From ec5276165c469e012e1c3fc64eb00944817bfffd Mon Sep 17 00:00:00 2001
From: Tomáš Mráz <tmraz@fedoraproject.org>
Date: Jul 23 2008 17:33:16 +0000
Subject: - rediff for no fuzz


---

diff --git a/openssh-3.9p1-scp-manpage.patch b/openssh-3.9p1-scp-manpage.patch
deleted file mode 100644
index 325f9a2..0000000
--- a/openssh-3.9p1-scp-manpage.patch
+++ /dev/null
@@ -1,17 +0,0 @@
---- scp.orig	2007-12-22 20:37:27.000000000 +0100
-+++ scp.1	2007-12-22 20:36:42.000000000 +0100
-@@ -60,6 +60,14 @@
- that the file is to be copied to/from that host.
- Copies between two remote hosts are permitted.
- .Pp
-+When copying a source file to a target file which already exists,
-+.Nm 
-+will replace the contents of the target file (keeping the inode).
-+.Pp
-+If the target file does not yet exist, an empty file with the target
-+file name is created, then filled with the source file contents.
-+No attempt is made at "near-atomic" transfer using temporary files.
-+.Pp
- The options are as follows:
- .Bl -tag -width Ds
- .It Fl 1
diff --git a/openssh-4.2p1-askpass-progress.patch b/openssh-4.2p1-askpass-progress.patch
deleted file mode 100644
index c4a50b2..0000000
--- a/openssh-4.2p1-askpass-progress.patch
+++ /dev/null
@@ -1,78 +0,0 @@
---- openssh-4.2p1/contrib/gnome-ssh-askpass2.c.progress	2005-11-28 11:11:24.000000000 +0100
-+++ openssh-4.2p1/contrib/gnome-ssh-askpass2.c	2005-12-20 15:22:42.000000000 +0100
-@@ -53,6 +53,7 @@
- #include <string.h>
- #include <unistd.h>
- #include <X11/Xlib.h>
-+#include <glib.h>
- #include <gtk/gtk.h>
- #include <gdk/gdkx.h>
- 
-@@ -83,13 +84,24 @@
- 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
- }
- 
-+static void
-+move_progress(GtkWidget *entry, gpointer progress)
-+{
-+	gdouble step;
-+	g_return_if_fail(GTK_IS_PROGRESS_BAR(progress));
-+	
-+	step = g_random_double_range(0.03, 0.1);
-+	gtk_progress_bar_set_pulse_step(GTK_PROGRESS_BAR(progress), step);
-+	gtk_progress_bar_pulse(GTK_PROGRESS_BAR(progress));
-+}
-+
- static int
- passphrase_dialog(char *message)
- {
- 	const char *failed;
- 	char *passphrase, *local;
- 	int result, grab_tries, grab_server, grab_pointer;
--	GtkWidget *dialog, *entry;
-+	GtkWidget *dialog, *entry, *progress, *hbox;
- 	GdkGrabStatus status;
- 
- 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
-@@ -102,13 +114,31 @@
- 					"%s",
- 					message);
- 
-+	hbox = gtk_hbox_new(FALSE, 0);
-+	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
-+	    FALSE, 0);
-+	gtk_widget_show(hbox);
-+
- 	entry = gtk_entry_new();
--	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
-+	gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
- 	    FALSE, 0);
-+	gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
- 	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
- 	gtk_widget_grab_focus(entry);
- 	gtk_widget_show(entry);
- 
-+	hbox = gtk_hbox_new(FALSE, 0);
-+	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
-+	    FALSE, 8);
-+	gtk_widget_show(hbox);
-+
-+	progress = gtk_progress_bar_new();
-+	
-+	gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
-+	gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
-+	    TRUE, 5);
-+	gtk_widget_show(progress);
-+
- 	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
- 	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
- 	gtk_label_set_line_wrap(GTK_LABEL((GTK_MESSAGE_DIALOG(dialog))->label),
-@@ -118,6 +148,8 @@
- 	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
- 	g_signal_connect(G_OBJECT(entry), "activate",
- 			 G_CALLBACK(ok_dialog), dialog);
-+	g_signal_connect(G_OBJECT(entry), "changed",
-+			 G_CALLBACK(move_progress), progress);
- 
- 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
- 
diff --git a/openssh-4.7p1-gssapi-role.patch b/openssh-4.7p1-gssapi-role.patch
deleted file mode 100644
index baecc6f..0000000
--- a/openssh-4.7p1-gssapi-role.patch
+++ /dev/null
@@ -1,34 +0,0 @@
-Written-by: Nalin Dahyabhai <nalin@redhat.com>
-Reviewed-by: Tomas Mraz <tmraz@redhat.com>
---- auth2-gss.c	2008-01-02 16:34:03.000000000 -0500
-+++ auth2-gss.c	2008-01-02 16:33:19.000000000 -0500
-@@ -258,6 +258,7 @@
- 	Authctxt *authctxt = ctxt;
- 	Gssctxt *gssctxt;
- 	int authenticated = 0;
-+	char *micuser;
- 	Buffer b;
- 	gss_buffer_desc mic, gssbuf;
- 	u_int len;
-@@ -270,7 +271,11 @@
- 	mic.value = packet_get_string(&len);
- 	mic.length = len;
- 
--	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
-+	if (authctxt->role && (strlen(authctxt->role) > 0))
-+		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
-+	else
-+		micuser = authctxt->user;
-+	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
- 	    "gssapi-with-mic");
- 
- 	gssbuf.value = buffer_ptr(&b);
-@@ -285,6 +290,8 @@
- 	}
- 
- 	buffer_free(&b);
-+	if (micuser != authctxt->user)
-+		xfree(micuser);
- 	xfree(mic.value);
- 
- 	authctxt->postponed = 0;
diff --git a/openssh-4.7p1-mls.patch b/openssh-4.7p1-mls.patch
deleted file mode 100644
index 48eba4c..0000000
--- a/openssh-4.7p1-mls.patch
+++ /dev/null
@@ -1,444 +0,0 @@
-diff -up openssh-4.7p1/misc.c.mls openssh-4.7p1/misc.c
---- openssh-4.7p1/misc.c.mls	2007-01-05 06:24:48.000000000 +0100
-+++ openssh-4.7p1/misc.c	2007-09-06 17:39:28.000000000 +0200
-@@ -418,6 +418,7 @@ char *
- colon(char *cp)
- {
- 	int flag = 0;
-+	int start = 1;
- 
- 	if (*cp == ':')		/* Leading colon is part of file name. */
- 		return (0);
-@@ -431,8 +432,13 @@ colon(char *cp)
- 			return (cp+1);
- 		if (*cp == ':' && !flag)
- 			return (cp);
--		if (*cp == '/')
--			return (0);
-+		if (start) {
-+		/* Slash on beginning or after dots only denotes file name. */
-+			if (*cp == '/')
-+				return (0);
-+			if (*cp != '.')
-+				start = 0;
-+		}
- 	}
- 	return (0);
- }
-diff -up openssh-4.7p1/session.c.mls openssh-4.7p1/session.c
---- openssh-4.7p1/session.c.mls	2007-09-06 17:39:28.000000000 +0200
-+++ openssh-4.7p1/session.c	2007-09-06 17:39:28.000000000 +0200
-@@ -1347,10 +1347,6 @@ do_setusercontext(struct passwd *pw)
- #endif
- 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
- 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
--
--#ifdef WITH_SELINUX
--	ssh_selinux_setup_exec_context(pw->pw_name);
--#endif
- }
- 
- static void
-diff -up openssh-4.7p1/openbsd-compat/port-linux.c.mls openssh-4.7p1/openbsd-compat/port-linux.c
---- openssh-4.7p1/openbsd-compat/port-linux.c.mls	2007-09-06 17:39:28.000000000 +0200
-+++ openssh-4.7p1/openbsd-compat/port-linux.c	2007-08-07 17:38:18.000000000 +0200
-@@ -33,12 +33,23 @@
- #include "key.h"
- #include "hostfile.h"
- #include "auth.h"
-+#include "xmalloc.h"
- 
- #include <selinux/selinux.h>
- #include <selinux/flask.h>
-+#include <selinux/context.h>
- #include <selinux/get_context_list.h>
-+#include <selinux/get_default_type.h>
-+#include <selinux/av_permissions.h>
-+
-+#ifdef HAVE_LINUX_AUDIT
-+#include <libaudit.h>
-+#include <unistd.h>
-+#endif
- 
- extern Authctxt *the_authctxt;
-+extern int inetd_flag;
-+extern int rexeced_flag;
- 
- /* Wrapper around is_selinux_enabled() to log its return value once only */
- static int
-@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
- 	return (enabled);
- }
- 
-+/* Send audit message */
-+static int
-+send_audit_message(int success, security_context_t default_context,
-+		       security_context_t selected_context)
-+{
-+	int rc=0;
-+#ifdef HAVE_LINUX_AUDIT
-+	char *msg = NULL;
-+	int audit_fd = audit_open();
-+	security_context_t default_raw=NULL;
-+	security_context_t selected_raw=NULL;
-+	rc = -1;
-+	if (audit_fd < 0) {
-+		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
-+                                        errno == EAFNOSUPPORT)
-+                        return 0; /* No audit support in kernel */
-+		error("Error connecting to audit system.");
-+		return rc;
-+	}
-+	if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
-+		error("Error translating default context.");
-+		default_raw = NULL;
-+	}
-+	if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
-+		error("Error translating selected context.");
-+		selected_raw = NULL;
-+	}
-+	if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
-+		     default_raw ? default_raw : (default_context ? default_context: "?"),
-+		     selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
-+		error("Error allocating memory.");
-+		goto out;
-+	}
-+	if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
-+				   msg, NULL, NULL, NULL, success) <= 0) {
-+		error("Error sending audit message.");
-+		goto out;
-+	}
-+	rc = 0;
-+      out:
-+	free(msg);
-+	freecon(default_raw);
-+	freecon(selected_raw);
-+	close(audit_fd);
-+#endif
-+	return rc;
-+}
-+
-+static int
-+mls_range_allowed(security_context_t src, security_context_t dst)
-+{
-+	struct av_decision avd;
-+	int retval;
-+	unsigned int bit = CONTEXT__CONTAINS;
-+
-+	debug("%s: src:%s dst:%s", __func__, src, dst);
-+	retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
-+	if (retval || ((bit & avd.allowed) != bit))
-+		return 0;
-+
-+	return 1;
-+}
-+
-+static int
-+get_user_context(const char *sename, const char *role, const char *lvl,
-+	security_context_t *sc) {
-+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+	if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
-+	        /* User may have requested a level completely outside of his 
-+	           allowed range. We get a context just for auditing as the
-+	           range check below will certainly fail for default context. */
-+#endif
-+		if (get_default_context(sename, NULL, sc) != 0) {
-+			*sc = NULL;
-+			return -1;
-+		}
-+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+	}
-+#endif
-+	if (role != NULL && role[0]) {
-+		context_t con;
-+		char *type=NULL;
-+		if (get_default_type(role, &type) != 0) {
-+			error("get_default_type: failed to get default type for '%s'",
-+				role);
-+			goto out;
-+		}
-+		con = context_new(*sc);
-+		if (!con) {
-+			goto out;
-+		}
-+		context_role_set(con, role);
-+		context_type_set(con, type);
-+		freecon(*sc);
-+		*sc = strdup(context_str(con));
-+		context_free(con);
-+		if (!*sc) 
-+			return -1;
-+	}
-+#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
-+	if (lvl != NULL && lvl[0]) {
-+		/* verify that the requested range is obtained */
-+		context_t con;
-+		security_context_t obtained_raw;
-+		security_context_t requested_raw;
-+		con = context_new(*sc);
-+		if (!con) {
-+			goto out;
-+		}
-+		context_range_set(con, lvl);
-+		if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
-+			context_free(con);
-+			goto out;
-+		}
-+		if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
-+			freecon(obtained_raw);
-+			context_free(con);
-+			goto out;
-+		}
-+
-+		debug("get_user_context: obtained context '%s' requested context '%s'",
-+			obtained_raw, requested_raw);
-+		if (strcmp(obtained_raw, requested_raw)) {
-+			/* set the context to the real requested one but fail */
-+			freecon(requested_raw);
-+			freecon(obtained_raw);
-+			freecon(*sc);
-+			*sc = strdup(context_str(con));
-+			context_free(con);
-+			return -1;
-+		}
-+		freecon(requested_raw);
-+		freecon(obtained_raw);
-+		context_free(con);
-+	}
-+#endif
-+	return 0;
-+      out:
-+        freecon(*sc);
-+        *sc = NULL;
-+        return -1;
-+}
-+
- /* Return the default security context for the given username */
--static security_context_t
--ssh_selinux_getctxbyname(char *pwname)
-+static int
-+ssh_selinux_getctxbyname(char *pwname,
-+	security_context_t *default_sc, security_context_t *user_sc)
- {
--	security_context_t sc = NULL;
- 	char *sename, *lvl;
-+	const char *reqlvl = NULL;
- 	char *role = NULL;
--	int r = 0;
-+	int r = -1;
-+	context_t con = NULL;
-+
-+	*default_sc = NULL;
-+	*user_sc = NULL;
-+	if (the_authctxt) {
-+		if (the_authctxt->role != NULL) {
-+			char *slash;
-+			role = xstrdup(the_authctxt->role);
-+			if ((slash = strchr(role, '/')) != NULL) {
-+				*slash = '\0';
-+				reqlvl = slash + 1;
-+			}
-+		}
-+	}
- 
--	if (the_authctxt) 
--		role=the_authctxt->role;
- #ifdef HAVE_GETSEUSERBYNAME
- 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
- 		sename = NULL;
-@@ -72,37 +239,62 @@ ssh_selinux_getctxbyname(char *pwname)
- 	}
- #else
- 	sename = pwname;
--	lvl = NULL;
-+	lvl = "";
- #endif
- 
- 	if (r == 0) {
- #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
--		if (role != NULL && role[0])
--			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
--		else
--			r = get_default_context_with_level(sename, lvl, NULL, &sc);
-+		r = get_default_context_with_level(sename, lvl, NULL, default_sc);
- #else
--		if (role != NULL && role[0])
--			r = get_default_context_with_role(sename, role, NULL, &sc);
--		else
--			r = get_default_context(sename, NULL, &sc);
-+		r = get_default_context(sename, NULL, default_sc);
- #endif
- 	}
- 
--	if (r != 0) {
--		switch (security_getenforce()) {
--		case -1:
--			fatal("%s: ssh_selinux_getctxbyname: "
--			    "security_getenforce() failed", __func__);
--		case 0:
--			error("%s: Failed to get default SELinux security "
--			    "context for %s", __func__, pwname);
--			break;
--		default:
--			fatal("%s: Failed to get default SELinux security "
--			    "context for %s (in enforcing mode)",
--			    __func__, pwname);
-+	if (r == 0) {
-+		/* If launched from xinetd, we must use current level */
-+		if (inetd_flag && !rexeced_flag) {
-+			security_context_t sshdsc=NULL;
-+
-+			if (getcon_raw(&sshdsc) < 0)
-+				fatal("failed to allocate security context");
-+
-+			if ((con=context_new(sshdsc)) == NULL)
-+				fatal("failed to allocate selinux context");
-+			reqlvl = context_range_get(con);
-+			freecon(sshdsc);
-+			if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
-+			    /* we actually don't change level */
-+			    reqlvl = "";
-+
-+			debug("%s: current connection level '%s'", __func__, reqlvl);
- 		}
-+		
-+		if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
-+			r = get_user_context(sename, role, reqlvl, user_sc);
-+		
-+			if (r == 0 && reqlvl != NULL && reqlvl[0]) {
-+				security_context_t default_level_sc = *default_sc;
-+				if (role != NULL && role[0]) {
-+					if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
-+						default_level_sc = *default_sc;
-+				}
-+				/* verify that the requested range is contained in the user range */
-+				if (mls_range_allowed(default_level_sc, *user_sc)) {
-+					logit("permit MLS level %s (user range %s)", reqlvl, lvl);
-+				} else {
-+					r = -1;
-+					error("deny MLS level %s (user range %s)", reqlvl, lvl);
-+				}
-+				if (default_level_sc != *default_sc)
-+					freecon(default_level_sc);
-+			}
-+		} else {
-+			*user_sc = *default_sc;
-+		}
-+	}
-+	if (r != 0) {
-+		error("%s: Failed to get default SELinux security "
-+		    "context for %s", __func__, pwname);
- 	}
- 
- #ifdef HAVE_GETSEUSERBYNAME
-@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
- 	if (lvl != NULL)
- 		xfree(lvl);
- #endif
-+	if (role != NULL)
-+		xfree(role);
-+	if (con)
-+		context_free(con);
- 
--	return (sc);
-+	return (r);
- }
- 
- /* Set the execution context to the default for the specified user */
- void
- ssh_selinux_setup_exec_context(char *pwname)
- {
-+	int r = 0;
-+	security_context_t default_ctx = NULL;
- 	security_context_t user_ctx = NULL;
- 
- 	if (!ssh_selinux_enabled())
-@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
- 
- 	debug3("%s: setting execution context", __func__);
- 
--	user_ctx = ssh_selinux_getctxbyname(pwname);
--	if (setexeccon(user_ctx) != 0) {
-+	r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
-+	if (r >= 0) {
-+		r = setexeccon(user_ctx);
-+		if (r < 0) {
-+			error("%s: Failed to set SELinux execution context %s for %s",
-+			    __func__, user_ctx, pwname);
-+		} 
-+#ifdef HAVE_SETKEYCREATECON
-+		else if (setkeycreatecon(user_ctx) < 0) {
-+			error("%s: Failed to set SELinux keyring creation context %s for %s",
-+			    __func__, user_ctx, pwname);
-+		}
-+#endif
-+	}
-+	if (user_ctx == NULL) {
-+		user_ctx = default_ctx;
-+	}
-+	if (r < 0 || user_ctx != default_ctx) {
-+		/* audit just the case when user changed a role or there was
-+		   a failure */
-+		send_audit_message(r >= 0, default_ctx, user_ctx);
-+	}
-+	if (r < 0) {
- 		switch (security_getenforce()) {
- 		case -1:
- 			fatal("%s: security_getenforce() failed", __func__);
- 		case 0:
--			error("%s: Failed to set SELinux execution "
--			    "context for %s", __func__, pwname);
-+			error("%s: SELinux failure. Continuing in permissive mode.",
-+			    __func__);
- 			break;
- 		default:
--			fatal("%s: Failed to set SELinux execution context "
--			    "for %s (in enforcing mode)", __func__, pwname);
-+			fatal("%s: SELinux failure. Aborting connection.",
-+			    __func__);
- 		}
- 	}
--	if (user_ctx != NULL)
-+	if (user_ctx != NULL && user_ctx != default_ctx)
- 		freecon(user_ctx);
-+	if (default_ctx != NULL)
-+		freecon(default_ctx);
- 
- 	debug3("%s: done", __func__);
- }
-@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
- 
- 	debug3("%s: setting TTY context on %s", __func__, tty);
- 
--	user_ctx = ssh_selinux_getctxbyname(pwname);
-+	if (getexeccon(&user_ctx) < 0) {
-+		error("%s: getexeccon: %s", __func__, strerror(errno));
-+		goto out;
-+	}
- 
- 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
- 
-diff -up openssh-4.7p1/configure.ac.mls openssh-4.7p1/configure.ac
---- openssh-4.7p1/configure.ac.mls	2007-10-17 19:05:10.000000000 +0200
-+++ openssh-4.7p1/configure.ac	2007-10-17 19:05:38.000000000 +0200
-@@ -3213,6 +3213,7 @@ AC_ARG_WITH(selinux,
- 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
- 		LIBS="$LIBS $LIBSELINUX"
- 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
-+		AC_CHECK_FUNCS(setkeycreatecon)
- 		LIBS="$save_LIBS"
- 	fi ]
- )
-diff -up openssh-4.7p1/sshd.c.mls openssh-4.7p1/sshd.c
---- openssh-4.7p1/sshd.c.mls	2007-09-06 17:39:28.000000000 +0200
-+++ openssh-4.7p1/sshd.c	2007-09-06 17:39:28.000000000 +0200
-@@ -1838,6 +1838,9 @@ main(int ac, char **av)
- 		restore_uid();
- 	}
- #endif
-+#ifdef WITH_SELINUX
-+	ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
-+#endif
- #ifdef USE_PAM
- 	if (options.use_pam) {
- 		do_pam_setcred(1);
diff --git a/openssh-4.7p1-nss-keys.patch b/openssh-4.7p1-nss-keys.patch
deleted file mode 100644
index 7d6573c..0000000
--- a/openssh-4.7p1-nss-keys.patch
+++ /dev/null
@@ -1,1397 +0,0 @@
-diff -up openssh-4.7p1/key.c.nss-keys openssh-4.7p1/key.c
---- openssh-4.7p1/key.c.nss-keys	2007-08-08 06:28:26.000000000 +0200
-+++ openssh-4.7p1/key.c	2007-11-20 14:40:17.000000000 +0100
-@@ -93,6 +93,54 @@ key_new(int type)
- 	return k;
- }
- 
-+#ifdef HAVE_LIBNSS
-+Key *
-+key_new_nss(int type)
-+{
-+	Key *k = key_new(type);
-+
-+	k->nss = xcalloc(1, sizeof(*k->nss));
-+	k->flags = KEY_FLAG_EXT | KEY_FLAG_NSS;
-+
-+	return k;
-+}
-+
-+Key *
-+key_new_nss_copy(int type, const Key *c)
-+{
-+	Key *k = key_new_nss(type);
-+
-+	switch (k->type) {
-+		case KEY_RSA:
-+			if ((BN_copy(k->rsa->n, c->rsa->n) == NULL) ||
-+				(BN_copy(k->rsa->e, c->rsa->e) == NULL))
-+				fatal("key_new_nss_copy: BN_copy failed");
-+			break;
-+		case KEY_DSA:
-+			if ((BN_copy(k->dsa->p, c->rsa->p) == NULL) ||
-+				(BN_copy(k->dsa->q, c->dsa->q) == NULL) ||
-+				(BN_copy(k->dsa->g, c->dsa->g) == NULL) ||
-+				(BN_copy(k->dsa->pub_key, c->dsa->pub_key) == NULL))
-+				fatal("key_new_nss_copy: BN_copy failed");
-+			break;
-+	}
-+		
-+	k->nss->privk = SECKEY_CopyPrivateKey(c->nss->privk);
-+	if (k->nss->privk == NULL)
-+		fatal("key_new_nss_copy: SECKEY_CopyPrivateKey failed");
-+
-+	k->nss->pubk = SECKEY_CopyPublicKey(c->nss->pubk);
-+	if (k->nss->pubk == NULL)
-+		fatal("key_new_nss_copy: SECKEY_CopyPublicKey failed");
-+	
-+	if (c->nss->privk->wincx)
-+		k->nss->privk->wincx = xstrdup(c->nss->privk->wincx);
-+
-+	return k;
-+}
-+#endif
-+
-+
- Key *
- key_new_private(int type)
- {
-@@ -148,6 +196,19 @@ key_free(Key *k)
- 		fatal("key_free: bad key type %d", k->type);
- 		break;
- 	}
-+#ifdef HAVE_LIBNSS
-+	if (k->flags & KEY_FLAG_NSS) {
-+		if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {
-+			memset(k->nss->privk->wincx, 0,
-+				strlen(k->nss->privk->wincx));
-+			xfree(k->nss->privk->wincx);
-+			k->nss->privk->wincx = NULL;
-+		}
-+		SECKEY_DestroyPrivateKey(k->nss->privk);
-+		SECKEY_DestroyPublicKey(k->nss->pubk);
-+		xfree(k->nss);
-+	}
-+#endif
- 	xfree(k);
- }
- 
-diff -up openssh-4.7p1/ssh-dss.c.nss-keys openssh-4.7p1/ssh-dss.c
---- openssh-4.7p1/ssh-dss.c.nss-keys	2006-11-07 13:14:42.000000000 +0100
-+++ openssh-4.7p1/ssh-dss.c	2007-11-20 14:26:43.000000000 +0100
-@@ -39,6 +39,10 @@
- #include "log.h"
- #include "key.h"
- 
-+#ifdef HAVE_LIBNSS
-+#include <cryptohi.h>
-+#endif
-+
- #define INTBLOB_LEN	20
- #define SIGBLOB_LEN	(2*INTBLOB_LEN)
- 
-@@ -57,6 +61,34 @@ ssh_dss_sign(const Key *key, u_char **si
- 		error("ssh_dss_sign: no DSA key");
- 		return -1;
- 	}
-+#ifdef HAVE_LIBNSS
-+	if (key->flags & KEY_FLAG_NSS) {
-+		SECItem sigitem;
-+		SECItem *rawsig;
-+
-+		memset(&sigitem, 0, sizeof(sigitem));
-+		if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
-+			SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) != SECSuccess) {
-+			error("ssh_dss_sign: sign failed");
-+			return -1;
-+		}
-+		
-+		if ((rawsig=DSAU_DecodeDerSig(&sigitem)) == NULL) {
-+			error("ssh_dss_sign: der decode failed");
-+			SECITEM_ZfreeItem(&sigitem, PR_FALSE);
-+			return -1;
-+		}
-+		SECITEM_ZfreeItem(&sigitem, PR_FALSE);
-+		if (rawsig->len != SIGBLOB_LEN) {
-+			error("ssh_dss_sign: unsupported signature length %d",
-+				rawsig->len);
-+			SECITEM_ZfreeItem(rawsig, PR_TRUE);
-+			return -1;
-+		}
-+		memcpy(sigblob, rawsig->data, SIGBLOB_LEN);
-+		SECITEM_ZfreeItem(rawsig, PR_TRUE);
-+	} else {
-+#endif
- 	EVP_DigestInit(&md, evp_md);
- 	EVP_DigestUpdate(&md, data, datalen);
- 	EVP_DigestFinal(&md, digest, &dlen);
-@@ -80,7 +112,9 @@ ssh_dss_sign(const Key *key, u_char **si
- 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
- 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
- 	DSA_SIG_free(sig);
--
-+#ifdef HAVE_LIBNSS
-+	}
-+#endif
- 	if (datafellows & SSH_BUG_SIGBLOB) {
- 		if (lenp != NULL)
- 			*lenp = SIGBLOB_LEN;
-diff -up openssh-4.7p1/ssh-agent.c.nss-keys openssh-4.7p1/ssh-agent.c
---- openssh-4.7p1/ssh-agent.c.nss-keys	2007-03-21 10:45:07.000000000 +0100
-+++ openssh-4.7p1/ssh-agent.c	2007-11-20 14:26:43.000000000 +0100
-@@ -79,6 +79,10 @@
- #include "scard.h"
- #endif
- 
-+#ifdef HAVE_LIBNSS
-+#include "nsskeys.h"
-+#endif
-+
- #if defined(HAVE_SYS_PRCTL_H)
- #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
- #endif
-@@ -701,6 +705,114 @@ send:
- }
- #endif /* SMARTCARD */
- 
-+#ifdef HAVE_LIBNSS
-+static void
-+process_add_nss_key (SocketEntry *e)
-+{
-+	char *tokenname = NULL, *keyname = NULL, *password = NULL;
-+	int i, version, success = 0, death = 0, confirm = 0;
-+	Key **keys, *k;
-+	Identity *id;
-+	Idtab *tab;
-+
-+	tokenname = buffer_get_string(&e->request, NULL);
-+	keyname = buffer_get_string(&e->request, NULL);
-+	password = buffer_get_string(&e->request, NULL);
-+
-+	while (buffer_len(&e->request)) {
-+		switch (buffer_get_char(&e->request)) {
-+		case SSH_AGENT_CONSTRAIN_LIFETIME:
-+			death = time(NULL) + buffer_get_int(&e->request);
-+			break;
-+		case SSH_AGENT_CONSTRAIN_CONFIRM:
-+			confirm = 1;
-+			break;
-+		default:
-+			break;
-+		}
-+	}
-+	if (lifetime && !death)
-+		death = time(NULL) + lifetime;
-+
-+	keys = nss_get_keys(tokenname, keyname, password);
-+	/* password is owned by keys[0] now */
-+	xfree(tokenname);
-+	xfree(keyname);
-+
-+	if (keys == NULL) {
-+		memset(password, 0, strlen(password));
-+		xfree(password);
-+		error("nss_get_keys failed");
-+		goto send;
-+	}
-+	for (i = 0; keys[i] != NULL; i++) {
-+		k = keys[i];
-+		version = k->type == KEY_RSA1 ? 1 : 2;
-+		tab = idtab_lookup(version);
-+		if (lookup_identity(k, version) == NULL) {
-+			id = xmalloc(sizeof(Identity));
-+			id->key = k;
-+			id->comment = nss_get_key_label(k);
-+			id->death = death;
-+			id->confirm = confirm;
-+			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
-+			tab->nentries++;
-+			success = 1;
-+		} else {
-+			key_free(k);
-+		}
-+		keys[i] = NULL;
-+	}
-+	xfree(keys);
-+send:
-+	buffer_put_int(&e->output, 1);
-+	buffer_put_char(&e->output,
-+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-+}
-+
-+static void
-+process_remove_nss_key(SocketEntry *e)
-+{
-+	char *tokenname = NULL, *keyname = NULL, *password = NULL;
-+	int i, version, success = 0;
-+	Key **keys, *k = NULL;
-+	Identity *id;
-+	Idtab *tab;
-+
-+	tokenname = buffer_get_string(&e->request, NULL);
-+	keyname = buffer_get_string(&e->request, NULL);
-+	password = buffer_get_string(&e->request, NULL);
-+
-+	keys = nss_get_keys(tokenname, keyname, password);
-+	xfree(tokenname);
-+	xfree(keyname);
-+	xfree(password);
-+
-+	if (keys == NULL || keys[0] == NULL) {
-+		error("nss_get_keys failed");
-+		goto send;
-+	}
-+	for (i = 0; keys[i] != NULL; i++) {
-+		k = keys[i];
-+		version = k->type == KEY_RSA1 ? 1 : 2;
-+		if ((id = lookup_identity(k, version)) != NULL) {
-+			tab = idtab_lookup(version);
-+			TAILQ_REMOVE(&tab->idlist, id, next);
-+			tab->nentries--;
-+			free_identity(id);
-+			success = 1;
-+		}
-+		key_free(k);
-+		keys[i] = NULL;
-+	}
-+	xfree(keys);
-+send:
-+	buffer_put_int(&e->output, 1);
-+	buffer_put_char(&e->output,
-+	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
-+}
-+#endif /* HAVE_LIBNSS */
-+
- /* dispatch incoming messages */
- 
- static void
-@@ -793,6 +905,15 @@ process_message(SocketEntry *e)
- 		process_remove_smartcard_key(e);
- 		break;
- #endif /* SMARTCARD */
-+#ifdef HAVE_LIBNSS
-+	case SSH_AGENTC_ADD_NSS_KEY:
-+	case SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED:
-+		process_add_nss_key(e);
-+		break;
-+	case SSH_AGENTC_REMOVE_NSS_KEY:
-+		process_remove_nss_key(e);
-+		break;
-+#endif /* SMARTCARD */
- 	default:
- 		/* Unknown message.  Respond with failure. */
- 		error("Unknown message %d", type);
-diff -up openssh-4.7p1/authfd.h.nss-keys openssh-4.7p1/authfd.h
---- openssh-4.7p1/authfd.h.nss-keys	2006-08-05 04:39:39.000000000 +0200
-+++ openssh-4.7p1/authfd.h	2007-11-20 14:26:43.000000000 +0100
-@@ -49,6 +49,12 @@
- #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
- #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
- 
-+/* nss */
-+#define SSH_AGENTC_ADD_NSS_KEY			30
-+#define SSH_AGENTC_REMOVE_NSS_KEY		31
-+#define SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED	32
-+
-+
- #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
- #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
- 
-@@ -83,6 +89,8 @@ int	 ssh_remove_all_identities(Authentic
- int	 ssh_lock_agent(AuthenticationConnection *, int, const char *);
- int	 ssh_update_card(AuthenticationConnection *, int, const char *,
-     const char *, u_int, u_int);
-+int	 ssh_update_nss_key(AuthenticationConnection *, int, const char *,
-+    const char *, const char *, u_int, u_int);
- 
- int
- ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
-diff -up openssh-4.7p1/configure.ac.nss-keys openssh-4.7p1/configure.ac
---- openssh-4.7p1/configure.ac.nss-keys	2007-11-20 14:26:43.000000000 +0100
-+++ openssh-4.7p1/configure.ac	2007-11-20 14:26:43.000000000 +0100
-@@ -3230,6 +3230,20 @@ AC_ARG_WITH(linux-audit,
- 	fi ]
- )
- 
-+# Check whether user wants NSS support
-+LIBNSS_MSG="no"
-+AC_ARG_WITH(nss,
-+	[  --with-nss   Enable NSS support],
-+	[ if test "x$withval" != "xno" ; then
-+		AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
-+		LIBNSS_MSG="yes"
-+		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
-+		AC_CHECK_HEADERS(pk11pub.h)
-+		LIBS="$LIBS -lnss3"
-+	fi
-+	])
-+AC_SUBST(LIBNSS)
-+
- # Check whether user wants Kerberos 5 support
- KRB5_MSG="no"
- AC_ARG_WITH(kerberos5,
-@@ -4052,6 +4066,7 @@ echo "                   OSF SIA support
- echo "                 KerberosV support: $KRB5_MSG"
- echo "                   SELinux support: $SELINUX_MSG"
- echo "               Linux audit support: $LINUX_AUDIT_MSG"
-+echo "                       NSS support: $LIBNSS_MSG"
- echo "                 Smartcard support: $SCARD_MSG"
- echo "                     S/KEY support: $SKEY_MSG"
- echo "              TCP Wrappers support: $TCPW_MSG"
-diff -up /dev/null openssh-4.7p1/README.nss
---- /dev/null	2007-11-05 08:22:09.502001637 +0100
-+++ openssh-4.7p1/README.nss	2007-11-20 14:26:43.000000000 +0100
-@@ -0,0 +1,36 @@
-+How to use NSS tokens with OpenSSH?
-+
-+This version of OpenSSH contains experimental support for authentication using
-+keys stored in tokens stored in NSS database. This for example includes any
-+PKCS#11 tokens which are installed in your NSS database.
-+
-+As the code is experimental and preliminary only SSH protocol 2 is supported.
-+The NSS certificate and token databases are looked for in the ~/.ssh
-+directory or in a directory specified by environment variable NSS_DB_PATH.
-+
-+Common operations:
-+
-+(1) tell the ssh client to use the NSS keys:
-+
-+	$ ssh -o 'UseNSS yes' otherhost
-+	
-+	if you want to use a specific token:
-+	
-+	$ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost
-+
-+(2) or tell the agent to use the NSS keys:
-+
-+	$ ssh-add -n
-+	
-+	if you want to use a specific token:
-+	
-+	$ ssh-add -n -T 'My PKCS11 Token'
-+
-+(3) extract the public key from token so it can be added to the
-+server:
-+
-+	$ ssh-keygen -n
-+	
-+	if you want to use a specific token and/or key:
-+	
-+	$ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
-diff -up openssh-4.7p1/authfd.c.nss-keys openssh-4.7p1/authfd.c
---- openssh-4.7p1/authfd.c.nss-keys	2006-09-01 07:38:36.000000000 +0200
-+++ openssh-4.7p1/authfd.c	2007-11-20 14:26:43.000000000 +0100
-@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
- 	return decode_reply(type);
- }
- 
-+int
-+ssh_update_nss_key(AuthenticationConnection *auth, int add,
-+    const char *tokenname, const char *keyname,
-+    const char *pass, u_int life, u_int confirm)
-+{
-+	Buffer msg;
-+	int type, constrained = (life || confirm);
-+
-+	if (add) {
-+		type = constrained ?
-+		    SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED :
-+		    SSH_AGENTC_ADD_NSS_KEY;
-+	} else
-+		type = SSH_AGENTC_REMOVE_NSS_KEY;
-+
-+	buffer_init(&msg);
-+	buffer_put_char(&msg, type);
-+	buffer_put_cstring(&msg, tokenname);
-+	buffer_put_cstring(&msg, keyname);
-+	buffer_put_cstring(&msg, pass);
-+
-+	if (constrained) {
-+		if (life != 0) {
-+			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
-+			buffer_put_int(&msg, life);
-+		}
-+		if (confirm != 0)
-+			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
-+	}
-+
-+	if (ssh_request_reply(auth, &msg, &msg) == 0) {
-+		buffer_free(&msg);
-+		return 0;
-+	}
-+	type = buffer_get_char(&msg);
-+	buffer_free(&msg);
-+	return decode_reply(type);
-+}
-+
- /*
-  * Removes all identities from the agent.  This call is not meant to be used
-  * by normal applications.
-diff -up openssh-4.7p1/readconf.h.nss-keys openssh-4.7p1/readconf.h
---- openssh-4.7p1/readconf.h.nss-keys	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-4.7p1/readconf.h	2007-11-20 14:26:43.000000000 +0100
-@@ -84,6 +84,8 @@ typedef struct {
- 	char   *preferred_authentications;
- 	char   *bind_address;	/* local socket address for connection to sshd */
- 	char   *smartcard_device; /* Smartcard reader device */
-+	int     use_nss;        /* Use NSS library for keys */
-+	char   *nss_token;      /* Look for NSS keys on token */
- 	int	verify_host_key_dns;	/* Verify host key using DNS */
- 
- 	int     num_identity_files;	/* Number of files for RSA/DSA identities. */
-diff -up /dev/null openssh-4.7p1/nsskeys.c
---- /dev/null	2007-11-05 08:22:09.502001637 +0100
-+++ openssh-4.7p1/nsskeys.c	2007-11-20 14:26:43.000000000 +0100
-@@ -0,0 +1,327 @@
-+/*
-+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
-+ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#include "includes.h"
-+#ifdef HAVE_LIBNSS
-+
-+#include <sys/types.h>
-+
-+#include <stdarg.h>
-+#include <string.h>
-+#include <unistd.h>
-+
-+#include <openssl/evp.h>
-+
-+#include <nss.h>
-+#include <keyhi.h>
-+#include <pk11pub.h>
-+#include <cert.h>
-+
-+#include "xmalloc.h"
-+#include "key.h"
-+#include "log.h"
-+#include "misc.h"
-+#include "nsskeys.h"
-+#include "pathnames.h"
-+
-+static char *
-+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
-+{
-+	char *password = arg;
-+	if (retry || password == NULL)
-+		return NULL;
-+	
-+	return PL_strdup(password);
-+}
-+
-+int
-+nss_init(PK11PasswordFunc pwfn)
-+{
-+	char *dbpath;
-+	char buf[MAXPATHLEN];
-+
-+	if (NSS_IsInitialized())
-+		return 0;
-+
-+	if ((dbpath=getenv("NSS_DB_PATH")) == NULL) {
-+		struct passwd *pw;
-+		if ((pw = getpwuid(getuid())) == NULL ||
-+			pw->pw_dir == NULL) {
-+			return -1;
-+		}
-+		snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
-+			    _PATH_SSH_USER_DIR);
-+		dbpath = buf;
-+	}
-+
-+	if (NSS_Init(dbpath) != SECSuccess)
-+		return -1;
-+
-+	if (pwfn == NULL) {
-+		pwfn = password_cb;
-+	}
-+
-+	PK11_SetPasswordFunc(pwfn);
-+	
-+	return 0;
-+}
-+
-+static Key *
-+make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
-+{
-+	Key *k;
-+	switch (SECKEY_GetPrivateKeyType(privk)) {
-+		case rsaKey:
-+			k = key_new_nss(KEY_RSA);
-+			break;
-+		case dsaKey:
-+			k = key_new_nss(KEY_DSA);
-+			break;
-+		default:
-+			return NULL;
-+	}
-+	k->nss->pubk = SECKEY_ConvertToPublicKey(privk);
-+	if (k->nss->pubk != NULL) {
-+		k->nss->privk = SECKEY_CopyPrivateKey(privk);
-+	}
-+	if (k->nss->privk != NULL) {
-+		if (password != NULL) {
-+			k->nss->privk->wincx = xstrdup(password);
-+		}
-+		return k;
-+	}
-+	key_free(k);
-+	return NULL;
-+}
-+
-+static Key **
-+add_key_to_list(Key *k, Key **keys, size_t *i, size_t *allocated)
-+{
-+	if (*allocated < *i + 2) {
-+		*allocated += 16;
-+		keys = xrealloc(keys, *allocated, sizeof(k));
-+	}
-+	keys[*i] = k;
-+	(*i)++;
-+	keys[*i] = NULL;
-+	return keys;
-+}
-+
-+static int
-+nss_convert_pubkey(Key *k)
-+{
-+	u_char *n;
-+	unsigned int len;
-+	char *p;
-+
-+	switch (k->type) {
-+		case KEY_RSA:
-+			n = k->nss->pubk->u.rsa.modulus.data;
-+			len = k->nss->pubk->u.rsa.modulus.len;
-+
-+			if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
-+				fatal("nss_convert_pubkey: BN_bin2bn failed");
-+			}
-+
-+			n = k->nss->pubk->u.rsa.publicExponent.data;
-+			len = k->nss->pubk->u.rsa.publicExponent.len;
-+
-+			if (BN_bin2bn(n, len, k->rsa->e) == NULL) {
-+				fatal("nss_convert_pubkey: BN_bin2bn failed");
-+			}
-+			break;
-+		case KEY_DSA:
-+			n = k->nss->pubk->u.dsa.params.prime.data;
-+			len = k->nss->pubk->u.dsa.params.prime.len;
-+
-+			if (BN_bin2bn(n, len, k->dsa->p) == NULL) {
-+				fatal("nss_convert_pubkey: BN_bin2bn failed");
-+			}
-+
-+			n = k->nss->pubk->u.dsa.params.subPrime.data;
-+			len = k->nss->pubk->u.dsa.params.subPrime.len;
-+
-+			if (BN_bin2bn(n, len, k->dsa->q) == NULL) {
-+				fatal("nss_convert_pubkey: BN_bin2bn failed");
-+			}
-+
-+			n = k->nss->pubk->u.dsa.params.base.data;
-+			len = k->nss->pubk->u.dsa.params.base.len;
-+
-+			if (BN_bin2bn(n, len, k->dsa->g) == NULL) {
-+				fatal("nss_convert_pubkey: BN_bin2bn failed");
-+			}
-+
-+			n = k->nss->pubk->u.dsa.publicValue.data;
-+			len = k->nss->pubk->u.dsa.publicValue.len;
-+
-+			if (BN_bin2bn(n, len, k->dsa->pub_key) == NULL) {
-+				fatal("nss_convert_pubkey: BN_bin2bn failed");
-+			}
-+			break;
-+	}
-+
-+	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
-+	debug("fingerprint %u %s", key_size(k), p);
-+	xfree(p);
-+
-+	return 0;
-+}
-+
-+static Key **
-+nss_find_privkeys(const char *tokenname, const char *keyname,
-+    char *password)
-+{
-+	Key *k = NULL;
-+	Key **keys = NULL;
-+	PK11SlotList *slots;
-+	PK11SlotListElement *sle;
-+	size_t allocated = 0;
-+	size_t i = 0;
-+
-+	if ((slots=PK11_FindSlotsByNames(NULL, NULL, tokenname, PR_TRUE)) == NULL) {
-+		if (tokenname == NULL) {
-+			debug("No NSS token found");
-+		} else {
-+			debug("NSS token not found: %s", tokenname);
-+		}
-+		return NULL;
-+	}
-+	
-+	for (sle = slots->head; sle; sle = sle->next) {
-+		SECKEYPrivateKeyList *list;
-+		SECKEYPrivateKeyListNode *node;
-+		char *tmppass = password;
-+				
-+		if (PK11_NeedLogin(sle->slot)) {
-+			if (password == NULL) {
-+				char *prompt;
-+				if (asprintf(&prompt, "Enter passphrase for token %s: ",
-+					PK11_GetTokenName(sle->slot)) < 0)
-+					fatal("password_cb: asprintf failed");
-+				tmppass = read_passphrase(prompt, RP_ALLOW_STDIN);
-+			}
-+			PK11_Authenticate(sle->slot, PR_TRUE, tmppass);
-+		}
-+
-+		debug("Looking for: %s:%s", tokenname, keyname);
-+		list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,
-+			tmppass);
-+		if (list == NULL && keyname != NULL) {
-+			char *fooname;
-+			/* NSS bug workaround */
-+			if (asprintf(&fooname, "%s~", keyname) < 0) {
-+				error("nss_find_privkey: asprintf failed");
-+				PK11_FreeSlotList(slots);
-+				return NULL;
-+			}
-+			list = PK11_ListPrivKeysInSlot(sle->slot, fooname,
-+			tmppass);
-+			free(fooname);
-+		}
-+		if (list == NULL && keyname != NULL) {
-+			CERTCertificate *cert;
-+			SECKEYPrivateKey *privk;
-+			cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(),
-+				(char *)keyname);
-+			if (cert == NULL)
-+				goto cleanup;
-+			privk = PK11_FindPrivateKeyFromCert(sle->slot, cert, tmppass);
-+			CERT_DestroyCertificate(cert);
-+			if (privk == NULL)
-+				goto cleanup;
-+			if ((k=make_key_from_privkey(privk, tmppass)) != NULL) {
-+				nss_convert_pubkey(k);
-+				keys = add_key_to_list(k, keys, &i, &allocated);
-+			}
-+			SECKEY_DestroyPrivateKey(privk);
-+		} else {
-+			if (list == NULL)
-+				goto cleanup;
-+			for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
-+				node=PRIVKEY_LIST_NEXT(node))
-+				if ((k=make_key_from_privkey(node->key, tmppass)) != NULL) {
-+					nss_convert_pubkey(k);
-+					keys = add_key_to_list(k, keys, &i, &allocated);
-+				}
-+			SECKEY_DestroyPrivateKeyList(list);
-+		}
-+cleanup:
-+		if (password == NULL && tmppass != NULL) {
-+			memset(tmppass, 0, strlen(tmppass));
-+			xfree(tmppass);
-+		}
-+	}
-+	PK11_FreeSlotList(slots);
-+
-+	return keys;
-+}
-+
-+Key **
-+nss_get_keys(const char *tokenname, const char *keyname,
-+    char *password)
-+{
-+	Key **keys;
-+
-+	if (nss_init(NULL) == -1) {
-+		error("Failed to initialize NSS library");
-+		return NULL;
-+	}
-+
-+	keys = nss_find_privkeys(tokenname, keyname, password);
-+	if (keys == NULL && keyname != NULL) {
-+		error("Cannot find key in nss, token removed");
-+		return NULL;
-+	}
-+#if 0
-+	keys = xcalloc(3, sizeof(Key *));
-+
-+	if (k->type == KEY_RSA) {
-+		n = key_new_nss_copy(KEY_RSA1, k);
-+
-+		keys[0] = n;
-+		keys[1] = k;
-+		keys[2] = NULL;
-+	} else {
-+		keys[0] = k;
-+		keys[1] = NULL;
-+	}
-+#endif
-+	return keys;
-+}
-+
-+char *
-+nss_get_key_label(Key *key)
-+{
-+	char *label, *nickname;
-+	
-+	nickname = PK11_GetPrivateKeyNickname(key->nss->privk);
-+	label = xstrdup(nickname);
-+	PORT_Free(nickname);
-+
-+	return label;
-+}
-+
-+#endif /* HAVE_LIBNSS */
-diff -up openssh-4.7p1/ssh.c.nss-keys openssh-4.7p1/ssh.c
---- openssh-4.7p1/ssh.c.nss-keys	2007-08-08 06:32:41.000000000 +0200
-+++ openssh-4.7p1/ssh.c	2007-11-20 14:26:43.000000000 +0100
-@@ -104,6 +104,9 @@
- #ifdef SMARTCARD
- #include "scard.h"
- #endif
-+#ifdef HAVE_LIBNSS
-+#include "nsskeys.h"
-+#endif
- 
- extern char *__progname;
- 
-@@ -1217,9 +1220,11 @@ load_public_identity_files(void)
- 	int i = 0;
- 	Key *public;
- 	struct passwd *pw;
--#ifdef SMARTCARD
-+#if defined(SMARTCARD) || defined(HAVE_LIBNSS)
- 	Key **keys;
-+#endif
- 
-+#ifdef SMARTCARD
- 	if (options.smartcard_device != NULL &&
- 	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
- 	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
-@@ -1240,6 +1245,27 @@ load_public_identity_files(void)
- 		xfree(keys);
- 	}
- #endif /* SMARTCARD */
-+#ifdef HAVE_LIBNSS
-+	if (options.use_nss &&
-+	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
-+	    (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
-+		int count;
-+		for (count = 0; keys[count] != NULL; count++) {
-+			memmove(&options.identity_files[1], &options.identity_files[0],
-+			    sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
-+			memmove(&options.identity_keys[1], &options.identity_keys[0],
-+			    sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
-+			options.num_identity_files++;
-+			options.identity_keys[0] = keys[count];
-+			options.identity_files[0] = nss_get_key_label(keys[count]);
-+		}
-+		if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
-+			options.num_identity_files = SSH_MAX_IDENTITY_FILES;
-+		i += count;
-+		xfree(keys);
-+	}
-+#endif /* HAVE_LIBNSS */
-+
- 	if ((pw = getpwuid(original_real_uid)) == NULL)
- 		fatal("load_public_identity_files: getpwuid failed");
- 	if (gethostname(thishost, sizeof(thishost)) == -1)
-diff -up /dev/null openssh-4.7p1/nsskeys.h
---- /dev/null	2007-11-05 08:22:09.502001637 +0100
-+++ openssh-4.7p1/nsskeys.h	2007-11-20 14:26:43.000000000 +0100
-@@ -0,0 +1,39 @@
-+/*
-+ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
-+ * Copyright (c) 2007 Red Hat, Inc.  All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ * 1. Redistributions of source code must retain the above copyright
-+ *    notice, this list of conditions and the following disclaimer.
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ *    notice, this list of conditions and the following disclaimer in the
-+ *    documentation and/or other materials provided with the distribution.
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
-+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
-+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
-+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
-+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
-+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-+ */
-+
-+#ifndef NSSKEYS_H
-+#define NSSKEYS_H
-+#ifdef HAVE_LIBNSS
-+#include <pk11func.h>
-+#include <prtypes.h>
-+
-+int	nss_init(PK11PasswordFunc);
-+Key	**nss_get_keys(const char *, const char *, char *);
-+char	*nss_get_key_label(Key *);
-+/*void	 sc_close(void);*/
-+/*int	 sc_put_key(Key *, const char *);*/
-+
-+#endif
-+#endif
-diff -up openssh-4.7p1/Makefile.in.nss-keys openssh-4.7p1/Makefile.in
---- openssh-4.7p1/Makefile.in.nss-keys	2007-06-11 06:01:42.000000000 +0200
-+++ openssh-4.7p1/Makefile.in	2007-11-20 14:26:43.000000000 +0100
-@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
- 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
- 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
- 	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
--	entropy.o scard-opensc.o gss-genr.o umac.o
-+	entropy.o scard-opensc.o gss-genr.o umac.o nsskeys.o
- 
- SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
- 	sshconnect.o sshconnect1.o sshconnect2.o
-diff -up openssh-4.7p1/key.h.nss-keys openssh-4.7p1/key.h
---- openssh-4.7p1/key.h.nss-keys	2006-08-05 04:39:40.000000000 +0200
-+++ openssh-4.7p1/key.h	2007-11-20 14:26:43.000000000 +0100
-@@ -29,11 +29,17 @@
- #include <openssl/rsa.h>
- #include <openssl/dsa.h>
- 
-+#ifdef HAVE_LIBNSS
-+#include <nss.h>
-+#include <keyhi.h>
-+#endif
-+
- typedef struct Key Key;
- enum types {
- 	KEY_RSA1,
- 	KEY_RSA,
- 	KEY_DSA,
-+	KEY_NSS,
- 	KEY_UNSPEC
- };
- enum fp_type {
-@@ -47,16 +53,30 @@ enum fp_rep {
- 
- /* key is stored in external hardware */
- #define KEY_FLAG_EXT		0x0001
-+#define KEY_FLAG_NSS		0x0002
-+
-+#ifdef HAVE_LIBNSS
-+typedef struct NSSKey NSSKey;
-+struct NSSKey {
-+	SECKEYPrivateKey *privk;
-+	SECKEYPublicKey *pubk;
-+};
-+#endif
- 
- struct Key {
- 	int	 type;
- 	int	 flags;
- 	RSA	*rsa;
- 	DSA	*dsa;
-+#ifdef HAVE_LIBNSS
-+	NSSKey  *nss;
-+#endif
- };
- 
- Key		*key_new(int);
- Key		*key_new_private(int);
-+Key 		*key_new_nss(int);
-+Key		*key_new_nss_copy(int, const Key *);
- void		 key_free(Key *);
- Key		*key_demote(const Key *);
- int		 key_equal(const Key *, const Key *);
-diff -up openssh-4.7p1/ssh-add.c.nss-keys openssh-4.7p1/ssh-add.c
---- openssh-4.7p1/ssh-add.c.nss-keys	2006-09-01 07:38:37.000000000 +0200
-+++ openssh-4.7p1/ssh-add.c	2007-11-20 14:26:43.000000000 +0100
-@@ -43,6 +43,14 @@
- 
- #include <openssl/evp.h>
- 
-+#ifdef HAVE_LIBNSS
-+#include <nss.h>
-+#include <secmod.h>
-+#include <pk11pub.h>
-+#include <keyhi.h>
-+#include <cert.h>
-+#endif
-+
- #include <fcntl.h>
- #include <pwd.h>
- #include <stdarg.h>
-@@ -56,6 +64,7 @@
- #include "rsa.h"
- #include "log.h"
- #include "key.h"
-+#include "nsskeys.h"
- #include "buffer.h"
- #include "authfd.h"
- #include "authfile.h"
-@@ -306,6 +315,117 @@ do_file(AuthenticationConnection *ac, in
- 	return 0;
- }
- 
-+#ifdef HAVE_LIBNSS
-+static char *
-+password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
-+{
-+	char **passcache = arg;
-+	char *password, *p2 = NULL;
-+	char *prompt;
-+	
-+	if (retry)
-+		return NULL;
-+	
-+	if (asprintf(&prompt, "Enter passphrase for token %s: ",
-+		PK11_GetTokenName(slot)) < 0)
-+		fatal("password_cb: asprintf failed");
-+
-+	password = read_passphrase(prompt, RP_ALLOW_STDIN);
-+	
-+	if (password != NULL && (p2=PL_strdup(password)) == NULL) {
-+		memset(password, 0, strlen(password));
-+		fatal("password_cb: PL_strdup failed");
-+	}
-+
-+	if (passcache != NULL) {
-+		if (*passcache != NULL) {
-+			memset(*passcache, 0, strlen(*passcache));
-+			xfree(*passcache);
-+		}
-+		*passcache = password;
-+	} else {
-+		memset(password, 0, strlen(password));
-+		xfree(password);
-+	}
-+	
-+	return p2;
-+}
-+
-+static int
-+add_slot_keys(AuthenticationConnection *ac, PK11SlotInfo *slot, int add)
-+{
-+	SECKEYPrivateKeyList *list;
-+	SECKEYPrivateKeyListNode *node;
-+	char *passcache = NULL;
-+	char *tokenname;
-+	
-+	int count = 0;
-+	
-+	if (PK11_NeedLogin(slot))
-+		PK11_Authenticate(slot, PR_TRUE, &passcache);
-+		
-+	if ((list=PK11_ListPrivKeysInSlot(slot, NULL, NULL)) == NULL) {
-+		return 0;
-+	}
-+	
-+	tokenname = PK11_GetTokenName(slot);
-+	
-+	for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
-+		node=PRIVKEY_LIST_NEXT(node)) {
-+		char *keyname;
-+		SECKEYPublicKey *pub;
-+		
-+		keyname = PK11_GetPrivateKeyNickname(node->key);
-+		if (keyname == NULL || *keyname == '\0') {
-+			/* no nickname to refer to */
-+			CERTCertificate *cert;
-+			char *kn;
-+			cert = PK11_GetCertFromPrivateKey(node->key);
-+			if (cert == NULL)
-+				continue;
-+			kn = strchr(cert->nickname, ':');
-+			if (kn == NULL)
-+				kn = cert->nickname;
-+			else
-+				kn++;
-+			keyname = PORT_Strdup(kn);
-+			CERT_DestroyCertificate(cert);
-+			if (keyname == NULL)
-+				continue;
-+		}
-+		pub = SECKEY_ConvertToPublicKey(node->key);
-+		if (pub == NULL) {
-+			fprintf(stderr, "No public key for: %s:%s\n",
-+				tokenname, keyname);
-+			continue; /* not possible to obtain public key */
-+		}
-+		SECKEY_DestroyPublicKey(pub);
-+		
-+		if (ssh_update_nss_key(ac, add, tokenname, keyname,
-+			passcache?passcache:"",	lifetime, confirm)) {
-+			fprintf(stderr, "Key %s: %s:%s\n",
-+				add?"added":"removed", tokenname, keyname);
-+			count++;
-+		} else {
-+			fprintf(stderr, "Could not %s key: %s:%s\n",
-+				add?"add":"remove", tokenname, keyname);
-+		}
-+		
-+		PORT_Free(keyname);
-+		count++;
-+	}
-+
-+	if (passcache != NULL) {
-+		memset(passcache, 0, strlen(passcache));
-+		xfree(passcache);
-+	}
-+	
-+	SECKEY_DestroyPrivateKeyList(list);
-+	
-+	return count;
-+}
-+#endif
-+
- static void
- usage(void)
- {
-@@ -333,6 +453,10 @@ main(int argc, char **argv)
- 	AuthenticationConnection *ac = NULL;
- 	char *sc_reader_id = NULL;
- 	int i, ch, deleting = 0, ret = 0;
-+#ifdef HAVE_LIBNSS
-+	char *token_id = NULL;
-+	int use_nss = 0;
-+#endif
- 
- 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
- 	sanitise_stdfd();
-@@ -350,7 +474,7 @@ main(int argc, char **argv)
- 		    "Could not open a connection to your authentication agent.\n");
- 		exit(2);
- 	}
--	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
-+	while ((ch = getopt(argc, argv, "lLcdDnxXe:s:t:T:")) != -1) {
- 		switch (ch) {
- 		case 'l':
- 		case 'L':
-@@ -372,6 +496,11 @@ main(int argc, char **argv)
- 			if (delete_all(ac) == -1)
- 				ret = 1;
- 			goto done;
-+#ifdef HAVE_LIBNSS
-+		case 'n':
-+			use_nss = 1;
-+			break;
-+#endif
- 		case 's':
- 			sc_reader_id = optarg;
- 			break;
-@@ -386,6 +515,11 @@ main(int argc, char **argv)
- 				goto done;
- 			}
- 			break;
-+#ifdef HAVE_LIBNSS
-+		case 'T':
-+			token_id = optarg;
-+			break;
-+#endif
- 		default:
- 			usage();
- 			ret = 1;
-@@ -399,6 +533,40 @@ main(int argc, char **argv)
- 			ret = 1;
- 		goto done;
- 	}
-+#ifdef HAVE_LIBNSS
-+	if (use_nss) {
-+		PK11SlotList *slots;
-+		PK11SlotListElement *sle;
-+		int count = 0;
-+		if (nss_init(password_cb) == -1) {
-+			fprintf(stderr, "Failed to initialize NSS library\n");
-+			ret = 1;
-+			goto done;
-+		}
-+		
-+		if ((slots=PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE,
-+			NULL)) == NULL) {
-+			fprintf(stderr, "No tokens found\n");
-+			ret = 1;
-+			goto nss_done;
-+		}
-+
-+		for (sle = slots->head; sle; sle = sle->next) {
-+			int rv;
-+			if ((rv=add_slot_keys(ac, sle->slot, !deleting)) == -1) {
-+				ret = 1;
-+			}
-+			count += rv;
-+		}
-+		if (count == 0) {
-+			ret = 1;
-+		}
-+nss_done:		
-+		NSS_Shutdown();
-+		clear_pass();
-+		goto done;
-+	}
-+#endif
- 	if (argc == 0) {
- 		char buf[MAXPATHLEN];
- 		struct passwd *pw;
-diff -up openssh-4.7p1/ssh-rsa.c.nss-keys openssh-4.7p1/ssh-rsa.c
---- openssh-4.7p1/ssh-rsa.c.nss-keys	2006-09-01 07:38:37.000000000 +0200
-+++ openssh-4.7p1/ssh-rsa.c	2007-11-20 14:26:43.000000000 +0100
-@@ -32,6 +32,10 @@
- #include "compat.h"
- #include "ssh.h"
- 
-+#ifdef HAVE_LIBNSS
-+#include <cryptohi.h>
-+#endif
-+
- static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
- 
- /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
-@@ -50,6 +54,38 @@ ssh_rsa_sign(const Key *key, u_char **si
- 		error("ssh_rsa_sign: no RSA key");
- 		return -1;
- 	}
-+
-+	slen = RSA_size(key->rsa);
-+	sig = xmalloc(slen);
-+
-+#ifdef HAVE_LIBNSS
-+	if (key->flags & KEY_FLAG_NSS) {
-+		SECItem sigitem;
-+		SECOidTag alg;
-+
-+		memset(&sigitem, 0, sizeof(sigitem));
-+		alg = (datafellows & SSH_BUG_RSASIGMD5) ?
-+			SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION :
-+			SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
-+
-+		if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
-+			alg) != SECSuccess) {
-+			error("ssh_rsa_sign: sign failed");
-+			return -1;
-+		}
-+		if (sigitem.len > slen) {
-+			error("ssh_rsa_sign: slen %u slen2 %u", slen, sigitem.len);
-+			xfree(sig);
-+			SECITEM_ZfreeItem(&sigitem, PR_FALSE);
-+			return -1;
-+		}
-+		if (sigitem.len < slen) {
-+			memset(sig, 0, slen - sigitem.len);
-+		}
-+		memcpy(sig+slen-sigitem.len, sigitem.data, sigitem.len);
-+		SECITEM_ZfreeItem(&sigitem, PR_FALSE);
-+	} else {
-+#endif
- 	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
- 	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
- 		error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
-@@ -59,9 +95,6 @@ ssh_rsa_sign(const Key *key, u_char **si
- 	EVP_DigestUpdate(&md, data, datalen);
- 	EVP_DigestFinal(&md, digest, &dlen);
- 
--	slen = RSA_size(key->rsa);
--	sig = xmalloc(slen);
--
- 	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
- 	memset(digest, 'd', sizeof(digest));
- 
-@@ -83,6 +116,9 @@ ssh_rsa_sign(const Key *key, u_char **si
- 		xfree(sig);
- 		return -1;
- 	}
-+#ifdef HAVE_LIBNSS
-+	}
-+#endif
- 	/* encode signature */
- 	buffer_init(&b);
- 	buffer_put_cstring(&b, "ssh-rsa");
-diff -up openssh-4.7p1/ssh-keygen.c.nss-keys openssh-4.7p1/ssh-keygen.c
---- openssh-4.7p1/ssh-keygen.c.nss-keys	2007-02-19 12:10:25.000000000 +0100
-+++ openssh-4.7p1/ssh-keygen.c	2007-11-20 14:26:43.000000000 +0100
-@@ -52,6 +52,11 @@
- #include "scard.h"
- #endif
- 
-+#ifdef HAVE_LIBNSS
-+#include <nss.h>
-+#include "nsskeys.h"
-+#endif
-+
- /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
- #define DEFAULT_BITS		2048
- #define DEFAULT_BITS_DSA	1024
-@@ -499,6 +504,26 @@ do_download(struct passwd *pw, const cha
- }
- #endif /* SMARTCARD */
- 
-+#ifdef HAVE_LIBNSS
-+static void
-+do_nss_download(struct passwd *pw, const char *tokenname, const char *keyname)
-+{
-+	Key **keys = NULL;
-+	int i;
-+	
-+	keys = nss_get_keys(tokenname, keyname, NULL);
-+	if (keys == NULL)
-+		fatal("cannot find public key in NSS");
-+	for (i = 0; keys[i]; i++) {
-+		key_write(keys[i], stdout);
-+		key_free(keys[i]);
-+		fprintf(stdout, "\n");
-+	}
-+	xfree(keys);
-+	exit(0);
-+}
-+#endif /* HAVE_LIBNSS */
-+
- static void
- do_fingerprint(struct passwd *pw)
- {
-@@ -1056,7 +1081,8 @@ main(int argc, char **argv)
- 	Key *private, *public;
- 	struct passwd *pw;
- 	struct stat st;
--	int opt, type, fd, download = 0;
-+	int opt, type, fd, download = 1;
-+	int use_nss = 0;
- 	u_int32_t memory = 0, generator_wanted = 0, trials = 100;
- 	int do_gen_candidates = 0, do_screen_candidates = 0;
- 	int log_level = SYSLOG_LEVEL_INFO;
-@@ -1090,7 +1116,7 @@ main(int argc, char **argv)
- 	}
- 
- 	while ((opt = getopt(argc, argv,
--	    "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
-+	    "degiqpclnBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
- 		switch (opt) {
- 		case 'b':
- 			bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
-@@ -1130,6 +1156,10 @@ main(int argc, char **argv)
- 		case 'g':
- 			print_generic = 1;
- 			break;
-+		case 'n':
-+			use_nss = 1;
-+			download = 1;
-+			break;
- 		case 'P':
- 			identity_passphrase = optarg;
- 			break;
-@@ -1161,10 +1191,10 @@ main(int argc, char **argv)
- 		case 't':
- 			key_type_name = optarg;
- 			break;
--		case 'D':
--			download = 1;
--			/*FALLTHROUGH*/
- 		case 'U':
-+			download = 0;
-+			/*FALLTHROUGH*/
-+		case 'D':
- 			reader_id = optarg;
- 			break;
- 		case 'v':
-@@ -1269,6 +1299,17 @@ main(int argc, char **argv)
- 			exit(0);
- 		}
- 	}
-+
-+	if (use_nss) {
-+#ifdef HAVE_LIBNSS
-+		if (download)
-+			do_nss_download(pw, reader_id, identity_file);
-+		else
-+			fatal("no support for NSS key upload.");
-+#else
-+		fatal("no support for NSS keys.");
-+#endif
-+	}
- 	if (reader_id != NULL) {
- #ifdef SMARTCARD
- 		if (download)
-diff -up openssh-4.7p1/readconf.c.nss-keys openssh-4.7p1/readconf.c
---- openssh-4.7p1/readconf.c.nss-keys	2007-03-21 10:46:03.000000000 +0100
-+++ openssh-4.7p1/readconf.c	2007-11-20 14:26:43.000000000 +0100
-@@ -124,6 +124,7 @@ typedef enum {
- 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
- 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
- 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
-+	oUseNSS, oNSSToken,
- 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
- 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
- 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
-@@ -209,6 +210,13 @@ static struct {
- #else
- 	{ "smartcarddevice", oUnsupported },
- #endif
-+#ifdef HAVE_LIBNSS
-+	{ "usenss", oUseNSS },
-+	{ "nsstoken", oNSSToken },
-+#else
-+	{ "usenss", oUnsupported },
-+	{ "nsstoken", oNSSToken },
-+#endif
- 	{ "clearallforwardings", oClearAllForwardings },
- 	{ "enablesshkeysign", oEnableSSHKeysign },
- 	{ "verifyhostkeydns", oVerifyHostKeyDNS },
-@@ -601,6 +609,14 @@ parse_string:
- 		charptr = &options->smartcard_device;
- 		goto parse_string;
- 
-+	case oUseNSS:
-+		intptr = &options->use_nss;
-+		goto parse_flag;
-+
-+	case oNSSToken:
-+		charptr = &options->nss_token;
-+		goto parse_command;
-+
- 	case oProxyCommand:
- 		charptr = &options->proxy_command;
- parse_command:
-@@ -1049,6 +1065,8 @@ initialize_options(Options * options)
- 	options->preferred_authentications = NULL;
- 	options->bind_address = NULL;
- 	options->smartcard_device = NULL;
-+	options->use_nss = -1;
-+	options->nss_token = NULL;
- 	options->enable_ssh_keysign = - 1;
- 	options->no_host_authentication_for_localhost = - 1;
- 	options->identities_only = - 1;
-@@ -1177,6 +1195,8 @@ fill_default_options(Options * options)
- 		options->no_host_authentication_for_localhost = 0;
- 	if (options->identities_only == -1)
- 		options->identities_only = 0;
-+	if (options->use_nss == -1)
-+		options->use_nss = 0;
- 	if (options->enable_ssh_keysign == -1)
- 		options->enable_ssh_keysign = 0;
- 	if (options->rekey_limit == -1)
diff --git a/openssh-5.1p1-askpass-progress.patch b/openssh-5.1p1-askpass-progress.patch
new file mode 100644
index 0000000..ec93b87
--- /dev/null
+++ b/openssh-5.1p1-askpass-progress.patch
@@ -0,0 +1,79 @@
+diff -up openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress openssh-5.1p1/contrib/gnome-ssh-askpass2.c
+--- openssh-5.1p1/contrib/gnome-ssh-askpass2.c.progress	2008-07-23 19:05:26.000000000 +0200
++++ openssh-5.1p1/contrib/gnome-ssh-askpass2.c	2008-07-23 19:05:26.000000000 +0200
+@@ -53,6 +53,7 @@
+ #include <string.h>
+ #include <unistd.h>
+ #include <X11/Xlib.h>
++#include <glib.h>
+ #include <gtk/gtk.h>
+ #include <gdk/gdkx.h>
+ 
+@@ -83,13 +84,24 @@ ok_dialog(GtkWidget *entry, gpointer dia
+ 	gtk_dialog_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ }
+ 
++static void
++move_progress(GtkWidget *entry, gpointer progress)
++{
++	gdouble step;
++	g_return_if_fail(GTK_IS_PROGRESS_BAR(progress));
++	
++	step = g_random_double_range(0.03, 0.1);
++	gtk_progress_bar_set_pulse_step(GTK_PROGRESS_BAR(progress), step);
++	gtk_progress_bar_pulse(GTK_PROGRESS_BAR(progress));
++}
++
+ static int
+ passphrase_dialog(char *message)
+ {
+ 	const char *failed;
+ 	char *passphrase, *local;
+ 	int result, grab_tries, grab_server, grab_pointer;
+-	GtkWidget *dialog, *entry;
++	GtkWidget *dialog, *entry, *progress, *hbox;
+ 	GdkGrabStatus status;
+ 
+ 	grab_server = (getenv("GNOME_SSH_ASKPASS_GRAB_SERVER") != NULL);
+@@ -102,13 +114,31 @@ passphrase_dialog(char *message)
+ 					"%s",
+ 					message);
+ 
++	hbox = gtk_hbox_new(FALSE, 0);
++	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
++	    FALSE, 0);
++	gtk_widget_show(hbox);
++
+ 	entry = gtk_entry_new();
+-	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), entry, FALSE,
++	gtk_box_pack_start(GTK_BOX(hbox), entry, TRUE,
+ 	    FALSE, 0);
++	gtk_entry_set_width_chars(GTK_ENTRY(entry), 2);
+ 	gtk_entry_set_visibility(GTK_ENTRY(entry), FALSE);
+ 	gtk_widget_grab_focus(entry);
+ 	gtk_widget_show(entry);
+ 
++	hbox = gtk_hbox_new(FALSE, 0);
++	gtk_box_pack_start(GTK_BOX(GTK_DIALOG(dialog)->vbox), hbox, FALSE,
++	    FALSE, 8);
++	gtk_widget_show(hbox);
++
++	progress = gtk_progress_bar_new();
++	
++	gtk_progress_bar_set_text(GTK_PROGRESS_BAR(progress), "Passphrase length hidden intentionally");
++	gtk_box_pack_start(GTK_BOX(hbox), progress, TRUE,
++	    TRUE, 5);
++	gtk_widget_show(progress);
++
+ 	gtk_window_set_title(GTK_WINDOW(dialog), "OpenSSH");
+ 	gtk_window_set_position (GTK_WINDOW(dialog), GTK_WIN_POS_CENTER);
+ 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+@@ -119,6 +149,8 @@ passphrase_dialog(char *message)
+ 	gtk_dialog_set_default_response(GTK_DIALOG(dialog), GTK_RESPONSE_OK);
+ 	g_signal_connect(G_OBJECT(entry), "activate",
+ 			 G_CALLBACK(ok_dialog), dialog);
++	g_signal_connect(G_OBJECT(entry), "changed",
++			 G_CALLBACK(move_progress), progress);
+ 
+ 	gtk_window_set_keep_above(GTK_WINDOW(dialog), TRUE);
+ 
diff --git a/openssh-5.1p1-gssapi-role.patch b/openssh-5.1p1-gssapi-role.patch
new file mode 100644
index 0000000..cb18897
--- /dev/null
+++ b/openssh-5.1p1-gssapi-role.patch
@@ -0,0 +1,35 @@
+Written-by: Nalin Dahyabhai <nalin@redhat.com>
+Reviewed-by: Tomas Mraz <tmraz@redhat.com>
+diff -up openssh-5.1p1/auth2-gss.c.gssapi-role openssh-5.1p1/auth2-gss.c
+--- openssh-5.1p1/auth2-gss.c.gssapi-role	2007-12-02 12:59:45.000000000 +0100
++++ openssh-5.1p1/auth2-gss.c	2008-07-23 19:18:15.000000000 +0200
+@@ -258,6 +258,7 @@ input_gssapi_mic(int type, u_int32_t ple
+ 	Authctxt *authctxt = ctxt;
+ 	Gssctxt *gssctxt;
+ 	int authenticated = 0;
++	char *micuser;
+ 	Buffer b;
+ 	gss_buffer_desc mic, gssbuf;
+ 	u_int len;
+@@ -270,7 +271,11 @@ input_gssapi_mic(int type, u_int32_t ple
+ 	mic.value = packet_get_string(&len);
+ 	mic.length = len;
+ 
+-	ssh_gssapi_buildmic(&b, authctxt->user, authctxt->service,
++	if (authctxt->role && (strlen(authctxt->role) > 0))
++		xasprintf(&micuser, "%s/%s", authctxt->user, authctxt->role);
++	else
++		micuser = authctxt->user;
++	ssh_gssapi_buildmic(&b, micuser, authctxt->service,
+ 	    "gssapi-with-mic");
+ 
+ 	gssbuf.value = buffer_ptr(&b);
+@@ -282,6 +287,8 @@ input_gssapi_mic(int type, u_int32_t ple
+ 		logit("GSSAPI MIC check failed");
+ 
+ 	buffer_free(&b);
++	if (micuser != authctxt->user)
++		xfree(micuser);
+ 	xfree(mic.value);
+ 
+ 	authctxt->postponed = 0;
diff --git a/openssh-5.1p1-mls.patch b/openssh-5.1p1-mls.patch
new file mode 100644
index 0000000..baf34ad
--- /dev/null
+++ b/openssh-5.1p1-mls.patch
@@ -0,0 +1,445 @@
+diff -up openssh-5.1p1/misc.c.mls openssh-5.1p1/misc.c
+--- openssh-5.1p1/misc.c.mls	2008-06-13 06:48:59.000000000 +0200
++++ openssh-5.1p1/misc.c	2008-07-23 18:53:37.000000000 +0200
+@@ -427,6 +427,7 @@ char *
+ colon(char *cp)
+ {
+ 	int flag = 0;
++	int start = 1;
+ 
+ 	if (*cp == ':')		/* Leading colon is part of file name. */
+ 		return (0);
+@@ -440,8 +441,13 @@ colon(char *cp)
+ 			return (cp+1);
+ 		if (*cp == ':' && !flag)
+ 			return (cp);
+-		if (*cp == '/')
+-			return (0);
++		if (start) {
++		/* Slash on beginning or after dots only denotes file name. */
++			if (*cp == '/')
++				return (0);
++			if (*cp != '.')
++				start = 0;
++		}
+ 	}
+ 	return (0);
+ }
+diff -up openssh-5.1p1/session.c.mls openssh-5.1p1/session.c
+--- openssh-5.1p1/session.c.mls	2008-06-16 15:29:18.000000000 +0200
++++ openssh-5.1p1/session.c	2008-07-23 18:53:37.000000000 +0200
+@@ -1550,10 +1550,6 @@ do_setusercontext(struct passwd *pw)
+ #endif
+ 	if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid)
+ 		fatal("Failed to set uids to %u.", (u_int) pw->pw_uid);
+-
+-#ifdef WITH_SELINUX
+-	ssh_selinux_setup_exec_context(pw->pw_name);
+-#endif
+ }
+ 
+ static void
+diff -up openssh-5.1p1/openbsd-compat/port-linux.c.mls openssh-5.1p1/openbsd-compat/port-linux.c
+--- openssh-5.1p1/openbsd-compat/port-linux.c.mls	2008-07-23 18:53:37.000000000 +0200
++++ openssh-5.1p1/openbsd-compat/port-linux.c	2008-07-23 18:53:37.000000000 +0200
+@@ -33,12 +33,23 @@
+ #include "key.h"
+ #include "hostfile.h"
+ #include "auth.h"
++#include "xmalloc.h"
+ 
+ #include <selinux/selinux.h>
+ #include <selinux/flask.h>
++#include <selinux/context.h>
+ #include <selinux/get_context_list.h>
++#include <selinux/get_default_type.h>
++#include <selinux/av_permissions.h>
++
++#ifdef HAVE_LINUX_AUDIT
++#include <libaudit.h>
++#include <unistd.h>
++#endif
+ 
+ extern Authctxt *the_authctxt;
++extern int inetd_flag;
++extern int rexeced_flag;
+ 
+ /* Wrapper around is_selinux_enabled() to log its return value once only */
+ int
+@@ -54,17 +65,173 @@ ssh_selinux_enabled(void)
+ 	return (enabled);
+ }
+ 
++/* Send audit message */
++static int
++send_audit_message(int success, security_context_t default_context,
++		       security_context_t selected_context)
++{
++	int rc=0;
++#ifdef HAVE_LINUX_AUDIT
++	char *msg = NULL;
++	int audit_fd = audit_open();
++	security_context_t default_raw=NULL;
++	security_context_t selected_raw=NULL;
++	rc = -1;
++	if (audit_fd < 0) {
++		if (errno == EINVAL || errno == EPROTONOSUPPORT ||
++                                        errno == EAFNOSUPPORT)
++                        return 0; /* No audit support in kernel */
++		error("Error connecting to audit system.");
++		return rc;
++	}
++	if (selinux_trans_to_raw_context(default_context, &default_raw) < 0) {
++		error("Error translating default context.");
++		default_raw = NULL;
++	}
++	if (selinux_trans_to_raw_context(selected_context, &selected_raw) < 0) {
++		error("Error translating selected context.");
++		selected_raw = NULL;
++	}
++	if (asprintf(&msg, "sshd: default-context=%s selected-context=%s",
++		     default_raw ? default_raw : (default_context ? default_context: "?"),
++		     selected_context ? selected_raw : (selected_context ? selected_context :"?")) < 0) {
++		error("Error allocating memory.");
++		goto out;
++	}
++	if (audit_log_user_message(audit_fd, AUDIT_USER_ROLE_CHANGE,
++				   msg, NULL, NULL, NULL, success) <= 0) {
++		error("Error sending audit message.");
++		goto out;
++	}
++	rc = 0;
++      out:
++	free(msg);
++	freecon(default_raw);
++	freecon(selected_raw);
++	close(audit_fd);
++#endif
++	return rc;
++}
++
++static int
++mls_range_allowed(security_context_t src, security_context_t dst)
++{
++	struct av_decision avd;
++	int retval;
++	unsigned int bit = CONTEXT__CONTAINS;
++
++	debug("%s: src:%s dst:%s", __func__, src, dst);
++	retval = security_compute_av(src, dst, SECCLASS_CONTEXT, bit, &avd);
++	if (retval || ((bit & avd.allowed) != bit))
++		return 0;
++
++	return 1;
++}
++
++static int
++get_user_context(const char *sename, const char *role, const char *lvl,
++	security_context_t *sc) {
++#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
++	if (lvl == NULL || lvl[0] == '\0' || get_default_context_with_level(sename, lvl, NULL, sc) != 0) {
++	        /* User may have requested a level completely outside of his 
++	           allowed range. We get a context just for auditing as the
++	           range check below will certainly fail for default context. */
++#endif
++		if (get_default_context(sename, NULL, sc) != 0) {
++			*sc = NULL;
++			return -1;
++		}
++#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
++	}
++#endif
++	if (role != NULL && role[0]) {
++		context_t con;
++		char *type=NULL;
++		if (get_default_type(role, &type) != 0) {
++			error("get_default_type: failed to get default type for '%s'",
++				role);
++			goto out;
++		}
++		con = context_new(*sc);
++		if (!con) {
++			goto out;
++		}
++		context_role_set(con, role);
++		context_type_set(con, type);
++		freecon(*sc);
++		*sc = strdup(context_str(con));
++		context_free(con);
++		if (!*sc) 
++			return -1;
++	}
++#ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
++	if (lvl != NULL && lvl[0]) {
++		/* verify that the requested range is obtained */
++		context_t con;
++		security_context_t obtained_raw;
++		security_context_t requested_raw;
++		con = context_new(*sc);
++		if (!con) {
++			goto out;
++		}
++		context_range_set(con, lvl);
++		if (selinux_trans_to_raw_context(*sc, &obtained_raw) < 0) {
++			context_free(con);
++			goto out;
++		}
++		if (selinux_trans_to_raw_context(context_str(con), &requested_raw) < 0) {
++			freecon(obtained_raw);
++			context_free(con);
++			goto out;
++		}
++
++		debug("get_user_context: obtained context '%s' requested context '%s'",
++			obtained_raw, requested_raw);
++		if (strcmp(obtained_raw, requested_raw)) {
++			/* set the context to the real requested one but fail */
++			freecon(requested_raw);
++			freecon(obtained_raw);
++			freecon(*sc);
++			*sc = strdup(context_str(con));
++			context_free(con);
++			return -1;
++		}
++		freecon(requested_raw);
++		freecon(obtained_raw);
++		context_free(con);
++	}
++#endif
++	return 0;
++      out:
++        freecon(*sc);
++        *sc = NULL;
++        return -1;
++}
++
+ /* Return the default security context for the given username */
+-static security_context_t
+-ssh_selinux_getctxbyname(char *pwname)
++static int
++ssh_selinux_getctxbyname(char *pwname,
++	security_context_t *default_sc, security_context_t *user_sc)
+ {
+-	security_context_t sc = NULL;
+ 	char *sename, *lvl;
++	const char *reqlvl = NULL;
+ 	char *role = NULL;
+-	int r = 0;
++	int r = -1;
++	context_t con = NULL;
++
++	*default_sc = NULL;
++	*user_sc = NULL;
++	if (the_authctxt) {
++		if (the_authctxt->role != NULL) {
++			char *slash;
++			role = xstrdup(the_authctxt->role);
++			if ((slash = strchr(role, '/')) != NULL) {
++				*slash = '\0';
++				reqlvl = slash + 1;
++			}
++		}
++	}
+ 
+-	if (the_authctxt) 
+-		role=the_authctxt->role;
+ #ifdef HAVE_GETSEUSERBYNAME
+ 	if ((r=getseuserbyname(pwname, &sename, &lvl)) != 0) {
+ 		sename = NULL;
+@@ -72,38 +239,63 @@ ssh_selinux_getctxbyname(char *pwname)
+ 	}
+ #else
+ 	sename = pwname;
+-	lvl = NULL;
++	lvl = "";
+ #endif
+ 
+ 	if (r == 0) {
+ #ifdef HAVE_GET_DEFAULT_CONTEXT_WITH_LEVEL
+-		if (role != NULL && role[0])
+-			r = get_default_context_with_rolelevel(sename, role, lvl, NULL, &sc);
+-		else
+-			r = get_default_context_with_level(sename, lvl, NULL, &sc);
++		r = get_default_context_with_level(sename, lvl, NULL, default_sc);
+ #else
+-		if (role != NULL && role[0])
+-			r = get_default_context_with_role(sename, role, NULL, &sc);
+-		else
+-			r = get_default_context(sename, NULL, &sc);
++		r = get_default_context(sename, NULL, default_sc);
+ #endif
+ 	}
+ 
+-	if (r != 0) {
+-		switch (security_getenforce()) {
+-		case -1:
+-			fatal("%s: ssh_selinux_getctxbyname: "
+-			    "security_getenforce() failed", __func__);
+-		case 0:
+-			error("%s: Failed to get default SELinux security "
+-			    "context for %s", __func__, pwname);
+-			break;
+-		default:
+-			fatal("%s: Failed to get default SELinux security "
+-			    "context for %s (in enforcing mode)",
+-			    __func__, pwname);
++	if (r == 0) {
++		/* If launched from xinetd, we must use current level */
++		if (inetd_flag && !rexeced_flag) {
++			security_context_t sshdsc=NULL;
++
++			if (getcon_raw(&sshdsc) < 0)
++				fatal("failed to allocate security context");
++
++			if ((con=context_new(sshdsc)) == NULL)
++				fatal("failed to allocate selinux context");
++			reqlvl = context_range_get(con);
++			freecon(sshdsc);
++			if (reqlvl !=NULL && lvl != NULL && strcmp(reqlvl, lvl) == 0)
++			    /* we actually don't change level */
++			    reqlvl = "";
++
++			debug("%s: current connection level '%s'", __func__, reqlvl);
++		}
++		
++		if ((reqlvl != NULL && reqlvl[0]) || (role != NULL && role[0])) {
++			r = get_user_context(sename, role, reqlvl, user_sc);
++		
++			if (r == 0 && reqlvl != NULL && reqlvl[0]) {
++				security_context_t default_level_sc = *default_sc;
++				if (role != NULL && role[0]) {
++					if (get_user_context(sename, role, lvl, &default_level_sc) < 0)
++						default_level_sc = *default_sc;
++				}
++				/* verify that the requested range is contained in the user range */
++				if (mls_range_allowed(default_level_sc, *user_sc)) {
++					logit("permit MLS level %s (user range %s)", reqlvl, lvl);
++				} else {
++					r = -1;
++					error("deny MLS level %s (user range %s)", reqlvl, lvl);
++				}
++				if (default_level_sc != *default_sc)
++					freecon(default_level_sc);
++			}
++		} else {
++			*user_sc = *default_sc;
+ 		}
+ 	}
++	if (r != 0) {
++		error("%s: Failed to get default SELinux security "
++		    "context for %s", __func__, pwname);
++	}
+ 
+ #ifdef HAVE_GETSEUSERBYNAME
+ 	if (sename != NULL)
+@@ -111,14 +303,20 @@ ssh_selinux_getctxbyname(char *pwname)
+ 	if (lvl != NULL)
+ 		xfree(lvl);
+ #endif
++	if (role != NULL)
++		xfree(role);
++	if (con)
++		context_free(con);
+ 
+-	return (sc);
++	return (r);
+ }
+ 
+ /* Set the execution context to the default for the specified user */
+ void
+ ssh_selinux_setup_exec_context(char *pwname)
+ {
++	int r = 0;
++	security_context_t default_ctx = NULL;
+ 	security_context_t user_ctx = NULL;
+ 
+ 	if (!ssh_selinux_enabled())
+@@ -126,22 +324,45 @@ ssh_selinux_setup_exec_context(char *pwn
+ 
+ 	debug3("%s: setting execution context", __func__);
+ 
+-	user_ctx = ssh_selinux_getctxbyname(pwname);
+-	if (setexeccon(user_ctx) != 0) {
++	r = ssh_selinux_getctxbyname(pwname, &default_ctx, &user_ctx);
++	if (r >= 0) {
++		r = setexeccon(user_ctx);
++		if (r < 0) {
++			error("%s: Failed to set SELinux execution context %s for %s",
++			    __func__, user_ctx, pwname);
++		} 
++#ifdef HAVE_SETKEYCREATECON
++		else if (setkeycreatecon(user_ctx) < 0) {
++			error("%s: Failed to set SELinux keyring creation context %s for %s",
++			    __func__, user_ctx, pwname);
++		}
++#endif
++	}
++	if (user_ctx == NULL) {
++		user_ctx = default_ctx;
++	}
++	if (r < 0 || user_ctx != default_ctx) {
++		/* audit just the case when user changed a role or there was
++		   a failure */
++		send_audit_message(r >= 0, default_ctx, user_ctx);
++	}
++	if (r < 0) {
+ 		switch (security_getenforce()) {
+ 		case -1:
+ 			fatal("%s: security_getenforce() failed", __func__);
+ 		case 0:
+-			error("%s: Failed to set SELinux execution "
+-			    "context for %s", __func__, pwname);
++			error("%s: SELinux failure. Continuing in permissive mode.",
++			    __func__);
+ 			break;
+ 		default:
+-			fatal("%s: Failed to set SELinux execution context "
+-			    "for %s (in enforcing mode)", __func__, pwname);
++			fatal("%s: SELinux failure. Aborting connection.",
++			    __func__);
+ 		}
+ 	}
+-	if (user_ctx != NULL)
++	if (user_ctx != NULL && user_ctx != default_ctx)
+ 		freecon(user_ctx);
++	if (default_ctx != NULL)
++		freecon(default_ctx);
+ 
+ 	debug3("%s: done", __func__);
+ }
+@@ -159,7 +380,10 @@ ssh_selinux_setup_pty(char *pwname, cons
+ 
+ 	debug3("%s: setting TTY context on %s", __func__, tty);
+ 
+-	user_ctx = ssh_selinux_getctxbyname(pwname);
++	if (getexeccon(&user_ctx) < 0) {
++		error("%s: getexeccon: %s", __func__, strerror(errno));
++		goto out;
++	}
+ 
+ 	/* XXX: should these calls fatal() upon failure in enforcing mode? */
+ 
+diff -up openssh-5.1p1/configure.ac.mls openssh-5.1p1/configure.ac
+--- openssh-5.1p1/configure.ac.mls	2008-07-23 18:53:37.000000000 +0200
++++ openssh-5.1p1/configure.ac	2008-07-23 18:53:37.000000000 +0200
+@@ -3311,6 +3311,7 @@ AC_ARG_WITH(selinux,
+ 		SSHDLIBS="$SSHDLIBS $LIBSELINUX"
+ 		LIBS="$LIBS $LIBSELINUX"
+ 		AC_CHECK_FUNCS(getseuserbyname get_default_context_with_level)
++		AC_CHECK_FUNCS(setkeycreatecon)
+ 		LIBS="$save_LIBS"
+ 	fi ]
+ )
+diff -up openssh-5.1p1/sshd.c.mls openssh-5.1p1/sshd.c
+--- openssh-5.1p1/sshd.c.mls	2008-07-23 18:53:37.000000000 +0200
++++ openssh-5.1p1/sshd.c	2008-07-23 18:53:37.000000000 +0200
+@@ -1896,6 +1896,9 @@ main(int ac, char **av)
+ 		restore_uid();
+ 	}
+ #endif
++#ifdef WITH_SELINUX
++	ssh_selinux_setup_exec_context(authctxt->pw->pw_name);
++#endif
+ #ifdef USE_PAM
+ 	if (options.use_pam) {
+ 		do_pam_setcred(1);
diff --git a/openssh-5.1p1-nss-keys.patch b/openssh-5.1p1-nss-keys.patch
new file mode 100644
index 0000000..8805f3e
--- /dev/null
+++ b/openssh-5.1p1-nss-keys.patch
@@ -0,0 +1,1397 @@
+diff -up openssh-5.1p1/key.c.nss-keys openssh-5.1p1/key.c
+--- openssh-5.1p1/key.c.nss-keys	2008-07-11 09:35:09.000000000 +0200
++++ openssh-5.1p1/key.c	2008-07-23 19:16:00.000000000 +0200
+@@ -96,6 +96,54 @@ key_new(int type)
+ 	return k;
+ }
+ 
++#ifdef HAVE_LIBNSS
++Key *
++key_new_nss(int type)
++{
++	Key *k = key_new(type);
++
++	k->nss = xcalloc(1, sizeof(*k->nss));
++	k->flags = KEY_FLAG_EXT | KEY_FLAG_NSS;
++
++	return k;
++}
++
++Key *
++key_new_nss_copy(int type, const Key *c)
++{
++	Key *k = key_new_nss(type);
++
++	switch (k->type) {
++		case KEY_RSA:
++			if ((BN_copy(k->rsa->n, c->rsa->n) == NULL) ||
++				(BN_copy(k->rsa->e, c->rsa->e) == NULL))
++				fatal("key_new_nss_copy: BN_copy failed");
++			break;
++		case KEY_DSA:
++			if ((BN_copy(k->dsa->p, c->rsa->p) == NULL) ||
++				(BN_copy(k->dsa->q, c->dsa->q) == NULL) ||
++				(BN_copy(k->dsa->g, c->dsa->g) == NULL) ||
++				(BN_copy(k->dsa->pub_key, c->dsa->pub_key) == NULL))
++				fatal("key_new_nss_copy: BN_copy failed");
++			break;
++	}
++		
++	k->nss->privk = SECKEY_CopyPrivateKey(c->nss->privk);
++	if (k->nss->privk == NULL)
++		fatal("key_new_nss_copy: SECKEY_CopyPrivateKey failed");
++
++	k->nss->pubk = SECKEY_CopyPublicKey(c->nss->pubk);
++	if (k->nss->pubk == NULL)
++		fatal("key_new_nss_copy: SECKEY_CopyPublicKey failed");
++	
++	if (c->nss->privk->wincx)
++		k->nss->privk->wincx = xstrdup(c->nss->privk->wincx);
++
++	return k;
++}
++#endif
++
++
+ Key *
+ key_new_private(int type)
+ {
+@@ -151,6 +199,19 @@ key_free(Key *k)
+ 		fatal("key_free: bad key type %d", k->type);
+ 		break;
+ 	}
++#ifdef HAVE_LIBNSS
++	if (k->flags & KEY_FLAG_NSS) {
++		if (k->nss->privk != NULL && k->nss->privk->wincx != NULL) {
++			memset(k->nss->privk->wincx, 0,
++				strlen(k->nss->privk->wincx));
++			xfree(k->nss->privk->wincx);
++			k->nss->privk->wincx = NULL;
++		}
++		SECKEY_DestroyPrivateKey(k->nss->privk);
++		SECKEY_DestroyPublicKey(k->nss->pubk);
++		xfree(k->nss);
++	}
++#endif
+ 	xfree(k);
+ }
+ 
+diff -up openssh-5.1p1/ssh-dss.c.nss-keys openssh-5.1p1/ssh-dss.c
+--- openssh-5.1p1/ssh-dss.c.nss-keys	2006-11-07 13:14:42.000000000 +0100
++++ openssh-5.1p1/ssh-dss.c	2008-07-23 19:16:00.000000000 +0200
+@@ -39,6 +39,10 @@
+ #include "log.h"
+ #include "key.h"
+ 
++#ifdef HAVE_LIBNSS
++#include <cryptohi.h>
++#endif
++
+ #define INTBLOB_LEN	20
+ #define SIGBLOB_LEN	(2*INTBLOB_LEN)
+ 
+@@ -57,6 +61,34 @@ ssh_dss_sign(const Key *key, u_char **si
+ 		error("ssh_dss_sign: no DSA key");
+ 		return -1;
+ 	}
++#ifdef HAVE_LIBNSS
++	if (key->flags & KEY_FLAG_NSS) {
++		SECItem sigitem;
++		SECItem *rawsig;
++
++		memset(&sigitem, 0, sizeof(sigitem));
++		if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
++			SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) != SECSuccess) {
++			error("ssh_dss_sign: sign failed");
++			return -1;
++		}
++		
++		if ((rawsig=DSAU_DecodeDerSig(&sigitem)) == NULL) {
++			error("ssh_dss_sign: der decode failed");
++			SECITEM_ZfreeItem(&sigitem, PR_FALSE);
++			return -1;
++		}
++		SECITEM_ZfreeItem(&sigitem, PR_FALSE);
++		if (rawsig->len != SIGBLOB_LEN) {
++			error("ssh_dss_sign: unsupported signature length %d",
++				rawsig->len);
++			SECITEM_ZfreeItem(rawsig, PR_TRUE);
++			return -1;
++		}
++		memcpy(sigblob, rawsig->data, SIGBLOB_LEN);
++		SECITEM_ZfreeItem(rawsig, PR_TRUE);
++	} else {
++#endif
+ 	EVP_DigestInit(&md, evp_md);
+ 	EVP_DigestUpdate(&md, data, datalen);
+ 	EVP_DigestFinal(&md, digest, &dlen);
+@@ -80,7 +112,9 @@ ssh_dss_sign(const Key *key, u_char **si
+ 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+ 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
+ 	DSA_SIG_free(sig);
+-
++#ifdef HAVE_LIBNSS
++	}
++#endif
+ 	if (datafellows & SSH_BUG_SIGBLOB) {
+ 		if (lenp != NULL)
+ 			*lenp = SIGBLOB_LEN;
+diff -up openssh-5.1p1/ssh-agent.c.nss-keys openssh-5.1p1/ssh-agent.c
+--- openssh-5.1p1/ssh-agent.c.nss-keys	2008-07-04 15:10:49.000000000 +0200
++++ openssh-5.1p1/ssh-agent.c	2008-07-23 19:16:00.000000000 +0200
+@@ -80,6 +80,10 @@
+ #include "scard.h"
+ #endif
+ 
++#ifdef HAVE_LIBNSS
++#include "nsskeys.h"
++#endif
++
+ #if defined(HAVE_SYS_PRCTL_H)
+ #include <sys/prctl.h>	/* For prctl() and PR_SET_DUMPABLE */
+ #endif
+@@ -714,6 +718,114 @@ send:
+ }
+ #endif /* SMARTCARD */
+ 
++#ifdef HAVE_LIBNSS
++static void
++process_add_nss_key (SocketEntry *e)
++{
++	char *tokenname = NULL, *keyname = NULL, *password = NULL;
++	int i, version, success = 0, death = 0, confirm = 0;
++	Key **keys, *k;
++	Identity *id;
++	Idtab *tab;
++
++	tokenname = buffer_get_string(&e->request, NULL);
++	keyname = buffer_get_string(&e->request, NULL);
++	password = buffer_get_string(&e->request, NULL);
++
++	while (buffer_len(&e->request)) {
++		switch (buffer_get_char(&e->request)) {
++		case SSH_AGENT_CONSTRAIN_LIFETIME:
++			death = time(NULL) + buffer_get_int(&e->request);
++			break;
++		case SSH_AGENT_CONSTRAIN_CONFIRM:
++			confirm = 1;
++			break;
++		default:
++			break;
++		}
++	}
++	if (lifetime && !death)
++		death = time(NULL) + lifetime;
++
++	keys = nss_get_keys(tokenname, keyname, password);
++	/* password is owned by keys[0] now */
++	xfree(tokenname);
++	xfree(keyname);
++
++	if (keys == NULL) {
++		memset(password, 0, strlen(password));
++		xfree(password);
++		error("nss_get_keys failed");
++		goto send;
++	}
++	for (i = 0; keys[i] != NULL; i++) {
++		k = keys[i];
++		version = k->type == KEY_RSA1 ? 1 : 2;
++		tab = idtab_lookup(version);
++		if (lookup_identity(k, version) == NULL) {
++			id = xmalloc(sizeof(Identity));
++			id->key = k;
++			id->comment = nss_get_key_label(k);
++			id->death = death;
++			id->confirm = confirm;
++			TAILQ_INSERT_TAIL(&tab->idlist, id, next);
++			tab->nentries++;
++			success = 1;
++		} else {
++			key_free(k);
++		}
++		keys[i] = NULL;
++	}
++	xfree(keys);
++send:
++	buffer_put_int(&e->output, 1);
++	buffer_put_char(&e->output,
++	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
++}
++
++static void
++process_remove_nss_key(SocketEntry *e)
++{
++	char *tokenname = NULL, *keyname = NULL, *password = NULL;
++	int i, version, success = 0;
++	Key **keys, *k = NULL;
++	Identity *id;
++	Idtab *tab;
++
++	tokenname = buffer_get_string(&e->request, NULL);
++	keyname = buffer_get_string(&e->request, NULL);
++	password = buffer_get_string(&e->request, NULL);
++
++	keys = nss_get_keys(tokenname, keyname, password);
++	xfree(tokenname);
++	xfree(keyname);
++	xfree(password);
++
++	if (keys == NULL || keys[0] == NULL) {
++		error("nss_get_keys failed");
++		goto send;
++	}
++	for (i = 0; keys[i] != NULL; i++) {
++		k = keys[i];
++		version = k->type == KEY_RSA1 ? 1 : 2;
++		if ((id = lookup_identity(k, version)) != NULL) {
++			tab = idtab_lookup(version);
++			TAILQ_REMOVE(&tab->idlist, id, next);
++			tab->nentries--;
++			free_identity(id);
++			success = 1;
++		}
++		key_free(k);
++		keys[i] = NULL;
++	}
++	xfree(keys);
++send:
++	buffer_put_int(&e->output, 1);
++	buffer_put_char(&e->output,
++	    success ? SSH_AGENT_SUCCESS : SSH_AGENT_FAILURE);
++}
++#endif /* HAVE_LIBNSS */
++
+ /* dispatch incoming messages */
+ 
+ static void
+@@ -806,6 +918,15 @@ process_message(SocketEntry *e)
+ 		process_remove_smartcard_key(e);
+ 		break;
+ #endif /* SMARTCARD */
++#ifdef HAVE_LIBNSS
++	case SSH_AGENTC_ADD_NSS_KEY:
++	case SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED:
++		process_add_nss_key(e);
++		break;
++	case SSH_AGENTC_REMOVE_NSS_KEY:
++		process_remove_nss_key(e);
++		break;
++#endif /* SMARTCARD */
+ 	default:
+ 		/* Unknown message.  Respond with failure. */
+ 		error("Unknown message %d", type);
+diff -up openssh-5.1p1/authfd.h.nss-keys openssh-5.1p1/authfd.h
+--- openssh-5.1p1/authfd.h.nss-keys	2006-08-05 04:39:39.000000000 +0200
++++ openssh-5.1p1/authfd.h	2008-07-23 19:16:00.000000000 +0200
+@@ -49,6 +49,12 @@
+ #define SSH2_AGENTC_ADD_ID_CONSTRAINED		25
+ #define SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26
+ 
++/* nss */
++#define SSH_AGENTC_ADD_NSS_KEY			30
++#define SSH_AGENTC_REMOVE_NSS_KEY		31
++#define SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED	32
++
++
+ #define	SSH_AGENT_CONSTRAIN_LIFETIME		1
+ #define	SSH_AGENT_CONSTRAIN_CONFIRM		2
+ 
+@@ -83,6 +89,8 @@ int	 ssh_remove_all_identities(Authentic
+ int	 ssh_lock_agent(AuthenticationConnection *, int, const char *);
+ int	 ssh_update_card(AuthenticationConnection *, int, const char *,
+     const char *, u_int, u_int);
++int	 ssh_update_nss_key(AuthenticationConnection *, int, const char *,
++    const char *, const char *, u_int, u_int);
+ 
+ int
+ ssh_decrypt_challenge(AuthenticationConnection *, Key *, BIGNUM *, u_char[16],
+diff -up openssh-5.1p1/configure.ac.nss-keys openssh-5.1p1/configure.ac
+--- openssh-5.1p1/configure.ac.nss-keys	2008-07-23 19:16:00.000000000 +0200
++++ openssh-5.1p1/configure.ac	2008-07-23 19:16:00.000000000 +0200
+@@ -3328,6 +3328,20 @@ AC_ARG_WITH(linux-audit,
+ 	fi ]
+ )
+ 
++# Check whether user wants NSS support
++LIBNSS_MSG="no"
++AC_ARG_WITH(nss,
++	[  --with-nss   Enable NSS support],
++	[ if test "x$withval" != "xno" ; then
++		AC_DEFINE(HAVE_LIBNSS,1,[Define if you want NSS support.])
++		LIBNSS_MSG="yes"
++		CPPFLAGS="$CPPFLAGS -I/usr/include/nss3 -I/usr/include/nspr4"
++		AC_CHECK_HEADERS(pk11pub.h)
++		LIBS="$LIBS -lnss3"
++	fi
++	])
++AC_SUBST(LIBNSS)
++
+ # Check whether user wants Kerberos 5 support
+ KRB5_MSG="no"
+ AC_ARG_WITH(kerberos5,
+@@ -4157,6 +4171,7 @@ echo "                   OSF SIA support
+ echo "                 KerberosV support: $KRB5_MSG"
+ echo "                   SELinux support: $SELINUX_MSG"
+ echo "               Linux audit support: $LINUX_AUDIT_MSG"
++echo "                       NSS support: $LIBNSS_MSG"
+ echo "                 Smartcard support: $SCARD_MSG"
+ echo "                     S/KEY support: $SKEY_MSG"
+ echo "              TCP Wrappers support: $TCPW_MSG"
+diff -up /dev/null openssh-5.1p1/README.nss
+--- /dev/null	2008-07-15 11:15:04.125063641 +0200
++++ openssh-5.1p1/README.nss	2008-07-23 19:16:00.000000000 +0200
+@@ -0,0 +1,36 @@
++How to use NSS tokens with OpenSSH?
++
++This version of OpenSSH contains experimental support for authentication using
++keys stored in tokens stored in NSS database. This for example includes any
++PKCS#11 tokens which are installed in your NSS database.
++
++As the code is experimental and preliminary only SSH protocol 2 is supported.
++The NSS certificate and token databases are looked for in the ~/.ssh
++directory or in a directory specified by environment variable NSS_DB_PATH.
++
++Common operations:
++
++(1) tell the ssh client to use the NSS keys:
++
++	$ ssh -o 'UseNSS yes' otherhost
++	
++	if you want to use a specific token:
++	
++	$ ssh -o 'UseNSS yes' -o 'NSS Token My PKCS11 Token' otherhost
++
++(2) or tell the agent to use the NSS keys:
++
++	$ ssh-add -n
++	
++	if you want to use a specific token:
++	
++	$ ssh-add -n -T 'My PKCS11 Token'
++
++(3) extract the public key from token so it can be added to the
++server:
++
++	$ ssh-keygen -n
++	
++	if you want to use a specific token and/or key:
++	
++	$ ssh-keygen -n -D 'My PKCS11 Token' 'My Key ID'
+diff -up openssh-5.1p1/authfd.c.nss-keys openssh-5.1p1/authfd.c
+--- openssh-5.1p1/authfd.c.nss-keys	2006-09-01 07:38:36.000000000 +0200
++++ openssh-5.1p1/authfd.c	2008-07-23 19:16:00.000000000 +0200
+@@ -626,6 +626,45 @@ ssh_update_card(AuthenticationConnection
+ 	return decode_reply(type);
+ }
+ 
++int
++ssh_update_nss_key(AuthenticationConnection *auth, int add,
++    const char *tokenname, const char *keyname,
++    const char *pass, u_int life, u_int confirm)
++{
++	Buffer msg;
++	int type, constrained = (life || confirm);
++
++	if (add) {
++		type = constrained ?
++		    SSH_AGENTC_ADD_NSS_KEY_CONSTRAINED :
++		    SSH_AGENTC_ADD_NSS_KEY;
++	} else
++		type = SSH_AGENTC_REMOVE_NSS_KEY;
++
++	buffer_init(&msg);
++	buffer_put_char(&msg, type);
++	buffer_put_cstring(&msg, tokenname);
++	buffer_put_cstring(&msg, keyname);
++	buffer_put_cstring(&msg, pass);
++
++	if (constrained) {
++		if (life != 0) {
++			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_LIFETIME);
++			buffer_put_int(&msg, life);
++		}
++		if (confirm != 0)
++			buffer_put_char(&msg, SSH_AGENT_CONSTRAIN_CONFIRM);
++	}
++
++	if (ssh_request_reply(auth, &msg, &msg) == 0) {
++		buffer_free(&msg);
++		return 0;
++	}
++	type = buffer_get_char(&msg);
++	buffer_free(&msg);
++	return decode_reply(type);
++}
++
+ /*
+  * Removes all identities from the agent.  This call is not meant to be used
+  * by normal applications.
+diff -up openssh-5.1p1/readconf.h.nss-keys openssh-5.1p1/readconf.h
+--- openssh-5.1p1/readconf.h.nss-keys	2008-06-29 16:04:03.000000000 +0200
++++ openssh-5.1p1/readconf.h	2008-07-23 19:16:00.000000000 +0200
+@@ -84,6 +84,8 @@ typedef struct {
+ 	char   *preferred_authentications;
+ 	char   *bind_address;	/* local socket address for connection to sshd */
+ 	char   *smartcard_device; /* Smartcard reader device */
++	int     use_nss;        /* Use NSS library for keys */
++	char   *nss_token;      /* Look for NSS keys on token */
+ 	int	verify_host_key_dns;	/* Verify host key using DNS */
+ 
+ 	int     num_identity_files;	/* Number of files for RSA/DSA identities. */
+diff -up /dev/null openssh-5.1p1/nsskeys.c
+--- /dev/null	2008-07-15 11:15:04.125063641 +0200
++++ openssh-5.1p1/nsskeys.c	2008-07-23 19:16:00.000000000 +0200
+@@ -0,0 +1,327 @@
++/*
++ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
++ * Copyright (c) 2007 Red Hat, Inc. All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#include "includes.h"
++#ifdef HAVE_LIBNSS
++
++#include <sys/types.h>
++
++#include <stdarg.h>
++#include <string.h>
++#include <unistd.h>
++
++#include <openssl/evp.h>
++
++#include <nss.h>
++#include <keyhi.h>
++#include <pk11pub.h>
++#include <cert.h>
++
++#include "xmalloc.h"
++#include "key.h"
++#include "log.h"
++#include "misc.h"
++#include "nsskeys.h"
++#include "pathnames.h"
++
++static char *
++password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
++{
++	char *password = arg;
++	if (retry || password == NULL)
++		return NULL;
++	
++	return PL_strdup(password);
++}
++
++int
++nss_init(PK11PasswordFunc pwfn)
++{
++	char *dbpath;
++	char buf[MAXPATHLEN];
++
++	if (NSS_IsInitialized())
++		return 0;
++
++	if ((dbpath=getenv("NSS_DB_PATH")) == NULL) {
++		struct passwd *pw;
++		if ((pw = getpwuid(getuid())) == NULL ||
++			pw->pw_dir == NULL) {
++			return -1;
++		}
++		snprintf(buf, sizeof(buf), "%s/%s", pw->pw_dir,
++			    _PATH_SSH_USER_DIR);
++		dbpath = buf;
++	}
++
++	if (NSS_Init(dbpath) != SECSuccess)
++		return -1;
++
++	if (pwfn == NULL) {
++		pwfn = password_cb;
++	}
++
++	PK11_SetPasswordFunc(pwfn);
++	
++	return 0;
++}
++
++static Key *
++make_key_from_privkey(SECKEYPrivateKey *privk, char *password)
++{
++	Key *k;
++	switch (SECKEY_GetPrivateKeyType(privk)) {
++		case rsaKey:
++			k = key_new_nss(KEY_RSA);
++			break;
++		case dsaKey:
++			k = key_new_nss(KEY_DSA);
++			break;
++		default:
++			return NULL;
++	}
++	k->nss->pubk = SECKEY_ConvertToPublicKey(privk);
++	if (k->nss->pubk != NULL) {
++		k->nss->privk = SECKEY_CopyPrivateKey(privk);
++	}
++	if (k->nss->privk != NULL) {
++		if (password != NULL) {
++			k->nss->privk->wincx = xstrdup(password);
++		}
++		return k;
++	}
++	key_free(k);
++	return NULL;
++}
++
++static Key **
++add_key_to_list(Key *k, Key **keys, size_t *i, size_t *allocated)
++{
++	if (*allocated < *i + 2) {
++		*allocated += 16;
++		keys = xrealloc(keys, *allocated, sizeof(k));
++	}
++	keys[*i] = k;
++	(*i)++;
++	keys[*i] = NULL;
++	return keys;
++}
++
++static int
++nss_convert_pubkey(Key *k)
++{
++	u_char *n;
++	unsigned int len;
++	char *p;
++
++	switch (k->type) {
++		case KEY_RSA:
++			n = k->nss->pubk->u.rsa.modulus.data;
++			len = k->nss->pubk->u.rsa.modulus.len;
++
++			if (BN_bin2bn(n, len, k->rsa->n) == NULL) {
++				fatal("nss_convert_pubkey: BN_bin2bn failed");
++			}
++
++			n = k->nss->pubk->u.rsa.publicExponent.data;
++			len = k->nss->pubk->u.rsa.publicExponent.len;
++
++			if (BN_bin2bn(n, len, k->rsa->e) == NULL) {
++				fatal("nss_convert_pubkey: BN_bin2bn failed");
++			}
++			break;
++		case KEY_DSA:
++			n = k->nss->pubk->u.dsa.params.prime.data;
++			len = k->nss->pubk->u.dsa.params.prime.len;
++
++			if (BN_bin2bn(n, len, k->dsa->p) == NULL) {
++				fatal("nss_convert_pubkey: BN_bin2bn failed");
++			}
++
++			n = k->nss->pubk->u.dsa.params.subPrime.data;
++			len = k->nss->pubk->u.dsa.params.subPrime.len;
++
++			if (BN_bin2bn(n, len, k->dsa->q) == NULL) {
++				fatal("nss_convert_pubkey: BN_bin2bn failed");
++			}
++
++			n = k->nss->pubk->u.dsa.params.base.data;
++			len = k->nss->pubk->u.dsa.params.base.len;
++
++			if (BN_bin2bn(n, len, k->dsa->g) == NULL) {
++				fatal("nss_convert_pubkey: BN_bin2bn failed");
++			}
++
++			n = k->nss->pubk->u.dsa.publicValue.data;
++			len = k->nss->pubk->u.dsa.publicValue.len;
++
++			if (BN_bin2bn(n, len, k->dsa->pub_key) == NULL) {
++				fatal("nss_convert_pubkey: BN_bin2bn failed");
++			}
++			break;
++	}
++
++	p = key_fingerprint(k, SSH_FP_MD5, SSH_FP_HEX);
++	debug("fingerprint %u %s", key_size(k), p);
++	xfree(p);
++
++	return 0;
++}
++
++static Key **
++nss_find_privkeys(const char *tokenname, const char *keyname,
++    char *password)
++{
++	Key *k = NULL;
++	Key **keys = NULL;
++	PK11SlotList *slots;
++	PK11SlotListElement *sle;
++	size_t allocated = 0;
++	size_t i = 0;
++
++	if ((slots=PK11_FindSlotsByNames(NULL, NULL, tokenname, PR_TRUE)) == NULL) {
++		if (tokenname == NULL) {
++			debug("No NSS token found");
++		} else {
++			debug("NSS token not found: %s", tokenname);
++		}
++		return NULL;
++	}
++	
++	for (sle = slots->head; sle; sle = sle->next) {
++		SECKEYPrivateKeyList *list;
++		SECKEYPrivateKeyListNode *node;
++		char *tmppass = password;
++				
++		if (PK11_NeedLogin(sle->slot)) {
++			if (password == NULL) {
++				char *prompt;
++				if (asprintf(&prompt, "Enter passphrase for token %s: ",
++					PK11_GetTokenName(sle->slot)) < 0)
++					fatal("password_cb: asprintf failed");
++				tmppass = read_passphrase(prompt, RP_ALLOW_STDIN);
++			}
++			PK11_Authenticate(sle->slot, PR_TRUE, tmppass);
++		}
++
++		debug("Looking for: %s:%s", tokenname, keyname);
++		list = PK11_ListPrivKeysInSlot(sle->slot, (char *)keyname,
++			tmppass);
++		if (list == NULL && keyname != NULL) {
++			char *fooname;
++			/* NSS bug workaround */
++			if (asprintf(&fooname, "%s~", keyname) < 0) {
++				error("nss_find_privkey: asprintf failed");
++				PK11_FreeSlotList(slots);
++				return NULL;
++			}
++			list = PK11_ListPrivKeysInSlot(sle->slot, fooname,
++			tmppass);
++			free(fooname);
++		}
++		if (list == NULL && keyname != NULL) {
++			CERTCertificate *cert;
++			SECKEYPrivateKey *privk;
++			cert = CERT_FindCertByNickname(CERT_GetDefaultCertDB(),
++				(char *)keyname);
++			if (cert == NULL)
++				goto cleanup;
++			privk = PK11_FindPrivateKeyFromCert(sle->slot, cert, tmppass);
++			CERT_DestroyCertificate(cert);
++			if (privk == NULL)
++				goto cleanup;
++			if ((k=make_key_from_privkey(privk, tmppass)) != NULL) {
++				nss_convert_pubkey(k);
++				keys = add_key_to_list(k, keys, &i, &allocated);
++			}
++			SECKEY_DestroyPrivateKey(privk);
++		} else {
++			if (list == NULL)
++				goto cleanup;
++			for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
++				node=PRIVKEY_LIST_NEXT(node))
++				if ((k=make_key_from_privkey(node->key, tmppass)) != NULL) {
++					nss_convert_pubkey(k);
++					keys = add_key_to_list(k, keys, &i, &allocated);
++				}
++			SECKEY_DestroyPrivateKeyList(list);
++		}
++cleanup:
++		if (password == NULL && tmppass != NULL) {
++			memset(tmppass, 0, strlen(tmppass));
++			xfree(tmppass);
++		}
++	}
++	PK11_FreeSlotList(slots);
++
++	return keys;
++}
++
++Key **
++nss_get_keys(const char *tokenname, const char *keyname,
++    char *password)
++{
++	Key **keys;
++
++	if (nss_init(NULL) == -1) {
++		error("Failed to initialize NSS library");
++		return NULL;
++	}
++
++	keys = nss_find_privkeys(tokenname, keyname, password);
++	if (keys == NULL && keyname != NULL) {
++		error("Cannot find key in nss, token removed");
++		return NULL;
++	}
++#if 0
++	keys = xcalloc(3, sizeof(Key *));
++
++	if (k->type == KEY_RSA) {
++		n = key_new_nss_copy(KEY_RSA1, k);
++
++		keys[0] = n;
++		keys[1] = k;
++		keys[2] = NULL;
++	} else {
++		keys[0] = k;
++		keys[1] = NULL;
++	}
++#endif
++	return keys;
++}
++
++char *
++nss_get_key_label(Key *key)
++{
++	char *label, *nickname;
++	
++	nickname = PK11_GetPrivateKeyNickname(key->nss->privk);
++	label = xstrdup(nickname);
++	PORT_Free(nickname);
++
++	return label;
++}
++
++#endif /* HAVE_LIBNSS */
+diff -up openssh-5.1p1/ssh.c.nss-keys openssh-5.1p1/ssh.c
+--- openssh-5.1p1/ssh.c.nss-keys	2008-07-04 04:53:50.000000000 +0200
++++ openssh-5.1p1/ssh.c	2008-07-23 19:16:00.000000000 +0200
+@@ -104,6 +104,9 @@
+ #ifdef SMARTCARD
+ #include "scard.h"
+ #endif
++#ifdef HAVE_LIBNSS
++#include "nsskeys.h"
++#endif
+ 
+ extern char *__progname;
+ 
+@@ -1235,9 +1238,11 @@ load_public_identity_files(void)
+ 	int i = 0;
+ 	Key *public;
+ 	struct passwd *pw;
+-#ifdef SMARTCARD
++#if defined(SMARTCARD) || defined(HAVE_LIBNSS)
+ 	Key **keys;
++#endif
+ 
++#ifdef SMARTCARD
+ 	if (options.smartcard_device != NULL &&
+ 	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
+ 	    (keys = sc_get_keys(options.smartcard_device, NULL)) != NULL) {
+@@ -1260,6 +1265,27 @@ load_public_identity_files(void)
+ 		xfree(keys);
+ 	}
+ #endif /* SMARTCARD */
++#ifdef HAVE_LIBNSS
++	if (options.use_nss &&
++	    options.num_identity_files < SSH_MAX_IDENTITY_FILES &&
++	    (keys = nss_get_keys(options.nss_token, NULL, NULL)) != NULL) {
++		int count;
++		for (count = 0; keys[count] != NULL; count++) {
++			memmove(&options.identity_files[1], &options.identity_files[0],
++			    sizeof(char *) * (SSH_MAX_IDENTITY_FILES - 1));
++			memmove(&options.identity_keys[1], &options.identity_keys[0],
++			    sizeof(Key *) * (SSH_MAX_IDENTITY_FILES - 1));
++			options.num_identity_files++;
++			options.identity_keys[0] = keys[count];
++			options.identity_files[0] = nss_get_key_label(keys[count]);
++		}
++		if (options.num_identity_files > SSH_MAX_IDENTITY_FILES)
++			options.num_identity_files = SSH_MAX_IDENTITY_FILES;
++		i += count;
++		xfree(keys);
++	}
++#endif /* HAVE_LIBNSS */
++
+ 	if ((pw = getpwuid(original_real_uid)) == NULL)
+ 		fatal("load_public_identity_files: getpwuid failed");
+ 	pwname = xstrdup(pw->pw_name);
+diff -up /dev/null openssh-5.1p1/nsskeys.h
+--- /dev/null	2008-07-15 11:15:04.125063641 +0200
++++ openssh-5.1p1/nsskeys.h	2008-07-23 19:16:00.000000000 +0200
+@@ -0,0 +1,39 @@
++/*
++ * Copyright (c) 2001 Markus Friedl.  All rights reserved.
++ * Copyright (c) 2007 Red Hat, Inc.  All rights reserved.
++ *
++ * Redistribution and use in source and binary forms, with or without
++ * modification, are permitted provided that the following conditions
++ * are met:
++ * 1. Redistributions of source code must retain the above copyright
++ *    notice, this list of conditions and the following disclaimer.
++ * 2. Redistributions in binary form must reproduce the above copyright
++ *    notice, this list of conditions and the following disclaimer in the
++ *    documentation and/or other materials provided with the distribution.
++ *
++ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
++ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
++ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
++ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
++ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
++ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
++ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
++ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
++ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
++ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
++ */
++
++#ifndef NSSKEYS_H
++#define NSSKEYS_H
++#ifdef HAVE_LIBNSS
++#include <pk11func.h>
++#include <prtypes.h>
++
++int	nss_init(PK11PasswordFunc);
++Key	**nss_get_keys(const char *, const char *, char *);
++char	*nss_get_key_label(Key *);
++/*void	 sc_close(void);*/
++/*int	 sc_put_key(Key *, const char *);*/
++
++#endif
++#endif
+diff -up openssh-5.1p1/Makefile.in.nss-keys openssh-5.1p1/Makefile.in
+--- openssh-5.1p1/Makefile.in.nss-keys	2008-07-08 16:21:12.000000000 +0200
++++ openssh-5.1p1/Makefile.in	2008-07-23 19:16:00.000000000 +0200
+@@ -71,7 +71,7 @@ LIBSSH_OBJS=acss.o authfd.o authfile.o b
+ 	atomicio.o key.o dispatch.o kex.o mac.o uidswap.o uuencode.o misc.o \
+ 	monitor_fdpass.o rijndael.o ssh-dss.o ssh-rsa.o dh.o kexdh.o \
+ 	kexgex.o kexdhc.o kexgexc.o scard.o msg.o progressmeter.o dns.o \
+-	entropy.o scard-opensc.o gss-genr.o umac.o
++	entropy.o scard-opensc.o gss-genr.o umac.o nsskeys.o
+ 
+ SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
+ 	sshconnect.o sshconnect1.o sshconnect2.o mux.o
+diff -up openssh-5.1p1/key.h.nss-keys openssh-5.1p1/key.h
+--- openssh-5.1p1/key.h.nss-keys	2008-06-12 20:40:35.000000000 +0200
++++ openssh-5.1p1/key.h	2008-07-23 19:16:00.000000000 +0200
+@@ -29,11 +29,17 @@
+ #include <openssl/rsa.h>
+ #include <openssl/dsa.h>
+ 
++#ifdef HAVE_LIBNSS
++#include <nss.h>
++#include <keyhi.h>
++#endif
++
+ typedef struct Key Key;
+ enum types {
+ 	KEY_RSA1,
+ 	KEY_RSA,
+ 	KEY_DSA,
++	KEY_NSS,
+ 	KEY_UNSPEC
+ };
+ enum fp_type {
+@@ -48,16 +54,30 @@ enum fp_rep {
+ 
+ /* key is stored in external hardware */
+ #define KEY_FLAG_EXT		0x0001
++#define KEY_FLAG_NSS		0x0002
++
++#ifdef HAVE_LIBNSS
++typedef struct NSSKey NSSKey;
++struct NSSKey {
++	SECKEYPrivateKey *privk;
++	SECKEYPublicKey *pubk;
++};
++#endif
+ 
+ struct Key {
+ 	int	 type;
+ 	int	 flags;
+ 	RSA	*rsa;
+ 	DSA	*dsa;
++#ifdef HAVE_LIBNSS
++	NSSKey  *nss;
++#endif
+ };
+ 
+ Key		*key_new(int);
+ Key		*key_new_private(int);
++Key 		*key_new_nss(int);
++Key		*key_new_nss_copy(int, const Key *);
+ void		 key_free(Key *);
+ Key		*key_demote(const Key *);
+ int		 key_equal(const Key *, const Key *);
+diff -up openssh-5.1p1/ssh-add.c.nss-keys openssh-5.1p1/ssh-add.c
+--- openssh-5.1p1/ssh-add.c.nss-keys	2008-02-28 09:13:52.000000000 +0100
++++ openssh-5.1p1/ssh-add.c	2008-07-23 19:16:00.000000000 +0200
+@@ -44,6 +44,14 @@
+ #include <openssl/evp.h>
+ #include "openbsd-compat/openssl-compat.h"
+ 
++#ifdef HAVE_LIBNSS
++#include <nss.h>
++#include <secmod.h>
++#include <pk11pub.h>
++#include <keyhi.h>
++#include <cert.h>
++#endif
++
+ #include <fcntl.h>
+ #include <pwd.h>
+ #include <stdarg.h>
+@@ -57,6 +65,7 @@
+ #include "rsa.h"
+ #include "log.h"
+ #include "key.h"
++#include "nsskeys.h"
+ #include "buffer.h"
+ #include "authfd.h"
+ #include "authfile.h"
+@@ -307,6 +316,117 @@ do_file(AuthenticationConnection *ac, in
+ 	return 0;
+ }
+ 
++#ifdef HAVE_LIBNSS
++static char *
++password_cb(PK11SlotInfo *slot, PRBool retry, void *arg)
++{
++	char **passcache = arg;
++	char *password, *p2 = NULL;
++	char *prompt;
++	
++	if (retry)
++		return NULL;
++	
++	if (asprintf(&prompt, "Enter passphrase for token %s: ",
++		PK11_GetTokenName(slot)) < 0)
++		fatal("password_cb: asprintf failed");
++
++	password = read_passphrase(prompt, RP_ALLOW_STDIN);
++	
++	if (password != NULL && (p2=PL_strdup(password)) == NULL) {
++		memset(password, 0, strlen(password));
++		fatal("password_cb: PL_strdup failed");
++	}
++
++	if (passcache != NULL) {
++		if (*passcache != NULL) {
++			memset(*passcache, 0, strlen(*passcache));
++			xfree(*passcache);
++		}
++		*passcache = password;
++	} else {
++		memset(password, 0, strlen(password));
++		xfree(password);
++	}
++	
++	return p2;
++}
++
++static int
++add_slot_keys(AuthenticationConnection *ac, PK11SlotInfo *slot, int add)
++{
++	SECKEYPrivateKeyList *list;
++	SECKEYPrivateKeyListNode *node;
++	char *passcache = NULL;
++	char *tokenname;
++	
++	int count = 0;
++	
++	if (PK11_NeedLogin(slot))
++		PK11_Authenticate(slot, PR_TRUE, &passcache);
++		
++	if ((list=PK11_ListPrivKeysInSlot(slot, NULL, NULL)) == NULL) {
++		return 0;
++	}
++	
++	tokenname = PK11_GetTokenName(slot);
++	
++	for (node=PRIVKEY_LIST_HEAD(list); !PRIVKEY_LIST_END(node, list);
++		node=PRIVKEY_LIST_NEXT(node)) {
++		char *keyname;
++		SECKEYPublicKey *pub;
++		
++		keyname = PK11_GetPrivateKeyNickname(node->key);
++		if (keyname == NULL || *keyname == '\0') {
++			/* no nickname to refer to */
++			CERTCertificate *cert;
++			char *kn;
++			cert = PK11_GetCertFromPrivateKey(node->key);
++			if (cert == NULL)
++				continue;
++			kn = strchr(cert->nickname, ':');
++			if (kn == NULL)
++				kn = cert->nickname;
++			else
++				kn++;
++			keyname = PORT_Strdup(kn);
++			CERT_DestroyCertificate(cert);
++			if (keyname == NULL)
++				continue;
++		}
++		pub = SECKEY_ConvertToPublicKey(node->key);
++		if (pub == NULL) {
++			fprintf(stderr, "No public key for: %s:%s\n",
++				tokenname, keyname);
++			continue; /* not possible to obtain public key */
++		}
++		SECKEY_DestroyPublicKey(pub);
++		
++		if (ssh_update_nss_key(ac, add, tokenname, keyname,
++			passcache?passcache:"",	lifetime, confirm)) {
++			fprintf(stderr, "Key %s: %s:%s\n",
++				add?"added":"removed", tokenname, keyname);
++			count++;
++		} else {
++			fprintf(stderr, "Could not %s key: %s:%s\n",
++				add?"add":"remove", tokenname, keyname);
++		}
++		
++		PORT_Free(keyname);
++		count++;
++	}
++
++	if (passcache != NULL) {
++		memset(passcache, 0, strlen(passcache));
++		xfree(passcache);
++	}
++	
++	SECKEY_DestroyPrivateKeyList(list);
++	
++	return count;
++}
++#endif
++
+ static void
+ usage(void)
+ {
+@@ -334,6 +454,10 @@ main(int argc, char **argv)
+ 	AuthenticationConnection *ac = NULL;
+ 	char *sc_reader_id = NULL;
+ 	int i, ch, deleting = 0, ret = 0;
++#ifdef HAVE_LIBNSS
++	char *token_id = NULL;
++	int use_nss = 0;
++#endif
+ 
+ 	/* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */
+ 	sanitise_stdfd();
+@@ -351,7 +475,7 @@ main(int argc, char **argv)
+ 		    "Could not open a connection to your authentication agent.\n");
+ 		exit(2);
+ 	}
+-	while ((ch = getopt(argc, argv, "lLcdDxXe:s:t:")) != -1) {
++	while ((ch = getopt(argc, argv, "lLcdDnxXe:s:t:T:")) != -1) {
+ 		switch (ch) {
+ 		case 'l':
+ 		case 'L':
+@@ -373,6 +497,11 @@ main(int argc, char **argv)
+ 			if (delete_all(ac) == -1)
+ 				ret = 1;
+ 			goto done;
++#ifdef HAVE_LIBNSS
++		case 'n':
++			use_nss = 1;
++			break;
++#endif
+ 		case 's':
+ 			sc_reader_id = optarg;
+ 			break;
+@@ -387,6 +516,11 @@ main(int argc, char **argv)
+ 				goto done;
+ 			}
+ 			break;
++#ifdef HAVE_LIBNSS
++		case 'T':
++			token_id = optarg;
++			break;
++#endif
+ 		default:
+ 			usage();
+ 			ret = 1;
+@@ -400,6 +534,40 @@ main(int argc, char **argv)
+ 			ret = 1;
+ 		goto done;
+ 	}
++#ifdef HAVE_LIBNSS
++	if (use_nss) {
++		PK11SlotList *slots;
++		PK11SlotListElement *sle;
++		int count = 0;
++		if (nss_init(password_cb) == -1) {
++			fprintf(stderr, "Failed to initialize NSS library\n");
++			ret = 1;
++			goto done;
++		}
++		
++		if ((slots=PK11_GetAllTokens(CKM_INVALID_MECHANISM, PR_FALSE, PR_FALSE,
++			NULL)) == NULL) {
++			fprintf(stderr, "No tokens found\n");
++			ret = 1;
++			goto nss_done;
++		}
++
++		for (sle = slots->head; sle; sle = sle->next) {
++			int rv;
++			if ((rv=add_slot_keys(ac, sle->slot, !deleting)) == -1) {
++				ret = 1;
++			}
++			count += rv;
++		}
++		if (count == 0) {
++			ret = 1;
++		}
++nss_done:		
++		NSS_Shutdown();
++		clear_pass();
++		goto done;
++	}
++#endif
+ 	if (argc == 0) {
+ 		char buf[MAXPATHLEN];
+ 		struct passwd *pw;
+diff -up openssh-5.1p1/ssh-rsa.c.nss-keys openssh-5.1p1/ssh-rsa.c
+--- openssh-5.1p1/ssh-rsa.c.nss-keys	2006-09-01 07:38:37.000000000 +0200
++++ openssh-5.1p1/ssh-rsa.c	2008-07-23 19:16:00.000000000 +0200
+@@ -32,6 +32,10 @@
+ #include "compat.h"
+ #include "ssh.h"
+ 
++#ifdef HAVE_LIBNSS
++#include <cryptohi.h>
++#endif
++
+ static int openssh_RSA_verify(int, u_char *, u_int, u_char *, u_int, RSA *);
+ 
+ /* RSASSA-PKCS1-v1_5 (PKCS #1 v2.0 signature) with SHA1 */
+@@ -50,6 +54,38 @@ ssh_rsa_sign(const Key *key, u_char **si
+ 		error("ssh_rsa_sign: no RSA key");
+ 		return -1;
+ 	}
++
++	slen = RSA_size(key->rsa);
++	sig = xmalloc(slen);
++
++#ifdef HAVE_LIBNSS
++	if (key->flags & KEY_FLAG_NSS) {
++		SECItem sigitem;
++		SECOidTag alg;
++
++		memset(&sigitem, 0, sizeof(sigitem));
++		alg = (datafellows & SSH_BUG_RSASIGMD5) ?
++			SEC_OID_PKCS1_MD5_WITH_RSA_ENCRYPTION :
++			SEC_OID_PKCS1_SHA1_WITH_RSA_ENCRYPTION;
++
++		if (SEC_SignData(&sigitem, (u_char *)data, datalen, key->nss->privk,
++			alg) != SECSuccess) {
++			error("ssh_rsa_sign: sign failed");
++			return -1;
++		}
++		if (sigitem.len > slen) {
++			error("ssh_rsa_sign: slen %u slen2 %u", slen, sigitem.len);
++			xfree(sig);
++			SECITEM_ZfreeItem(&sigitem, PR_FALSE);
++			return -1;
++		}
++		if (sigitem.len < slen) {
++			memset(sig, 0, slen - sigitem.len);
++		}
++		memcpy(sig+slen-sigitem.len, sigitem.data, sigitem.len);
++		SECITEM_ZfreeItem(&sigitem, PR_FALSE);
++	} else {
++#endif
+ 	nid = (datafellows & SSH_BUG_RSASIGMD5) ? NID_md5 : NID_sha1;
+ 	if ((evp_md = EVP_get_digestbynid(nid)) == NULL) {
+ 		error("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
+@@ -59,9 +95,6 @@ ssh_rsa_sign(const Key *key, u_char **si
+ 	EVP_DigestUpdate(&md, data, datalen);
+ 	EVP_DigestFinal(&md, digest, &dlen);
+ 
+-	slen = RSA_size(key->rsa);
+-	sig = xmalloc(slen);
+-
+ 	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
+ 	memset(digest, 'd', sizeof(digest));
+ 
+@@ -83,6 +116,9 @@ ssh_rsa_sign(const Key *key, u_char **si
+ 		xfree(sig);
+ 		return -1;
+ 	}
++#ifdef HAVE_LIBNSS
++	}
++#endif
+ 	/* encode signature */
+ 	buffer_init(&b);
+ 	buffer_put_cstring(&b, "ssh-rsa");
+diff -up openssh-5.1p1/ssh-keygen.c.nss-keys openssh-5.1p1/ssh-keygen.c
+--- openssh-5.1p1/ssh-keygen.c.nss-keys	2008-07-14 03:28:29.000000000 +0200
++++ openssh-5.1p1/ssh-keygen.c	2008-07-23 19:16:00.000000000 +0200
+@@ -53,6 +53,11 @@
+ #include "scard.h"
+ #endif
+ 
++#ifdef HAVE_LIBNSS
++#include <nss.h>
++#include "nsskeys.h"
++#endif
++
+ /* Number of bits in the RSA/DSA key.  This value can be set on the command line. */
+ #define DEFAULT_BITS		2048
+ #define DEFAULT_BITS_DSA	1024
+@@ -501,6 +506,26 @@ do_download(struct passwd *pw, const cha
+ }
+ #endif /* SMARTCARD */
+ 
++#ifdef HAVE_LIBNSS
++static void
++do_nss_download(struct passwd *pw, const char *tokenname, const char *keyname)
++{
++	Key **keys = NULL;
++	int i;
++	
++	keys = nss_get_keys(tokenname, keyname, NULL);
++	if (keys == NULL)
++		fatal("cannot find public key in NSS");
++	for (i = 0; keys[i]; i++) {
++		key_write(keys[i], stdout);
++		key_free(keys[i]);
++		fprintf(stdout, "\n");
++	}
++	xfree(keys);
++	exit(0);
++}
++#endif /* HAVE_LIBNSS */
++
+ static void
+ do_fingerprint(struct passwd *pw)
+ {
+@@ -1083,7 +1108,8 @@ main(int argc, char **argv)
+ 	Key *private, *public;
+ 	struct passwd *pw;
+ 	struct stat st;
+-	int opt, type, fd, download = 0;
++	int opt, type, fd, download = 1;
++	int use_nss = 0;
+ 	u_int32_t memory = 0, generator_wanted = 0, trials = 100;
+ 	int do_gen_candidates = 0, do_screen_candidates = 0;
+ 	BIGNUM *start = NULL;
+@@ -1116,7 +1142,7 @@ main(int argc, char **argv)
+ 	}
+ 
+ 	while ((opt = getopt(argc, argv,
+-	    "degiqpclBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
++	    "degiqpclnBHvxXyF:b:f:t:U:D:P:N:C:r:g:R:T:G:M:S:a:W:")) != -1) {
+ 		switch (opt) {
+ 		case 'b':
+ 			bits = (u_int32_t)strtonum(optarg, 768, 32768, &errstr);
+@@ -1156,6 +1182,10 @@ main(int argc, char **argv)
+ 		case 'g':
+ 			print_generic = 1;
+ 			break;
++		case 'n':
++			use_nss = 1;
++			download = 1;
++			break;
+ 		case 'P':
+ 			identity_passphrase = optarg;
+ 			break;
+@@ -1187,10 +1217,10 @@ main(int argc, char **argv)
+ 		case 't':
+ 			key_type_name = optarg;
+ 			break;
+-		case 'D':
+-			download = 1;
+-			/*FALLTHROUGH*/
+ 		case 'U':
++			download = 0;
++			/*FALLTHROUGH*/
++		case 'D':
+ 			reader_id = optarg;
+ 			break;
+ 		case 'v':
+@@ -1299,6 +1329,17 @@ main(int argc, char **argv)
+ 			exit(0);
+ 		}
+ 	}
++
++	if (use_nss) {
++#ifdef HAVE_LIBNSS
++		if (download)
++			do_nss_download(pw, reader_id, identity_file);
++		else
++			fatal("no support for NSS key upload.");
++#else
++		fatal("no support for NSS keys.");
++#endif
++	}
+ 	if (reader_id != NULL) {
+ #ifdef SMARTCARD
+ 		if (download)
+diff -up openssh-5.1p1/readconf.c.nss-keys openssh-5.1p1/readconf.c
+--- openssh-5.1p1/readconf.c.nss-keys	2008-06-29 16:04:03.000000000 +0200
++++ openssh-5.1p1/readconf.c	2008-07-23 19:16:00.000000000 +0200
+@@ -124,6 +124,7 @@ typedef enum {
+ 	oKbdInteractiveAuthentication, oKbdInteractiveDevices, oHostKeyAlias,
+ 	oDynamicForward, oPreferredAuthentications, oHostbasedAuthentication,
+ 	oHostKeyAlgorithms, oBindAddress, oSmartcardDevice,
++	oUseNSS, oNSSToken,
+ 	oClearAllForwardings, oNoHostAuthenticationForLocalhost,
+ 	oEnableSSHKeysign, oRekeyLimit, oVerifyHostKeyDNS, oConnectTimeout,
+ 	oAddressFamily, oGssAuthentication, oGssDelegateCreds,
+@@ -210,6 +211,13 @@ static struct {
+ #else
+ 	{ "smartcarddevice", oUnsupported },
+ #endif
++#ifdef HAVE_LIBNSS
++	{ "usenss", oUseNSS },
++	{ "nsstoken", oNSSToken },
++#else
++	{ "usenss", oUnsupported },
++	{ "nsstoken", oNSSToken },
++#endif
+ 	{ "clearallforwardings", oClearAllForwardings },
+ 	{ "enablesshkeysign", oEnableSSHKeysign },
+ 	{ "verifyhostkeydns", oVerifyHostKeyDNS },
+@@ -603,6 +611,14 @@ parse_string:
+ 		charptr = &options->smartcard_device;
+ 		goto parse_string;
+ 
++	case oUseNSS:
++		intptr = &options->use_nss;
++		goto parse_flag;
++
++	case oNSSToken:
++		charptr = &options->nss_token;
++		goto parse_command;
++
+ 	case oProxyCommand:
+ 		charptr = &options->proxy_command;
+ parse_command:
+@@ -1055,6 +1071,8 @@ initialize_options(Options * options)
+ 	options->preferred_authentications = NULL;
+ 	options->bind_address = NULL;
+ 	options->smartcard_device = NULL;
++	options->use_nss = -1;
++	options->nss_token = NULL;
+ 	options->enable_ssh_keysign = - 1;
+ 	options->no_host_authentication_for_localhost = - 1;
+ 	options->identities_only = - 1;
+@@ -1184,6 +1202,8 @@ fill_default_options(Options * options)
+ 		options->no_host_authentication_for_localhost = 0;
+ 	if (options->identities_only == -1)
+ 		options->identities_only = 0;
++	if (options->use_nss == -1)
++		options->use_nss = 0;
+ 	if (options->enable_ssh_keysign == -1)
+ 		options->enable_ssh_keysign = 0;
+ 	if (options->rekey_limit == -1)
diff --git a/openssh-5.1p1-scp-manpage.patch b/openssh-5.1p1-scp-manpage.patch
new file mode 100644
index 0000000..e314a05
--- /dev/null
+++ b/openssh-5.1p1-scp-manpage.patch
@@ -0,0 +1,18 @@
+diff -up openssh-5.1p1/scp.1.manpage openssh-5.1p1/scp.1
+--- openssh-5.1p1/scp.1.manpage	2008-07-12 09:12:49.000000000 +0200
++++ openssh-5.1p1/scp.1	2008-07-23 19:18:15.000000000 +0200
+@@ -66,6 +66,14 @@ treating file names containing
+ as host specifiers.
+ Copies between two remote hosts are also permitted.
+ .Pp
++When copying a source file to a target file which already exists,
++.Nm 
++will replace the contents of the target file (keeping the inode).
++.Pp
++If the target file does not yet exist, an empty file with the target
++file name is created, then filled with the source file contents.
++No attempt is made at "near-atomic" transfer using temporary files.
++.Pp
+ The options are as follows:
+ .Bl -tag -width Ds
+ .It Fl 1
diff --git a/openssh.spec b/openssh.spec
index 3f5ee83..f2f7b0c 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -79,7 +79,7 @@ Patch2: openssh-5.1p1-skip-initial.patch
 Patch3: openssh-3.8.1p1-krb5-config.patch
 Patch4: openssh-5.1p1-vendor.patch
 Patch12: openssh-5.1p1-selinux.patch
-Patch13: openssh-4.7p1-mls.patch
+Patch13: openssh-5.1p1-mls.patch
 Patch16: openssh-4.7p1-audit.patch
 Patch17: openssh-4.3p2-cve-2007-3102.patch
 Patch18: openssh-5.0p1-pam_selinux.patch
@@ -87,15 +87,15 @@ Patch22: openssh-3.9p1-askpass-keep-above.patch
 Patch24: openssh-4.3p1-fromto-remote.patch
 Patch27: openssh-5.1p1-log-in-chroot.patch
 Patch30: openssh-4.0p1-exit-deadlock.patch
-Patch35: openssh-4.2p1-askpass-progress.patch
+Patch35: openssh-5.1p1-askpass-progress.patch
 Patch38: openssh-4.3p2-askpass-grab-info.patch
 Patch39: openssh-4.3p2-no-v6only.patch
 Patch44: openssh-4.3p2-allow-ip-opts.patch
 Patch49: openssh-4.3p2-gssapi-canohost.patch
-Patch51: openssh-4.7p1-nss-keys.patch
-Patch54: openssh-4.7p1-gssapi-role.patch
+Patch51: openssh-5.1p1-nss-keys.patch
+Patch54: openssh-5.1p1-gssapi-role.patch
 Patch55: openssh-5.1p1-cloexec.patch
-Patch62: openssh-3.9p1-scp-manpage.patch
+Patch62: openssh-5.1p1-scp-manpage.patch
 
 License: BSD
 Group: Applications/Internet
@@ -224,9 +224,9 @@ an X11 passphrase dialog for OpenSSH.
 %patch44 -p1 -b .ip-opts
 %patch49 -p1 -b .canohost
 %patch51 -p1 -b .nss-keys
-%patch54 -p0 -b .gssapi-role
+%patch54 -p1 -b .gssapi-role
 %patch55 -p1 -b .cloexec
-%patch62 -p0 -b .manpage
+%patch62 -p1 -b .manpage
 
 autoreconf