coverity upgrade

wipe off nonfunctional nss selinux sandbox tweaking
2011-09-14 17:03:03 +02:00 · 2011-09-14 17:03:03 +02:00 · cff1d0c39d
commit cff1d0c39d
parent c870e661c7
10 changed files with 366 additions and 286 deletions
--- a/openssh-5.8p1-wIm.patch
+++ b/openssh-5.8p1-wIm.patch
@ -1,75 +0,0 @@
 diff -up openssh-5.8p1/log.h.wIm openssh-5.8p1/log.h
 --- openssh-5.8p1/log.h.wIm	2008-06-13 02:22:54.000000000 +0200
 +++ openssh-5.8p1/log.h	2011-02-22 09:21:58.000000000 +0100
@@ -63,6 +63,8 @@ void     verbose(const char *, ...) __at
 void     debug(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
 +void	 _debug_wIm_body(const char *, const char *, const char *, int);
 +#define	debug_wIm(a) _debug_wIm_body(a,__func__,__FILE__,__LINE__)
 void	 do_log(LogLevel, const char *, va_list);
 void	 cleanup_exit(int) __attribute__((noreturn));
 diff -up openssh-5.8p1/Makefile.in.wIm openssh-5.8p1/Makefile.in
 --- openssh-5.8p1/Makefile.in.wIm	2011-02-04 01:42:13.000000000 +0100
 +++ openssh-5.8p1/Makefile.in	2011-02-22 09:20:18.000000000 +0100
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 -	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 +	readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 diff -up openssh-5.8p1/sshd.c.wIm openssh-5.8p1/sshd.c
 --- openssh-5.8p1/sshd.c.wIm	2011-01-11 07:20:31.000000000 +0100
 +++ openssh-5.8p1/sshd.c	2011-02-22 09:20:18.000000000 +0100
@@ -139,6 +139,9 @@ int deny_severity;
 extern char *__progname;
 +/* trace of fork processes */
 +extern int whereIam;
 +
 /* Server configuration options. */
 ServerOptions options;
@@ -652,6 +655,7 @@ privsep_preauth(Authctxt *authctxt)
 	} else {
 		/* child */
 +		whereIam = 1;
 		close(pmonitor->m_sendfd);
 		/* Demote the child */
@@ -693,6 +697,7 @@ privsep_postauth(Authctxt *authctxt)
 		exit(0);
 	}
 +	whereIam = 2;
 	close(pmonitor->m_sendfd);
 	/* Demote the private keys to public keys. */
@@ -1302,6 +1307,8 @@ main(int ac, char **av)
 	Key *key;
 	Authctxt *authctxt;
 +	whereIam = 0;
 +
 #ifdef HAVE_SECUREWARE
 	(void)set_auth_parameters(ac, av);
 #endif
 diff -up openssh-5.8p1/whereIam.c.wIm openssh-5.8p1/whereIam.c
 --- openssh-5.8p1/whereIam.c.wIm	2011-02-22 09:20:18.000000000 +0100
 +++ openssh-5.8p1/whereIam.c	2011-02-22 09:24:01.000000000 +0100
@@ -0,0 +1,9 @@
 +
 +int whereIam = -1;
 +
 +void _debug_wIm_body(const char *txt, const char *func, const char *file, int line)
 +{
 +	debug("%s: %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, func, file, line, whereIam, getuid(), geteuid());
 +}
 +
 +
--- a/openssh-5.9p1-2auth.patch
+++ b/openssh-5.9p1-2auth.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.9p0/auth.h.2auth openssh-5.9p0/auth.h
+diff -up openssh-5.9p1/auth.h.2auth openssh-5.9p1/auth.h
--- openssh-5.9p0/auth.h.2auth	2011-05-29 13:39:38.000000000 +0200
+--- openssh-5.9p1/auth.h.2auth	2011-05-29 13:39:38.000000000 +0200
-+++ openssh-5.9p0/auth.h	2011-09-05 13:16:00.550626991 +0200
+++ openssh-5.9p1/auth.h	2011-09-13 20:25:22.250474950 +0200
@@ -149,6 +149,8 @@ int	auth_root_allowed(char *);
 char	*auth2_read_banner(void);
@ -10,9 +10,9 @@ diff -up openssh-5.9p0/auth.h.2auth openssh-5.9p0/auth.h
 void	privsep_challenge_enable(void);
 int	auth2_challenge(Authctxt *, char *);
-diff -up openssh-5.9p0/auth2.c.2auth openssh-5.9p0/auth2.c
+diff -up openssh-5.9p1/auth2.c.2auth openssh-5.9p1/auth2.c
--- openssh-5.9p0/auth2.c.2auth	2011-05-05 06:04:11.000000000 +0200
+--- openssh-5.9p1/auth2.c.2auth	2011-05-05 06:04:11.000000000 +0200
-+++ openssh-5.9p0/auth2.c	2011-09-05 13:16:00.640626827 +0200
+++ openssh-5.9p1/auth2.c	2011-09-13 20:25:22.348458588 +0200
@@ -290,6 +290,23 @@ input_userauth_request(int type, u_int32
 }
@ -61,9 +61,9 @@ diff -up openssh-5.9p0/auth2.c.2auth openssh-5.9p0/auth2.c
 		methods = authmethods_get();
 		packet_start(SSH2_MSG_USERAUTH_FAILURE);
 		packet_put_cstring(methods);
-diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
+diff -up openssh-5.9p1/monitor.c.2auth openssh-5.9p1/monitor.c
--- openssh-5.9p0/monitor.c.2auth	2011-08-05 22:15:18.000000000 +0200
+--- openssh-5.9p1/monitor.c.2auth	2011-09-13 20:25:18.031458843 +0200
-+++ openssh-5.9p0/monitor.c	2011-09-05 13:37:35.468502112 +0200
+++ openssh-5.9p1/monitor.c	2011-09-13 20:53:29.345644462 +0200
@@ -165,6 +165,7 @@ int mm_answer_jpake_step1(int, Buffer *)
 int mm_answer_jpake_step2(int, Buffer *);
 int mm_answer_jpake_key_confirm(int, Buffer *);
@ -80,7 +80,7 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
     {0, 0, NULL}
 };
-@@ -378,9 +380,9 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -378,7 +380,7 @@ monitor_child_preauth(Authctxt *_authctx
 	}
 	/* The first few requests do not require asynchronous access */
@ -89,9 +89,7 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
 		auth_method = "unknown";
 		authenticated = (monitor_read(pmonitor, mon_dispatch, &ent) == 1);
 		if (authenticated) {
- 			if (!(ent->flags & MON_AUTHDECIDE))
+@@ -390,7 +392,7 @@ monitor_child_preauth(Authctxt *_authctx
 				fatal("%s: unexpected authentication from %d",
@@ -390,7 +393,7 @@ monitor_child_preauth(Authctxt *_authctx
 				authenticated = 0;
 #ifdef USE_PAM
 			/* PAM needs to perform account checks after auth */
@ -100,7 +98,7 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
 				Buffer m;
 				buffer_init(&m);
-@@ -2000,6 +2006,19 @@ monitor_reinit(struct monitor *mon)
+@@ -2001,6 +2003,24 @@ monitor_reinit(struct monitor *mon)
 	monitor_openfds(mon, 0);
 }
@ -114,15 +112,20 @@ diff -up openssh-5.9p0/monitor.c.2auth openssh-5.9p0/monitor.c
 +
 +	userauth_restart(method);
 +
 +	xfree(method);
 +	buffer_clear(m);
 +
 +	mm_request_send(sock, MONITOR_ANS_USERAUTH_RESTART, m);
 +
 +	return (0);
 +}
 +
 #ifdef GSSAPI
 int
 mm_answer_gss_setup_ctx(int sock, Buffer *m)
-diff -up openssh-5.9p0/monitor.h.2auth openssh-5.9p0/monitor.h
+diff -up openssh-5.9p1/monitor.h.2auth openssh-5.9p1/monitor.h
--- openssh-5.9p0/monitor.h.2auth	2011-06-20 06:42:23.000000000 +0200
+--- openssh-5.9p1/monitor.h.2auth	2011-06-20 06:42:23.000000000 +0200
-+++ openssh-5.9p0/monitor.h	2011-09-05 13:16:00.855502353 +0200
+++ openssh-5.9p1/monitor.h	2011-09-13 20:25:22.615458574 +0200
@@ -66,6 +66,7 @@ enum monitor_reqtype {
 	MONITOR_REQ_JPAKE_STEP2, MONITOR_ANS_JPAKE_STEP2,
 	MONITOR_REQ_JPAKE_KEY_CONFIRM, MONITOR_ANS_JPAKE_KEY_CONFIRM,
@ -131,9 +134,9 @@ diff -up openssh-5.9p0/monitor.h.2auth openssh-5.9p0/monitor.h
 };
 struct mm_master;
-diff -up openssh-5.9p0/monitor_wrap.c.2auth openssh-5.9p0/monitor_wrap.c
+diff -up openssh-5.9p1/monitor_wrap.c.2auth openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.2auth	2011-06-20 06:42:23.000000000 +0200
+--- openssh-5.9p1/monitor_wrap.c.2auth	2011-06-20 06:42:23.000000000 +0200
-+++ openssh-5.9p0/monitor_wrap.c	2011-09-05 13:16:00.968503257 +0200
+++ openssh-5.9p1/monitor_wrap.c	2011-09-13 20:25:22.735468462 +0200
@@ -1173,6 +1173,26 @@ mm_auth_rsa_verify_response(Key *key, BI
 	return (success);
 }
@ -161,9 +164,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.2auth openssh-5.9p0/monitor_wrap.c
 #ifdef SSH_AUDIT_EVENTS
 void
 mm_audit_event(ssh_audit_event_t event)
-diff -up openssh-5.9p0/monitor_wrap.h.2auth openssh-5.9p0/monitor_wrap.h
+diff -up openssh-5.9p1/monitor_wrap.h.2auth openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.2auth	2011-06-20 06:42:23.000000000 +0200
+--- openssh-5.9p1/monitor_wrap.h.2auth	2011-06-20 06:42:23.000000000 +0200
-+++ openssh-5.9p0/monitor_wrap.h	2011-09-05 13:16:01.074502211 +0200
+++ openssh-5.9p1/monitor_wrap.h	2011-09-13 20:25:22.847457505 +0200
@@ -53,6 +53,7 @@ int mm_key_verify(Key *, u_char *, u_int
 int mm_auth_rsa_key_allowed(struct passwd *, BIGNUM *, Key **);
 int mm_auth_rsa_verify_response(Key *, BIGNUM *, u_char *);
@ -172,9 +175,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.2auth openssh-5.9p0/monitor_wrap.h
 #ifdef GSSAPI
 OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
-diff -up openssh-5.9p0/servconf.c.2auth openssh-5.9p0/servconf.c
+diff -up openssh-5.9p1/servconf.c.2auth openssh-5.9p1/servconf.c
--- openssh-5.9p0/servconf.c.2auth	2011-06-23 00:30:03.000000000 +0200
+--- openssh-5.9p1/servconf.c.2auth	2011-09-13 20:25:18.836495701 +0200
-+++ openssh-5.9p0/servconf.c	2011-09-05 13:16:01.223441110 +0200
+++ openssh-5.9p1/servconf.c	2011-09-13 20:25:22.994584169 +0200
@@ -92,6 +92,13 @@ initialize_server_options(ServerOptions
 	options->hostbased_uses_name_from_packet_only = -1;
 	options->rsa_authentication = -1;
@ -328,9 +331,9 @@ diff -up openssh-5.9p0/servconf.c.2auth openssh-5.9p0/servconf.c
 	dump_cfg_fmtint(sPrintMotd, o->print_motd);
 	dump_cfg_fmtint(sPrintLastLog, o->print_lastlog);
 	dump_cfg_fmtint(sX11Forwarding, o->x11_forwarding);
-diff -up openssh-5.9p0/servconf.h.2auth openssh-5.9p0/servconf.h
+diff -up openssh-5.9p1/servconf.h.2auth openssh-5.9p1/servconf.h
--- openssh-5.9p0/servconf.h.2auth	2011-06-23 00:30:03.000000000 +0200
+--- openssh-5.9p1/servconf.h.2auth	2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p0/servconf.h	2011-09-05 13:16:01.352564530 +0200
+++ openssh-5.9p1/servconf.h	2011-09-13 20:25:23.103459846 +0200
@@ -112,6 +112,14 @@ typedef struct {
 					/* If true, permit jpake auth */
 	int     permit_empty_passwd;	/* If false, do not permit empty
@ -346,9 +349,9 @@ diff -up openssh-5.9p0/servconf.h.2auth openssh-5.9p0/servconf.h
 	int     permit_user_env;	/* If true, read ~/.ssh/environment */
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */
-diff -up openssh-5.9p0/sshd_config.2auth openssh-5.9p0/sshd_config
+diff -up openssh-5.9p1/sshd_config.2auth openssh-5.9p1/sshd_config
--- openssh-5.9p0/sshd_config.2auth	2011-05-29 13:39:39.000000000 +0200
+--- openssh-5.9p1/sshd_config.2auth	2011-05-29 13:39:39.000000000 +0200
-+++ openssh-5.9p0/sshd_config	2011-09-05 13:16:01.461565750 +0200
+++ openssh-5.9p1/sshd_config	2011-09-13 20:25:23.221458447 +0200
@@ -87,6 +87,13 @@ AuthorizedKeysFile	.ssh/authorized_keys
 # and ChallengeResponseAuthentication to 'no'.
 #UsePAM no
@ -363,9 +366,9 @@ diff -up openssh-5.9p0/sshd_config.2auth openssh-5.9p0/sshd_config
 #AllowAgentForwarding yes
 #AllowTcpForwarding yes
 #GatewayPorts no
-diff -up openssh-5.9p0/sshd_config.5.2auth openssh-5.9p0/sshd_config.5
+diff -up openssh-5.9p1/sshd_config.5.2auth openssh-5.9p1/sshd_config.5
--- openssh-5.9p0/sshd_config.5.2auth	2011-08-05 22:17:33.000000000 +0200
+--- openssh-5.9p1/sshd_config.5.2auth	2011-08-05 22:17:33.000000000 +0200
-+++ openssh-5.9p0/sshd_config.5	2011-09-05 13:16:01.572564496 +0200
+++ openssh-5.9p1/sshd_config.5	2011-09-13 20:25:23.416458539 +0200
@@ -726,6 +726,12 @@ Available keywords are
 .Cm PubkeyAuthentication ,
 .Cm RhostsRSAAuthentication ,
--- a/openssh-5.9p1-akc.patch
+++ b/openssh-5.9p1-akc.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
--- openssh-5.9p1/auth2-pubkey.c.akc	2011-09-09 19:27:15.369501615 +0200
+--- openssh-5.9p1/auth2-pubkey.c.akc	2011-09-14 07:24:40.876512251 +0200
-+++ openssh-5.9p1/auth2-pubkey.c	2011-09-09 19:30:32.958509941 +0200
+++ openssh-5.9p1/auth2-pubkey.c	2011-09-14 07:24:43.318458515 +0200
@@ -27,6 +27,7 @@
 #include <sys/types.h>
@ -241,8 +241,8 @@ diff -up openssh-5.9p1/auth2-pubkey.c.akc openssh-5.9p1/auth2-pubkey.c
 		return 0;
 	if (key_is_cert(key) && auth_key_is_revoked(key->cert->signature_key))
 diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
--- openssh-5.9p1/configure.ac.akc	2011-08-18 06:48:24.000000000 +0200
+--- openssh-5.9p1/configure.ac.akc	2011-09-14 07:24:42.863494886 +0200
-+++ openssh-5.9p1/configure.ac	2011-09-09 19:27:17.548440048 +0200
+++ openssh-5.9p1/configure.ac	2011-09-14 07:24:43.441583848 +0200
@@ -1421,6 +1421,18 @@ AC_ARG_WITH([audit],
 	esac ]
 )
@ -262,7 +262,7 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
 dnl    Checks for library functions. Please keep in alphabetical order
 AC_CHECK_FUNCS([ \
 	arc4random \
-@@ -4235,6 +4247,7 @@ echo "                   SELinux support
+@@ -4239,6 +4251,7 @@ echo "                   SELinux support
 echo "                 Smartcard support: $SCARD_MSG"
 echo "                     S/KEY support: $SKEY_MSG"
 echo "              TCP Wrappers support: $TCPW_MSG"
@ -271,8 +271,8 @@ diff -up openssh-5.9p1/configure.ac.akc openssh-5.9p1/configure.ac
 echo "                   libedit support: $LIBEDIT_MSG"
 echo "  Solaris process contract support: $SPC_MSG"
 diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
--- openssh-5.9p1/servconf.c.akc	2011-09-09 19:27:03.490455245 +0200
+--- openssh-5.9p1/servconf.c.akc	2011-09-14 07:24:29.402475399 +0200
-+++ openssh-5.9p1/servconf.c	2011-09-09 19:27:17.666565662 +0200
+++ openssh-5.9p1/servconf.c	2011-09-14 07:56:27.158585590 +0200
@@ -139,6 +139,8 @@ initialize_server_options(ServerOptions
 	options->num_permitted_opens = -1;
 	options->adm_forced_command = NULL;
@ -304,7 +304,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	{ NULL, sBadOption, 0 }
 };
-@@ -1462,6 +1472,20 @@ process_server_config_line(ServerOptions
+@@ -1462,6 +1472,24 @@ process_server_config_line(ServerOptions
 		}
 		break;
@ -318,6 +318,10 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 +		charptr = &options->authorized_keys_command_runas;
 +
 +		arg = strdelim(&cp);
 +		if (!arg || *arg == '\0')
 +			fatal("%s line %d: missing account.",
 +			    filename, linenum);
 +
 +		if (*activep && *charptr == NULL)
 +			*charptr = xstrdup(arg);
 +		break;
@ -325,7 +329,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	case sDeprecated:
 		logit("%s line %d: Deprecated option %s",
 		    filename, linenum, arg);
-@@ -1573,6 +1597,8 @@ copy_set_server_options(ServerOptions *d
+@@ -1573,6 +1601,8 @@ copy_set_server_options(ServerOptions *d
 	M_CP_INTOPT(zero_knowledge_password_authentication);
 	M_CP_INTOPT(second_zero_knowledge_password_authentication);
 	M_CP_INTOPT(two_factor_authentication);
@ -334,7 +338,7 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	M_CP_INTOPT(permit_root_login);
 	M_CP_INTOPT(permit_empty_passwd);
-@@ -1839,6 +1865,8 @@ dump_config(ServerOptions *o)
+@@ -1839,6 +1869,8 @@ dump_config(ServerOptions *o)
 	dump_cfg_string(sRevokedKeys, o->revoked_keys_file);
 	dump_cfg_string(sAuthorizedPrincipalsFile,
 	    o->authorized_principals_file);
@ -344,8 +348,8 @@ diff -up openssh-5.9p1/servconf.c.akc openssh-5.9p1/servconf.c
 	/* string arguments requiring a lookup */
 	dump_cfg_string(sLogLevel, log_level_name(o->log_level));
 diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
--- openssh-5.9p1/servconf.h.akc	2011-09-09 19:27:03.614494286 +0200
+--- openssh-5.9p1/servconf.h.akc	2011-09-14 07:24:29.511480441 +0200
-+++ openssh-5.9p1/servconf.h	2011-09-09 19:27:18.043502934 +0200
+++ openssh-5.9p1/servconf.h	2011-09-14 07:24:43.678459183 +0200
@@ -174,6 +174,8 @@ typedef struct {
 	char   *revoked_keys_file;
 	char   *trusted_user_ca_keys;
@ -357,7 +361,7 @@ diff -up openssh-5.9p1/servconf.h.akc openssh-5.9p1/servconf.h
 /*
 diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
 --- openssh-5.9p1/sshd_config.0.akc	2011-09-07 01:16:30.000000000 +0200
-+++ openssh-5.9p1/sshd_config.0	2011-09-09 19:27:18.168626976 +0200
+++ openssh-5.9p1/sshd_config.0	2011-09-14 07:24:43.791460201 +0200
@@ -71,6 +71,23 @@ DESCRIPTION
              See PATTERNS in ssh_config(5) for more information on patterns.
@ -393,8 +397,8 @@ diff -up openssh-5.9p1/sshd_config.0.akc openssh-5.9p1/sshd_config.0
              GSSAPIAuthentication, HostbasedAuthentication,
              HostbasedUsesNameFromPacketOnly, KbdInteractiveAuthentication,
 diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
--- openssh-5.9p1/sshd_config.5.akc	2011-09-09 19:27:03.912515059 +0200
+--- openssh-5.9p1/sshd_config.5.akc	2011-09-14 07:24:29.793520372 +0200
-+++ openssh-5.9p1/sshd_config.5	2011-09-09 19:27:18.292494317 +0200
+++ openssh-5.9p1/sshd_config.5	2011-09-14 07:24:43.912583678 +0200
@@ -706,6 +706,8 @@ Available keywords are
 .Cm AllowAgentForwarding ,
 .Cm AllowTcpForwarding ,
@ -434,8 +438,8 @@ diff -up openssh-5.9p1/sshd_config.5.akc openssh-5.9p1/sshd_config.5
 Specifies whether rhosts or /etc/hosts.equiv authentication together
 with successful RSA host authentication is allowed.
 diff -up openssh-5.9p1/sshd_config.akc openssh-5.9p1/sshd_config
--- openssh-5.9p1/sshd_config.akc	2011-09-09 19:27:03.754502770 +0200
+--- openssh-5.9p1/sshd_config.akc	2011-09-14 07:24:29.620461608 +0200
-+++ openssh-5.9p1/sshd_config	2011-09-09 19:27:18.446471121 +0200
+++ openssh-5.9p1/sshd_config	2011-09-14 07:24:44.034462546 +0200
@@ -49,6 +49,9 @@
 # but this is overridden so installations will only check .ssh/authorized_keys
 AuthorizedKeysFile	.ssh/authorized_keys
--- a/openssh-5.9p1-audit3.patch
+++ b/openssh-5.9p1-audit3.patch
@ -1,6 +1,6 @@
-diff -up openssh-5.9p0/Makefile.in.audit3 openssh-5.9p0/Makefile.in
+diff -up openssh-5.9p1/Makefile.in.audit3 openssh-5.9p1/Makefile.in
--- openssh-5.9p0/Makefile.in.audit3	2011-08-05 22:15:18.000000000 +0200
+--- openssh-5.9p1/Makefile.in.audit3	2011-08-05 22:15:18.000000000 +0200
-+++ openssh-5.9p0/Makefile.in	2011-09-03 19:28:53.226036039 +0200
+++ openssh-5.9p1/Makefile.in	2011-09-14 07:05:58.337520327 +0200
@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
@ -10,9 +10,9 @@ diff -up openssh-5.9p0/Makefile.in.audit3 openssh-5.9p0/Makefile.in
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
 	sshconnect.o sshconnect1.o sshconnect2.o mux.o \
-diff -up openssh-5.9p0/audit-bsm.c.audit3 openssh-5.9p0/audit-bsm.c
+diff -up openssh-5.9p1/audit-bsm.c.audit3 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p0/audit-bsm.c.audit3	2011-09-03 19:28:51.922034646 +0200
+--- openssh-5.9p1/audit-bsm.c.audit3	2011-09-14 07:05:56.719459048 +0200
-+++ openssh-5.9p0/audit-bsm.c	2011-09-03 19:28:53.475151642 +0200
+++ openssh-5.9p1/audit-bsm.c	2011-09-14 07:05:58.430520147 +0200
@@ -396,4 +396,16 @@ audit_event(ssh_audit_event_t event)
 		debug("%s: unhandled event %d", __func__, event);
 	}
@ -30,9 +30,9 @@ diff -up openssh-5.9p0/audit-bsm.c.audit3 openssh-5.9p0/audit-bsm.c
 +	/* not implemented */
 +}
 #endif /* BSM */
-diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
+diff -up openssh-5.9p1/audit-linux.c.audit3 openssh-5.9p1/audit-linux.c
--- openssh-5.9p0/audit-linux.c.audit3	2011-09-03 19:28:52.053030306 +0200
+--- openssh-5.9p1/audit-linux.c.audit3	2011-09-14 07:05:56.820460613 +0200
-+++ openssh-5.9p0/audit-linux.c	2011-09-03 19:28:53.583026470 +0200
+++ openssh-5.9p1/audit-linux.c	2011-09-14 07:07:29.651459660 +0200
@@ -40,6 +40,8 @@
 #include "auth.h"
 #include "servconf.h"
@ -42,7 +42,7 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
 #define AUDIT_LOG_SIZE 128
-@@ -269,4 +271,56 @@ audit_event(ssh_audit_event_t event)
+@@ -269,4 +271,60 @@ audit_event(ssh_audit_event_t event)
 	}
 }
@ -52,11 +52,13 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
 +#ifdef AUDIT_CRYPTO_SESSION
 +	char buf[AUDIT_LOG_SIZE];
 +	const static char *name[] = { "cipher", "mac", "comp" };
 +	char *s;
 +	int audit_fd;
 +
 +	snprintf(buf, sizeof(buf), "op=unsupported-%s direction=? cipher=? ksize=? rport=%d laddr=%s lport=%d ",
-+		name[what], get_remote_port(), get_local_ipaddr(packet_get_connection_in()),
+		name[what], get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())),
 +		get_local_port());
 +	xfree(s);
 +	audit_fd = audit_open();
 +	if (audit_fd < 0)
 +		/* no problem, the next instruction will be fatal() */
@ -76,11 +78,13 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
 +	int audit_fd, audit_ok;
 +	const static char *direction[] = { "from-server", "from-client", "both" };
 +	Cipher *cipher = cipher_by_name(enc);
 +	char *s;
 +
 +	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
 +		direction[ctos], enc, cipher ? 8 * cipher->key_len : 0,
 +		(intmax_t)pid, (intmax_t)uid,
-+		get_remote_port(), get_local_ipaddr(packet_get_connection_in()), get_local_port());
+		get_remote_port(), (s = get_local_ipaddr(packet_get_connection_in())), get_local_port());
 +	xfree(s);
 +	audit_fd = audit_open();
 +	if (audit_fd < 0) {
 +		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
@ -99,9 +103,9 @@ diff -up openssh-5.9p0/audit-linux.c.audit3 openssh-5.9p0/audit-linux.c
 +}
 +
 #endif /* USE_LINUX_AUDIT */
-diff -up openssh-5.9p0/audit.c.audit3 openssh-5.9p0/audit.c
+diff -up openssh-5.9p1/audit.c.audit3 openssh-5.9p1/audit.c
--- openssh-5.9p0/audit.c.audit3	2011-09-03 19:28:52.166026259 +0200
+--- openssh-5.9p1/audit.c.audit3	2011-09-14 07:05:56.937585272 +0200
-+++ openssh-5.9p0/audit.c	2011-09-03 19:28:53.673151432 +0200
+++ openssh-5.9p1/audit.c	2011-09-14 07:05:58.646521393 +0200
@@ -28,6 +28,7 @@
 #include <stdarg.h>
@ -165,9 +169,9 @@ diff -up openssh-5.9p0/audit.c.audit3 openssh-5.9p0/audit.c
 +}
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.9p0/audit.h.audit3 openssh-5.9p0/audit.h
+diff -up openssh-5.9p1/audit.h.audit3 openssh-5.9p1/audit.h
--- openssh-5.9p0/audit.h.audit3	2011-09-03 19:28:52.286024211 +0200
+--- openssh-5.9p1/audit.h.audit3	2011-09-14 07:05:57.391522394 +0200
-+++ openssh-5.9p0/audit.h	2011-09-03 19:28:53.783027870 +0200
+++ openssh-5.9p1/audit.h	2011-09-14 07:05:58.766586362 +0200
@@ -58,5 +58,9 @@ void 	audit_end_command(int, const char
 ssh_audit_event_t audit_classify_auth(const char *);
 int	audit_keyusage(int, const char *, unsigned, char *, int);
@ -178,9 +182,9 @@ diff -up openssh-5.9p0/audit.h.audit3 openssh-5.9p0/audit.h
 +void	audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
 #endif /* _SSH_AUDIT_H */
-diff -up openssh-5.9p0/auditstub.c.audit3 openssh-5.9p0/auditstub.c
+diff -up openssh-5.9p1/auditstub.c.audit3 openssh-5.9p1/auditstub.c
--- openssh-5.9p0/auditstub.c.audit3	2011-09-03 19:28:53.879026270 +0200
+--- openssh-5.9p1/auditstub.c.audit3	2011-09-14 07:05:58.866461077 +0200
-+++ openssh-5.9p0/auditstub.c	2011-09-03 19:28:53.882025491 +0200
+++ openssh-5.9p1/auditstub.c	2011-09-14 07:05:58.870569033 +0200
@@ -0,0 +1,39 @@
 +/* $Id: auditstub.c,v 1.1 jfch Exp $ */
 +
@ -221,9 +225,9 @@ diff -up openssh-5.9p0/auditstub.c.audit3 openssh-5.9p0/auditstub.c
 +{
 +}
 +
-diff -up openssh-5.9p0/cipher.c.audit3 openssh-5.9p0/cipher.c
+diff -up openssh-5.9p1/cipher.c.audit3 openssh-5.9p1/cipher.c
--- openssh-5.9p0/cipher.c.audit3	2011-08-30 10:34:01.000000000 +0200
+--- openssh-5.9p1/cipher.c.audit3	2011-09-07 15:05:09.000000000 +0200
-+++ openssh-5.9p0/cipher.c	2011-09-03 19:28:53.966162869 +0200
+++ openssh-5.9p1/cipher.c	2011-09-14 07:05:58.955582581 +0200
@@ -60,15 +60,7 @@ extern void ssh1_3des_iv(EVP_CIPHER_CTX
 extern const EVP_CIPHER *evp_aes_128_ctr(void);
 extern void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
@ -241,9 +245,9 @@ diff -up openssh-5.9p0/cipher.c.audit3 openssh-5.9p0/cipher.c
 	{ "none",		SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
 	{ "des",		SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
 	{ "3des",		SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
-diff -up openssh-5.9p0/cipher.h.audit3 openssh-5.9p0/cipher.h
+diff -up openssh-5.9p1/cipher.h.audit3 openssh-5.9p1/cipher.h
--- openssh-5.9p0/cipher.h.audit3	2009-01-28 06:38:41.000000000 +0100
+--- openssh-5.9p1/cipher.h.audit3	2009-01-28 06:38:41.000000000 +0100
-+++ openssh-5.9p0/cipher.h	2011-09-03 19:28:54.068070077 +0200
+++ openssh-5.9p1/cipher.h	2011-09-14 07:05:59.063459363 +0200
@@ -61,7 +61,16 @@
 typedef struct Cipher Cipher;
 typedef struct CipherContext CipherContext;
@ -262,9 +266,9 @@ diff -up openssh-5.9p0/cipher.h.audit3 openssh-5.9p0/cipher.h
 struct CipherContext {
 	int	plaintext;
 	EVP_CIPHER_CTX evp;
-diff -up openssh-5.9p0/kex.c.audit3 openssh-5.9p0/kex.c
+diff -up openssh-5.9p1/kex.c.audit3 openssh-5.9p1/kex.c
--- openssh-5.9p0/kex.c.audit3	2010-09-24 14:11:14.000000000 +0200
+--- openssh-5.9p1/kex.c.audit3	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.9p0/kex.c	2011-09-03 19:28:54.177212272 +0200
+++ openssh-5.9p1/kex.c	2011-09-14 07:05:59.171457800 +0200
@@ -49,6 +49,7 @@
 #include "dispatch.h"
 #include "monitor.h"
@ -327,9 +331,9 @@ diff -up openssh-5.9p0/kex.c.audit3 openssh-5.9p0/kex.c
 	}
 	choose_kex(kex, cprop[PROPOSAL_KEX_ALGS], sprop[PROPOSAL_KEX_ALGS]);
 	choose_hostkeyalg(kex, cprop[PROPOSAL_SERVER_HOST_KEY_ALGS],
-diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
+diff -up openssh-5.9p1/monitor.c.audit3 openssh-5.9p1/monitor.c
--- openssh-5.9p0/monitor.c.audit3	2011-09-03 19:28:52.851088094 +0200
+--- openssh-5.9p1/monitor.c.audit3	2011-09-14 07:05:57.952459820 +0200
-+++ openssh-5.9p0/monitor.c	2011-09-03 19:28:54.298087612 +0200
+++ openssh-5.9p1/monitor.c	2011-09-14 07:05:59.272520466 +0200
@@ -97,6 +97,7 @@
 #include "ssh2.h"
 #include "jpake.h"
@ -383,7 +387,7 @@ diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -2380,3 +2391,44 @@ mm_answer_jpake_check_confirm(int sock,
+@@ -2383,3 +2394,47 @@ mm_answer_jpake_check_confirm(int sock,
 }
 #endif /* JPAKE */
@ -421,6 +425,9 @@ diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
 +
 +	audit_kex_body(ctos, cipher, mac, compress, pid, uid);
 +
 +	xfree(cipher);
 +	xfree(mac);
 +	xfree(compress);
 +	buffer_clear(m);
 +
 +	mm_request_send(sock, MONITOR_ANS_AUDIT_KEX, m);
@ -428,9 +435,9 @@ diff -up openssh-5.9p0/monitor.c.audit3 openssh-5.9p0/monitor.c
 +}
 +
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.9p0/monitor.h.audit3 openssh-5.9p0/monitor.h
+diff -up openssh-5.9p1/monitor.h.audit3 openssh-5.9p1/monitor.h
--- openssh-5.9p0/monitor.h.audit3	2011-09-03 19:28:51.000000000 +0200
+--- openssh-5.9p1/monitor.h.audit3	2011-09-14 07:05:55.510580908 +0200
-+++ openssh-5.9p0/monitor.h	2011-09-03 19:29:52.565211520 +0200
+++ openssh-5.9p1/monitor.h	2011-09-14 07:05:59.378647273 +0200
@@ -61,6 +61,8 @@ enum monitor_reqtype {
 	MONITOR_REQ_PAM_FREE_CTX, MONITOR_ANS_PAM_FREE_CTX,
 	MONITOR_REQ_AUDIT_EVENT, MONITOR_REQ_AUDIT_COMMAND,
@ -440,9 +447,9 @@ diff -up openssh-5.9p0/monitor.h.audit3 openssh-5.9p0/monitor.h
 	MONITOR_REQ_TERM,
 	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
 	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
-diff -up openssh-5.9p0/monitor_wrap.c.audit3 openssh-5.9p0/monitor_wrap.c
+diff -up openssh-5.9p1/monitor_wrap.c.audit3 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p0/monitor_wrap.c.audit3	2011-09-03 19:28:52.963088596 +0200
+--- openssh-5.9p1/monitor_wrap.c.audit3	2011-09-14 07:05:58.059501118 +0200
-+++ openssh-5.9p0/monitor_wrap.c	2011-09-03 19:28:54.602024893 +0200
+++ openssh-5.9p1/monitor_wrap.c	2011-09-14 07:05:59.511503364 +0200
@@ -1505,3 +1505,41 @@ mm_jpake_check_confirm(const BIGNUM *k,
 	return success;
 }
@ -485,9 +492,9 @@ diff -up openssh-5.9p0/monitor_wrap.c.audit3 openssh-5.9p0/monitor_wrap.c
 +	buffer_free(&m);
 +}
 +#endif /* SSH_AUDIT_EVENTS */
-diff -up openssh-5.9p0/monitor_wrap.h.audit3 openssh-5.9p0/monitor_wrap.h
+diff -up openssh-5.9p1/monitor_wrap.h.audit3 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p0/monitor_wrap.h.audit3	2011-09-03 19:28:53.069087341 +0200
+--- openssh-5.9p1/monitor_wrap.h.audit3	2011-09-14 07:05:58.171521245 +0200
-+++ openssh-5.9p0/monitor_wrap.h	2011-09-03 19:28:54.704055439 +0200
+++ openssh-5.9p1/monitor_wrap.h	2011-09-14 07:05:59.624646515 +0200
@@ -78,6 +78,8 @@ void mm_sshpam_free_ctx(void *);
 void mm_audit_event(ssh_audit_event_t);
 int mm_audit_run_command(const char *);
@ -497,9 +504,9 @@ diff -up openssh-5.9p0/monitor_wrap.h.audit3 openssh-5.9p0/monitor_wrap.h
 #endif
 struct Session;
-diff -up openssh-5.9p0/sshd.c.audit3 openssh-5.9p0/sshd.c
+diff -up openssh-5.9p1/sshd.c.audit3 openssh-5.9p1/sshd.c
--- openssh-5.9p0/sshd.c.audit3	2011-09-03 19:28:51.758025429 +0200
+--- openssh-5.9p1/sshd.c.audit3	2011-09-14 07:05:56.554583874 +0200
-+++ openssh-5.9p0/sshd.c	2011-09-03 19:28:54.835049403 +0200
+++ openssh-5.9p1/sshd.c	2011-09-14 07:05:59.828466112 +0200
@@ -118,6 +118,7 @@
 #endif
 #include "monitor_wrap.h"
@ -508,7 +515,7 @@ diff -up openssh-5.9p0/sshd.c.audit3 openssh-5.9p0/sshd.c
 #include "ssh-sandbox.h"
 #include "version.h"
-@@ -2204,6 +2205,10 @@ do_ssh1_kex(void)
+@@ -2209,6 +2210,10 @@ do_ssh1_kex(void)
 		if (cookie[i] != packet_get_char())
 			packet_disconnect("IP Spoofing check bytes do not match.");
--- a/openssh-5.9p1-audit4.patch
+++ b/openssh-5.9p1-audit4.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit4	2011-09-13 07:36:58.921674464 +0200
+--- openssh-5.9p1/audit-bsm.c.audit4	2011-09-14 07:20:13.580471755 +0200
-+++ openssh-5.9p1/audit-bsm.c	2011-09-13 07:36:59.171674206 +0200
+++ openssh-5.9p1/audit-bsm.c	2011-09-14 07:20:15.087521491 +0200
@@ -408,4 +408,10 @@ audit_kex_body(int ctos, char *enc, char
 {
 	/* not implemented */
@ -13,9 +13,9 @@ diff -up openssh-5.9p1/audit-bsm.c.audit4 openssh-5.9p1/audit-bsm.c
 +}
 #endif /* BSM */
 diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit4	2011-09-13 07:36:58.938720835 +0200
+--- openssh-5.9p1/audit-linux.c.audit4	2011-09-14 07:20:13.692465249 +0200
-+++ openssh-5.9p1/audit-linux.c	2011-09-13 07:36:59.187673990 +0200
+++ openssh-5.9p1/audit-linux.c	2011-09-14 07:21:51.559462876 +0200
-@@ -292,6 +292,8 @@ audit_unsupported_body(int what)
+@@ -294,6 +294,8 @@ audit_unsupported_body(int what)
 #endif
 }
@ -24,15 +24,15 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
 void
 audit_kex_body(int ctos, char *enc, char *mac, char *compress, pid_t pid,
 	       uid_t uid)
-@@ -299,7 +301,6 @@ audit_kex_body(int ctos, char *enc, char
+@@ -301,7 +303,6 @@ audit_kex_body(int ctos, char *enc, char
 #ifdef AUDIT_CRYPTO_SESSION
 	char buf[AUDIT_LOG_SIZE];
 	int audit_fd, audit_ok;
 -	const static char *direction[] = { "from-server", "from-client", "both" };
 	Cipher *cipher = cipher_by_name(enc);
 	char *s;
- 	snprintf(buf, sizeof(buf), "op=start direction=%s cipher=%s ksize=%d spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
+@@ -327,4 +328,32 @@ audit_kex_body(int ctos, char *enc, char
@@ -323,4 +324,30 @@ audit_kex_body(int ctos, char *enc, char
 #endif
 }
@ -41,12 +41,14 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
 +{
 +	char buf[AUDIT_LOG_SIZE];
 +	int audit_fd, audit_ok;
 +	char *s;
 +
 +	snprintf(buf, sizeof(buf), "op=destroy kind=session fp=? direction=%s spid=%jd suid=%jd rport=%d laddr=%s lport=%d ",
 +		 direction[ctos], (intmax_t)pid, (intmax_t)uid,
 +		 get_remote_port(),
-+		 get_local_ipaddr(packet_get_connection_in()),
+		 (s = get_local_ipaddr(packet_get_connection_in())),
 +		 get_local_port());
 +	xfree(s);
 +	audit_fd = audit_open();
 +	if (audit_fd < 0) {
 +		if (errno != EINVAL && errno != EPROTONOSUPPORT &&
@ -64,8 +66,8 @@ diff -up openssh-5.9p1/audit-linux.c.audit4 openssh-5.9p1/audit-linux.c
 +
 #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit4	2011-09-13 07:36:58.954674484 +0200
+--- openssh-5.9p1/audit.c.audit4	2011-09-14 07:20:13.787520896 +0200
-+++ openssh-5.9p1/audit.c	2011-09-13 07:36:59.202799426 +0200
+++ openssh-5.9p1/audit.c	2011-09-14 07:20:15.619521843 +0200
@@ -143,6 +143,12 @@ audit_kex(int ctos, char *enc, char *mac
 	PRIVSEP(audit_kex_body(ctos, enc, mac, comp, getpid(), getuid()));
 }
@ -96,8 +98,8 @@ diff -up openssh-5.9p1/audit.c.audit4 openssh-5.9p1/audit.c
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit4	2011-09-13 07:36:58.971799421 +0200
+--- openssh-5.9p1/audit.h.audit4	2011-09-14 07:20:13.893524944 +0200
-+++ openssh-5.9p1/audit.h	2011-09-13 07:36:59.216674281 +0200
+++ openssh-5.9p1/audit.h	2011-09-14 07:20:15.739523476 +0200
@@ -62,5 +62,7 @@ void	audit_unsupported(int);
 void	audit_kex(int, char *, char *, char *);
 void	audit_unsupported_body(int);
@ -107,8 +109,8 @@ diff -up openssh-5.9p1/audit.h.audit4 openssh-5.9p1/audit.h
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
--- openssh-5.9p1/auditstub.c.audit4	2011-09-13 07:36:58.986674407 +0200
+--- openssh-5.9p1/auditstub.c.audit4	2011-09-14 07:20:13.993523515 +0200
-+++ openssh-5.9p1/auditstub.c	2011-09-13 07:36:59.230674500 +0200
+++ openssh-5.9p1/auditstub.c	2011-09-14 07:20:15.843531733 +0200
@@ -27,6 +27,8 @@
  * Red Hat author: Jan F. Chadima <jchadima@redhat.com>
  */
@ -132,8 +134,8 @@ diff -up openssh-5.9p1/auditstub.c.audit4 openssh-5.9p1/auditstub.c
 +{
 +}
 diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
--- openssh-5.9p1/kex.c.audit4	2011-09-13 07:36:59.032798982 +0200
+--- openssh-5.9p1/kex.c.audit4	2011-09-14 07:20:14.294645864 +0200
-+++ openssh-5.9p1/kex.c	2011-09-13 07:36:59.243799057 +0200
+++ openssh-5.9p1/kex.c	2011-09-14 07:20:15.948646500 +0200
@@ -624,3 +624,34 @@ dump_digest(char *msg, u_char *digest, i
 	fprintf(stderr, "\n");
 }
@ -171,7 +173,7 @@ diff -up openssh-5.9p1/kex.c.audit4 openssh-5.9p1/kex.c
 +
 diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
 --- openssh-5.9p1/kex.h.audit4	2010-09-24 14:11:14.000000000 +0200
-+++ openssh-5.9p1/kex.h	2011-09-13 07:36:59.259674391 +0200
+++ openssh-5.9p1/kex.h	2011-09-14 07:20:16.045521582 +0200
@@ -156,6 +156,8 @@ void	 kexgex_server(Kex *);
 void	 kexecdh_client(Kex *);
 void	 kexecdh_server(Kex *);
@ -183,7 +185,7 @@ diff -up openssh-5.9p1/kex.h.audit4 openssh-5.9p1/kex.h
     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 --- openssh-5.9p1/mac.c.audit4	2011-08-17 02:29:03.000000000 +0200
-+++ openssh-5.9p1/mac.c	2011-09-13 07:36:59.273799275 +0200
+++ openssh-5.9p1/mac.c	2011-09-14 07:20:16.173477847 +0200
@@ -168,6 +168,20 @@ mac_clear(Mac *mac)
 	mac->umac_ctx = NULL;
 }
@ -207,15 +209,15 @@ diff -up openssh-5.9p1/mac.c.audit4 openssh-5.9p1/mac.c
 int
 diff -up openssh-5.9p1/mac.h.audit4 openssh-5.9p1/mac.h
 --- openssh-5.9p1/mac.h.audit4	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-5.9p1/mac.h	2011-09-13 07:36:59.286674543 +0200
+++ openssh-5.9p1/mac.h	2011-09-14 07:20:16.287522108 +0200
@@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
 int	 mac_init(Mac *);
 u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
 void	 mac_clear(Mac *);
 +void	 mac_destroy(Mac *);
 diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit4	2011-09-13 07:36:59.058688802 +0200
+--- openssh-5.9p1/monitor.c.audit4	2011-09-14 07:20:14.404521153 +0200
-+++ openssh-5.9p1/monitor.c	2011-09-13 07:38:37.825674060 +0200
+++ openssh-5.9p1/monitor.c	2011-09-14 07:20:16.400462714 +0200
@@ -190,6 +190,7 @@ int mm_answer_audit_command(int, Buffer
 int mm_answer_audit_end_command(int, Buffer *);
 int mm_answer_audit_unsupported_body(int, Buffer *);
@ -261,7 +263,7 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 	}
 -	/* Drain any buffered messages from the child */
-	while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+-	while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
 -		;
 -
 	if (!authctxt->valid)
@ -297,13 +299,13 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 +#endif
 +
 +	/* Drain any buffered messages from the child */
-+	while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
+	while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
 +		;
 +
 }
-@@ -2429,4 +2447,22 @@ mm_answer_audit_kex_body(int sock, Buffe
+@@ -2437,4 +2455,22 @@ mm_answer_audit_kex_body(int sock, Buffe
 	return 0;
 }
@ -327,8 +329,8 @@ diff -up openssh-5.9p1/monitor.c.audit4 openssh-5.9p1/monitor.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit4	2011-09-13 07:36:59.076799458 +0200
+--- openssh-5.9p1/monitor.h.audit4	2011-09-14 07:20:14.518521791 +0200
-+++ openssh-5.9p1/monitor.h	2011-09-13 07:36:59.322799576 +0200
+++ openssh-5.9p1/monitor.h	2011-09-14 07:20:16.512585387 +0200
@@ -63,6 +63,7 @@ enum monitor_reqtype {
 	MONITOR_ANS_AUDIT_COMMAND, MONITOR_REQ_AUDIT_END_COMMAND,
 	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
@ -338,8 +340,8 @@ diff -up openssh-5.9p1/monitor.h.audit4 openssh-5.9p1/monitor.h
 	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
 	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
 diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit4	2011-09-13 07:36:59.100724984 +0200
+--- openssh-5.9p1/monitor_wrap.c.audit4	2011-09-14 07:20:14.713521378 +0200
-+++ openssh-5.9p1/monitor_wrap.c	2011-09-13 07:36:59.339674340 +0200
+++ openssh-5.9p1/monitor_wrap.c	2011-09-14 07:20:16.640587362 +0200
@@ -653,12 +653,14 @@ mm_send_keystate(struct monitor *monitor
 		fatal("%s: conversion of newkeys failed", __func__);
@ -376,8 +378,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit4 openssh-5.9p1/monitor_wrap.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit4	2011-09-13 07:36:59.118674223 +0200
+--- openssh-5.9p1/monitor_wrap.h.audit4	2011-09-14 07:20:14.821520100 +0200
-+++ openssh-5.9p1/monitor_wrap.h	2011-09-13 07:36:59.353674499 +0200
+++ openssh-5.9p1/monitor_wrap.h	2011-09-14 07:20:16.749585355 +0200
@@ -80,6 +80,7 @@ int mm_audit_run_command(const char *);
 void mm_audit_end_command(int, const char *);
 void mm_audit_unsupported_body(int);
@ -387,8 +389,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit4 openssh-5.9p1/monitor_wrap.h
 struct Session;
 diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
--- openssh-5.9p1/packet.c.audit4	2011-09-13 07:36:58.244674109 +0200
+--- openssh-5.9p1/packet.c.audit4	2011-09-14 07:20:09.337458270 +0200
-+++ openssh-5.9p1/packet.c	2011-09-13 07:36:59.373710318 +0200
+++ openssh-5.9p1/packet.c	2011-09-14 07:20:16.892461022 +0200
@@ -60,6 +60,7 @@
 #include <signal.h>
@ -582,7 +584,7 @@ diff -up openssh-5.9p1/packet.c.audit4 openssh-5.9p1/packet.c
 +
 diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 --- openssh-5.9p1/packet.h.audit4	2011-05-15 00:43:13.000000000 +0200
-+++ openssh-5.9p1/packet.h	2011-09-13 07:36:59.390799281 +0200
+++ openssh-5.9p1/packet.h	2011-09-14 07:20:17.003583853 +0200
@@ -124,4 +124,5 @@ void	 packet_restore_state(void);
 void	*packet_get_input(void);
 void	*packet_get_output(void);
@ -590,8 +592,8 @@ diff -up openssh-5.9p1/packet.h.audit4 openssh-5.9p1/packet.h
 +void	 packet_destroy_all(int, int);
 #endif				/* PACKET_H */
 diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit4	2011-09-13 07:36:58.637798995 +0200
+--- openssh-5.9p1/session.c.audit4	2011-09-14 07:20:11.774521404 +0200
-+++ openssh-5.9p1/session.c	2011-09-13 07:36:59.411690264 +0200
+++ openssh-5.9p1/session.c	2011-09-14 07:20:17.134462420 +0200
@@ -1634,6 +1634,9 @@ do_child(Session *s, const char *command
 	/* remove hostkey from the child's memory */
@ -603,9 +605,9 @@ diff -up openssh-5.9p1/session.c.audit4 openssh-5.9p1/session.c
 	/* Force a password change */
 	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit4	2011-09-13 07:36:59.143674103 +0200
+--- openssh-5.9p1/sshd.c.audit4	2011-09-14 07:20:14.946521214 +0200
-+++ openssh-5.9p1/sshd.c	2011-09-13 07:39:06.125718627 +0200
+++ openssh-5.9p1/sshd.c	2011-09-14 07:20:17.258458657 +0200
-@@ -684,6 +684,8 @@ privsep_preauth(Authctxt *authctxt)
+@@ -686,6 +686,8 @@ privsep_preauth(Authctxt *authctxt)
 	}
 }
@ -614,7 +616,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
 static void
 privsep_postauth(Authctxt *authctxt)
 {
-@@ -708,6 +710,10 @@ privsep_postauth(Authctxt *authctxt)
+@@ -710,6 +712,10 @@ privsep_postauth(Authctxt *authctxt)
 	else if (pmonitor->m_pid != 0) {
 		verbose("User child is on pid %ld", (long)pmonitor->m_pid);
 		buffer_clear(&loginmsg);
@ -625,7 +627,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
 		monitor_child_postauth(pmonitor);
 		/* NEVERREACHED */
-@@ -1999,6 +2005,7 @@ main(int ac, char **av)
+@@ -2001,6 +2007,7 @@ main(int ac, char **av)
 	 */
 	if (use_privsep) {
 		mm_send_keystate(pmonitor);
@ -633,7 +635,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
 		exit(0);
 	}
-@@ -2051,6 +2058,8 @@ main(int ac, char **av)
+@@ -2053,6 +2060,8 @@ main(int ac, char **av)
 	do_authenticated(authctxt);
 	/* The connection has been terminated. */
@ -642,7 +644,7 @@ diff -up openssh-5.9p1/sshd.c.audit4 openssh-5.9p1/sshd.c
 	packet_get_state(MODE_IN, NULL, NULL, NULL, &ibytes);
 	packet_get_state(MODE_OUT, NULL, NULL, NULL, &obytes);
 	verbose("Transferred: sent %llu, received %llu bytes",
-@@ -2368,8 +2377,20 @@ do_ssh2_kex(void)
+@@ -2370,8 +2379,20 @@ do_ssh2_kex(void)
 void
 cleanup_exit(int i)
 {
--- a/openssh-5.9p1-audit5.patch
+++ b/openssh-5.9p1-audit5.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/audit-bsm.c.audit5 openssh-5.9p1/audit-bsm.c
--- openssh-5.9p1/audit-bsm.c.audit5	2011-09-10 19:40:19.638521318 +0200
+--- openssh-5.9p1/audit-bsm.c.audit5	2011-09-13 22:07:31.262575526 +0200
-+++ openssh-5.9p1/audit-bsm.c	2011-09-10 19:40:21.675487204 +0200
+++ openssh-5.9p1/audit-bsm.c	2011-09-13 22:07:33.268491813 +0200
@@ -414,4 +414,22 @@ audit_session_key_free_body(int ctos, pi
 {
 	/* not implemented */
@ -25,8 +25,8 @@ diff -up openssh-5.9p1/audit-bsm.c.audit5 openssh-5.9p1/audit-bsm.c
 +}
 #endif /* BSM */
 diff -up openssh-5.9p1/audit-linux.c.audit5 openssh-5.9p1/audit-linux.c
--- openssh-5.9p1/audit-linux.c.audit5	2011-09-10 19:40:19.713521349 +0200
+--- openssh-5.9p1/audit-linux.c.audit5	2011-09-13 22:07:31.400584308 +0200
-+++ openssh-5.9p1/audit-linux.c	2011-09-10 19:40:21.765473529 +0200
+++ openssh-5.9p1/audit-linux.c	2011-09-13 22:07:33.357460348 +0200
@@ -350,4 +350,50 @@ audit_session_key_free_body(int ctos, pi
 		error("cannot write into audit");
 }
@ -79,8 +79,8 @@ diff -up openssh-5.9p1/audit-linux.c.audit5 openssh-5.9p1/audit-linux.c
 +}
 #endif /* USE_LINUX_AUDIT */
 diff -up openssh-5.9p1/audit.c.audit5 openssh-5.9p1/audit.c
--- openssh-5.9p1/audit.c.audit5	2011-09-10 19:40:19.814646179 +0200
+--- openssh-5.9p1/audit.c.audit5	2011-09-13 22:07:31.495458797 +0200
-+++ openssh-5.9p1/audit.c	2011-09-10 19:40:21.872459880 +0200
+++ openssh-5.9p1/audit.c	2011-09-13 22:07:33.478458341 +0200
@@ -290,5 +290,24 @@ audit_session_key_free_body(int ctos, pi
 	debug("audit session key discard euid %u direction %d from pid %ld uid %u",
 		(unsigned)geteuid(), ctos, (long)pid, (unsigned)uid);
@ -107,8 +107,8 @@ diff -up openssh-5.9p1/audit.c.audit5 openssh-5.9p1/audit.c
 # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/audit.h.audit5 openssh-5.9p1/audit.h
--- openssh-5.9p1/audit.h.audit5	2011-09-10 19:40:19.945521685 +0200
+--- openssh-5.9p1/audit.h.audit5	2011-09-13 22:07:31.616459125 +0200
-+++ openssh-5.9p1/audit.h	2011-09-10 19:40:21.990457118 +0200
+++ openssh-5.9p1/audit.h	2011-09-13 22:07:33.612458074 +0200
@@ -48,6 +48,8 @@ enum ssh_audit_event_type {
 };
 typedef enum ssh_audit_event_type ssh_audit_event_t;
@ -127,8 +127,8 @@ diff -up openssh-5.9p1/audit.h.audit5 openssh-5.9p1/audit.h
 #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.9p1/key.c.audit5 openssh-5.9p1/key.c
--- openssh-5.9p1/key.c.audit5	2011-09-10 19:40:11.396460430 +0200
+--- openssh-5.9p1/key.c.audit5	2011-09-13 22:07:23.054490740 +0200
-+++ openssh-5.9p1/key.c	2011-09-10 19:40:22.096459112 +0200
+++ openssh-5.9p1/key.c	2011-09-13 22:07:33.721583661 +0200
@@ -1799,6 +1799,30 @@ key_demote(const Key *k)
 }
@ -161,8 +161,8 @@ diff -up openssh-5.9p1/key.c.audit5 openssh-5.9p1/key.c
 {
 	if (k == NULL)
 diff -up openssh-5.9p1/key.h.audit5 openssh-5.9p1/key.h
--- openssh-5.9p1/key.h.audit5	2011-09-10 19:40:11.510460018 +0200
+--- openssh-5.9p1/key.h.audit5	2011-09-13 22:07:23.160459285 +0200
-+++ openssh-5.9p1/key.h	2011-09-10 19:40:22.208459363 +0200
+++ openssh-5.9p1/key.h	2011-09-13 22:07:33.847459341 +0200
@@ -109,6 +109,7 @@ Key	*key_generate(int, u_int);
 Key	*key_from_private(const Key *);
 int	 key_type_from_name(char *);
@ -172,8 +172,8 @@ diff -up openssh-5.9p1/key.h.audit5 openssh-5.9p1/key.h
 int	 key_to_certified(Key *, int);
 int	 key_drop_cert(Key *);
 diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
--- openssh-5.9p1/monitor.c.audit5	2011-09-10 19:40:20.635514835 +0200
+--- openssh-5.9p1/monitor.c.audit5	2011-09-13 22:07:32.285495537 +0200
-+++ openssh-5.9p1/monitor.c	2011-09-10 19:40:22.327585849 +0200
+++ openssh-5.9p1/monitor.c	2011-09-13 22:10:04.148554239 +0200
@@ -114,6 +114,8 @@ extern Buffer auth_debug;
 extern int auth_debug_init;
 extern Buffer loginmsg;
@ -223,7 +223,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
 #endif
     {0, 0, NULL}
 };
-@@ -1720,6 +1727,8 @@ mm_answer_term(int sock, Buffer *req)
+@@ -1716,6 +1723,8 @@ mm_answer_term(int sock, Buffer *req)
 		sshpam_cleanup();
 #endif
@ -232,7 +232,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
 	while (waitpid(pmonitor->m_pid, &status, 0) == -1)
 		if (errno != EINTR)
 			exit(1);
-@@ -2466,4 +2475,24 @@ mm_answer_audit_session_key_free_body(in
+@@ -2470,4 +2479,25 @@ mm_answer_audit_session_key_free_body(in
 	mm_request_send(sock, MONITOR_ANS_AUDIT_SESSION_KEY_FREE, m);
 	return 0;
 }
@ -251,6 +251,7 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
 +
 +	audit_destroy_sensitive_data(fp, pid, uid);
 +
 +	xfree(fp);
 +	buffer_clear(m);
 +
 +	mm_request_send(sock, MONITOR_ANS_AUDIT_SERVER_KEY_FREE, m);
@ -258,8 +259,8 @@ diff -up openssh-5.9p1/monitor.c.audit5 openssh-5.9p1/monitor.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor.h.audit5 openssh-5.9p1/monitor.h
--- openssh-5.9p1/monitor.h.audit5	2011-09-10 19:40:20.741522656 +0200
+--- openssh-5.9p1/monitor.h.audit5	2011-09-13 22:07:32.385522626 +0200
-+++ openssh-5.9p1/monitor.h	2011-09-10 19:40:22.440461159 +0200
+++ openssh-5.9p1/monitor.h	2011-09-13 22:07:34.098459356 +0200
@@ -64,6 +64,7 @@ enum monitor_reqtype {
 	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
 	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
@ -269,8 +270,8 @@ diff -up openssh-5.9p1/monitor.h.audit5 openssh-5.9p1/monitor.h
 	MONITOR_REQ_JPAKE_STEP1, MONITOR_ANS_JPAKE_STEP1,
 	MONITOR_REQ_JPAKE_GET_PWDATA, MONITOR_ANS_JPAKE_GET_PWDATA,
 diff -up openssh-5.9p1/monitor_wrap.c.audit5 openssh-5.9p1/monitor_wrap.c
--- openssh-5.9p1/monitor_wrap.c.audit5	2011-09-10 19:40:20.871609482 +0200
+--- openssh-5.9p1/monitor_wrap.c.audit5	2011-09-13 22:07:32.510521163 +0200
-+++ openssh-5.9p1/monitor_wrap.c	2011-09-10 19:40:22.559458727 +0200
+++ openssh-5.9p1/monitor_wrap.c	2011-09-13 22:07:34.610458275 +0200
@@ -1559,4 +1559,20 @@ mm_audit_session_key_free_body(int ctos,
 				  &m);
 	buffer_free(&m);
@ -293,8 +294,8 @@ diff -up openssh-5.9p1/monitor_wrap.c.audit5 openssh-5.9p1/monitor_wrap.c
 +}
 #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.9p1/monitor_wrap.h.audit5 openssh-5.9p1/monitor_wrap.h
--- openssh-5.9p1/monitor_wrap.h.audit5	2011-09-10 19:40:20.983521729 +0200
+--- openssh-5.9p1/monitor_wrap.h.audit5	2011-09-13 22:07:32.607520810 +0200
-+++ openssh-5.9p1/monitor_wrap.h	2011-09-10 19:40:22.730460011 +0200
+++ openssh-5.9p1/monitor_wrap.h	2011-09-13 22:07:34.716458214 +0200
@@ -81,6 +81,7 @@ void mm_audit_end_command(int, const cha
 void mm_audit_unsupported_body(int);
 void mm_audit_kex_body(int, char *, char *, char *, pid_t, uid_t);
@ -304,8 +305,8 @@ diff -up openssh-5.9p1/monitor_wrap.h.audit5 openssh-5.9p1/monitor_wrap.h
 struct Session;
 diff -up openssh-5.9p1/session.c.audit5 openssh-5.9p1/session.c
--- openssh-5.9p1/session.c.audit5	2011-09-10 19:40:21.385531298 +0200
+--- openssh-5.9p1/session.c.audit5	2011-09-13 22:07:32.973544819 +0200
-+++ openssh-5.9p1/session.c	2011-09-10 19:40:22.903583654 +0200
+++ openssh-5.9p1/session.c	2011-09-13 22:07:34.849585578 +0200
@@ -136,7 +136,7 @@ extern int log_stderr;
 extern int debug_flag;
 extern u_int utmp_len;
@ -325,8 +326,8 @@ diff -up openssh-5.9p1/session.c.audit5 openssh-5.9p1/session.c
 	   monitor over a single socket, with no synchronization. */
 	packet_destroy_all(0, 1);
 diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
--- openssh-5.9p1/sshd.c.audit5	2011-09-10 19:40:21.520510716 +0200
+--- openssh-5.9p1/sshd.c.audit5	2011-09-13 22:07:33.106516378 +0200
-+++ openssh-5.9p1/sshd.c	2011-09-10 19:42:06.573520393 +0200
+++ openssh-5.9p1/sshd.c	2011-09-13 22:07:34.989470331 +0200
@@ -254,7 +254,7 @@ Buffer loginmsg;
 struct passwd *privsep_pw = NULL;
@ -440,7 +441,7 @@ diff -up openssh-5.9p1/sshd.c.audit5 openssh-5.9p1/sshd.c
 		}
 		/* Certs do not need demotion */
 	}
-@@ -1143,6 +1193,7 @@ server_accept_loop(int *sock_in, int *so
+@@ -1145,6 +1195,7 @@ server_accept_loop(int *sock_in, int *so
 		if (received_sigterm) {
 			logit("Received signal %d; terminating.",
 			    (int) received_sigterm);
--- a/openssh-5.9p1-coverity.patch
+++ b/openssh-5.9p1-coverity.patch
@ -1,6 +1,6 @@
 diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
 --- openssh-5.9p1/auth-pam.c.coverity	2009-07-12 14:07:21.000000000 +0200
-+++ openssh-5.9p1/auth-pam.c	2011-09-13 08:41:24.635521346 +0200
+++ openssh-5.9p1/auth-pam.c	2011-09-14 08:09:47.074520582 +0200
@@ -216,7 +216,12 @@ pthread_join(sp_pthread_t thread, void *
 	if (sshpam_thread_status != -1)
 		return (sshpam_thread_status);
@ -17,7 +17,7 @@ diff -up openssh-5.9p1/auth-pam.c.coverity openssh-5.9p1/auth-pam.c
 #endif
 diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
 --- openssh-5.9p1/channels.c.coverity	2011-06-23 00:31:57.000000000 +0200
-+++ openssh-5.9p1/channels.c	2011-09-13 08:26:11.771584519 +0200
+++ openssh-5.9p1/channels.c	2011-09-14 08:09:47.556582810 +0200
@@ -229,11 +229,11 @@ channel_register_fds(Channel *c, int rfd
 	channel_max_fd = MAX(channel_max_fd, wfd);
 	channel_max_fd = MAX(channel_max_fd, efd);
@ -50,8 +50,8 @@ diff -up openssh-5.9p1/channels.c.coverity openssh-5.9p1/channels.c
 }
 diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
 --- openssh-5.9p1/clientloop.c.coverity	2011-06-23 00:31:58.000000000 +0200
-+++ openssh-5.9p1/clientloop.c	2011-09-13 08:26:11.889458598 +0200
+++ openssh-5.9p1/clientloop.c	2011-09-14 08:17:41.556521887 +0200
-@@ -1970,6 +1970,7 @@ client_input_global_request(int type, u_
+@@ -1970,14 +1970,15 @@ client_input_global_request(int type, u_
 	char *rtype;
 	int want_reply;
 	int success = 0;
@ -59,9 +59,19 @@ diff -up openssh-5.9p1/clientloop.c.coverity openssh-5.9p1/clientloop.c
 	rtype = packet_get_string(NULL);
 	want_reply = packet_get_char();
 	debug("client_input_global_request: rtype %s want_reply %d",
 	    rtype, want_reply);
 	if (want_reply) {
 -		packet_start(success ?
 -		    SSH2_MSG_REQUEST_SUCCESS : SSH2_MSG_REQUEST_FAILURE);
 +		packet_start(/*success ?
 +		    SSH2_MSG_REQUEST_SUCCESS :*/ SSH2_MSG_REQUEST_FAILURE);
 		packet_send();
 		packet_write_wait();
 	}
 diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
 --- openssh-5.9p1/key.c.coverity	2011-05-20 11:03:08.000000000 +0200
-+++ openssh-5.9p1/key.c	2011-09-13 08:26:12.000459857 +0200
+++ openssh-5.9p1/key.c	2011-09-14 08:09:47.803458435 +0200
@@ -803,8 +803,10 @@ key_read(Key *ret, char **cpp)
 		success = 1;
 /*XXXX*/
@ -73,9 +83,19 @@ diff -up openssh-5.9p1/key.c.coverity openssh-5.9p1/key.c
 		/* advance cp: skip whitespace and data */
 		while (*cp == ' ' || *cp == '\t')
 			cp++;
 diff -up openssh-5.9p1/misc.c.coverity openssh-5.9p1/misc.c
 diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
 --- openssh-5.9p1/monitor.c.coverity	2011-08-05 22:15:18.000000000 +0200
-+++ openssh-5.9p1/monitor.c	2011-09-13 08:26:12.132583409 +0200
+++ openssh-5.9p1/monitor.c	2011-09-14 08:09:47.914584009 +0200
@@ -420,7 +420,7 @@ monitor_child_preauth(Authctxt *_authctx
 	}
 	/* Drain any buffered messages from the child */
 -	while (pmonitor->m_log_recvfd != -1 && monitor_read_log(pmonitor) == 0)
 +	while (pmonitor->m_log_recvfd >= 0 && monitor_read_log(pmonitor) == 0)
 		;
 	if (!authctxt->valid)
@@ -1161,6 +1161,10 @@ mm_answer_keyallowed(int sock, Buffer *m
 			break;
 		}
@ -97,9 +117,26 @@ diff -up openssh-5.9p1/monitor.c.coverity openssh-5.9p1/monitor.c
 	buffer_clear(m);
 	buffer_put_int(m, allowed);
 	buffer_put_int(m, forced_command != NULL);
 diff -up openssh-5.9p1/monitor_wrap.c.coverity openssh-5.9p1/monitor_wrap.c
 --- openssh-5.9p1/monitor_wrap.c.coverity	2011-09-14 08:11:36.480500123 +0200
 +++ openssh-5.9p1/monitor_wrap.c	2011-09-14 08:14:11.279520598 +0200
@@ -707,10 +707,10 @@ mm_pty_allocate(int *ptyfd, int *ttyfd,
 	if ((tmp1 = dup(pmonitor->m_recvfd)) == -1 ||
 	    (tmp2 = dup(pmonitor->m_recvfd)) == -1) {
 		error("%s: cannot allocate fds for pty", __func__);
 -		if (tmp1 > 0)
 +		if (tmp1 >= 0)
 			close(tmp1);
 -		if (tmp2 > 0)
 -			close(tmp2);
 +		/*DEAD CODE if (tmp2 >= 0)
 +			close(tmp2);*/
 		return 0;
 	}
 	close(tmp1);
 diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/openbsd-compat/bindresvport.c
 --- openssh-5.9p1/openbsd-compat/bindresvport.c.coverity	2010-12-03 00:50:26.000000000 +0100
-+++ openssh-5.9p1/openbsd-compat/bindresvport.c	2011-09-13 08:26:12.298464549 +0200
+++ openssh-5.9p1/openbsd-compat/bindresvport.c	2011-09-14 08:09:48.084459344 +0200
@@ -58,7 +58,7 @@ bindresvport_sa(int sd, struct sockaddr
 	struct sockaddr_in6 *in6;
 	u_int16_t *portp;
@ -111,7 +148,7 @@ diff -up openssh-5.9p1/openbsd-compat/bindresvport.c.coverity openssh-5.9p1/open
 	if (sa == NULL) {
 diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
 --- openssh-5.9p1/packet.c.coverity	2011-05-15 00:58:15.000000000 +0200
-+++ openssh-5.9p1/packet.c	2011-09-13 08:26:12.405461249 +0200
+++ openssh-5.9p1/packet.c	2011-09-14 08:09:48.184587842 +0200
@@ -1177,6 +1177,7 @@ packet_read_poll1(void)
 		case DEATTACK_DETECTED:
 			packet_disconnect("crc32 compensation attack: "
@ -131,7 +168,7 @@ diff -up openssh-5.9p1/packet.c.coverity openssh-5.9p1/packet.c
 	setp = (fd_set *)xcalloc(howmany(active_state->connection_out + 1,
 diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
 --- openssh-5.9p1/progressmeter.c.coverity	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-5.9p1/progressmeter.c	2011-09-13 08:26:12.511520013 +0200
+++ openssh-5.9p1/progressmeter.c	2011-09-14 08:09:48.300586004 +0200
@@ -65,7 +65,7 @@ static void update_progress_meter(int);
 static time_t start;		/* start progress */
@ -152,7 +189,7 @@ diff -up openssh-5.9p1/progressmeter.c.coverity openssh-5.9p1/progressmeter.c
 	file = f;
 diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
 --- openssh-5.9p1/progressmeter.h.coverity	2006-03-26 05:30:02.000000000 +0200
-+++ openssh-5.9p1/progressmeter.h	2011-09-13 08:26:12.630521541 +0200
+++ openssh-5.9p1/progressmeter.h	2011-09-14 08:09:48.420645724 +0200
@@ -23,5 +23,5 @@
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
@ -162,7 +199,7 @@ diff -up openssh-5.9p1/progressmeter.h.coverity openssh-5.9p1/progressmeter.h
 void	stop_progress_meter(void);
 diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
 --- openssh-5.9p1/scp.c.coverity	2011-01-06 12:41:21.000000000 +0100
-+++ openssh-5.9p1/scp.c	2011-09-13 08:26:12.748520967 +0200
+++ openssh-5.9p1/scp.c	2011-09-14 08:09:48.531505457 +0200
@@ -155,7 +155,7 @@ killchild(int signo)
 {
 	if (do_cmd_pid > 1) {
@ -174,7 +211,16 @@ diff -up openssh-5.9p1/scp.c.coverity openssh-5.9p1/scp.c
 	if (signo)
 diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
 --- openssh-5.9p1/servconf.c.coverity	2011-06-23 00:30:03.000000000 +0200
-+++ openssh-5.9p1/servconf.c	2011-09-13 08:26:12.854521290 +0200
+++ openssh-5.9p1/servconf.c	2011-09-14 08:30:17.557468182 +0200
@@ -609,7 +609,7 @@ match_cfg_line(char **condition, int lin
 		debug3("checking syntax for 'Match %s'", cp);
 	else
 		debug3("checking match for '%s' user %s host %s addr %s", cp,
 -		    user ? user : "(null)", host ? host : "(null)",
 +		    user /* User is not NULL ? user : "(null)" */, host ? host : "(null)",
 		    address ? address : "(null)");
 	while ((attrib = strdelim(&cp)) && *attrib != '\0') {
@@ -1171,7 +1171,7 @@ process_server_config_line(ServerOptions
 			fatal("%s line %d: Missing subsystem name.",
 			    filename, linenum);
@ -184,9 +230,21 @@ diff -up openssh-5.9p1/servconf.c.coverity openssh-5.9p1/servconf.c
 			break;
 		}
 		for (i = 0; i < options->num_subsystems; i++)
@@ -1262,8 +1262,9 @@ process_server_config_line(ServerOptions
 		if (*activep && *charptr == NULL) {
 			*charptr = tilde_expand_filename(arg, getuid());
 			/* increase optional counter */
 -			if (intptr != NULL)
 -				*intptr = *intptr + 1;
 +			/* DEAD CODE intptr is still NULL ;)
 +  			 if (intptr != NULL)
 +				*intptr = *intptr + 1; */
 		}
 		break;
 diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 --- openssh-5.9p1/serverloop.c.coverity	2011-05-20 11:02:50.000000000 +0200
-+++ openssh-5.9p1/serverloop.c	2011-09-13 08:26:12.968645756 +0200
+++ openssh-5.9p1/serverloop.c	2011-09-14 08:09:48.793586380 +0200
@@ -147,13 +147,13 @@ notify_setup(void)
 static void
 notify_parent(void)
@ -298,7 +356,7 @@ diff -up openssh-5.9p1/serverloop.c.coverity openssh-5.9p1/serverloop.c
 		tun = forced_tun_device;
 diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 --- openssh-5.9p1/sftp-client.c.coverity	2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp-client.c	2011-09-13 08:26:13.083520760 +0200
+++ openssh-5.9p1/sftp-client.c	2011-09-14 08:09:48.910470343 +0200
@@ -149,7 +149,7 @@ get_msg(struct sftp_conn *conn, Buffer *
 }
@ -523,7 +581,7 @@ diff -up openssh-5.9p1/sftp-client.c.coverity openssh-5.9p1/sftp-client.c
 	size_t len = strlen(p1) + strlen(p2) + 2;
 diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
 --- openssh-5.9p1/sftp-client.h.coverity	2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp-client.h	2011-09-13 08:26:13.181525164 +0200
+++ openssh-5.9p1/sftp-client.h	2011-09-14 08:09:49.021583940 +0200
@@ -56,49 +56,49 @@ struct sftp_conn *do_init(int, int, u_in
 u_int sftp_proto_version(struct sftp_conn *);
@ -623,7 +681,7 @@ diff -up openssh-5.9p1/sftp-client.h.coverity openssh-5.9p1/sftp-client.h
 #endif
 diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
 --- openssh-5.9p1/sftp.c.coverity	2010-12-04 23:02:48.000000000 +0100
-+++ openssh-5.9p1/sftp.c	2011-09-13 08:26:13.311521187 +0200
+++ openssh-5.9p1/sftp.c	2011-09-14 08:09:49.468493585 +0200
@@ -206,7 +206,7 @@ killchild(int signo)
 {
 	if (sshpid > 1) {
@ -738,7 +796,7 @@ diff -up openssh-5.9p1/sftp.c.coverity openssh-5.9p1/sftp.c
 	char s_used[FMT_SCALED_STRSIZE];
 diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
 --- openssh-5.9p1/ssh-agent.c.coverity	2011-06-03 06:14:16.000000000 +0200
-+++ openssh-5.9p1/ssh-agent.c	2011-09-13 08:26:13.416521025 +0200
+++ openssh-5.9p1/ssh-agent.c	2011-09-14 08:09:49.572460295 +0200
@@ -1147,8 +1147,8 @@ main(int ac, char **av)
 	sanitise_stdfd();
@ -752,8 +810,20 @@ diff -up openssh-5.9p1/ssh-agent.c.coverity openssh-5.9p1/ssh-agent.c
 	/* Disable ptrace on Linux without sgid bit */
 diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
 --- openssh-5.9p1/sshd.c.coverity	2011-06-23 11:45:51.000000000 +0200
-+++ openssh-5.9p1/sshd.c	2011-09-13 08:26:13.565519531 +0200
+++ openssh-5.9p1/sshd.c	2011-09-14 08:09:49.687509968 +0200
-@@ -1302,6 +1302,9 @@ server_accept_loop(int *sock_in, int *so
+@@ -676,8 +676,10 @@ privsep_preauth(Authctxt *authctxt)
 		if (getuid() == 0 || geteuid() == 0)
 			privsep_preauth_child();
 		setproctitle("%s", "[net]");
 -		if (box != NULL)
 +		if (box != NULL) {
 			ssh_sandbox_child(box);
 +			xfree(box);
 +		}
 		return 0;
 	}
@@ -1302,6 +1304,9 @@ server_accept_loop(int *sock_in, int *so
 		if (num_listen_socks < 0)
 			break;
 	}
@ -763,7 +833,7 @@ diff -up openssh-5.9p1/sshd.c.coverity openssh-5.9p1/sshd.c
 }
-@@ -1774,7 +1777,7 @@ main(int ac, char **av)
+@@ -1774,7 +1779,7 @@ main(int ac, char **av)
 	/* Chdir to the root directory so that the current disk can be
 	   unmounted if desired. */
--- a/openssh-5.9p1-sesandbox.patch
+++ b/openssh-5.9p1-sesandbox.patch
@ -26,7 +26,7 @@ diff -up openssh-5.9p1/configure.ac.sesandbox openssh-5.9p1/configure.ac
 		AC_MSG_ERROR([Darwin seatbelt sandbox requires sandbox.h and sandbox_init function])
 	SANDBOX_STYLE="darwin"
 	AC_DEFINE([SANDBOX_DARWIN], [1], [Sandbox using Darwin sandbox_init(3)])
-+elif test "x$sandbox_arg" = "xselinux" \\
+elif test "x$sandbox_arg" = "xselinux"  || \
 +    test "x$WITH_SELINUX" = "x1"; then
 +	SANDBOX_STYLE="selinux"
 +	AC_DEFINE([SANDBOX_SELINUX], [1], [Sandbox using selinux(8)])
@ -105,7 +105,7 @@ diff -up openssh-5.9p1/openbsd-compat/port-linux.h.sesandbox openssh-5.9p1/openb
 diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux.c
 --- openssh-5.9p1/sandbox-selinux.c.sesandbox	2011-09-13 16:01:08.715520826 +0200
 +++ openssh-5.9p1/sandbox-selinux.c	2011-09-13 16:20:02.463511312 +0200
-@@ -0,0 +1,120 @@
+@@ -0,0 +1,121 @@
 +/* $Id: sandbox-selinux.c,v 1.0 2011/01/17 10:15:30 jfch Exp $ */
 + 
 +/*
@ -148,11 +148,12 @@ diff -up openssh-5.9p1/sandbox-selinux.c.sesandbox openssh-5.9p1/sandbox-selinux
 +#include <stdlib.h>
 +#include <string.h>
 +#include <unistd.h>
 +#include <sys/resource.h>
 +
 +#include "log.h"
 +#include "ssh-sandbox.h"
 +#include "xmalloc.h"
-+#include "openbsd-comnpat/port-linux.h"
+#include "openbsd-compat/port-linux.h"
 +
 +/* selinux based sandbox */
 +
--- a/openssh-5.9p1-wIm.patch
+++ b/openssh-5.9p1-wIm.patch
@ -0,0 +1,78 @@
 diff -up openssh-5.9p1/Makefile.in.wIm openssh-5.9p1/Makefile.in
 --- openssh-5.9p1/Makefile.in.wIm	2011-08-05 22:15:18.000000000 +0200
 +++ openssh-5.9p1/Makefile.in	2011-09-12 16:24:18.643674014 +0200
@@ -66,7 +66,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
 	cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
 	compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
 	log.o match.o md-sha256.o moduli.o nchan.o packet.o \
 -	readpass.o rsa.o ttymodes.o xmalloc.o addrmatch.o \
 +	readpass.o rsa.o ttymodes.o whereIam.o xmalloc.o addrmatch.o \
 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-ecdsa.o ssh-rsa.o dh.o \
 	kexdh.o kexgex.o kexdhc.o kexgexc.o bufec.o kexecdh.o kexecdhc.o \
 diff -up openssh-5.9p1/log.h.wIm openssh-5.9p1/log.h
 --- openssh-5.9p1/log.h.wIm	2011-06-20 06:42:23.000000000 +0200
 +++ openssh-5.9p1/log.h	2011-09-12 16:34:52.984674326 +0200
@@ -65,6 +65,8 @@ void     verbose(const char *, ...) __at
 void     debug(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug2(const char *, ...) __attribute__((format(printf, 1, 2)));
 void     debug3(const char *, ...) __attribute__((format(printf, 1, 2)));
 +void	 _debug_wIm_body(const char *, int, const char *, const char *, int);
 +#define	debug_wIm(a,b) _debug_wIm_body(a,b,__func__,__FILE__,__LINE__)
 void	 set_log_handler(log_handler_fn *, void *);
 diff -up openssh-5.9p1/sshd.c.wIm openssh-5.9p1/sshd.c
 --- openssh-5.9p1/sshd.c.wIm	2011-06-23 11:45:51.000000000 +0200
 +++ openssh-5.9p1/sshd.c	2011-09-12 16:38:35.787816490 +0200
@@ -140,6 +140,9 @@ int deny_severity;
 extern char *__progname;
 +/* trace of fork processes */
 +extern int whereIam;
 +
 /* Server configuration options. */
 ServerOptions options;
@@ -666,6 +669,7 @@ privsep_preauth(Authctxt *authctxt)
 		return 1;
 	} else {
 		/* child */
 +		whereIam = 1;
 		close(pmonitor->m_sendfd);
 		close(pmonitor->m_log_recvfd);
@@ -715,6 +719,7 @@ privsep_postauth(Authctxt *authctxt)
 	/* child */
 +	whereIam = 2;
 	close(pmonitor->m_sendfd);
 	pmonitor->m_sendfd = -1;
@@ -1325,6 +1330,8 @@ main(int ac, char **av)
 	Key *key;
 	Authctxt *authctxt;
 +	whereIam = 0;
 +
 #ifdef HAVE_SECUREWARE
 	(void)set_auth_parameters(ac, av);
 #endif
 diff -up openssh-5.9p1/whereIam.c.wIm openssh-5.9p1/whereIam.c
 --- openssh-5.9p1/whereIam.c.wIm	2011-09-12 16:24:18.722674167 +0200
 +++ openssh-5.9p1/whereIam.c	2011-09-12 16:24:18.724674418 +0200
@@ -0,0 +1,12 @@
 +
 +int whereIam = -1;
 +
 +void _debug_wIm_body(const char *txt, int val, const char *func, const char *file, int line)
 +{
 +	if (txt)
 +		debug("%s=%d, %s(%s:%d) wIm = %d, uid=%d, euid=%d", txt, val, func, file, line, whereIam, getuid(), geteuid());
 +	else
 +		debug("%s(%s:%d) wIm = %d, uid=%d, euid=%d", func, file, line, whereIam, getuid(), geteuid());
 +}
 +
 +
--- a/openssh.spec
+++ b/openssh.spec
@ -34,10 +34,6 @@
 # Do we want LDAP support
 %define ldap 1
 # Do we want NSS tokens support
 # NSS support is broken from 5.4p1
 %define nss 0
 # Whether or not /sbin/nologin exists.
 %define nologin 1
@ -79,7 +75,7 @@
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.9p1
-%define openssh_rel 8
+%define openssh_rel 9
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 32
@ -109,7 +105,7 @@ Source11: sshd.service
 Source13: sshd-keygen
 # Internal debug
-Patch0: openssh-5.8p1-wIm.patch
+Patch0: openssh-5.9p1-wIm.patch
 #?
 Patch100: openssh-5.9p1-coverity.patch
@ -251,10 +247,6 @@ BuildRequires: krb5-devel
 BuildRequires: libedit-devel ncurses-devel
 %endif
 %if %{nss}
 BuildRequires: nss-devel
 %endif
 %if %{WITH_SELINUX}
 Requires: libselinux >= 1.27.7
 BuildRequires: libselinux-devel >= 1.27.7
@ -505,9 +497,6 @@ fi
 	--with-ssl-engine \
 	--with-authorized-keys-command \
 	--with-ipaddr-display \
 %if %{nss}
 	--with-nss \
 %endif
 %if %{scard}
 	--with-smartcard \
 %endif
@ -520,7 +509,7 @@ fi
 	--with-pam \
 %endif
 %if %{WITH_SELINUX}
-	--with-selinux --with-audit=linux --with-sandbox-style=selinux \
+	--with-selinux --with-audit=linux --with-sandbox=selinux \
 %endif
 %if %{kerberos5}
 	--with-kerberos5${krb5_prefix:+=${krb5_prefix}} \
@ -622,11 +611,6 @@ rm -f $RPM_BUILD_ROOT/etc/profile.d/gnome-ssh-askpass.*
 perl -pi -e "s|$RPM_BUILD_ROOT||g" $RPM_BUILD_ROOT%{_mandir}/man*/*
 rm -f README.nss.nss-keys
 %if ! %{nss}
 rm -f README.nss
 %endif
 %if %{pam_ssh_agent}
 pushd pam_ssh_agent_auth-%{pam_ssh_agent_ver}
 make install DESTDIR=$RPM_BUILD_ROOT
@ -789,6 +773,11 @@ fi
 %endif
 %changelog
 * Wed Sep 14 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-9 + 0.9.2-32
 - coverity upgrade
 - wipe off nonfunctional nss
 - selinux sandbox tweaking
 * Tue Sep 13 2011 Jan F. Chadima <jchadima@redhat.com> - 5.9p1-8 + 0.9.2-32
 - coverity upgrade
 - experimental selinux sandbox