diff -up ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c

--- ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c.werror	2016-01-26 17:01:19.803230193 +0100

+++ ecryptfs-utils-109/src/key_mod/ecryptfs_key_mod_pkcs11_helper.c	2016-01-26 17:01:19.810230176 +0100

@@ -98,7 +98,7 @@ static int ecryptfs_pkcs11h_deserialize(

 		pkcs11h_data->serialized_id = NULL;

 	}

 	else {

-		pkcs11h_data->serialized_id = blob + i;

+		pkcs11h_data->serialized_id = (char *)blob + i;

 		i += serialized_id_length;

 	}

 	pkcs11h_data->certificate_blob_size = blob[i++] % 256;

@@ -116,12 +116,11 @@ static int ecryptfs_pkcs11h_deserialize(

 		pkcs11h_data->passphrase = NULL;

 	}

 	else {

-		pkcs11h_data->passphrase = blob + i;

+		pkcs11h_data->passphrase = (char *)blob + i;

 		i += passphrase_length;

 	}

 	rc = 0;

-out:

 	return rc;

 }

@@ -379,15 +379,15 @@ static int ecryptfs_pkcs11h_get_key_sig(

 	data[i++] = (char)(nbits >> 8);

 	data[i++] = (char)nbits;

 	RSA_get0_key(rsa, &rsa_n, NULL, NULL);

-	BN_bn2bin(rsa_n, &(data[i]));

+	BN_bn2bin(rsa_n, (unsigned char *)&(data[i]));

 	i += nbytes;

 	data[i++] = (char)(ebits >> 8);

 	data[i++] = (char)ebits;

 	RSA_get0_key(rsa, NULL, &rsa_e, NULL);

-	BN_bn2bin(rsa_e, &(data[i]));

+	BN_bn2bin(rsa_e, (unsigned char *)&(data[i]));

 	i += ebytes;

-	SHA1(data, len + 3, hash);

-	to_hex(sig, hash, ECRYPTFS_SIG_SIZE);

+	SHA1((unsigned char *)data, len + 3, (unsigned char *)hash);

+	to_hex((char *)sig, hash, ECRYPTFS_SIG_SIZE);

 	sig[ECRYPTFS_SIG_SIZE_HEX] = '\0';

 	rc = 0;

@@ -423,8 +422,8 @@ static int ecryptfs_pkcs11h_encrypt(char

 		if (

 			(rc = RSA_public_encrypt(

 				from_size,

-				from,

-				to,

+				(unsigned char *)from,

+				(unsigned char *)to,

 				rsa,

 				RSA_PKCS1_PADDING

 			)) == -1

@@ -518,9 +517,9 @@ static int ecryptfs_pkcs11h_decrypt(char

 		(rv = pkcs11h_certificate_decryptAny (

 			certificate,

 			CKM_RSA_PKCS,

-			from,

+			(unsigned char *)from,

 			from_size,

-			to,

+			(unsigned char *)to,

 			to_size

 		)) != CKR_OK

 	) {

@@ -546,9 +545,9 @@ static int ecryptfs_pkcs11h_decrypt(char

 		pkcs11h_certificate_decryptAny (

 			certificate,

 			CKM_RSA_PKCS,

-			from,

+			(unsigned char *)from,

 			from_size,

-			tmp,

+			(unsigned char *)tmp,

 			to_size

 		);

@@ -863,7 +862,7 @@ static int ecryptfs_pkcs11h_process_key(

 		rc = MOUNT_ERROR;

 		goto out;

 	}

-	if ((rc = ecryptfs_pkcs11h_serialize(subgraph_key_ctx->key_mod->blob,

+	if ((rc = ecryptfs_pkcs11h_serialize((unsigned char *)subgraph_key_ctx->key_mod->blob,

 					     &subgraph_key_ctx->key_mod->blob_size, 

 					     pkcs11h_data))) {

 		syslog(LOG_ERR, "PKCS#11: Error serializing pkcs11; rc=[%d]\n", rc);

@@ -942,7 +941,7 @@ static int tf_pkcs11h_global_loglevel(st

 	rc = DEFAULT_TOK;

 	node->val = NULL;

-out:

+// out:

 	return rc;

 }

@@ -955,7 +954,7 @@ static int tf_pkcs11h_global_pincache(st

 	rc = DEFAULT_TOK;

 	node->val = NULL;

-out:

+// out:

 	return rc;

 }

@@ -1025,7 +1024,7 @@ static int tf_pkcs11h_provider_prot_auth

 	sscanf (node->val, "%x", &subgraph_provider_ctx->allow_protected_authentication);

 	rc = DEFAULT_TOK;

 	node->val = NULL;

-out:

+

 	return rc;

 }

@@ -1039,7 +1038,7 @@ static int tf_pkcs11h_provider_cert_priv

 	sscanf (node->val, "%x", &subgraph_provider_ctx->certificate_is_private);

 	rc = DEFAULT_TOK;

 	node->val = NULL;

-out:

+

 	return rc;

 }

@@ -1054,7 +1053,7 @@ static int tf_pkcs11h_provider_private_m

 	rc = DEFAULT_TOK;

 	node->val = NULL;

-out:

+

 	return rc;

 }

@@ -1085,7 +1084,7 @@ static int tf_pkcs11h_provider_end(struc

 	free(subgraph_provider_ctx);

 	*foo = NULL;

 	rc = DEFAULT_TOK;

-out:

+

 	return rc;

 }

@@ -1132,7 +1131,7 @@ static int tf_pkcs11h_key_x509file(struc

 	X509 *x509 = NULL;

 	unsigned char *p = NULL;

 	FILE *fp = NULL;

-	int rc;

+	int rc = 0;

 	subgraph_key_ctx = (struct pkcs11h_subgraph_key_ctx *)(*foo);

diff -up ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c.werror ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c

--- ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c.werror	2015-12-21 21:38:59.000000000 +0100

+++ ecryptfs-utils-109/src/pam_ecryptfs/pam_ecryptfs.c	2016-01-26 17:01:19.810230176 +0100

@@ -84,9 +84,7 @@ static int wrap_passphrase_if_necessary(

 	    stat(wrapped_pw_filename, &s) != 0  &&

 	    passphrase != NULL && *passphrase != '\0' &&

 	    username != NULL && *username != '\0') {

-		setuid(uid);

-		rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename);

-		if (rc != 0) {

+		if ((rc = setuid(uid))<0 || ((rc = ecryptfs_wrap_passphrase_file(wrapped_pw_filename, passphrase, salt, unwrapped_pw_filename)) != 0)) {

 			syslog(LOG_ERR, "pam_ecryptfs: Error wrapping cleartext password; " "rc = [%d]\n", rc);

 		}

 		return rc;

@@ -356,7 +354,7 @@ static int private_dir(pam_handle_t *pam

 			if (stat(recorded, &s) != 0 && stat("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", &s) == 0) {

 				/* User has not recorded their passphrase */

 				unlink("/var/lib/update-notifier/user.d/ecryptfs-record-passphrase");

-				symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase");

+				rc=symlink("/usr/share/ecryptfs-utils/ecryptfs-record-passphrase", "/var/lib/update-notifier/user.d/ecryptfs-record-passphrase");

 				fd = open("/var/lib/update-notifier/dpkg-run-stamp", O_WRONLY|O_CREAT|O_NONBLOCK, 0666);

 				if (fd != -1)

 					close(fd);

@@ -517,7 +515,10 @@ PAM_EXTERN int pam_sm_chauthtok(pam_hand

 		char passphrase[ECRYPTFS_MAX_PASSWORD_LENGTH + 1];

 		/* temp regain uid 0 to drop privs */

-		seteuid(oeuid);

+		if (seteuid(oeuid) < 0) {

+			syslog(LOG_ERR, "pam_ecryptfs: seteuid error");

+			goto out_child;

+		}

 		/* setgroups() already called */

 		if (setgid(gid) < 0 || setuid(uid) < 0)

 			goto out_child;

@@ -542,9 +543,9 @@ out_child:

 	free(wrapped_pw_filename);

 out:

-	seteuid(oeuid);

-	setegid(oegid);

-	setgroups(ngids, groups);

+	rc = seteuid(oeuid);

+	rc = setegid(oegid);

+	rc = setgroups(ngids, groups);

 outnouid:

 	return rc;

diff -up ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c.werror ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c

--- ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c.werror	2015-12-21 21:38:59.000000000 +0100

+++ ecryptfs-utils-109/src/utils/ecryptfs_generate_tpm_key.c	2016-01-26 17:01:19.810230176 +0100

@@ -89,7 +89,7 @@ int main(int argc, char **argv)

 	int i, c, *pcrsSelected = NULL, numPcrsSelected = 0;

 	TSS_UUID *uuid;

 	BYTE wellknown[] = TSS_WELL_KNOWN_SECRET;

-	char *tmp_pcrs;

+	int *tmp_pcrs;

 	while (1) {

 		c = getopt(argc, argv, "p:");

diff -up ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c.werror ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c

--- ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c.werror	2016-01-26 17:01:19.807230183 +0100

+++ ecryptfs-utils-109/src/utils/mount.ecryptfs_private.c	2016-01-26 17:01:30.262205251 +0100

@@ -232,7 +232,7 @@ static int check_cwd_f_type()

 	 *

 	 * This whitelist is to prevent malicious mount.ecryptfs_private users

 	 * from mounting over filesystem types such as PROC_SUPER_MAGIC to

-	 * deceive other programs with a crafted /proc/self/*. See

+	 * deceive other programs with a crafted /proc/self/ *. See

 	 * https://launchpad.net/bugs/1530566 for more details.

 	 */

 	__SWORD_TYPE f_type_whitelist[] = {

@@ -276,7 +276,7 @@ static int check_cwd_f_type()

 	fprintf(stderr,

 		"Refusing to mount over an unapproved filesystem type: %#lx\n",

-		buf.f_type);

+		(long unsigned int)buf.f_type);

 	return 1;

 }

@@ -829,8 +829,8 @@ int main(int argc, char *argv[]) {

  		 * update mtab for us, and replace the current process.

 		 * Do not use the umount.ecryptfs helper (-i).

  		 */

-		setresuid(0,0,0);

-		setresgid(0,0,0);

+		rc=setresuid(0,0,0);

+		rc=setresgid(0,0,0);

 		clearenv();

 		/* Since we're doing a lazy unmount anyway, just unmount the current

diff -up ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c.werror ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c

--- ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c.werror	2015-12-21 21:38:59.000000000 +0100

+++ ecryptfs-utils-109/tests/kernel/inode-race-stat/test.c	2016-01-26 17:01:19.811230174 +0100

@@ -364,6 +364,7 @@ abort:

 		if (write(pipe_to[i][1], cmd, 1) != 1)

 			continue;

+		(void)ret;

 		(void)waitpid(pids[i], &status, 0);

 		(void)close(pipe_to[i][1]);