resolve warnings in port_linux.c

openssh-5.8p1-entropy.patch

@@ -1,7 +1,15 @@
 diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
 --- openssh-5.8p1/entropy.c.entropy	2011-01-13 11:05:29.000000000 +0100
-+++ openssh-5.8p1/entropy.c	2011-03-28 16:22:37.422648742 +0200
-@@ -144,6 +144,9 @@ seed_rng(void)
++++ openssh-5.8p1/entropy.c	2011-04-01 10:23:58.318648953 +0200
+@@ -50,6 +50,7 @@
+ #include "pathnames.h"
+ #include "log.h"
+ #include "buffer.h"
++#include "openbsd-compat/port-linux.h"
+ 
+ /*
+  * Portable OpenSSH PRNG seeding:
+@@ -144,6 +145,9 @@ seed_rng(void)
  	memset(buf, '\0', sizeof(buf));
  
  #endif /* OPENSSL_PRNG_ONLY */
@@ -13,7 +21,7 @@ diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
  }
 diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-compat/Makefile.in
 --- openssh-5.8p1/openbsd-compat/Makefile.in.entropy	2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-03-28 16:22:37.484648793 +0200
++++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-04-01 10:21:38.251648364 +0200
 @@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
  
  COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@@ -23,10 +31,22 @@ diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-
  
  .c.o:
  	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
+diff -up openssh-5.8p1/openbsd-compat/port-linux.h.entropy openssh-5.8p1/openbsd-compat/port-linux.h
+--- openssh-5.8p1/openbsd-compat/port-linux.h.entropy	2011-04-01 10:22:10.165648950 +0200
++++ openssh-5.8p1/openbsd-compat/port-linux.h	2011-04-01 10:22:36.965648719 +0200
+@@ -19,6 +19,8 @@
+ #ifndef _PORT_LINUX_H
+ #define _PORT_LINUX_H
+ 
++void linux_seed(void);
++
+ #ifdef WITH_SELINUX
+ int ssh_selinux_enabled(void);
+ void ssh_selinux_setup_pty(char *, const char *);
 diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/openbsd-compat/port-linux-prng.c
---- openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy	2011-03-28 16:22:37.508648739 +0200
-+++ openssh-5.8p1/openbsd-compat/port-linux-prng.c	2011-03-28 16:22:37.520650578 +0200
-@@ -0,0 +1,55 @@
+--- openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy	2011-04-01 10:21:38.302648133 +0200
++++ openssh-5.8p1/openbsd-compat/port-linux-prng.c	2011-04-01 10:21:38.311648282 +0200
+@@ -0,0 +1,56 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
 +/*
@@ -55,6 +75,7 @@ diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/op
 +#include <stdarg.h>
 +#include <string.h>
 +#include <stdio.h>
++#include <openssl/rand.h>
 +
 +#include "log.h"
 +#include "xmalloc.h"
@@ -84,7 +105,7 @@ diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/op
 +}
 diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
 --- openssh-5.8p1/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
-+++ openssh-5.8p1/ssh.1	2011-03-28 16:22:37.621648461 +0200
++++ openssh-5.8p1/ssh.1	2011-04-01 10:21:38.352648197 +0200
 @@ -1250,6 +1250,15 @@ For more information, see the
  .Cm PermitUserEnvironment
  option in
@@ -103,7 +124,7 @@ diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
  .It Pa ~/.rhosts
 diff -up openssh-5.8p1/ssh-add.1.entropy openssh-5.8p1/ssh-add.1
 --- openssh-5.8p1/ssh-add.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-add.1	2011-03-28 16:22:37.674648474 +0200
++++ openssh-5.8p1/ssh-add.1	2011-04-01 10:21:38.416648713 +0200
 @@ -157,6 +157,15 @@ to make this work.)
  Identifies the path of a
  .Ux Ns -domain
@@ -122,7 +143,7 @@ diff -up openssh-5.8p1/ssh-add.1.entropy openssh-5.8p1/ssh-add.1
  .Bl -tag -width Ds
 diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
 --- openssh-5.8p1/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
-+++ openssh-5.8p1/ssh-agent.1	2011-03-28 16:22:37.729648529 +0200
++++ openssh-5.8p1/ssh-agent.1	2011-04-01 10:21:38.459648714 +0200
 @@ -198,6 +198,18 @@ sockets used to contain the connection t
  These sockets should only be readable by the owner.
  The sockets should get automatically removed when the agent exits.
@@ -144,7 +165,7 @@ diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
  .Xr ssh-add 1 ,
 diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
 --- openssh-5.8p1/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/sshd.8	2011-03-28 16:22:37.789648521 +0200
++++ openssh-5.8p1/sshd.8	2011-04-01 10:21:38.505648778 +0200
 @@ -937,6 +937,18 @@ concurrently for different ports, this c
  started last).
  The content of this file is not sensitive; it can be world-readable.
@@ -166,7 +187,7 @@ diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
  .Xr sftp 1 ,
 diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
 --- openssh-5.8p1/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.1	2011-03-28 16:22:37.845648487 +0200
++++ openssh-5.8p1/ssh-keygen.1	2011-04-01 10:21:38.554648691 +0200
 @@ -655,6 +655,18 @@ Contains Diffie-Hellman groups used for 
  The file format is described in
  .Xr moduli 5 .
@@ -188,7 +209,7 @@ diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
  .Xr ssh-add 1 ,
 diff -up openssh-5.8p1/ssh-keysign.8.entropy openssh-5.8p1/ssh-keysign.8
 --- openssh-5.8p1/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1/ssh-keysign.8	2011-03-28 16:22:37.900648475 +0200
++++ openssh-5.8p1/ssh-keysign.8	2011-04-01 10:21:38.606648660 +0200
 @@ -78,6 +78,18 @@ must be set-uid root if host-based authe
  If these files exist they are assumed to contain public certificate
  information corresponding with the private keys above.

openssh-5.8p1-fips.patch

@@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 --- openssh-5.8p1/authfile.c.fips	2010-12-01 02:03:39.000000000 +0100
-+++ openssh-5.8p1/authfile.c	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/authfile.c	2011-04-01 09:34:12.136698711 +0200
 @@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
  	/* Allocate space for the private part of the key in the buffer. */
  	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@@ -35,8 +35,8 @@ diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
  	    buffer_ptr(blob), buffer_len(blob));
  	cipher_cleanup(&ciphercontext);
 diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
---- openssh-5.8p1/cipher.c.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/cipher.c	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/cipher.c.fips	2011-04-01 09:34:05.444648701 +0200
++++ openssh-5.8p1/cipher.c	2011-04-01 09:34:12.184648648 +0200
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -123,7 +123,7 @@ diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
  /*
 diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 --- openssh-5.8p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
-+++ openssh-5.8p1/cipher-ctr.c	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/cipher-ctr.c	2011-04-01 09:34:12.228648747 +0200
 @@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
  	aes_ctr.do_cipher = ssh_aes_ctr;
  #ifndef SSH_OLD_EVP
@@ -135,8 +135,8 @@ diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
  	return (&aes_ctr);
  }
 diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
---- openssh-5.8p1/cipher.h.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/cipher.h	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/cipher.h.fips	2011-04-01 09:34:05.488648661 +0200
++++ openssh-5.8p1/cipher.h	2011-04-01 09:34:12.270648743 +0200
 @@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
      const u_char *, u_int, int);
  void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@@ -147,8 +147,8 @@ diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
  u_int	 cipher_keylen(const Cipher *);
  u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
---- openssh-5.8p1/key.c.fips	2011-02-25 09:23:19.000000000 +0100
-+++ openssh-5.8p1/key.c	2011-02-25 09:24:35.000000000 +0100
+--- openssh-5.8p1/key.c.fips	2011-04-01 09:34:07.105648513 +0200
++++ openssh-5.8p1/key.c	2011-04-01 09:34:12.329648473 +0200
 @@ -40,6 +40,7 @@
  #include <sys/types.h>
  
@@ -175,8 +175,8 @@ diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
  	}
  	return rv;
 diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
---- openssh-5.8p1/mac.c.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/mac.c	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/mac.c.fips	2011-04-01 09:34:06.204648928 +0200
++++ openssh-5.8p1/mac.c	2011-04-01 09:34:12.379648663 +0200
 @@ -28,6 +28,7 @@
  #include <sys/types.h>
  
@@ -227,9 +227,9 @@ diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
  	for (i = 0; macs[i].name; i++) {
  		if (strcmp(name, macs[i].name) == 0) {
 diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
---- openssh-5.8p1/Makefile.in.fips	2011-02-25 09:23:19.000000000 +0100
-+++ openssh-5.8p1/Makefile.in	2011-02-25 09:23:19.000000000 +0100
-@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
+--- openssh-5.8p1/Makefile.in.fips	2011-04-01 09:34:09.725648593 +0200
++++ openssh-5.8p1/Makefile.in	2011-04-01 09:34:12.422658984 +0200
+@@ -146,25 +146,25 @@ libssh.a: $(LIBSSH_OBJS)
  	$(RANLIB) $@
  
  ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@@ -261,7 +261,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
  
  ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
  	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -172,7 +172,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+@@ -173,7 +173,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
  	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
  
  ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@@ -272,7 +272,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
  	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 --- openssh-5.8p1/myproposal.h.fips	2011-01-13 12:00:22.000000000 +0100
-+++ openssh-5.8p1/myproposal.h	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/myproposal.h	2011-04-01 09:34:12.583648839 +0200
 @@ -81,7 +81,12 @@
  	"hmac-sha1-96,hmac-md5-96"
  #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
@@ -289,51 +289,65 @@ diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
  	KEX_DEFAULT_KEX,
 diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-25 09:23:19.000000000 +0100
-@@ -39,6 +39,7 @@
- static int rc4_ready = 0;
- static RC4_KEY rc4;
++++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-04-01 09:36:17.282648749 +0200
+@@ -37,25 +37,18 @@
+ #define REKEY_BYTES	(1 << 24)
+ 
+ static int rc4_ready = 0;
+-static RC4_KEY rc4;
  
-+#if 0
  unsigned int
  arc4random(void)
  {
-@@ -82,6 +83,32 @@ arc4random_stir(void)
- 
- 	rc4_ready = REKEY_BYTES;
- }
-+#else
-+unsigned int
-+arc4random(void)
-+{
-+	unsigned int r = 0;
+ 	unsigned int r = 0;
+-	static int first_time = 1;
 +	void *rp = &r;
-+
+ 
+-	if (rc4_ready <= 0) {
+-		if (first_time)
+-			seed_rng();
+-		first_time = 0;
 +	if (!rc4_ready) {
-+		arc4random_stir();
-+	}
+ 		arc4random_stir();
+ 	}
 +	RAND_bytes(rp, sizeof(r));
-+
-+	return(r);
-+}
-+
-+void
-+arc4random_stir(void)
-+{
-+	unsigned char rand_buf[SEED_SIZE];
-+
-+	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
-+		fatal("Couldn't obtain random bytes (error %ld)",
-+		    ERR_get_error());
+ 
+-	RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
+-
+-	rc4_ready -= sizeof(r);
+-	
+ 	return(r);
+ }
+ 
+@@ -63,24 +56,11 @@ void
+ arc4random_stir(void)
+ {
+ 	unsigned char rand_buf[SEED_SIZE];
+-	int i;
+ 
+-	memset(&rc4, 0, sizeof(rc4));
+ 	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
+ 		fatal("Couldn't obtain random bytes (error %ld)",
+ 		    ERR_get_error());
+-	RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
+-
+-	/*
+-	 * Discard early keystream, as per recommendations in:
+-	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
+-	 */
+-	for(i = 0; i <= 256; i += sizeof(rand_buf))
+-		RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
+-
+-	memset(rand_buf, 0, sizeof(rand_buf));
+-
+-	rc4_ready = REKEY_BYTES;
 +	rc4_ready = 1;
-+}
-+#endif
+ }
  #endif /* !HAVE_ARC4RANDOM */
  
- #ifndef HAVE_ARC4RANDOM_BUF
 diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 --- openssh-5.8p1/ssh.c.fips	2011-02-04 01:42:15.000000000 +0100
-+++ openssh-5.8p1/ssh.c	2011-02-25 09:23:19.000000000 +0100
++++ openssh-5.8p1/ssh.c	2011-04-01 09:34:12.689648154 +0200
 @@ -73,6 +73,8 @@
  
  #include <openssl/evp.h>
@@ -397,8 +411,8 @@ diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
  	if (ssh_connect(host, &hostaddr, options.port,
  	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
---- openssh-5.8p1/sshconnect2.c.fips	2011-02-25 09:23:18.000000000 +0100
-+++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/sshconnect2.c.fips	2011-04-01 09:34:03.780648205 +0200
++++ openssh-5.8p1/sshconnect2.c	2011-04-01 09:34:12.739648223 +0200
 @@ -44,6 +44,8 @@
  #include <vis.h>
  #endif
@@ -432,8 +446,8 @@ diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
  		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
  		    options.hostkeyalgorithms;
 diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
---- openssh-5.8p1/sshd.c.fips	2011-02-25 09:23:19.000000000 +0100
-+++ openssh-5.8p1/sshd.c	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/sshd.c.fips	2011-04-01 09:34:11.218648712 +0200
++++ openssh-5.8p1/sshd.c	2011-04-01 09:34:12.835695243 +0200
 @@ -76,6 +76,8 @@
  #include <openssl/bn.h>
  #include <openssl/md5.h>
@@ -443,7 +457,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  #include "openbsd-compat/openssl-compat.h"
  
  #ifdef HAVE_SECUREWARE
-@@ -1364,6 +1366,12 @@ main(int ac, char **av)
+@@ -1368,6 +1370,12 @@ main(int ac, char **av)
  	(void)set_auth_parameters(ac, av);
  #endif
  	__progname = ssh_get_progname(av[0]);
@@ -456,7 +470,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	init_rng();
  
  	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1525,8 +1533,6 @@ main(int ac, char **av)
+@@ -1529,8 +1537,6 @@ main(int ac, char **av)
  	else
  		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
  
@@ -465,7 +479,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	/*
  	 * Force logging to stderr until we have loaded the private host
  	 * key (unless started from inetd)
-@@ -1645,6 +1651,10 @@ main(int ac, char **av)
+@@ -1649,6 +1655,10 @@ main(int ac, char **av)
  		debug("private host key: #%d type %d %s", i, key->type,
  		    key_type(key));
  	}
@@ -476,7 +490,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
-@@ -1809,6 +1819,10 @@ main(int ac, char **av)
+@@ -1813,6 +1823,10 @@ main(int ac, char **av)
  	/* Initialize the random number generator. */
  	arc4random_stir();
  
@@ -487,7 +501,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	/* Chdir to the root directory so that the current disk can be
  	   unmounted if desired. */
  	chdir("/");
-@@ -2350,6 +2364,9 @@ do_ssh2_kex(void)
+@@ -2355,6 +2369,9 @@ do_ssh2_kex(void)
  	if (options.ciphers != NULL) {
  		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@@ -497,7 +511,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
  	}
  	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
  	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2359,6 +2376,9 @@ do_ssh2_kex(void)
+@@ -2364,6 +2381,9 @@ do_ssh2_kex(void)
  	if (options.macs != NULL) {
  		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
  		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;

openssh-5.8p1-pwchange.patch

@@ -6,7 +6,7 @@ diff -up openssh-5.8p1/session.c.pwchange openssh-5.8p1/session.c
  		fprintf(stderr,
  		    "You must change your password now and login again!\n");
 +#ifdef __linux__
-+		execl("/bin/sh", "sh", "-c", "passwd", s->pw->pw_name,
++		execl("/bin/sh", "sh", "-c", _PATH_PASSWD_PROG, s->pw->pw_name,
 +		    (char *)NULL);
 +#else
  #ifdef PASSWD_NEEDS_USERNAME

openssh-nukeacss.sh

@@ -7,11 +7,12 @@
 patch -sp0 << EOF
 --- cipher.c.orig       2005-07-17 09:02:10.000000000 +0200
 +++ cipher.c    2005-09-06 14:52:06.000000000 +0200
-@@ -45,6 +45,8 @@
+@@ -45,6 +45,9 @@
 
  /* compatibility with old or broken OpenSSL versions */
  #include "openbsd-compat/openssl-compat.h"
 +#undef USE_CIPHER_ACSS
++#undef EVP_acss
 +#define EVP_acss NULL
 
  extern const EVP_CIPHER *evp_ssh1_bf(void);