -31,68 +31,271 @@
 #include "log.h"
@ -419,7 +416,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 +static int
 +send_audit_message(int success, security_context_t default_context,
 +		       security_context_t selected_context)
-+{
+ {
 -	static int enabled = -1;
 +	int rc=0;
 +#ifdef HAVE_LINUX_AUDIT
 +	char *msg = NULL;
@ -465,8 +463,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 +
 +static int
 +mls_range_allowed(security_context_t src, security_context_t dst)
- {
+{
 -	static int enabled = -1;
 +	struct av_decision avd;
 +	int retval;
 +	unsigned int bit = CONTEXT__CONTAINS;
@ -683,13 +680,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 	}
 #ifdef HAVE_GETSEUSERBYNAME
-@@ -102,7 +305,42 @@ ssh_selinux_getctxbyname(char *pwname)
+@@ -100,7 +303,42 @@ ssh_selinux_getctxbyname(char *pwname)
- 		xfree(lvl);
+ 	free(lvl);
 #endif
 -	return sc;
 +	if (role != NULL)
-+		xfree(role);
+		free(role);
 +	if (con)
 +		context_free(con);
 +
@ -721,13 +718,13 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 +	rv = rv || do_pam_putenv("SELINUX_USE_CURRENT_RANGE", use_current);
 +
 +	if (role != NULL)
-+		xfree(role);
+		free(role);
 +
 +	return rv;
 }
 /* Set the execution context to the default for the specified user */
-@@ -110,28 +348,71 @@ void
+@@ -108,28 +346,71 @@ void
 ssh_selinux_setup_exec_context(char *pwname)
 {
 	security_context_t user_ctx = NULL;
@ -806,7 +803,7 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 	debug3("%s: done", __func__);
 }
-@@ -149,7 +430,10 @@ ssh_selinux_setup_pty(char *pwname, cons
+@@ -147,7 +428,10 @@ ssh_selinux_setup_pty(char *pwname, cons
 	debug3("%s: setting TTY context on %s", __func__, tty);
@ -818,8 +815,8 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
-@@ -221,21 +505,6 @@ ssh_selinux_change_context(const char *n
+@@ -219,21 +503,6 @@ ssh_selinux_change_context(const char *n
- 	xfree(newctx);
+ 	free(newctx);
 }
 -void
@ -840,9 +837,9 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux.c.role-mls openssh-6.2p1/openbs
 #endif /* WITH_SELINUX */
 #ifdef LINUX_OOM_ADJUST
-diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1/openbsd-compat/port-linux_part_2.c
+diff -up openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.3p1/openbsd-compat/port-linux_part_2.c
--- openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls	2013-03-25 17:47:00.607747102 +0100
+--- openssh-6.3p1/openbsd-compat/port-linux_part_2.c.role-mls	2013-10-10 14:34:43.839494355 +0200
-+++ openssh-6.2p1/openbsd-compat/port-linux_part_2.c	2013-03-25 17:47:00.607747102 +0100
+++ openssh-6.3p1/openbsd-compat/port-linux_part_2.c	2013-10-10 14:34:43.839494355 +0200
@@ -0,0 +1,75 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
@ -919,10 +916,10 @@ diff -up openssh-6.2p1/openbsd-compat/port-linux_part_2.c.role-mls openssh-6.2p1
 +#endif /* WITH_SELINUX */
 +
 +#endif /* WITH_SELINUX || LINUX_OOM_ADJUST */
-diff -up openssh-6.2p1/sshd.c.role-mls openssh-6.2p1/sshd.c
+diff -up openssh-6.3p1/sshd.c.role-mls openssh-6.3p1/sshd.c
--- openssh-6.2p1/sshd.c.role-mls	2013-03-25 17:47:00.589746999 +0100
+--- openssh-6.3p1/sshd.c.role-mls	2013-10-10 14:34:43.824494427 +0200
-+++ openssh-6.2p1/sshd.c	2013-03-25 17:47:00.607747102 +0100
+++ openssh-6.3p1/sshd.c	2013-10-10 14:34:43.839494355 +0200
-@@ -2118,6 +2118,9 @@ main(int ac, char **av)
+@@ -2179,6 +2179,9 @@ main(int ac, char **av)
 		restore_uid();
 	}
 #endif
--- a/openssh.spec
+++ b/openssh.spec
@ -92,9 +92,9 @@ Source13: sshd-keygen
 Patch0: openssh-5.9p1-wIm.patch
 #?
-Patch100: openssh-6.2p1-coverity.patch
+Patch100: openssh-6.3p1-coverity.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1872
-Patch101: openssh-6.2p1-fingerprint.patch
+Patch101: openssh-6.3p1-fingerprint.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1894
 #https://bugzilla.redhat.com/show_bug.cgi?id=735889
 Patch102: openssh-5.8p1-getaddrinfo.patch
@ -102,7 +102,7 @@ Patch102: openssh-5.8p1-getaddrinfo.patch
 Patch103: openssh-5.8p1-packet.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1402
-Patch200: openssh-6.2p1-audit.patch
+Patch200: openssh-6.3p1-audit.patch
 # --- pam_ssh-agent ---
 # make it build reusing the openssh sources
@ -112,14 +112,14 @@ Patch301: pam_ssh_agent_auth-0.9.2-seteuid.patch
 # explicitly make pam callbacks visible
 Patch302: pam_ssh_agent_auth-0.9.2-visibility.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1641 (WONTFIX)
-Patch400: openssh-6.2p1-role-mls.patch
+Patch400: openssh-6.3p1-role-mls.patch
 #https://bugzilla.redhat.com/show_bug.cgi?id=781634
-Patch404: openssh-6.1p1-privsep-selinux.patch
+Patch404: openssh-6.3p1-privsep-selinux.patch
 #?-- unwanted child :(
-Patch501: openssh-6.2p1-ldap.patch
+Patch501: openssh-6.3p1-ldap.patch
 #?
-Patch502: openssh-6.2p1-keycat.patch
+Patch502: openssh-6.3p1-keycat.patch
 #http6://bugzilla.mindrot.org/show_bug.cgi?id=1644
 Patch601: openssh-5.2p1-allow-ip-opts.patch
@ -141,7 +141,7 @@ Patch608: openssh-6.1p1-askpass-ld.patch
 Patch609: openssh-5.5p1-x11.patch
 #?
-Patch700: openssh-6.2p1-fips.patch
+Patch700: openssh-6.3p1-fips.patch
 #?
 Patch701: openssh-5.6p1-exit-deadlock.patch
 #?
@ -155,7 +155,7 @@ Patch705: openssh-5.1p1-scp-manpage.patch
 #?
 Patch706: openssh-5.8p1-localdomain.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1635 (WONTFIX)
-Patch707: openssh-6.1p1-redhat.patch
+Patch707: openssh-6.3p1-redhat.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1890 (WONTFIX) need integration to prng helper which is discontinued :)
 Patch708: openssh-6.2p1-entropy.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1640 (WONTFIX)
@ -163,29 +163,19 @@ Patch709: openssh-6.2p1-vendor.patch
 # warn users for unsupported UsePAM=no (#757545)
 Patch711: openssh-6.1p1-log-usepam-no.patch
 # make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
-Patch712: openssh-5.9p1-ctr-evp-fast.patch
+Patch712: openssh-6.3p1-ctr-evp-fast.patch
 # add cavs test binary for the aes-ctr
-Patch713: openssh-6.2p1-ctr-cavstest.patch
+Patch713: openssh-6.3p1-ctr-cavstest.patch
 #http://www.sxw.org.uk/computing/patches/openssh.html
 #changed cache storage type - #848228
-Patch800: openssh-6.2p1-gsskex.patch
+Patch800: openssh-6.3p1-gsskex.patch
 #http://www.mail-archive.com/kerberos@mit.edu/msg17591.html
-Patch801: openssh-6.2p1-force_krb.patch
+Patch801: openssh-6.3p1-force_krb.patch
 Patch900: openssh-6.1p1-gssapi-canohost.patch
 #https://bugzilla.mindrot.org/show_bug.cgi?id=1780
-Patch901: openssh-6.2p1-kuserok.patch
+Patch901: openssh-6.3p1-kuserok.patch
 # build regress/modpipe tests with $(CFLAGS), based on
 # http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-March/031167.html
 Patch905: openssh-6.2p1-modpipe-cflags.patch
 # add latest config.{sub,guess} to support aarch64 (#926284)
 Patch907: openssh-6.2p1-aarch64.patch
 # make sftp's libedit interface marginally multibyte aware (#841771)
 Patch908: openssh-6.2p2-sftp-multibyte.patch
 # don't show Success for EAI_SYSTEM (#985964)
 Patch909: openssh-6.2p2-ssh_gai_strerror.patch
 License: BSD
@ -404,10 +394,6 @@ popd
 %patch900 -p1 -b .canohost
 %patch901 -p1 -b .kuserok
 %patch905 -p1 -b .modpipe-cflags
 %patch907 -p1 -b .aarch64
 %patch908 -p1 -b .sftp-multibyte
 %patch909 -p1 -b .ssh_gai_strerror
 %if 0
 # Nothing here yet