resolve warnings in port_linux.c

2011-04-01 10:54:41 +02:00 · 2011-04-01 10:54:41 +02:00 · 8ecc9b0555
commit 8ecc9b0555
parent 1f6bdc75f1
4 changed files with 108 additions and 72 deletions
--- a/openssh-5.8p1-entropy.patch
+++ b/openssh-5.8p1-entropy.patch
@ -1,7 +1,15 @@
 diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
 --- openssh-5.8p1/entropy.c.entropy	2011-01-13 11:05:29.000000000 +0100
-+++ openssh-5.8p1/entropy.c	2011-03-28 16:22:37.422648742 +0200
+++ openssh-5.8p1/entropy.c	2011-04-01 10:23:58.318648953 +0200
-@@ -144,6 +144,9 @@ seed_rng(void)
+@@ -50,6 +50,7 @@
 #include "pathnames.h"
 #include "log.h"
 #include "buffer.h"
 +#include "openbsd-compat/port-linux.h"
 /*
  * Portable OpenSSH PRNG seeding:
@@ -144,6 +145,9 @@ seed_rng(void)
 	memset(buf, '\0', sizeof(buf));
 #endif /* OPENSSL_PRNG_ONLY */
@ -13,7 +21,7 @@ diff -up openssh-5.8p1/entropy.c.entropy openssh-5.8p1/entropy.c
 }
 diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-compat/Makefile.in
 --- openssh-5.8p1/openbsd-compat/Makefile.in.entropy	2010-10-07 13:19:24.000000000 +0200
-+++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-03-28 16:22:37.484648793 +0200
+++ openssh-5.8p1/openbsd-compat/Makefile.in	2011-04-01 10:21:38.251648364 +0200
@@ -20,7 +20,7 @@ OPENBSD=base64.o basename.o bindresvport
 COMPAT=bsd-arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
@ -23,10 +31,22 @@ diff -up openssh-5.8p1/openbsd-compat/Makefile.in.entropy openssh-5.8p1/openbsd-
 .c.o:
 	$(CC) $(CFLAGS) $(CPPFLAGS) -c $<
 diff -up openssh-5.8p1/openbsd-compat/port-linux.h.entropy openssh-5.8p1/openbsd-compat/port-linux.h
 --- openssh-5.8p1/openbsd-compat/port-linux.h.entropy	2011-04-01 10:22:10.165648950 +0200
 +++ openssh-5.8p1/openbsd-compat/port-linux.h	2011-04-01 10:22:36.965648719 +0200
@@ -19,6 +19,8 @@
 #ifndef _PORT_LINUX_H
 #define _PORT_LINUX_H
 +void linux_seed(void);
 +
 #ifdef WITH_SELINUX
 int ssh_selinux_enabled(void);
 void ssh_selinux_setup_pty(char *, const char *);
 diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/openbsd-compat/port-linux-prng.c
--- openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy	2011-03-28 16:22:37.508648739 +0200
+--- openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy	2011-04-01 10:21:38.302648133 +0200
-+++ openssh-5.8p1/openbsd-compat/port-linux-prng.c	2011-03-28 16:22:37.520650578 +0200
+++ openssh-5.8p1/openbsd-compat/port-linux-prng.c	2011-04-01 10:21:38.311648282 +0200
-@@ -0,0 +1,55 @@
+@@ -0,0 +1,56 @@
 +/* $Id: port-linux.c,v 1.11.4.2 2011/02/04 00:43:08 djm Exp $ */
 +
 +/*
@ -55,6 +75,7 @@ diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/op
 +#include <stdarg.h>
 +#include <string.h>
 +#include <stdio.h>
 +#include <openssl/rand.h>
 +
 +#include "log.h"
 +#include "xmalloc.h"
@ -84,7 +105,7 @@ diff -up openssh-5.8p1/openbsd-compat/port-linux-prng.c.entropy openssh-5.8p1/op
 +}
 diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
 --- openssh-5.8p1/ssh.1.entropy	2010-11-20 05:21:03.000000000 +0100
-+++ openssh-5.8p1/ssh.1	2011-03-28 16:22:37.621648461 +0200
+++ openssh-5.8p1/ssh.1	2011-04-01 10:21:38.352648197 +0200
@@ -1250,6 +1250,15 @@ For more information, see the
 .Cm PermitUserEnvironment
 option in
@ -103,7 +124,7 @@ diff -up openssh-5.8p1/ssh.1.entropy openssh-5.8p1/ssh.1
 .It Pa ~/.rhosts
 diff -up openssh-5.8p1/ssh-add.1.entropy openssh-5.8p1/ssh-add.1
 --- openssh-5.8p1/ssh-add.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-add.1	2011-03-28 16:22:37.674648474 +0200
+++ openssh-5.8p1/ssh-add.1	2011-04-01 10:21:38.416648713 +0200
@@ -157,6 +157,15 @@ to make this work.)
 Identifies the path of a
 .Ux Ns -domain
@ -122,7 +143,7 @@ diff -up openssh-5.8p1/ssh-add.1.entropy openssh-5.8p1/ssh-add.1
 .Bl -tag -width Ds
 diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
 --- openssh-5.8p1/ssh-agent.1.entropy	2010-12-01 01:50:35.000000000 +0100
-+++ openssh-5.8p1/ssh-agent.1	2011-03-28 16:22:37.729648529 +0200
+++ openssh-5.8p1/ssh-agent.1	2011-04-01 10:21:38.459648714 +0200
@@ -198,6 +198,18 @@ sockets used to contain the connection t
 These sockets should only be readable by the owner.
 The sockets should get automatically removed when the agent exits.
@ -144,7 +165,7 @@ diff -up openssh-5.8p1/ssh-agent.1.entropy openssh-5.8p1/ssh-agent.1
 .Xr ssh-add 1 ,
 diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
 --- openssh-5.8p1/sshd.8.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/sshd.8	2011-03-28 16:22:37.789648521 +0200
+++ openssh-5.8p1/sshd.8	2011-04-01 10:21:38.505648778 +0200
@@ -937,6 +937,18 @@ concurrently for different ports, this c
 started last).
 The content of this file is not sensitive; it can be world-readable.
@ -166,7 +187,7 @@ diff -up openssh-5.8p1/sshd.8.entropy openssh-5.8p1/sshd.8
 .Xr sftp 1 ,
 diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
 --- openssh-5.8p1/ssh-keygen.1.entropy	2010-11-05 00:20:14.000000000 +0100
-+++ openssh-5.8p1/ssh-keygen.1	2011-03-28 16:22:37.845648487 +0200
+++ openssh-5.8p1/ssh-keygen.1	2011-04-01 10:21:38.554648691 +0200
@@ -655,6 +655,18 @@ Contains Diffie-Hellman groups used for 
 The file format is described in
 .Xr moduli 5 .
@ -188,7 +209,7 @@ diff -up openssh-5.8p1/ssh-keygen.1.entropy openssh-5.8p1/ssh-keygen.1
 .Xr ssh-add 1 ,
 diff -up openssh-5.8p1/ssh-keysign.8.entropy openssh-5.8p1/ssh-keysign.8
 --- openssh-5.8p1/ssh-keysign.8.entropy	2010-08-31 14:41:14.000000000 +0200
-+++ openssh-5.8p1/ssh-keysign.8	2011-03-28 16:22:37.900648475 +0200
+++ openssh-5.8p1/ssh-keysign.8	2011-04-01 10:21:38.606648660 +0200
@@ -78,6 +78,18 @@ must be set-uid root if host-based authe
 If these files exist they are assumed to contain public certificate
 information corresponding with the private keys above.
--- a/openssh-5.8p1-fips.patch
+++ b/openssh-5.8p1-fips.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 --- openssh-5.8p1/authfile.c.fips	2010-12-01 02:03:39.000000000 +0100
-+++ openssh-5.8p1/authfile.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/authfile.c	2011-04-01 09:34:12.136698711 +0200
@@ -145,8 +145,14 @@ key_private_rsa1_to_blob(Key *key, Buffe
 	/* Allocate space for the private part of the key in the buffer. */
 	cp = buffer_append_space(&encrypted, buffer_len(&buffer));
@ -35,8 +35,8 @@ diff -up openssh-5.8p1/authfile.c.fips openssh-5.8p1/authfile.c
 	    buffer_ptr(blob), buffer_len(blob));
 	cipher_cleanup(&ciphercontext);
 diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
--- openssh-5.8p1/cipher.c.fips	2011-02-25 09:23:18.000000000 +0100
+--- openssh-5.8p1/cipher.c.fips	2011-04-01 09:34:05.444648701 +0200
-+++ openssh-5.8p1/cipher.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/cipher.c	2011-04-01 09:34:12.184648648 +0200
@@ -40,6 +40,7 @@
 #include <sys/types.h>
@ -123,7 +123,7 @@ diff -up openssh-5.8p1/cipher.c.fips openssh-5.8p1/cipher.c
 /*
 diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 --- openssh-5.8p1/cipher-ctr.c.fips	2010-10-07 13:06:42.000000000 +0200
-+++ openssh-5.8p1/cipher-ctr.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/cipher-ctr.c	2011-04-01 09:34:12.228648747 +0200
@@ -140,7 +140,8 @@ evp_aes_128_ctr(void)
 	aes_ctr.do_cipher = ssh_aes_ctr;
 #ifndef SSH_OLD_EVP
@ -135,8 +135,8 @@ diff -up openssh-5.8p1/cipher-ctr.c.fips openssh-5.8p1/cipher-ctr.c
 	return (&aes_ctr);
 }
 diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
--- openssh-5.8p1/cipher.h.fips	2011-02-25 09:23:18.000000000 +0100
+--- openssh-5.8p1/cipher.h.fips	2011-04-01 09:34:05.488648661 +0200
-+++ openssh-5.8p1/cipher.h	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/cipher.h	2011-04-01 09:34:12.270648743 +0200
@@ -87,7 +87,7 @@ void	 cipher_init(CipherContext *, Ciphe
     const u_char *, u_int, int);
 void	 cipher_crypt(CipherContext *, u_char *, const u_char *, u_int);
@ -147,8 +147,8 @@ diff -up openssh-5.8p1/cipher.h.fips openssh-5.8p1/cipher.h
 u_int	 cipher_keylen(const Cipher *);
 u_int	 cipher_is_cbc(const Cipher *);
 diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
--- openssh-5.8p1/key.c.fips	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/key.c.fips	2011-04-01 09:34:07.105648513 +0200
-+++ openssh-5.8p1/key.c	2011-02-25 09:24:35.000000000 +0100
+++ openssh-5.8p1/key.c	2011-04-01 09:34:12.329648473 +0200
@@ -40,6 +40,7 @@
 #include <sys/types.h>
@ -175,8 +175,8 @@ diff -up openssh-5.8p1/key.c.fips openssh-5.8p1/key.c
 	}
 	return rv;
 diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
--- openssh-5.8p1/mac.c.fips	2011-02-25 09:23:18.000000000 +0100
+--- openssh-5.8p1/mac.c.fips	2011-04-01 09:34:06.204648928 +0200
-+++ openssh-5.8p1/mac.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/mac.c	2011-04-01 09:34:12.379648663 +0200
@@ -28,6 +28,7 @@
 #include <sys/types.h>
@ -227,9 +227,9 @@ diff -up openssh-5.8p1/mac.c.fips openssh-5.8p1/mac.c
 	for (i = 0; macs[i].name; i++) {
 		if (strcmp(name, macs[i].name) == 0) {
 diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
--- openssh-5.8p1/Makefile.in.fips	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/Makefile.in.fips	2011-04-01 09:34:09.725648593 +0200
-+++ openssh-5.8p1/Makefile.in	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/Makefile.in	2011-04-01 09:34:12.422658984 +0200
-@@ -145,25 +145,25 @@ libssh.a: $(LIBSSH_OBJS)
+@@ -146,25 +146,25 @@ libssh.a: $(LIBSSH_OBJS)
 	$(RANLIB) $@
 ssh$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHOBJS)
@ -261,7 +261,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
 ssh-pkcs11-helper$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-pkcs11-helper.o ssh-pkcs11.o
 	$(LD) -o $@ ssh-pkcs11-helper.o ssh-pkcs11.o $(LDFLAGS) -lssh -lopenbsd-compat -lssh -lopenbsd-compat $(LIBS)
-@@ -172,7 +172,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
+@@ -173,7 +173,7 @@ ssh-ldap-helper$(EXEEXT): $(LIBCOMPAT) l
 	$(LD) -o $@ ldapconf.o ldapbody.o ldapmisc.o ldap-helper.o $(LDFLAGS) -lssh -lopenbsd-compat -lfipscheck $(LIBS)
 ssh-keyscan$(EXEEXT): $(LIBCOMPAT) libssh.a ssh-keyscan.o roaming_dummy.o
@ -272,7 +272,7 @@ diff -up openssh-5.8p1/Makefile.in.fips openssh-5.8p1/Makefile.in
 	$(LD) -o $@ sftp-server.o sftp-common.o sftp-server-main.o $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS)
 diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 --- openssh-5.8p1/myproposal.h.fips	2011-01-13 12:00:22.000000000 +0100
-+++ openssh-5.8p1/myproposal.h	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/myproposal.h	2011-04-01 09:34:12.583648839 +0200
@@ -81,7 +81,12 @@
 	"hmac-sha1-96,hmac-md5-96"
 #define	KEX_DEFAULT_COMP	"none,zlib@openssh.com,zlib"
@ -289,51 +289,65 @@ diff -up openssh-5.8p1/myproposal.h.fips openssh-5.8p1/myproposal.h
 	KEX_DEFAULT_KEX,
 diff -up openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips openssh-5.8p1/openbsd-compat/bsd-arc4random.c
 --- openssh-5.8p1/openbsd-compat/bsd-arc4random.c.fips	2010-03-25 22:52:02.000000000 +0100
-+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/openbsd-compat/bsd-arc4random.c	2011-04-01 09:36:17.282648749 +0200
-@@ -39,6 +39,7 @@
+@@ -37,25 +37,18 @@
- static int rc4_ready = 0;
+ #define REKEY_BYTES	(1 << 24)
- static RC4_KEY rc4;
+ 
 static int rc4_ready = 0;
 -static RC4_KEY rc4;
 +#if 0
 unsigned int
 arc4random(void)
 {
-@@ -82,6 +83,32 @@ arc4random_stir(void)
+ 	unsigned int r = 0;
- 
+-	static int first_time = 1;
 	rc4_ready = REKEY_BYTES;
 }
 +#else
 +unsigned int
 +arc4random(void)
 +{
 +	unsigned int r = 0;
 +	void *rp = &r;
-+
+ 
 -	if (rc4_ready <= 0) {
 -		if (first_time)
 -			seed_rng();
 -		first_time = 0;
 +	if (!rc4_ready) {
-+		arc4random_stir();
+ 		arc4random_stir();
-+	}
+ 	}
 +	RAND_bytes(rp, sizeof(r));
-+
+ 
-+	return(r);
+-	RC4(&rc4, sizeof(r), (unsigned char *)&r, (unsigned char *)&r);
-+}
+-
-+
+-	rc4_ready -= sizeof(r);
-+void
+-	
-+arc4random_stir(void)
+ 	return(r);
-+{
+ }
-+	unsigned char rand_buf[SEED_SIZE];
+ 
-+
+@@ -63,24 +56,11 @@ void
-+	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
+ arc4random_stir(void)
-+		fatal("Couldn't obtain random bytes (error %ld)",
+ {
-+		    ERR_get_error());
+ 	unsigned char rand_buf[SEED_SIZE];
 -	int i;
 -	memset(&rc4, 0, sizeof(rc4));
 	if (RAND_bytes(rand_buf, sizeof(rand_buf)) <= 0)
 		fatal("Couldn't obtain random bytes (error %ld)",
 		    ERR_get_error());
 -	RC4_set_key(&rc4, sizeof(rand_buf), rand_buf);
 -
 -	/*
 -	 * Discard early keystream, as per recommendations in:
 -	 * http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
 -	 */
 -	for(i = 0; i <= 256; i += sizeof(rand_buf))
 -		RC4(&rc4, sizeof(rand_buf), rand_buf, rand_buf);
 -
 -	memset(rand_buf, 0, sizeof(rand_buf));
 -
 -	rc4_ready = REKEY_BYTES;
 +	rc4_ready = 1;
-+}
+ }
 +#endif
 #endif /* !HAVE_ARC4RANDOM */
 #ifndef HAVE_ARC4RANDOM_BUF
 diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 --- openssh-5.8p1/ssh.c.fips	2011-02-04 01:42:15.000000000 +0100
-+++ openssh-5.8p1/ssh.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/ssh.c	2011-04-01 09:34:12.689648154 +0200
@@ -73,6 +73,8 @@
 #include <openssl/evp.h>
@ -397,8 +411,8 @@ diff -up openssh-5.8p1/ssh.c.fips openssh-5.8p1/ssh.c
 	if (ssh_connect(host, &hostaddr, options.port,
 	    options.address_family, options.connection_attempts, &timeout_ms,
 diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
--- openssh-5.8p1/sshconnect2.c.fips	2011-02-25 09:23:18.000000000 +0100
+--- openssh-5.8p1/sshconnect2.c.fips	2011-04-01 09:34:03.780648205 +0200
-+++ openssh-5.8p1/sshconnect2.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/sshconnect2.c	2011-04-01 09:34:12.739648223 +0200
@@ -44,6 +44,8 @@
 #include <vis.h>
 #endif
@ -432,8 +446,8 @@ diff -up openssh-5.8p1/sshconnect2.c.fips openssh-5.8p1/sshconnect2.c
 		myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] =
 		    options.hostkeyalgorithms;
 diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
--- openssh-5.8p1/sshd.c.fips	2011-02-25 09:23:19.000000000 +0100
+--- openssh-5.8p1/sshd.c.fips	2011-04-01 09:34:11.218648712 +0200
-+++ openssh-5.8p1/sshd.c	2011-02-25 09:23:19.000000000 +0100
+++ openssh-5.8p1/sshd.c	2011-04-01 09:34:12.835695243 +0200
@@ -76,6 +76,8 @@
 #include <openssl/bn.h>
 #include <openssl/md5.h>
@ -443,7 +457,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 #include "openbsd-compat/openssl-compat.h"
 #ifdef HAVE_SECUREWARE
-@@ -1364,6 +1366,12 @@ main(int ac, char **av)
+@@ -1368,6 +1370,12 @@ main(int ac, char **av)
 	(void)set_auth_parameters(ac, av);
 #endif
 	__progname = ssh_get_progname(av[0]);
@ -456,7 +470,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	init_rng();
 	/* Save argv. Duplicate so setproctitle emulation doesn't clobber it */
-@@ -1525,8 +1533,6 @@ main(int ac, char **av)
+@@ -1529,8 +1537,6 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
@ -465,7 +479,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	/*
 	 * Force logging to stderr until we have loaded the private host
 	 * key (unless started from inetd)
-@@ -1645,6 +1651,10 @@ main(int ac, char **av)
+@@ -1649,6 +1655,10 @@ main(int ac, char **av)
 		debug("private host key: #%d type %d %s", i, key->type,
 		    key_type(key));
 	}
@ -476,7 +490,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	if ((options.protocol & SSH_PROTO_1) && !sensitive_data.have_ssh1_key) {
 		logit("Disabling protocol version 1. Could not load host key");
 		options.protocol &= ~SSH_PROTO_1;
-@@ -1809,6 +1819,10 @@ main(int ac, char **av)
+@@ -1813,6 +1823,10 @@ main(int ac, char **av)
 	/* Initialize the random number generator. */
 	arc4random_stir();
@ -487,7 +501,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
 	chdir("/");
-@@ -2350,6 +2364,9 @@ do_ssh2_kex(void)
+@@ -2355,6 +2369,9 @@ do_ssh2_kex(void)
 	if (options.ciphers != NULL) {
 		myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 		myproposal[PROPOSAL_ENC_ALGS_STOC] = options.ciphers;
@ -497,7 +511,7 @@ diff -up openssh-5.8p1/sshd.c.fips openssh-5.8p1/sshd.c
 	}
 	myproposal[PROPOSAL_ENC_ALGS_CTOS] =
 	    compat_cipher_proposal(myproposal[PROPOSAL_ENC_ALGS_CTOS]);
-@@ -2359,6 +2376,9 @@ do_ssh2_kex(void)
+@@ -2364,6 +2381,9 @@ do_ssh2_kex(void)
 	if (options.macs != NULL) {
 		myproposal[PROPOSAL_MAC_ALGS_CTOS] =
 		myproposal[PROPOSAL_MAC_ALGS_STOC] = options.macs;
--- a/openssh-5.8p1-pwchange.patch
+++ b/openssh-5.8p1-pwchange.patch
@ -6,7 +6,7 @@ diff -up openssh-5.8p1/session.c.pwchange openssh-5.8p1/session.c
 		fprintf(stderr,
 		    "You must change your password now and login again!\n");
 +#ifdef __linux__
-+		execl("/bin/sh", "sh", "-c", "passwd", s->pw->pw_name,
+		execl("/bin/sh", "sh", "-c", _PATH_PASSWD_PROG, s->pw->pw_name,
 +		    (char *)NULL);
 +#else
 #ifdef PASSWD_NEEDS_USERNAME
--- a/openssh-nukeacss.sh
+++ b/openssh-nukeacss.sh
@ -7,11 +7,12 @@
 patch -sp0 << EOF
 --- cipher.c.orig       2005-07-17 09:02:10.000000000 +0200
 +++ cipher.c    2005-09-06 14:52:06.000000000 +0200
-@@ -45,6 +45,8 @@
+@@ -45,6 +45,9 @@
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
 +#undef USE_CIPHER_ACSS
 +#undef EVP_acss
 +#define EVP_acss NULL
 extern const EVP_CIPHER *evp_ssh1_bf(void);