[openssh] - clean the data structures before exit net process

Tue Jan 25 13:06:32 UTC 2011

commit f00e4a3ddca9ff37e8af762d19b284a0eb55358c
Author: Jan F <jfch at kerberos.example.com>
Date:   Tue Jan 25 14:06:13 2011 +0100

    - clean the data structures before exit net process

 openssh-5.6p1-audit5.patch |  203 +++++++++++++++++++++++++++++++++++++++-----
 openssh-5.6p1-gsskex.patch |  140 +++++++++++++++---------------
 openssh.spec               |    5 +-
 3 files changed, 256 insertions(+), 92 deletions(-)
---

diff --git a/openssh-5.6p1-audit5.patch b/openssh-5.6p1-audit5.patch
index ca3ce9a..471c211 100644
--- a/openssh-5.6p1-audit5.patch
+++ b/openssh-5.6p1-audit5.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c
---- openssh-5.6p1/audit-bsm.c.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/audit-bsm.c	2011-01-14 10:04:56.000000000 +0100
+--- openssh-5.6p1/audit-bsm.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/audit-bsm.c	2011-01-24 23:31:17.000000000 +0100
 @@ -401,4 +401,10 @@ audit_session_key_free_body(int ctos)
  {
  	/* not implemented */
@@ -13,8 +13,8 @@ diff -up openssh-5.6p1/audit-bsm.c.audit5 openssh-5.6p1/audit-bsm.c
 +}
  #endif /* BSM */
 diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c
---- openssh-5.6p1/audit.c.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/audit.c	2011-01-14 10:07:57.000000000 +0100
+--- openssh-5.6p1/audit.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/audit.c	2011-01-24 23:31:17.000000000 +0100
 @@ -268,5 +268,14 @@ audit_session_key_free_body(int ctos)
  {
  	debug("audit session key discard euid %d direction %d", geteuid(), ctos);
@@ -31,8 +31,8 @@ diff -up openssh-5.6p1/audit.c.audit5 openssh-5.6p1/audit.c
  # endif  /* !defined CUSTOM_SSH_AUDIT_EVENTS */
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h
---- openssh-5.6p1/audit.h.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/audit.h	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/audit.h.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/audit.h	2011-01-24 23:31:17.000000000 +0100
 @@ -62,5 +62,6 @@ void	audit_unsupported_body(int);
  void	audit_kex_body(int, char *, char *, char *);
  void	audit_session_key_free(int ctos);
@@ -41,8 +41,8 @@ diff -up openssh-5.6p1/audit.h.audit5 openssh-5.6p1/audit.h
  
  #endif /* _SSH_AUDIT_H */
 diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c
---- openssh-5.6p1/audit-linux.c.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/audit-linux.c	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/audit-linux.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/audit-linux.c	2011-01-24 23:31:17.000000000 +0100
 @@ -226,4 +226,26 @@ audit_session_key_free_body(int ctos)
  		error("cannot write into audit");
  }
@@ -70,9 +70,93 @@ diff -up openssh-5.6p1/audit-linux.c.audit5 openssh-5.6p1/audit-linux.c
 +}
 +
  #endif /* USE_LINUX_AUDIT */
+diff -up openssh-5.6p1/kex.c.audit5 openssh-5.6p1/kex.c
+--- openssh-5.6p1/kex.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/kex.c	2011-01-24 23:31:17.000000000 +0100
+@@ -592,3 +592,34 @@ dump_digest(char *msg, u_char *digest, i
+ 	fprintf(stderr, "\n");
+ }
+ #endif
++
++static void
++enc_destroy(Enc *enc)
++{
++	if (enc == NULL)
++		return;
++
++	if (enc->key) {
++		memset(enc->key, 0, enc->key_len);
++		xfree(enc->key);
++	}
++
++	if (enc->iv) {
++		memset(enc->iv,  0, enc->block_size);
++		xfree(enc->iv);
++	}
++
++	memset(enc, 0, sizeof(*enc));
++}
++
++void
++newkeys_destroy(Newkeys *newkeys)
++{
++	if (newkeys == NULL)
++		return;
++
++	enc_destroy(&newkeys->enc);
++	mac_destroy(&newkeys->mac);
++	memset(&newkeys->comp, 0, sizeof(newkeys->comp));
++}
++
+diff -up openssh-5.6p1/kex.h.audit5 openssh-5.6p1/kex.h
+--- openssh-5.6p1/kex.h.audit5	2010-02-26 21:55:05.000000000 +0100
++++ openssh-5.6p1/kex.h	2011-01-24 23:31:17.000000000 +0100
+@@ -146,6 +146,8 @@ void	 kexdh_server(Kex *);
+ void	 kexgex_client(Kex *);
+ void	 kexgex_server(Kex *);
+ 
++void	newkeys_destroy(Newkeys *newkeys);
++
+ void
+ kex_dh_hash(char *, char *, char *, int, char *, int, u_char *, int,
+     BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
+diff -up openssh-5.6p1/mac.c.audit5 openssh-5.6p1/mac.c
+--- openssh-5.6p1/mac.c.audit5	2008-06-13 02:58:50.000000000 +0200
++++ openssh-5.6p1/mac.c	2011-01-24 23:31:17.000000000 +0100
+@@ -162,6 +162,22 @@ mac_clear(Mac *mac)
+ 	mac->umac_ctx = NULL;
+ }
+ 
++void
++mac_destroy(Mac *mac)
++{
++	if (mac == NULL)
++		return;
++
++	mac_clear(mac);
++
++	if (mac->key) {
++		memset(mac->key, 0, mac->key_len);
++		xfree(mac->key);
++	}
++
++	memset(mac, 0, sizeof(*mac));
++}
++
+ /* XXX copied from ciphers_valid */
+ #define	MAC_SEP	","
+ int
+diff -up openssh-5.6p1/mac.h.audit5 openssh-5.6p1/mac.h
+--- openssh-5.6p1/mac.h.audit5	2007-06-11 06:01:42.000000000 +0200
++++ openssh-5.6p1/mac.h	2011-01-24 23:31:17.000000000 +0100
+@@ -28,3 +28,4 @@ int	 mac_setup(Mac *, char *);
+ int	 mac_init(Mac *);
+ u_char	*mac_compute(Mac *, u_int32_t, u_char *, int);
+ void	 mac_clear(Mac *);
++void	 mac_destroy(Mac *);
 diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c
---- openssh-5.6p1/monitor.c.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/monitor.c	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/monitor.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/monitor.c	2011-01-24 23:31:17.000000000 +0100
 @@ -181,6 +181,7 @@ int mm_answer_audit_command(int, Buffer 
  int mm_answer_audit_unsupported_body(int, Buffer *);
  int mm_answer_audit_kex_body(int, Buffer *);
@@ -130,8 +214,8 @@ diff -up openssh-5.6p1/monitor.c.audit5 openssh-5.6p1/monitor.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h
---- openssh-5.6p1/monitor.h.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/monitor.h	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/monitor.h.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/monitor.h	2011-01-24 23:31:17.000000000 +0100
 @@ -69,6 +69,7 @@ enum monitor_reqtype {
  	MONITOR_REQ_AUDIT_UNSUPPORTED, MONITOR_ANS_AUDIT_UNSUPPORTED,
  	MONITOR_REQ_AUDIT_KEX, MONITOR_ANS_AUDIT_KEX,
@@ -141,8 +225,8 @@ diff -up openssh-5.6p1/monitor.h.audit5 openssh-5.6p1/monitor.h
  
  struct mm_master;
 diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c
---- openssh-5.6p1/monitor_wrap.c.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/monitor_wrap.c	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/monitor_wrap.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/monitor_wrap.c	2011-01-24 23:31:17.000000000 +0100
 @@ -1458,4 +1458,16 @@ mm_audit_session_key_free_body(int ctos)
  				  &m);
  	buffer_free(&m);
@@ -161,8 +245,8 @@ diff -up openssh-5.6p1/monitor_wrap.c.audit5 openssh-5.6p1/monitor_wrap.c
 +}
  #endif /* SSH_AUDIT_EVENTS */
 diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h
---- openssh-5.6p1/monitor_wrap.h.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/monitor_wrap.h	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/monitor_wrap.h.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/monitor_wrap.h	2011-01-24 23:31:17.000000000 +0100
 @@ -77,6 +77,7 @@ void mm_audit_run_command(const char *);
  void mm_audit_unsupported_body(int);
  void mm_audit_kex_body(int, char *, char *, char *);
@@ -171,9 +255,77 @@ diff -up openssh-5.6p1/monitor_wrap.h.audit5 openssh-5.6p1/monitor_wrap.h
  #endif
  
  struct Session;
+diff -up openssh-5.6p1/packet.c.audit5 openssh-5.6p1/packet.c
+--- openssh-5.6p1/packet.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/packet.c	2011-01-24 23:40:06.000000000 +0100
+@@ -60,6 +60,7 @@
+ #include <signal.h>
+ 
+ #include "xmalloc.h"
++#include "audit.h"
+ #include "buffer.h"
+ #include "packet.h"
+ #include "crc32.h"
+@@ -495,9 +496,9 @@ packet_close(void)
+ 		buffer_free(&active_state->compression_buffer);
+ 		buffer_compress_uninit();
+ 	}
+-	audit_session_key_free(2);
+ 	cipher_cleanup(&active_state->send_context);
+ 	cipher_cleanup(&active_state->receive_context);
++	audit_session_key_free(2);
+ }
+ 
+ /* Sets remote side protocol flags. */
+@@ -1939,3 +1940,36 @@ packet_restore_state(void)
+ 		add_recv_bytes(len);
+ 	}
+ }
++
++static void
++packet_destroy_state(struct session_state *state)
++{
++	if (state == NULL)
++		return;
++
++	if (state->connection_in >= 0)
++		close(state->connection_in);
++	if ((state->connection_in != state->connection_out) && (state->connection_out >= 0))
++		close(state->connection_out);
++
++	cipher_cleanup(&state->receive_context);
++	cipher_cleanup(&state->send_context);
++
++	buffer_free(&state->input);
++	buffer_free(&state->output);
++	buffer_free(&state->outgoing_packet);
++	buffer_free(&state->incoming_packet);
++	buffer_free(&state->compression_buffer);
++	newkeys_destroy(state->newkeys[MODE_IN]);
++	newkeys_destroy(state->newkeys[MODE_OUT]);
++	mac_destroy(state->packet_discard_mac);
++//	TAILQ_HEAD(, packet) outgoing;
++	memset(state, 0, sizeof(state));
++}
++
++void
++packet_destroy_all(void)
++{
++	packet_destroy_state(active_state);
++	packet_destroy_state(backup_state);
++}
+diff -up openssh-5.6p1/packet.h.audit5 openssh-5.6p1/packet.h
+--- openssh-5.6p1/packet.h.audit5	2009-07-05 23:11:13.000000000 +0200
++++ openssh-5.6p1/packet.h	2011-01-24 23:31:17.000000000 +0100
+@@ -115,4 +115,5 @@ void	 packet_restore_state(void);
+ void	*packet_get_input(void);
+ void	*packet_get_output(void);
+ 
++void	 packet_destroy_all(void);
+ #endif				/* PACKET_H */
 diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c
 --- openssh-5.6p1/session.c.audit5	2010-06-26 02:00:15.000000000 +0200
-+++ openssh-5.6p1/session.c	2011-01-14 10:14:08.000000000 +0100
++++ openssh-5.6p1/session.c	2011-01-24 23:31:17.000000000 +0100
 @@ -1677,6 +1677,7 @@ do_child(Session *s, const char *command
  
  	/* remove hostkey from the child's memory */
@@ -183,8 +335,8 @@ diff -up openssh-5.6p1/session.c.audit5 openssh-5.6p1/session.c
  	/* Force a password change */
  	if (s->authctxt->force_pwchange) {
 diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
---- openssh-5.6p1/sshd.c.audit5	2011-01-14 10:14:08.000000000 +0100
-+++ openssh-5.6p1/sshd.c	2011-01-14 10:14:08.000000000 +0100
+--- openssh-5.6p1/sshd.c.audit5	2011-01-24 23:31:17.000000000 +0100
++++ openssh-5.6p1/sshd.c	2011-01-24 23:42:47.000000000 +0100
 @@ -579,6 +579,7 @@ demote_sensitive_data(void)
  		}
  		/* Certs do not need demotion */
@@ -193,7 +345,16 @@ diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
  
  	/* We do not clear ssh1_host key and cookie.  XXX - Okay Niels? */
  }
-@@ -2011,8 +2012,10 @@ main(int ac, char **av)
+@@ -1970,6 +1971,8 @@ main(int ac, char **av)
+ 	 */
+ 	if (use_privsep) {
+ 		mm_send_keystate(pmonitor);
++		packet_destroy_all();
++		audit_session_key_free(2);
+ 		exit(0);
+ 	}
+ 
+@@ -2011,8 +2014,10 @@ main(int ac, char **av)
  	if (use_privsep) {
  		privsep_postauth(authctxt);
  		/* the monitor process [priv] will not return */
@@ -205,7 +366,7 @@ diff -up openssh-5.6p1/sshd.c.audit5 openssh-5.6p1/sshd.c
  	}
  
  	packet_set_timeout(options.client_alive_interval,
-@@ -2249,6 +2252,7 @@ do_ssh1_kex(void)
+@@ -2249,6 +2254,7 @@ do_ssh1_kex(void)
  	}
  	/* Destroy the private and public keys. No longer. */
  	destroy_sensitive_data();
diff --git a/openssh-5.6p1-gsskex.patch b/openssh-5.6p1-gsskex.patch
index 34da324..53211b0 100644
--- a/openssh-5.6p1-gsskex.patch
+++ b/openssh-5.6p1-gsskex.patch
@@ -1,6 +1,6 @@
 diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
---- openssh-5.6p1/auth2.c.gsskex	2010-11-02 22:23:46.000000000 +0100
-+++ openssh-5.6p1/auth2.c	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/auth2.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/auth2.c	2011-01-24 23:51:08.000000000 +0100
 @@ -69,6 +69,7 @@ extern Authmethod method_passwd;
  extern Authmethod method_kbdint;
  extern Authmethod method_hostbased;
@@ -36,8 +36,8 @@ diff -up openssh-5.6p1/auth2.c.gsskex openssh-5.6p1/auth2.c
  		if (authctxt->failures >= options.max_authtries) {
  #ifdef SSH_AUDIT_EVENTS
 diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
---- openssh-5.6p1/auth2-gss.c.gsskex	2010-11-02 22:23:46.000000000 +0100
-+++ openssh-5.6p1/auth2-gss.c	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/auth2-gss.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/auth2-gss.c	2011-01-24 23:51:08.000000000 +0100
 @@ -1,7 +1,7 @@
  /* $OpenBSD: auth2-gss.c,v 1.16 2007/10/29 00:52:45 dtucker Exp $ */
  
@@ -138,8 +138,8 @@ diff -up openssh-5.6p1/auth2-gss.c.gsskex openssh-5.6p1/auth2-gss.c
  	"gssapi-with-mic",
  	userauth_gssapi,
 diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
---- openssh-5.6p1/auth.h.gsskex	2010-11-02 22:23:46.000000000 +0100
-+++ openssh-5.6p1/auth.h	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/auth.h.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/auth.h	2011-01-24 23:51:08.000000000 +0100
 @@ -53,6 +53,7 @@ struct Authctxt {
  	int		 valid;		/* user exists and is allowed to login */
  	int		 attempt;
@@ -150,7 +150,7 @@ diff -up openssh-5.6p1/auth.h.gsskex openssh-5.6p1/auth.h
  	char		*service;
 diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
 --- openssh-5.6p1/auth-krb5.c.gsskex	2009-12-21 00:49:22.000000000 +0100
-+++ openssh-5.6p1/auth-krb5.c	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/auth-krb5.c	2011-01-24 23:51:08.000000000 +0100
 @@ -170,8 +170,13 @@ auth_krb5_password(Authctxt *authctxt, c
  
  	len = strlen(authctxt->krb5_ticket_file) + 6;
@@ -199,8 +199,8 @@ diff -up openssh-5.6p1/auth-krb5.c.gsskex openssh-5.6p1/auth-krb5.c
  	return (krb5_cc_resolve(ctx, ccname, ccache));
  }
 diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
---- openssh-5.6p1/ChangeLog.gssapi.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/ChangeLog.gssapi	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/ChangeLog.gssapi.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/ChangeLog.gssapi	2011-01-24 23:51:08.000000000 +0100
 @@ -0,0 +1,95 @@
 +20090615
 +  - [ gss-genr.c gss-serv.c kexgssc.c kexgsss.c monitor.c sshconnect2.c
@@ -299,7 +299,7 @@ diff -up openssh-5.6p1/ChangeLog.gssapi.gsskex openssh-5.6p1/ChangeLog.gssapi
 +    <gssapi-with-mic support is Bugzilla #1008>
 diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
 --- openssh-5.6p1/clientloop.c.gsskex	2010-08-03 08:04:46.000000000 +0200
-+++ openssh-5.6p1/clientloop.c	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/clientloop.c	2011-01-24 23:51:08.000000000 +0100
 @@ -111,6 +111,10 @@
  #include "msg.h"
  #include "roaming.h"
@@ -326,8 +326,8 @@ diff -up openssh-5.6p1/clientloop.c.gsskex openssh-5.6p1/clientloop.c
  				debug("need rekeying");
  				xxx_kex->done = 0;
 diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
---- openssh-5.6p1/configure.ac.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/configure.ac	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/configure.ac.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/configure.ac	2011-01-24 23:51:09.000000000 +0100
 @@ -477,6 +477,30 @@ main() { if (NSVersionOfRunTimeLibrary("
  	    [Use tunnel device compatibility to OpenBSD])
  	AC_DEFINE(SSH_TUN_PREPEND_AF, 1,
@@ -361,7 +361,7 @@ diff -up openssh-5.6p1/configure.ac.gsskex openssh-5.6p1/configure.ac
  	    AC_DEFINE(AU_IPv4, 0, [System only supports IPv4 audit records])
 diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
 --- openssh-5.6p1/gss-genr.c.gsskex	2009-06-22 08:11:07.000000000 +0200
-+++ openssh-5.6p1/gss-genr.c	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/gss-genr.c	2011-01-24 23:51:09.000000000 +0100
 @@ -39,12 +39,167 @@
  #include "buffer.h"
  #include "log.h"
@@ -702,7 +702,7 @@ diff -up openssh-5.6p1/gss-genr.c.gsskex openssh-5.6p1/gss-genr.c
  #endif /* GSSAPI */
 diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
 --- openssh-5.6p1/gss-serv.c.gsskex	2008-05-19 07:05:07.000000000 +0200
-+++ openssh-5.6p1/gss-serv.c	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/gss-serv.c	2011-01-24 23:51:09.000000000 +0100
 @@ -1,7 +1,7 @@
  /* $OpenBSD: gss-serv.c,v 1.22 2008/05/08 12:02:23 djm Exp $ */
  
@@ -1018,7 +1018,7 @@ diff -up openssh-5.6p1/gss-serv.c.gsskex openssh-5.6p1/gss-serv.c
  #endif
 diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
 --- openssh-5.6p1/gss-serv-krb5.c.gsskex	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-5.6p1/gss-serv-krb5.c	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/gss-serv-krb5.c	2011-01-24 23:51:09.000000000 +0100
 @@ -1,7 +1,7 @@
  /* $OpenBSD: gss-serv-krb5.c,v 1.7 2006/08/03 03:34:42 deraadt Exp $ */
  
@@ -1140,8 +1140,8 @@ diff -up openssh-5.6p1/gss-serv-krb5.c.gsskex openssh-5.6p1/gss-serv-krb5.c
  
  #endif /* KRB5 */
 diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
---- openssh-5.6p1/kex.c.gsskex	2010-11-02 22:23:46.000000000 +0100
-+++ openssh-5.6p1/kex.c	2010-11-02 22:27:07.000000000 +0100
+--- openssh-5.6p1/kex.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/kex.c	2011-01-24 23:51:09.000000000 +0100
 @@ -51,6 +51,10 @@
  #include "roaming.h"
  #include "audit.h"
@@ -1175,8 +1175,8 @@ diff -up openssh-5.6p1/kex.c.gsskex openssh-5.6p1/kex.c
  		fatal("bad kex alg %s", k->name);
  }
 diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
---- openssh-5.6p1/kexgssc.c.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/kexgssc.c	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/kexgssc.c.gsskex	2011-01-24 23:51:09.000000000 +0100
++++ openssh-5.6p1/kexgssc.c	2011-01-24 23:51:09.000000000 +0100
 @@ -0,0 +1,334 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1513,8 +1513,8 @@ diff -up openssh-5.6p1/kexgssc.c.gsskex openssh-5.6p1/kexgssc.c
 +
 +#endif /* GSSAPI */
 diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
---- openssh-5.6p1/kexgsss.c.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/kexgsss.c	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/kexgsss.c.gsskex	2011-01-24 23:51:09.000000000 +0100
++++ openssh-5.6p1/kexgsss.c	2011-01-24 23:51:09.000000000 +0100
 @@ -0,0 +1,288 @@
 +/*
 + * Copyright (c) 2001-2009 Simon Wilkinson. All rights reserved.
@@ -1805,8 +1805,8 @@ diff -up openssh-5.6p1/kexgsss.c.gsskex openssh-5.6p1/kexgsss.c
 +}
 +#endif /* GSSAPI */
 diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
---- openssh-5.6p1/kex.h.gsskex	2010-02-26 21:55:05.000000000 +0100
-+++ openssh-5.6p1/kex.h	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/kex.h.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/kex.h	2011-01-24 23:52:26.000000000 +0100
 @@ -67,6 +67,9 @@ enum kex_exchange {
  	KEX_DH_GRP14_SHA1,
  	KEX_DH_GEX_SHA1,
@@ -1830,9 +1830,9 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
  	char	*client_version_string;
  	char	*server_version_string;
  	int	(*verify_host_key)(Key *);
-@@ -146,6 +155,11 @@ void	 kexdh_server(Kex *);
- void	 kexgex_client(Kex *);
- void	 kexgex_server(Kex *);
+@@ -148,6 +157,11 @@ void	 kexgex_server(Kex *);
+ 
+ void	newkeys_destroy(Newkeys *newkeys);
  
 +#ifdef GSSAPI
 +void	kexgss_client(Kex *);
@@ -1844,7 +1844,7 @@ diff -up openssh-5.6p1/kex.h.gsskex openssh-5.6p1/kex.h
      BIGNUM *, BIGNUM *, BIGNUM *, u_char **, u_int *);
 diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c
 --- openssh-5.6p1/key.c.gsskex	2010-07-16 05:58:37.000000000 +0200
-+++ openssh-5.6p1/key.c	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/key.c	2011-01-24 23:51:09.000000000 +0100
 @@ -1020,6 +1020,8 @@ key_type_from_name(char *name)
  		return KEY_RSA_CERT;
  	} else if (strcmp(name, "ssh-dss-cert-v01 at openssh.com") == 0) {
@@ -1856,7 +1856,7 @@ diff -up openssh-5.6p1/key.c.gsskex openssh-5.6p1/key.c
  	return KEY_UNSPEC;
 diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h
 --- openssh-5.6p1/key.h.gsskex	2010-04-16 07:56:22.000000000 +0200
-+++ openssh-5.6p1/key.h	2010-11-02 22:23:49.000000000 +0100
++++ openssh-5.6p1/key.h	2011-01-24 23:51:09.000000000 +0100
 @@ -39,6 +39,7 @@ enum types {
  	KEY_DSA_CERT,
  	KEY_RSA_CERT_V00,
@@ -1866,8 +1866,8 @@ diff -up openssh-5.6p1/key.h.gsskex openssh-5.6p1/key.h
  };
  enum fp_type {
 diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in
---- openssh-5.6p1/Makefile.in.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/Makefile.in	2010-11-02 22:26:34.000000000 +0100
+--- openssh-5.6p1/Makefile.in.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/Makefile.in	2011-01-24 23:51:09.000000000 +0100
 @@ -77,11 +77,11 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
  	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
  	kexgex.o kexdhc.o kexgexc.o msg.o progressmeter.o dns.o \
@@ -1892,8 +1892,8 @@ diff -up openssh-5.6p1/Makefile.in.gsskex openssh-5.6p1/Makefile.in
  MANPAGES	= moduli.5.out scp.1.out ssh-add.1.out ssh-agent.1.out ssh-keygen.1.out ssh-keyscan.1.out ssh.1.out sshd.8.out sftp-server.8.out sftp.1.out ssh-rand-helper.8.out ssh-keysign.8.out ssh-pkcs11-helper.8.out ssh-ldap-helper.8.out sshd_config.5.out ssh_config.5.out ssh-ldap.conf.5.out
  MANPAGES_IN	= moduli.5 scp.1 ssh-add.1 ssh-agent.1 ssh-keygen.1 ssh-keyscan.1 ssh.1 sshd.8 sftp-server.8 sftp.1 ssh-rand-helper.8 ssh-keysign.8 ssh-pkcs11-helper.8 ssh-ldap-helper.8 sshd_config.5 ssh_config.5 ssh-ldap.conf.5
 diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
---- openssh-5.6p1/monitor.c.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/monitor.c	2010-11-02 22:23:49.000000000 +0100
+--- openssh-5.6p1/monitor.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/monitor.c	2011-01-24 23:51:09.000000000 +0100
 @@ -176,6 +176,8 @@ int mm_answer_gss_setup_ctx(int, Buffer 
  int mm_answer_gss_accept_ctx(int, Buffer *);
  int mm_answer_gss_userok(int, Buffer *);
@@ -1903,7 +1903,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  #endif
  
  #ifdef SSH_AUDIT_EVENTS
-@@ -252,6 +254,7 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -256,6 +258,7 @@ struct mon_table mon_dispatch_proto20[] 
      {MONITOR_REQ_GSSSTEP, MON_ISAUTH, mm_answer_gss_accept_ctx},
      {MONITOR_REQ_GSSUSEROK, MON_AUTH, mm_answer_gss_userok},
      {MONITOR_REQ_GSSCHECKMIC, MON_ISAUTH, mm_answer_gss_checkmic},
@@ -1911,7 +1911,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  #endif
  #ifdef JPAKE
      {MONITOR_REQ_JPAKE_GET_PWDATA, MON_ONCE, mm_answer_jpake_get_pwdata},
-@@ -264,6 +267,12 @@ struct mon_table mon_dispatch_proto20[] 
+@@ -268,6 +271,12 @@ struct mon_table mon_dispatch_proto20[] 
  };
  
  struct mon_table mon_dispatch_postauth20[] = {
@@ -1924,7 +1924,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
      {MONITOR_REQ_MODULI, 0, mm_answer_moduli},
      {MONITOR_REQ_SIGN, 0, mm_answer_sign},
      {MONITOR_REQ_PTY, 0, mm_answer_pty},
-@@ -370,6 +379,10 @@ monitor_child_preauth(Authctxt *_authctx
+@@ -384,6 +393,10 @@ monitor_child_preauth(Authctxt *_authctx
  		/* Permit requests for moduli and signatures */
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
@@ -1935,7 +1935,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	} else {
  		mon_dispatch = mon_dispatch_proto15;
  
-@@ -456,6 +469,10 @@ monitor_child_postauth(struct monitor *p
+@@ -470,6 +483,10 @@ monitor_child_postauth(struct monitor *p
  		monitor_permit(mon_dispatch, MONITOR_REQ_MODULI, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_SIGN, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
@@ -1946,7 +1946,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	} else {
  		mon_dispatch = mon_dispatch_postauth15;
  		monitor_permit(mon_dispatch, MONITOR_REQ_TERM, 1);
-@@ -1742,6 +1759,13 @@ mm_get_kex(Buffer *m)
+@@ -1754,6 +1771,13 @@ mm_get_kex(Buffer *m)
  	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
  	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
  	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
@@ -1960,7 +1960,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	kex->server = 1;
  	kex->hostkey_type = buffer_get_int(m);
  	kex->kex_type = buffer_get_int(m);
-@@ -1948,6 +1972,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
+@@ -1960,6 +1984,9 @@ mm_answer_gss_setup_ctx(int sock, Buffer
  	OM_uint32 major;
  	u_int len;
  
@@ -1970,7 +1970,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	goid.elements = buffer_get_string(m, &len);
  	goid.length = len;
  
-@@ -1975,6 +2002,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -1987,6 +2014,9 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  	OM_uint32 flags = 0; /* GSI needs this */
  	u_int len;
  
@@ -1980,7 +1980,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	in.value = buffer_get_string(m, &len);
  	in.length = len;
  	major = ssh_gssapi_accept_ctx(gsscontext, &in, &out, &flags);
-@@ -1992,6 +2022,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
+@@ -2004,6 +2034,7 @@ mm_answer_gss_accept_ctx(int sock, Buffe
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSSTEP, 0);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSUSEROK, 1);
  		monitor_permit(mon_dispatch, MONITOR_REQ_GSSCHECKMIC, 1);
@@ -1988,7 +1988,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	}
  	return (0);
  }
-@@ -2003,6 +2034,9 @@ mm_answer_gss_checkmic(int sock, Buffer 
+@@ -2015,6 +2046,9 @@ mm_answer_gss_checkmic(int sock, Buffer 
  	OM_uint32 ret;
  	u_int len;
  
@@ -1998,7 +1998,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  	gssbuf.value = buffer_get_string(m, &len);
  	gssbuf.length = len;
  	mic.value = buffer_get_string(m, &len);
-@@ -2029,7 +2063,11 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2041,7 +2075,11 @@ mm_answer_gss_userok(int sock, Buffer *m
  {
  	int authenticated;
  
@@ -2011,7 +2011,7 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  
  	buffer_clear(m);
  	buffer_put_int(m, authenticated);
-@@ -2042,6 +2080,74 @@ mm_answer_gss_userok(int sock, Buffer *m
+@@ -2054,6 +2092,74 @@ mm_answer_gss_userok(int sock, Buffer *m
  	/* Monitor loop will terminate if authenticated */
  	return (authenticated);
  }
@@ -2087,8 +2087,8 @@ diff -up openssh-5.6p1/monitor.c.gsskex openssh-5.6p1/monitor.c
  
  #ifdef JPAKE
 diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
---- openssh-5.6p1/monitor.h.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/monitor.h	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/monitor.h.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/monitor.h	2011-01-24 23:51:09.000000000 +0100
 @@ -56,6 +56,8 @@ enum monitor_reqtype {
  	MONITOR_REQ_GSSSTEP, MONITOR_ANS_GSSSTEP,
  	MONITOR_REQ_GSSUSEROK, MONITOR_ANS_GSSUSEROK,
@@ -2099,8 +2099,8 @@ diff -up openssh-5.6p1/monitor.h.gsskex openssh-5.6p1/monitor.h
  	MONITOR_REQ_PAM_ACCOUNT, MONITOR_ANS_PAM_ACCOUNT,
  	MONITOR_REQ_PAM_INIT_CTX, MONITOR_ANS_PAM_INIT_CTX,
 diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
---- openssh-5.6p1/monitor_wrap.c.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/monitor_wrap.c	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/monitor_wrap.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/monitor_wrap.c	2011-01-24 23:51:09.000000000 +0100
 @@ -1250,7 +1250,7 @@ mm_ssh_gssapi_checkmic(Gssctxt *ctx, gss
  }
  
@@ -2163,8 +2163,8 @@ diff -up openssh-5.6p1/monitor_wrap.c.gsskex openssh-5.6p1/monitor_wrap.c
  
  #ifdef JPAKE
 diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
---- openssh-5.6p1/monitor_wrap.h.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/monitor_wrap.h	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/monitor_wrap.h.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/monitor_wrap.h	2011-01-24 23:51:09.000000000 +0100
 @@ -60,8 +60,10 @@ BIGNUM *mm_auth_rsa_generate_challenge(K
  OM_uint32 mm_ssh_gssapi_server_ctx(Gssctxt **, gss_OID);
  OM_uint32 mm_ssh_gssapi_accept_ctx(Gssctxt *,
@@ -2179,7 +2179,7 @@ diff -up openssh-5.6p1/monitor_wrap.h.gsskex openssh-5.6p1/monitor_wrap.h
  #ifdef USE_PAM
 diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
 --- openssh-5.6p1/readconf.c.gsskex	2010-08-03 08:04:46.000000000 +0200
-+++ openssh-5.6p1/readconf.c	2010-11-02 22:23:50.000000000 +0100
++++ openssh-5.6p1/readconf.c	2011-01-24 23:51:09.000000000 +0100
 @@ -127,6 +127,7 @@ typedef enum {
  	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
  	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
@@ -2263,7 +2263,7 @@ diff -up openssh-5.6p1/readconf.c.gsskex openssh-5.6p1/readconf.c
  	if (options->kbd_interactive_authentication == -1)
 diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
 --- openssh-5.6p1/readconf.h.gsskex	2010-08-03 08:04:46.000000000 +0200
-+++ openssh-5.6p1/readconf.h	2010-11-02 22:23:50.000000000 +0100
++++ openssh-5.6p1/readconf.h	2011-01-24 23:51:09.000000000 +0100
 @@ -46,7 +46,11 @@ typedef struct {
  	int     challenge_response_authentication;
  					/* Try S/Key or TIS, authentication. */
@@ -2277,8 +2277,8 @@ diff -up openssh-5.6p1/readconf.h.gsskex openssh-5.6p1/readconf.h
  						 * authentication. */
  	int     kbd_interactive_authentication; /* Try keyboard-interactive auth. */
 diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
---- openssh-5.6p1/servconf.c.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/servconf.c	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/servconf.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/servconf.c	2011-01-24 23:51:09.000000000 +0100
 @@ -93,7 +93,10 @@ initialize_server_options(ServerOptions 
  	options->kerberos_ticket_cleanup = -1;
  	options->kerberos_get_afs_token = -1;
@@ -2356,8 +2356,8 @@ diff -up openssh-5.6p1/servconf.c.gsskex openssh-5.6p1/servconf.c
  		intptr = &options->password_authentication;
  		goto parse_flag;
 diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
---- openssh-5.6p1/servconf.h.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/servconf.h	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/servconf.h.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/servconf.h	2011-01-24 23:51:09.000000000 +0100
 @@ -94,7 +94,10 @@ typedef struct {
  	int     kerberos_get_afs_token;		/* If true, try to get AFS token if
  						 * authenticated with Kerberos. */
@@ -2371,7 +2371,7 @@ diff -up openssh-5.6p1/servconf.h.gsskex openssh-5.6p1/servconf.h
  	int     kbd_interactive_authentication;	/* If true, permit */
 diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
 --- openssh-5.6p1/ssh_config.5.gsskex	2010-08-05 05:03:13.000000000 +0200
-+++ openssh-5.6p1/ssh_config.5	2010-11-02 22:23:50.000000000 +0100
++++ openssh-5.6p1/ssh_config.5	2011-01-24 23:51:09.000000000 +0100
 @@ -509,11 +509,38 @@ Specifies whether user authentication ba
  The default is
  .Dq no .
@@ -2413,8 +2413,8 @@ diff -up openssh-5.6p1/ssh_config.5.gsskex openssh-5.6p1/ssh_config.5
  Indicates that
  .Xr ssh 1
 diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
---- openssh-5.6p1/ssh_config.gsskex	2010-11-02 22:23:45.000000000 +0100
-+++ openssh-5.6p1/ssh_config	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/ssh_config.gsskex	2011-01-24 23:51:07.000000000 +0100
++++ openssh-5.6p1/ssh_config	2011-01-24 23:51:09.000000000 +0100
 @@ -26,6 +26,8 @@
  #   HostbasedAuthentication no
  #   GSSAPIAuthentication no
@@ -2425,8 +2425,8 @@ diff -up openssh-5.6p1/ssh_config.gsskex openssh-5.6p1/ssh_config
  #   CheckHostIP yes
  #   AddressFamily any
 diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
---- openssh-5.6p1/sshconnect2.c.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/sshconnect2.c	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/sshconnect2.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/sshconnect2.c	2011-01-24 23:51:09.000000000 +0100
 @@ -108,9 +108,34 @@ ssh_kex2(char *host, struct sockaddr *ho
  {
  	Kex *kex;
@@ -2629,8 +2629,8 @@ diff -up openssh-5.6p1/sshconnect2.c.gsskex openssh-5.6p1/sshconnect2.c
  
  int
 diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
---- openssh-5.6p1/sshd.c.gsskex	2010-11-02 22:23:49.000000000 +0100
-+++ openssh-5.6p1/sshd.c	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/sshd.c.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/sshd.c	2011-01-24 23:51:09.000000000 +0100
 @@ -130,6 +130,10 @@ int allow_severity;
  int deny_severity;
  #endif /* LIBWRAP */
@@ -2642,7 +2642,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
  #ifndef O_NOCTTY
  #define O_NOCTTY	0
  #endif
-@@ -1602,10 +1606,13 @@ main(int ac, char **av)
+@@ -1603,10 +1607,13 @@ main(int ac, char **av)
  		logit("Disabling protocol version 1. Could not load host key");
  		options.protocol &= ~SSH_PROTO_1;
  	}
@@ -2656,7 +2656,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
  	if (!(options.protocol & (SSH_PROTO_1|SSH_PROTO_2))) {
  		logit("sshd: no hostkeys available -- exiting.");
  		exit(1);
-@@ -1938,6 +1945,60 @@ main(int ac, char **av)
+@@ -1939,6 +1946,60 @@ main(int ac, char **av)
  	/* Log the connection. */
  	verbose("Connection from %.500s port %d", remote_ip, remote_port);
  
@@ -2717,7 +2717,7 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
  	/*
  	 * We don't want to listen forever unless the other side
  	 * successfully authenticates itself.  So we set up an alarm which is
-@@ -2329,12 +2390,61 @@ do_ssh2_kex(void)
+@@ -2335,12 +2396,61 @@ do_ssh2_kex(void)
  
  	myproposal[PROPOSAL_SERVER_HOST_KEY_ALGS] = list_hostkey_types();
  
@@ -2780,8 +2780,8 @@ diff -up openssh-5.6p1/sshd.c.gsskex openssh-5.6p1/sshd.c
  	kex->client_version_string=client_version_string;
  	kex->server_version_string=server_version_string;
 diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
---- openssh-5.6p1/sshd_config.5.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/sshd_config.5	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/sshd_config.5.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/sshd_config.5	2011-01-24 23:51:09.000000000 +0100
 @@ -424,12 +424,40 @@ Specifies whether user authentication ba
  The default is
  .Dq no .
@@ -2824,8 +2824,8 @@ diff -up openssh-5.6p1/sshd_config.5.gsskex openssh-5.6p1/sshd_config.5
  Specifies whether rhosts or /etc/hosts.equiv authentication together
  with successful public key client host authentication is allowed
 diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
---- openssh-5.6p1/sshd_config.gsskex	2010-11-02 22:23:47.000000000 +0100
-+++ openssh-5.6p1/sshd_config	2010-11-02 22:23:50.000000000 +0100
+--- openssh-5.6p1/sshd_config.gsskex	2011-01-24 23:51:08.000000000 +0100
++++ openssh-5.6p1/sshd_config	2011-01-24 23:51:09.000000000 +0100
 @@ -78,6 +78,8 @@ ChallengeResponseAuthentication no
  GSSAPIAuthentication yes
  #GSSAPICleanupCredentials yes
@@ -2837,7 +2837,7 @@ diff -up openssh-5.6p1/sshd_config.gsskex openssh-5.6p1/sshd_config
  # and session processing. If this is enabled, PAM authentication will 
 diff -up openssh-5.6p1/ssh-gss.h.gsskex openssh-5.6p1/ssh-gss.h
 --- openssh-5.6p1/ssh-gss.h.gsskex	2007-06-12 15:40:39.000000000 +0200
-+++ openssh-5.6p1/ssh-gss.h	2010-11-02 22:23:50.000000000 +0100
++++ openssh-5.6p1/ssh-gss.h	2011-01-24 23:51:09.000000000 +0100
 @@ -1,6 +1,6 @@
  /* $OpenBSD: ssh-gss.h,v 1.10 2007/06/12 08:20:00 djm Exp $ */
  /*
diff --git a/openssh.spec b/openssh.spec
index 1aacf9e..f294bca 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -71,7 +71,7 @@
 
 # Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
 %define openssh_ver 5.6p1
-%define openssh_rel 24
+%define openssh_rel 25
 %define pam_ssh_agent_ver 0.9.2
 %define pam_ssh_agent_rel 29
 
@@ -603,6 +603,9 @@ fi
 %endif
 
 %changelog
+* Tue Jan 25 2011 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-25 + 0.9.2-29
+- clean the data structures before exit net process
+
 * Mon Jan 17 2011 Jan F. Chadima <jchadima at redhat.com> - 5.6p1-24 + 0.9.2-29
 - make audit compatible with the fips mode
 
