public inbox for gentoo-commits@lists.gentoo.org
* [gentoo-commits] repo/gentoo:master commit in: sys-auth/pam_ssh_agent_auth/, sys-auth/pam_ssh_agent_auth/files/
@ 2018-11-02 19:51 Robin H. Johnson
From: Robin H. Johnson @ 2018-11-02 19:51 UTC
  To: gentoo-commits

commit:     5b085b63dd4fd0a5ef43144ca3f23bb2cf88a4d1
Author:     Craig Andrews <candrews <AT> gentoo <DOT> org>
AuthorDate: Fri Nov  2 16:46:01 2018 +0000
Commit:     Robin H. Johnson <robbat2 <AT> gentoo <DOT> org>
CommitDate: Fri Nov  2 19:50:53 2018 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5b085b63

sys-auth/pam_ssh_agent_auth: 0.10.3 version bump

Include OpenSSL 1.1.1 support patch
Add -9999 live ebuild
Update metadata to reference github project site

Closes: https://bugs.gentoo.org/669758
Signed-off-by: Craig Andrews <candrews <AT> gentoo.org>
Package-Manager: Portage-2.3.51, Repoman-2.3.11
(cherry picked from commit 1bd6acd801306f1dadb54637f1e838c0c6dad6a5)
Signed-off-by: Robin H. Johnson <robbat2 <AT> gentoo.org>

 sys-auth/pam_ssh_agent_auth/Manifest               |    1 +
 .../pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch  | 1244 ++++++++++++++++++++
 sys-auth/pam_ssh_agent_auth/metadata.xml           |    1 +
 .../pam_ssh_agent_auth-0.10.3.ebuild               |   51 +
 .../pam_ssh_agent_auth-9999.ebuild                 |   48 +
 5 files changed, 1345 insertions(+)

diff --git a/sys-auth/pam_ssh_agent_auth/Manifest b/sys-auth/pam_ssh_agent_auth/Manifest
index 10e261a8104..1b1fdc46d1c 100644
--- a/sys-auth/pam_ssh_agent_auth/Manifest
+++ b/sys-auth/pam_ssh_agent_auth/Manifest
@@ -1,4 +1,5 @@
 DIST pam_ssh_agent_auth-0.10.2.tar.bz2 246412 BLAKE2B 3adf2bcc76559733f997744c95c660c67010b124db6e811559625a2ad7cbc7339d43d22dd5144135ae36ab90fdeb3c80c887e3157241936ceeb6026c8aa298fe SHA512 b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38
+DIST pam_ssh_agent_auth-0.10.3.tar.bz2 1066393 BLAKE2B 07b113d05e09f770d63dbea813ea644199d2b103f9c6d7e5960bfad37cb181ce5a5f111f72e0274c0335e4c217ccd19bd53d61af23f8bc6aff14c1995fc4edc9 SHA512 d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
 DIST pam_ssh_agent_auth-0.9.2.tar.bz2 237156 BLAKE2B b9d09920e10b454ea739e44c38daba6a509fbd4a96f01e26a82e0a8c58b696806b1f3ea95d53c10b55ed01e5804dfb687dd4545b87d85fa4f6a474548c3666d5 SHA512 e710a4dff315c8d79c5d5edc4ebe1629a8fc6d09651813fd4792a2021e7c2d5768d6b7e8539801e31b947cc30817f32375d751fc396707fc4f257df4f33cd408
 DIST pam_ssh_agent_auth-0.9.3.tar.bz2 239596 BLAKE2B 7be6af1c78457e082d34f5df406fccf74fbda48d1fe87be0592b927ea296b6db3cf1f9a58bcdd61c50556ffc53c16276dc87e5970d9caa0e51fb520e0473240b SHA512 c2304dcf623858339b5fd77bcf64e9c980a3ee241384b9125d64ba6ab9539a65eacbd3576b31a94bb390e4c089e702f9df2963119250b773bd8be872ae63a050
 DIST pam_ssh_agent_auth-0.9.4.tar.bz2 239250 BLAKE2B fee1e009a5374126db0b0df9f05436521e215933ed2eabdcd1983e6372fc7160c6a6c53d07b9ddc7bdd8b9529a27c7da4ef35aad2c80ea1ef2f895f3fb237135 SHA512 3d469e85bf7c49dcf9345c63678ebe050db4d15447592bc337bfc762f2337f92cebd7e840fc12d7be94acf1aa47b0272efe2c1688888ecd8f9daf63549520792

diff --git a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch
new file mode 100644
index 00000000000..a422cd5e479
--- /dev/null
+++ b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch
@@ -0,0 +1,1244 @@
+From eef90424a0545b7b0125dfaf5e3cef3c5248ada0 Mon Sep 17 00:00:00 2001
+From: Guido Falsi <mad@madpilot.net>
+Date: Sat, 20 Oct 2018 14:29:43 +0200
+Subject: [PATCH 1/2] Adapt to OpenSSL 1.1.1.
+
+The FreeBSD operating system is migrating to OpenSSL 1.1.1 and I have created this set of patches to make pam_ssh_agent_auth compile with it.
+
+The patch comments out some parts of include files which are not actually used and reference now opaque OpenSSL internals.
+
+I also have migrated the source files to use accessors to use the OpenSSL objects.
+
+The patch works on FreeBSD head (will be 12.0) but the --without-openssl-header-check argument is required in configure there.
+---
+ authfd.c    |  50 ++++++++++++++++++++
+ bufbn.c     |   4 ++
+ cipher.h    |   6 ++-
+ kex.h       |   9 +++-
+ key.c       | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++--
+ ssh-dss.c   |  51 ++++++++++++++++----
+ ssh-ecdsa.c |  40 ++++++++++++----
+ ssh-rsa.c   |  22 +++++++--
+ 8 files changed, 287 insertions(+), 28 deletions(-)
+
+diff --git a/authfd.c b/authfd.c
+index 7b96921..35f8de1 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -372,6 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
+ 	case 1:
+ 		key = pamsshagentauth_key_new(KEY_RSA1);
+ 		bits = pamsshagentauth_buffer_get_int(&auth->identities);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e);
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n);
+ 		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
+@@ -379,6 +380,15 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
+ 		if (keybits < 0 || bits != (u_int)keybits)
+ 			pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u",
+ 			    BN_num_bits(key->rsa->n), bits);
++#else
++		pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_n(key->rsa));
++		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
++		keybits = BN_num_bits(RSA_get0_n(key->rsa));
++		if (keybits < 0 || bits != (u_int)keybits)
++			pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u",
++			    BN_num_bits(RSA_get0_n(key->rsa)), bits);
++#endif
+ 		break;
+ 	case 2:
+ 		blob = pamsshagentauth_buffer_get_string(&auth->identities, &blen);
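Review bot: The `#else` branch in ssh_get_next_identity is selected for every OpenSSL at or above 0x10100000L, but the single-field getters it calls (RSA_get0_e, RSA_get0_n) were only added in OpenSSL 1.1.1; 1.1.0 provides RSA_get0_key() alone, so a 1.1.0 build takes this branch and fails to compile. Either raise the guard to the 1.1.1 version number or fetch both values with one RSA_get0_key() call. The getters also return const BIGNUM pointers, and here they are handed to pamsshagentauth_buffer_get_bignum() as the destination to fill, which discards the const qualifier and relies on key_new having installed writable BIGNUMs beforehand; a short comment stating that dependency would help.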
+@@ -422,9 +432,15 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
+ 	}
+ 	pamsshagentauth_buffer_init(&buffer);
+ 	pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e);
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n);
++#else
++	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(RSA_get0_n(key->rsa)));
++	pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_e(key->rsa));
++	pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_n(key->rsa));
++#endif
+ 	pamsshagentauth_buffer_put_bignum(&buffer, challenge);
+ 	pamsshagentauth_buffer_append(&buffer, session_id, 16);
+ 	pamsshagentauth_buffer_put_int(&buffer, response_type);
+@@ -501,6 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
+ static void
+ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n));
+ 	pamsshagentauth_buffer_put_bignum(b, key->n);
+ 	pamsshagentauth_buffer_put_bignum(b, key->e);
+@@ -509,6 +526,16 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+ 	pamsshagentauth_buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
+ 	pamsshagentauth_buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
+ 	pamsshagentauth_buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
++#else
++	pamsshagentauth_buffer_put_int(b, BN_num_bits(RSA_get0_n(key)));
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_n(key));
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_e(key));
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_d(key));
++	/* To keep within the protocol: p < q for ssh. in SSL p > q */
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_iqmp(key));	/* ssh key->u */
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_q(key));	/* ssh key->p, SSL key->q */
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_p(key));	/* ssh key->q, SSL key->p */
++#endif
+ 	pamsshagentauth_buffer_put_cstring(b, comment);
+ }
+ 
+@@ -518,19 +545,36 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+ 	pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key));
+ 	switch (key->type) {
+ 	case KEY_RSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->n);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->d);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->iqmp);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->p);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->q);
++#else
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_n(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_d(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_iqmp(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_p(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_q(key->rsa));
++#endif
+ 		break;
+ 	case KEY_DSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->p);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->q);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->g);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->pub_key);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->priv_key);
++#else
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_p(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_q(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_g(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_pub_key(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_priv_key(key->dsa));
++#endif
+ 		break;
+ 	}
+ 	pamsshagentauth_buffer_put_cstring(b, comment);
+@@ -610,9 +654,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
+ 
+ 	if (key->type == KEY_RSA1) {
+ 		pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n));
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n);
++#else
++		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(RSA_get0_n(key->rsa)));
++		pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_n(key->rsa));
++#endif
+ 	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
+ 		pamsshagentauth_key_to_blob(key, &blob, &blen);
+ 		pamsshagentauth_buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
+diff --git a/bufbn.c b/bufbn.c
+index 6a49c73..4ecedc1 100644
+--- a/bufbn.c
++++ b/bufbn.c
+@@ -151,7 +151,11 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
+ 		pamsshagentauth_buffer_put_int(buffer, 0);
+ 		return 0;
+ 	}
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if (value->neg) {
++#else
++	if (BN_is_negative(value)) {
++#endif
+ 		pamsshagentauth_logerror("buffer_put_bignum2_ret: negative numbers not supported");
+ 		return (-1);
+ 	}
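Review bot: The version switch around the sign test in pamsshagentauth_buffer_put_bignum2_ret is unnecessary, because BN_is_negative() is already available in the pre-1.1.0 headers. Use `if (BN_is_negative(value)) {` unconditionally; that also avoids splitting one opening brace across two preprocessor branches, which makes the block harder to read and trips brace matching in editors.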
+diff --git a/cipher.h b/cipher.h
+index 49bbc16..64f59ca 100644
+--- a/cipher.h
++++ b/cipher.h
+@@ -59,15 +59,18 @@
+ #define CIPHER_DECRYPT		0
+ 
+ typedef struct Cipher Cipher;
+-typedef struct CipherContext CipherContext;
++// typedef struct CipherContext CipherContext;
+ 
+ struct Cipher;
++/*
+ struct CipherContext {
+ 	int	plaintext;
+ 	EVP_CIPHER_CTX evp;
+ 	Cipher *cipher;
+ };
++*/
+ 
++/*
+ u_int	 cipher_mask_ssh1(int);
+ Cipher	*cipher_by_name(const char *);
+ Cipher	*cipher_by_number(int);
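Review bot: The CipherContext typedef, the struct and the prototypes are disabled for every OpenSSL version, while the rest of this patch guards its changes with OPENSSL_VERSION_NUMBER, so pre-1.1.0 builds lose these declarations as well. If they are unused, delete them outright; if they are only a problem with the opaque EVP_CIPHER_CTX, wrap them in the same version guard. The `//` comment on the typedef is also out of step with the `/* */` style used in the rest of the header.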
+@@ -88,4 +91,5 @@ void	 cipher_set_keyiv(CipherContext *, u_char *);
+ int	 cipher_get_keyiv_len(const CipherContext *);
+ int	 cipher_get_keycontext(const CipherContext *, u_char *);
+ void	 cipher_set_keycontext(CipherContext *, u_char *);
++*/
+ #endif				/* CIPHER_H */
+diff --git a/kex.h b/kex.h
+index 8e29c90..81ca57d 100644
+--- a/kex.h
++++ b/kex.h
+@@ -70,7 +70,7 @@ enum kex_exchange {
+ #define KEX_INIT_SENT	0x0001
+ 
+ typedef struct Kex Kex;
+-typedef struct Mac Mac;
++// typedef struct Mac Mac;
+ typedef struct Comp Comp;
+ typedef struct Enc Enc;
+ typedef struct Newkeys Newkeys;
+@@ -84,6 +84,7 @@ struct Enc {
+ 	u_char	*key;
+ 	u_char	*iv;
+ };
++/*
+ struct Mac {
+ 	char	*name;
+ 	int	enabled;
+@@ -95,11 +96,13 @@ struct Mac {
+ 	HMAC_CTX	evp_ctx;
+ 	struct umac_ctx *umac_ctx;
+ };
++*/
+ struct Comp {
+ 	int	type;
+ 	int	enabled;
+ 	char	*name;
+ };
++/*
+ struct Newkeys {
+ 	Enc	enc;
+ 	Mac	mac;
+@@ -126,7 +129,9 @@ struct Kex {
+ 	int	(*host_key_index)(Key *);
+ 	void	(*kex[KEX_MAX])(Kex *);
+ };
++*/
+ 
++/*
+ Kex	*kex_setup(char *[PROPOSAL_MAX]);
+ void	 kex_finish(Kex *);
+ 
+@@ -152,6 +157,8 @@ kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ void
+ derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
+ 
++*/
++
+ #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
+ void	dump_digest(char *, u_char *, int);
+ #endif
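Review bot: The `*/` added before the DEBUG_KEX block closes a `/*` opened in the previous hunk, and the lines between them are mostly outside the diff context. C block comments do not nest, so any existing `/* ... */` among those elided prototypes would end the wrapper early and re-enable the declarations after it. `#if 0` / `#endif`, or plain removal, disables the region without that hazard, and the same applies to the commented-out struct Mac, struct Newkeys and struct Kex earlier in this file.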
+diff --git a/key.c b/key.c
+index 107a442..aedbbb5 100644
+--- a/key.c
++++ b/key.c
+@@ -77,15 +77,21 @@ pamsshagentauth_key_new(int type)
+ 	case KEY_RSA:
+ 		if ((rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: RSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((rsa->n = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((rsa->e = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
++#else
++		if (RSA_set0_key(rsa, BN_new(), BN_new(), NULL) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_key failed");
++#endif
+ 		k->rsa = rsa;
+ 		break;
+ 	case KEY_DSA:
+ 		if ((dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: DSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((dsa->p = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((dsa->q = BN_new()) == NULL)
+@@ -94,6 +100,12 @@ pamsshagentauth_key_new(int type)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((dsa->pub_key = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
++#else
++		if (DSA_set0_pqg(dsa, BN_new(), BN_new(), BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: DSA_set0_pqg failed");
++		if (DSA_set0_key(dsa, BN_new(), NULL) != 1)
++			pamsshagentauth_fatal("key_new: DSA_set0_key failed");
++#endif
+ 		k->dsa = dsa;
+ 		break;
+ 	case KEY_ECDSA:
+@@ -118,6 +130,7 @@ pamsshagentauth_key_new_private(int type)
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((k->rsa->d = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ 		if ((k->rsa->iqmp = BN_new()) == NULL)
+@@ -130,14 +143,30 @@ pamsshagentauth_key_new_private(int type)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ 		if ((k->rsa->dmp1 = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
++#else
++		if (RSA_set0_key(k->rsa, NULL, NULL, BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_key failed");
++		if (RSA_set0_crt_params(k->rsa, BN_new(), BN_new(), BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_crt_params failed");
++		if (RSA_set0_factors(k->rsa, BN_new(), BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_factors failed");
++#endif
+ 		break;
+ 	case KEY_DSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((k->dsa->priv_key = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
++#else
++		if (DSA_set0_key(k->dsa, NULL, BN_new()) != 1)
++			pamsshagentauth_fatal("key_new_private: DSA_set0_key failed");
++#endif
+ 		break;
+ 	case KEY_ECDSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1)
+ 			pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed");
++#else
++#endif
+ 		break;
+ 	case KEY_ED25519:
+ 		RAND_bytes(k->ed25519->sk, sizeof(k->ed25519->sk));
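Review bot: In the KEY_ECDSA case of pamsshagentauth_key_new_private the `#else` branch is empty, so on OpenSSL 1.1.0 and later EC_KEY_set_private_key() is never called and the function's behaviour differs between versions. EC_KEY_set_private_key() is a public function in 1.1.x as well, so the call needs no guard; drop the `#if` here. Separately, the three new fatal messages in the RSA branch say "key_new:" although they are in key_new_private, which will mislead anyone reading the log; use "key_new_private: RSA_set0_key failed" and so on.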
+@@ -195,14 +224,26 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
+ 		return a->rsa != NULL && b->rsa != NULL &&
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+ 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
++#else
++		    BN_cmp(RSA_get0_e(a->rsa), RSA_get0_e(b->rsa)) == 0 &&
++		    BN_cmp(RSA_get0_n(a->rsa), RSA_get0_n(b->rsa)) == 0;
++#endif
+ 	case KEY_DSA:
+ 		return a->dsa != NULL && b->dsa != NULL &&
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+ 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+ 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+ 		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
++#else
++		    BN_cmp(DSA_get0_p(a->dsa), DSA_get0_p(b->dsa)) == 0 &&
++		    BN_cmp(DSA_get0_q(a->dsa), DSA_get0_q(b->dsa)) == 0 &&
++		    BN_cmp(DSA_get0_g(a->dsa), DSA_get0_g(b->dsa)) == 0 &&
++		    BN_cmp(DSA_get0_pub_key(a->dsa), DSA_get0_pub_key(b->dsa)) == 0;
++#endif
+ 	case KEY_ECDSA:
+ 		return a->ecdsa != NULL && b->ecdsa != NULL &&
+ 			EC_KEY_check_key(a->ecdsa) == 1 &&
+@@ -231,7 +272,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+     u_int *dgst_raw_length)
+ {
+ 	const EVP_MD *md = NULL;
+-	EVP_MD_CTX ctx;
++	EVP_MD_CTX *ctx;
+ 	u_char *blob = NULL;
+ 	u_char *retval = NULL;
+ 	u_int len = 0;
+@@ -252,12 +293,21 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ 	}
+ 	switch (k->type) {
+ 	case KEY_RSA1:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		nlen = BN_num_bytes(k->rsa->n);
+ 		elen = BN_num_bytes(k->rsa->e);
+ 		len = nlen + elen;
+ 		blob = pamsshagentauth_xmalloc(len);
+ 		BN_bn2bin(k->rsa->n, blob);
+ 		BN_bn2bin(k->rsa->e, blob + nlen);
++#else
++		nlen = BN_num_bytes(RSA_get0_n(k->rsa));
++		elen = BN_num_bytes(RSA_get0_e(k->rsa));
++		len = nlen + elen;
++		blob = pamsshagentauth_xmalloc(len);
++		BN_bn2bin(RSA_get0_n(k->rsa), blob);
++		BN_bn2bin(RSA_get0_e(k->rsa), blob + nlen);
++#endif
+ 		break;
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
+@@ -273,11 +323,14 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ 	}
+ 	if (blob != NULL) {
+ 		retval = pamsshagentauth_xmalloc(EVP_MAX_MD_SIZE);
+-		EVP_DigestInit(&ctx, md);
+-		EVP_DigestUpdate(&ctx, blob, len);
+-		EVP_DigestFinal(&ctx, retval, dgst_raw_length);
++		/* XXX Errors from EVP_* functions are not hadled */
++		ctx = EVP_MD_CTX_create();
++		EVP_DigestInit(ctx, md);
++		EVP_DigestUpdate(ctx, blob, len);
++		EVP_DigestFinal(ctx, retval, dgst_raw_length);
+ 		memset(blob, 0, len);
+ 		pamsshagentauth_xfree(blob);
++		EVP_MD_CTX_destroy(ctx);
+ 	} else {
+ 		pamsshagentauth_fatal("key_fingerprint_raw: blob is null");
+ 	}
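Review bot: The return value of EVP_MD_CTX_create() in pamsshagentauth_key_fingerprint_raw is used without a NULL check, so an allocation failure becomes a NULL dereference inside EVP_DigestInit(). The added XXX comment acknowledges the missing error handling (and has a typo, "hadled"); since this function already calls pamsshagentauth_fatal() for other failures, a check such as `if ((ctx = EVP_MD_CTX_create()) == NULL) pamsshagentauth_fatal(...)` fits the existing style. The same unchecked pattern recurs in ssh-dss.c and ssh-ecdsa.c.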
+@@ -457,10 +510,17 @@ pamsshagentauth_key_read(Key *ret, char **cpp)
+ 			return -1;
+ 		*cpp = cp;
+ 		/* Get public exponent, public modulus. */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (!read_bignum(cpp, ret->rsa->e))
+ 			return -1;
+ 		if (!read_bignum(cpp, ret->rsa->n))
+ 			return -1;
++#else
++		if (!read_bignum(cpp, RSA_get0_e(ret->rsa)))
++			return -1;
++		if (!read_bignum(cpp, RSA_get0_n(ret->rsa)))
++			return -1;
++#endif
+ 		success = 1;
+ 		break;
+ 	case KEY_UNSPEC:
+@@ -583,10 +643,17 @@ pamsshagentauth_key_write(const Key *key, FILE *f)
+ 
+ 	if (key->type == KEY_RSA1 && key->rsa != NULL) {
+ 		/* size of modulus 'n' */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		bits = BN_num_bits(key->rsa->n);
+ 		fprintf(f, "%u", bits);
+ 		if (write_bignum(f, key->rsa->e) &&
+ 		    write_bignum(f, key->rsa->n)) {
++#else
++		bits = BN_num_bits(RSA_get0_n(key->rsa));
++		fprintf(f, "%u", bits);
++		if (write_bignum(f, RSA_get0_e(key->rsa)) &&
++		    write_bignum(f, RSA_get0_n(key->rsa))) {
++#endif
+ 			success = 1;
+ 		} else {
+ 			pamsshagentauth_logerror("key_write: failed for RSA key");
+@@ -675,10 +742,17 @@ pamsshagentauth_key_size(const Key *k)
+ {
+ 	switch (k->type) {
+ 	case KEY_RSA1:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	case KEY_RSA:
+ 		return BN_num_bits(k->rsa->n);
+ 	case KEY_DSA:
+ 		return BN_num_bits(k->dsa->p);
++#else
++	case KEY_RSA:
++		return BN_num_bits(RSA_get0_n(k->rsa));
++	case KEY_DSA:
++		return BN_num_bits(DSA_get0_p(k->dsa));
++#endif
+ 	case KEY_ECDSA:
+ 	{
+ 		int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(k->ecdsa));
+@@ -769,17 +843,29 @@ pamsshagentauth_key_from_private(const Key *k)
+ 	switch (k->type) {
+ 	case KEY_DSA:
+ 		n = pamsshagentauth_key_new(k->type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
+ 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
+ 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
+ 		    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
++#else
++		if ((BN_copy(DSA_get0_p(n->dsa), DSA_get0_p(k->dsa)) == NULL) ||
++		    (BN_copy(DSA_get0_q(n->dsa), DSA_get0_q(k->dsa)) == NULL) ||
++		    (BN_copy(DSA_get0_g(n->dsa), DSA_get0_g(k->dsa)) == NULL) ||
++		    (BN_copy(DSA_get0_pub_key(n->dsa), DSA_get0_pub_key(k->dsa)) == NULL))
++#endif
+ 			pamsshagentauth_fatal("key_from_private: BN_copy failed");
+ 		break;
+ 	case KEY_RSA:
+ 	case KEY_RSA1:
+ 		n = pamsshagentauth_key_new(k->type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+ 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
++#else
++		if ((BN_copy(RSA_get0_n(n->rsa), RSA_get0_n(k->rsa)) == NULL) ||
++		    (BN_copy(RSA_get0_e(n->rsa), RSA_get0_e(k->rsa)) == NULL))
++#endif
+ 			pamsshagentauth_fatal("key_from_private: BN_copy failed");
+ 		break;
+ 	case KEY_ECDSA:
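Review bot: In the new branch of pamsshagentauth_key_from_private the destination argument of each BN_copy() is the result of DSA_get0_p(), DSA_get0_q(), DSA_get0_g(), DSA_get0_pub_key(), RSA_get0_n() or RSA_get0_e(), all of which return const BIGNUM pointers. Writing through them discards the qualifier and will at least produce compiler warnings. The pattern already used in key_demote in this patch is cleaner: BN_dup() each source value and hand the copies over with DSA_set0_pqg(), DSA_set0_key() and RSA_set0_key().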
+@@ -881,8 +967,13 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 	switch (type) {
+ 	case KEY_RSA:
+ 		key = pamsshagentauth_key_new(type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
++#else
++		if (pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_e(key->rsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_n(key->rsa)) == -1) {
++#endif
+ 			pamsshagentauth_logerror("key_from_blob: can't read rsa key");
+ 			pamsshagentauth_key_free(key);
+ 			key = NULL;
+@@ -894,10 +985,17 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 		break;
+ 	case KEY_DSA:
+ 		key = pamsshagentauth_key_new(type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
++#else
++		if (pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_p(key->dsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_q(key->dsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_g(key->dsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_pub_key(key->dsa)) == -1) {
++#endif
+ 			pamsshagentauth_logerror("key_from_blob: can't read dsa key");
+ 			pamsshagentauth_key_free(key);
+ 			key = NULL;
+@@ -1015,6 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+ 	}
+ 	pamsshagentauth_buffer_init(&b);
+ 	switch (key->type) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	case KEY_DSA:
+ 		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p);
+@@ -1027,6 +1126,20 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->rsa->n);
+ 		break;
++#else
++	case KEY_DSA:
++		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_p(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_q(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_g(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_pub_key(key->dsa));
++		break;
++	case KEY_RSA:
++		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
++		pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_n(key->rsa));
++		break;
++#endif
+ 	case KEY_ECDSA:
+ 	{
+ 		size_t l = 0;
+@@ -1138,14 +1251,20 @@ pamsshagentauth_key_demote(const Key *k)
+ 	case KEY_RSA:
+ 		if ((pk->rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: RSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
++#else
++		if (RSA_set0_key(pk->rsa, BN_dup(RSA_get0_n(k->rsa)), BN_dup(RSA_get0_e(k->rsa)), NULL) != 1)
++			pamsshagentauth_fatal("key_demote: RSA_set0_key failed");
++#endif
+ 		break;
+ 	case KEY_DSA:
+ 		if ((pk->dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: DSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
+@@ -1154,6 +1273,12 @@ pamsshagentauth_key_demote(const Key *k)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
++#else
++		if (DSA_set0_pqg(pk->dsa, BN_dup(DSA_get0_p(k->dsa)), BN_dup(DSA_get0_q(k->dsa)), BN_dup(DSA_get0_g(k->dsa))) != 1)
++			pamsshagentauth_fatal("key_demote: DSA_set0_pqg failed");
++		if (DSA_set0_key(pk->dsa, BN_dup(DSA_get0_pub_key(k->dsa)), NULL) != 1)
++			pamsshagentauth_fatal("key_demote: DSA_set0_key failed");
++#endif
+ 		break;
+ 	case KEY_ECDSA:
+ 		pamsshagentauth_fatal("key_demote: implement me");
+diff --git a/ssh-dss.c b/ssh-dss.c
+index 9fdaa5d..1051ae2 100644
+--- a/ssh-dss.c
++++ b/ssh-dss.c
+@@ -48,37 +48,53 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ {
+ 	DSA_SIG *sig;
+ 	const EVP_MD *evp_md = EVP_sha1();
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
+ 	u_int rlen, slen, len, dlen;
+ 	Buffer b;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	const BIGNUM *r, *s;
++#endif
+ 
+ 	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+ 		pamsshagentauth_logerror("ssh_dss_sign: no DSA key");
+ 		return -1;
+ 	}
+-	EVP_DigestInit(&md, evp_md);
+-	EVP_DigestUpdate(&md, data, datalen);
+-	EVP_DigestFinal(&md, digest, &dlen);
++	md = EVP_MD_CTX_create();
++	EVP_DigestInit(md, evp_md);
++	EVP_DigestUpdate(md, data, datalen);
++	EVP_DigestFinal(md, digest, &dlen);
+ 
+ 	sig = DSA_do_sign(digest, dlen, key->dsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 
+ 	if (sig == NULL) {
+ 		pamsshagentauth_logerror("ssh_dss_sign: sign failed");
+ 		return -1;
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	rlen = BN_num_bytes(sig->r);
+ 	slen = BN_num_bytes(sig->s);
++#else
++	DSA_SIG_get0((const DSA_SIG *)sig, (const BIGNUM **)r, (const BIGNUM **)s);
++	rlen = BN_num_bytes(r);
++	slen = BN_num_bytes(s);
++#endif
+ 	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
+ 		pamsshagentauth_logerror("bad sig size %u %u", rlen, slen);
+ 		DSA_SIG_free(sig);
+ 		return -1;
+ 	}
+ 	memset(sigblob, 0, SIGBLOB_LEN);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+ 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
++#else
++	BN_bn2bin(r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
++	BN_bn2bin(s, sigblob+ SIGBLOB_LEN - slen);
++#endif
+ 	DSA_SIG_free(sig);
+ 
+ 	if (datafellows & SSH_BUG_SIGBLOB) {
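Review bot: The DSA_SIG_get0() call in ssh_dss_sign passes `(const BIGNUM **)r` and `(const BIGNUM **)s`, that is, the uninitialized values of r and s cast to pointer-to-pointer, instead of their addresses. DSA_SIG_get0() then writes through two indeterminate pointers, and r and s are still unset when BN_num_bytes() and BN_bn2bin() read them. This is undefined behaviour on the signing path. The call should be `DSA_SIG_get0(sig, &r, &s);`, and none of the casts are needed once the addresses are passed.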
+@@ -110,11 +126,14 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ {
+ 	DSA_SIG *sig;
+ 	const EVP_MD *evp_md = EVP_sha1();
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
+ 	u_int len, dlen;
+ 	int rlen, ret;
+ 	Buffer b;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	BIGNUM *r, *s;
++#endif
+ 
+ 	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+ 		pamsshagentauth_logerror("ssh_dss_verify: no DSA key");
+@@ -157,6 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	/* parse signature */
+ 	if ((sig = DSA_SIG_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if ((sig->r = BN_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
+ 	if ((sig->s = BN_new()) == NULL)
+@@ -164,18 +184,33 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
+ 	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
+ 		pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed");
++#else
++	if ((r = BN_new()) == NULL)
++		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
++	if ((s = BN_new()) == NULL)
++		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
++	if (DSA_SIG_set0(sig, r, s) != 1)
++		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed");
++	if ((BN_bin2bn(sigblob, INTBLOB_LEN, r) == NULL) ||
++	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, s) == NULL))
++		pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed");
++	if (DSA_SIG_set0(sig, r, s) != 1)
++		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed");
++#endif
+ 
+ 	/* clean up */
+ 	memset(sigblob, 0, len);
+ 	pamsshagentauth_xfree(sigblob);
+ 
+ 	/* sha1 the data */
+-	EVP_DigestInit(&md, evp_md);
+-	EVP_DigestUpdate(&md, data, datalen);
+-	EVP_DigestFinal(&md, digest, &dlen);
++	md = EVP_MD_CTX_create();
++	EVP_DigestInit(md, evp_md);
++	EVP_DigestUpdate(md, data, datalen);
++	EVP_DigestFinal(md, digest, &dlen);
+ 
+ 	ret = DSA_do_verify(digest, dlen, sig, key->dsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 
+ 	DSA_SIG_free(sig);
+ 
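Review bot: ssh_dss_verify calls DSA_SIG_set0(sig, r, s) twice with the same r and s, once before BN_bin2bn() and once after. The first call transfers ownership of both BIGNUMs to sig; the second call releases the values sig currently holds before storing the new ones, and those are the very same pointers, so sig ends up referring to freed memory that DSA_do_verify() then reads. Remove one of the two calls: parse into r and s first and call DSA_SIG_set0() once afterwards. EVP_MD_CTX_create() is also unchecked here.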
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index efa0f3d..c213959 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -41,22 +41,27 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+ {
+     ECDSA_SIG *sig;
+     const EVP_MD *evp_md = evp_from_key(key);
+-    EVP_MD_CTX md;
++    EVP_MD_CTX *md;
+     u_char digest[EVP_MAX_MD_SIZE];
+     u_int len, dlen;
+     Buffer b, bb;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	BIGNUM *r, *s;
++#endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+         pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key");
+         return -1;
+     }
+ 
+-    EVP_DigestInit(&md, evp_md);
+-    EVP_DigestUpdate(&md, data, datalen);
+-    EVP_DigestFinal(&md, digest, &dlen);
++    md = EVP_MD_CTX_create();
++    EVP_DigestInit(md, evp_md);
++    EVP_DigestUpdate(md, data, datalen);
++    EVP_DigestFinal(md, digest, &dlen);
+ 
+     sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
+     memset(digest, 'd', sizeof(digest));
++    EVP_MD_CTX_destroy(md);
+ 
+     if (sig == NULL) {
+         pamsshagentauth_logerror("ssh_ecdsa_sign: sign failed");
+@@ -64,8 +69,14 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     }
+ 
+     pamsshagentauth_buffer_init(&bb);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 ||
+         pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) {
++#else
++    DSA_SIG_get0(sig, &r, &s);
++    if (pamsshagentauth_buffer_get_bignum2_ret(&bb, r) == -1 ||
++        pamsshagentauth_buffer_get_bignum2_ret(&bb, s) == -1) {
++#endif
+         pamsshagentauth_logerror("couldn't serialize signature");
+         ECDSA_SIG_free(sig);
+         return -1;
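Review bot: the `#else` branch calls `DSA_SIG_get0(sig, &r, &s);` on `sig`, which is declared `ECDSA_SIG *` at the top of ssh_ecdsa_sign, so the DSA accessor is being applied to an ECDSA signature object. OpenSSL 1.1.0 provides `ECDSA_SIG_get0()` for this type and that is the call to use here. It is also worth confirming the surrounding logic while touching it: the guarded calls are `pamsshagentauth_buffer_get_bignum2_ret(&bb, ...)` on a buffer that was only just initialised, yet the error message is "couldn't serialize signature", which reads like the put variant was intended.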
+@@ -94,11 +105,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ {
+     ECDSA_SIG *sig;
+     const EVP_MD *evp_md = evp_from_key(key);
+-    EVP_MD_CTX md;
++    EVP_MD_CTX *md;
+     u_char digest[EVP_MAX_MD_SIZE], *sigblob;
+     u_int len, dlen;
+     int rlen, ret;
+     Buffer b;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	BIGNUM *r, *s;
++#endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+         pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key");
+@@ -127,8 +141,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
++#else
++    DSA_SIG_get0(sig, &r, &s);
++    if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
++        (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
++#endif
+         pamsshagentauth_fatal("ssh_ecdsa_verify:"
+             "pamsshagentauth_buffer_get_bignum2_ret failed");
+ 
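Review bot: in the `#else` branch of ssh_ecdsa_verify, `r` and `s` are obtained with `DSA_SIG_get0(sig, &r, &s);` and then handed to `pamsshagentauth_buffer_get_bignum2_ret(&b, r)` as parse targets. Besides being the DSA accessor on an `ECDSA_SIG *`, a get0 call only exposes the object's existing internal values as const pointers, so it is not a supported way to fill a signature. The usual 1.1.0 pattern is to allocate `r` and `s` with BN_new(), parse into them, and hand ownership to the signature with `ECDSA_SIG_set0(sig, r, s)`, checking each step and freeing the BIGNUMs on failure.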
+@@ -137,16 +157,18 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+     pamsshagentauth_xfree(sigblob);
+ 
+     /* sha256 the data */
+-    EVP_DigestInit(&md, evp_md);
+-    EVP_DigestUpdate(&md, data, datalen);
+-    EVP_DigestFinal(&md, digest, &dlen);
++    md = EVP_MD_CTX_create();
++    EVP_DigestInit(md, evp_md);
++    EVP_DigestUpdate(md, data, datalen);
++    EVP_DigestFinal(md, digest, &dlen);
+ 
+     ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
+     memset(digest, 'd', sizeof(digest));
++    EVP_MD_CTX_destroy(md);
+ 
+     ECDSA_SIG_free(sig);
+ 
+     pamsshagentauth_verbose("ssh_ecdsa_verify: signature %s",
+         ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
+     return ret;
+-}
+\ No newline at end of file
++}
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index d05844b..9d74eb6 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -40,7 +40,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     const u_char *data, u_int datalen)
+ {
+ 	const EVP_MD *evp_md;
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	u_char digest[EVP_MAX_MD_SIZE], *sig;
+ 	u_int slen, dlen, len;
+ 	int ok, nid;
+@@ -55,6 +55,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 		pamsshagentauth_logerror("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
+ 		return -1;
+ 	}
++	md = EVP_MD_CTX_create();
+ 	EVP_DigestInit(&md, evp_md);
+ 	EVP_DigestUpdate(&md, data, datalen);
+ 	EVP_DigestFinal(&md, digest, &dlen);
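Review bot: in ssh_rsa_sign the context lines after the new `md = EVP_MD_CTX_create();` still read `EVP_DigestInit(&md, evp_md);`, `EVP_DigestUpdate(&md, data, datalen);` and `EVP_DigestFinal(&md, digest, &dlen);`. With `md` now declared `EVP_MD_CTX *` (previous hunk), `&md` is an `EVP_MD_CTX **`, so the digest calls are given the address of the local pointer instead of the allocated context. Every other sign/verify function in this patch was converted to pass `md`; these three lines need the same change, and the build should not be allowed to hide the resulting incompatible-pointer warning.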
+@@ -64,6 +65,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 
+ 	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 
+ 	if (ok != 1) {
+ 		int ecode = ERR_get_error();
+@@ -107,7 +109,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ {
+ 	Buffer b;
+ 	const EVP_MD *evp_md;
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	char *ktype;
+ 	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
+ 	u_int len, dlen, modlen;
+@@ -117,9 +119,17 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 		pamsshagentauth_logerror("ssh_rsa_verify: no RSA key");
+ 		return -1;
+ 	}
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
++#else
++	if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
++#endif
+ 		pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
++#else
++		    BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE);
++#endif
+ 		return -1;
+ 	}
+ 	pamsshagentauth_buffer_init(&b);
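Review bot: the modulus-size check in ssh_rsa_verify now carries two separate `#if OPENSSL_VERSION_NUMBER` blocks, one of them splitting the argument list of the `pamsshagentauth_logerror(...)` call. Reading the modulus size once into a local (for example an `int bits` set under a single `#if`/`#else`) and using it in both the comparison against SSH_RSA_MINIMUM_MODULUS_SIZE and the log message would keep the security check in one place and remove the risk of the two branches drifting apart.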
+@@ -161,12 +171,14 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 		pamsshagentauth_xfree(sigblob);
+ 		return -1;
+ 	}
+-	EVP_DigestInit(&md, evp_md);
+-	EVP_DigestUpdate(&md, data, datalen);
+-	EVP_DigestFinal(&md, digest, &dlen);
++	md = EVP_MD_CTX_create();
++	EVP_DigestInit(md, evp_md);
++	EVP_DigestUpdate(md, data, datalen);
++	EVP_DigestFinal(md, digest, &dlen);
+ 
+ 	ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 	memset(sigblob, 's', len);
+ 	pamsshagentauth_xfree(sigblob);
+ 	pamsshagentauth_verbose("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
+
+From 4dc87369134f215378042ec4d971a4fe48d1a02b Mon Sep 17 00:00:00 2001
+From: Guido Falsi <mad@madpilot.net>
+Date: Wed, 24 Oct 2018 20:36:15 +0200
+Subject: [PATCH 2/2] Check against the correct OPENSSL_VERSION_NUMBER
+
+Alexey Dokuchaev (a fellow FreeBSD developer) pointed out to me the opaque structures were introduced in 1.1.0-pre
+5, so the correct OPENSSL_VERSION_NUMBER to discriminate is 0x10100005L.
+---
+ authfd.c    | 12 ++++++------
+ bufbn.c     |  2 +-
+ key.c       | 36 ++++++++++++++++++------------------
+ ssh-dss.c   | 10 +++++-----
+ ssh-ecdsa.c |  8 ++++----
+ ssh-rsa.c   |  4 ++--
+ 6 files changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/authfd.c b/authfd.c
+index 35f8de1..01d1d89 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -372,7 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
+ 	case 1:
+ 		key = pamsshagentauth_key_new(KEY_RSA1);
+ 		bits = pamsshagentauth_buffer_get_int(&auth->identities);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e);
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n);
+ 		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
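Review bot: the literal `0x10100005L` is now pasted into every `#if OPENSSL_VERSION_NUMBER` guard across authfd.c, bufbn.c, key.c, ssh-dss.c, ssh-ecdsa.c and ssh-rsa.c, which is exactly why this second patch had to touch 36 lines to correct one threshold. Defining the condition once in a shared header (a single feature macro for "opaque OpenSSL structures") and testing that macro at each site would make the next correction a one-line change and would rule out a guard being missed. A short comment next to the definition recording that the value corresponds to 1.1.0-pre5, as the commit message explains, would also help.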
+@@ -432,7 +432,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
+ 	}
+ 	pamsshagentauth_buffer_init(&buffer);
+ 	pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e);
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n);
+@@ -517,7 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
+ static void
+ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n));
+ 	pamsshagentauth_buffer_put_bignum(b, key->n);
+ 	pamsshagentauth_buffer_put_bignum(b, key->e);
+@@ -545,7 +545,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+ 	pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key));
+ 	switch (key->type) {
+ 	case KEY_RSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->n);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->d);
+@@ -562,7 +562,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+ #endif
+ 		break;
+ 	case KEY_DSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->p);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->q);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->g);
+@@ -654,7 +654,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
+ 
+ 	if (key->type == KEY_RSA1) {
+ 		pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n));
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n);
+diff --git a/bufbn.c b/bufbn.c
+index 4ecedc1..b4754cc 100644
+--- a/bufbn.c
++++ b/bufbn.c
+@@ -151,7 +151,7 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
+ 		pamsshagentauth_buffer_put_int(buffer, 0);
+ 		return 0;
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	if (value->neg) {
+ #else
+ 	if (BN_is_negative(value)) {
+diff --git a/key.c b/key.c
+index aedbbb5..dcc5fc8 100644
+--- a/key.c
++++ b/key.c
+@@ -77,7 +77,7 @@ pamsshagentauth_key_new(int type)
+ 	case KEY_RSA:
+ 		if ((rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: RSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((rsa->n = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((rsa->e = BN_new()) == NULL)
+@@ -91,7 +91,7 @@ pamsshagentauth_key_new(int type)
+ 	case KEY_DSA:
+ 		if ((dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: DSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((dsa->p = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((dsa->q = BN_new()) == NULL)
+@@ -130,7 +130,7 @@ pamsshagentauth_key_new_private(int type)
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((k->rsa->d = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ 		if ((k->rsa->iqmp = BN_new()) == NULL)
+@@ -153,7 +153,7 @@ pamsshagentauth_key_new_private(int type)
+ #endif
+ 		break;
+ 	case KEY_DSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((k->dsa->priv_key = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ #else
+@@ -162,7 +162,7 @@ pamsshagentauth_key_new_private(int type)
+ #endif
+ 		break;
+ 	case KEY_ECDSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1)
+ 			pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed");
+ #else
+@@ -224,7 +224,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
+ 		return a->rsa != NULL && b->rsa != NULL &&
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+ 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
+ #else
+@@ -233,7 +233,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
+ #endif
+ 	case KEY_DSA:
+ 		return a->dsa != NULL && b->dsa != NULL &&
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+ 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+ 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+@@ -293,7 +293,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ 	}
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		nlen = BN_num_bytes(k->rsa->n);
+ 		elen = BN_num_bytes(k->rsa->e);
+ 		len = nlen + elen;
+@@ -510,7 +510,7 @@ pamsshagentauth_key_read(Key *ret, char **cpp)
+ 			return -1;
+ 		*cpp = cp;
+ 		/* Get public exponent, public modulus. */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (!read_bignum(cpp, ret->rsa->e))
+ 			return -1;
+ 		if (!read_bignum(cpp, ret->rsa->n))
+@@ -643,7 +643,7 @@ pamsshagentauth_key_write(const Key *key, FILE *f)
+ 
+ 	if (key->type == KEY_RSA1 && key->rsa != NULL) {
+ 		/* size of modulus 'n' */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		bits = BN_num_bits(key->rsa->n);
+ 		fprintf(f, "%u", bits);
+ 		if (write_bignum(f, key->rsa->e) &&
+@@ -742,7 +742,7 @@ pamsshagentauth_key_size(const Key *k)
+ {
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	case KEY_RSA:
+ 		return BN_num_bits(k->rsa->n);
+ 	case KEY_DSA:
+@@ -843,7 +843,7 @@ pamsshagentauth_key_from_private(const Key *k)
+ 	switch (k->type) {
+ 	case KEY_DSA:
+ 		n = pamsshagentauth_key_new(k->type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
+ 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
+ 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
+@@ -859,7 +859,7 @@ pamsshagentauth_key_from_private(const Key *k)
+ 	case KEY_RSA:
+ 	case KEY_RSA1:
+ 		n = pamsshagentauth_key_new(k->type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+ 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
+ #else
+@@ -967,7 +967,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 	switch (type) {
+ 	case KEY_RSA:
+ 		key = pamsshagentauth_key_new(type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
+ #else
+@@ -985,7 +985,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 		break;
+ 	case KEY_DSA:
+ 		key = pamsshagentauth_key_new(type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+@@ -1113,7 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+ 	}
+ 	pamsshagentauth_buffer_init(&b);
+ 	switch (key->type) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	case KEY_DSA:
+ 		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p);
+@@ -1251,7 +1251,7 @@ pamsshagentauth_key_demote(const Key *k)
+ 	case KEY_RSA:
+ 		if ((pk->rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: RSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
+@@ -1264,7 +1264,7 @@ pamsshagentauth_key_demote(const Key *k)
+ 	case KEY_DSA:
+ 		if ((pk->dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: DSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
+diff --git a/ssh-dss.c b/ssh-dss.c
+index 1051ae2..9b96274 100644
+--- a/ssh-dss.c
++++ b/ssh-dss.c
+@@ -52,7 +52,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
+ 	u_int rlen, slen, len, dlen;
+ 	Buffer b;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	const BIGNUM *r, *s;
+ #endif
+ 
+@@ -74,7 +74,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 		return -1;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	rlen = BN_num_bytes(sig->r);
+ 	slen = BN_num_bytes(sig->s);
+ #else
+@@ -88,7 +88,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 		return -1;
+ 	}
+ 	memset(sigblob, 0, SIGBLOB_LEN);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+ 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
+ #else
+@@ -131,7 +131,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	u_int len, dlen;
+ 	int rlen, ret;
+ 	Buffer b;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	BIGNUM *r, *s;
+ #endif
+ 
+@@ -176,7 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	/* parse signature */
+ 	if ((sig = DSA_SIG_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	if ((sig->r = BN_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
+ 	if ((sig->s = BN_new()) == NULL)
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index c213959..5b13b30 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -45,7 +45,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     u_char digest[EVP_MAX_MD_SIZE];
+     u_int len, dlen;
+     Buffer b, bb;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	BIGNUM *r, *s;
+ #endif
+ 
+@@ -69,7 +69,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     }
+ 
+     pamsshagentauth_buffer_init(&bb);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 ||
+         pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) {
+ #else
+@@ -110,7 +110,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+     u_int len, dlen;
+     int rlen, ret;
+     Buffer b;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	BIGNUM *r, *s;
+ #endif
+ 
+@@ -141,7 +141,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
+ #else
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index 9d74eb6..35f2e36 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -119,13 +119,13 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 		pamsshagentauth_logerror("ssh_rsa_verify: no RSA key");
+ 		return -1;
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ #else
+ 	if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ #endif
+ 		pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
+ #else
+ 		    BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE);

diff --git a/sys-auth/pam_ssh_agent_auth/metadata.xml b/sys-auth/pam_ssh_agent_auth/metadata.xml
index b2c4b0002ee..cbaa4da90d4 100644
--- a/sys-auth/pam_ssh_agent_auth/metadata.xml
+++ b/sys-auth/pam_ssh_agent_auth/metadata.xml
@@ -6,5 +6,6 @@
 	</maintainer>
 	<upstream>
 		<remote-id type="sourceforge">pamsshagentauth</remote-id>
+		<remote-id type="github">jbeverly/pam_ssh_agent_auth</remote-id>
 	</upstream>
 </pkgmetadata>

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
new file mode 100644
index 00000000000..8afccd4a986
--- /dev/null
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam
+
+DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
+HOMEPAGE="http://pamsshagentauth.sourceforge.net"
+
+if [[ ${PV} == *9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git"
+	inherit git-r3
+else
+	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
+	KEYWORDS="~amd64 ~arm ~x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE=""
+
+PATCHES=(
+	"${FILESDIR}/${P}-openssl-1.1.1.patch"
+)
+DEPEND="virtual/pam
+	dev-libs/openssl:0="
+
+RDEPEND="${DEPEND}
+	virtual/ssh"
+
+# needed for pod2man
+DEPEND="${DEPEND}
+	dev-lang/perl"
+
+src_configure() {
+	pammod_hide_symbols
+
+	econf \
+		--without-openssl-header-check \
+		--libexecdir="$(getpam_mod_dir)"
+}
+
+src_install() {
+	# Don't use emake install as it makes it harder to have proper
+	# install paths.
+	dopammod pam_ssh_agent_auth.so
+	doman pam_ssh_agent_auth.8
+
+	dodoc CONTRIBUTORS
+}
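Review bot: `dev-lang/perl` is appended to DEPEND with the comment "needed for pod2man", but this ebuild declares `EAPI=7`, where tools that only run at build time belong in BDEPEND. Separately, `--without-openssl-header-check` in src_configure switches off a configure-time OpenSSL check without any explanation; a one-line comment saying why it is needed with the `${P}-openssl-1.1.1.patch` applied would help whoever revisits this after the next OpenSSL bump. The `if [[ ${PV} == *9999 ]]` branch is harmless here but can never be taken in a versioned ebuild.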

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
new file mode 100644
index 00000000000..2b877364229
--- /dev/null
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam
+
+DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
+HOMEPAGE="http://pamsshagentauth.sourceforge.net"
+
+if [[ ${PV} == *9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git"
+	inherit git-r3
+else
+	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
+	KEYWORDS="~amd64 ~arm ~x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE=""
+
+DEPEND="virtual/pam
+	dev-libs/openssl:0="
+
+RDEPEND="${DEPEND}
+	virtual/ssh"
+
+# needed for pod2man
+DEPEND="${DEPEND}
+	dev-lang/perl"
+
+src_configure() {
+	pammod_hide_symbols
+
+	econf \
+		--without-openssl-header-check \
+		--libexecdir="$(getpam_mod_dir)"
+}
+
+src_install() {
+	# Don't use emake install as it makes it harder to have proper
+	# install paths.
+	dopammod pam_ssh_agent_auth.so
+	doman pam_ssh_agent_auth.8
+
+	dodoc CONTRIBUTORS
+}
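Review bot: HOMEPAGE in the live ebuild still points at `http://pamsshagentauth.sourceforge.net` over plain HTTP, while EGIT_REPO_URI and the new metadata.xml remote-id both name the GitHub project; the commit message says the metadata was updated to reference GitHub, so HOMEPAGE should follow. The `else` branch setting SRC_URI and KEYWORDS is dead in a -9999 ebuild, and the same EAPI 7 point applies to `dev-lang/perl` sitting in DEPEND instead of BDEPEND. Note also that this file carries no PATCHES array, so the live build depends on upstream git already containing the OpenSSL 1.1 changes.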



* [gentoo-commits] repo/gentoo:master commit in: sys-auth/pam_ssh_agent_auth/, sys-auth/pam_ssh_agent_auth/files/
@ 2019-05-21 14:30 Andreas Sturmlechner
From: Andreas Sturmlechner @ 2019-05-21 14:30 UTC (permalink / raw
  To: gentoo-commits

commit:     f666399d633b0cebb40f21271394372b2a41c4e5
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue May 21 13:13:46 2019 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue May 21 14:30:30 2019 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f666399d

sys-auth/pam_ssh_agent_auth: Drop old

Package-Manager: Portage-2.3.66, Repoman-2.3.12
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 sys-auth/pam_ssh_agent_auth/Manifest               |  4 --
 .../files/pam_ssh_agent_auth-0.9.2-libs.patch      | 24 -----------
 .../pam_ssh_agent_auth-0.10.2.ebuild               | 41 -------------------
 .../pam_ssh_agent_auth-0.9.2.ebuild                | 46 ---------------------
 .../pam_ssh_agent_auth-0.9.3.ebuild                | 47 ----------------------
 .../pam_ssh_agent_auth-0.9.4.ebuild                | 43 --------------------
 6 files changed, 205 deletions(-)

diff --git a/sys-auth/pam_ssh_agent_auth/Manifest b/sys-auth/pam_ssh_agent_auth/Manifest
index 1b1fdc46d1c..1c43b8634e4 100644
--- a/sys-auth/pam_ssh_agent_auth/Manifest
+++ b/sys-auth/pam_ssh_agent_auth/Manifest
@@ -1,5 +1 @@
-DIST pam_ssh_agent_auth-0.10.2.tar.bz2 246412 BLAKE2B 3adf2bcc76559733f997744c95c660c67010b124db6e811559625a2ad7cbc7339d43d22dd5144135ae36ab90fdeb3c80c887e3157241936ceeb6026c8aa298fe SHA512 b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38
 DIST pam_ssh_agent_auth-0.10.3.tar.bz2 1066393 BLAKE2B 07b113d05e09f770d63dbea813ea644199d2b103f9c6d7e5960bfad37cb181ce5a5f111f72e0274c0335e4c217ccd19bd53d61af23f8bc6aff14c1995fc4edc9 SHA512 d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
-DIST pam_ssh_agent_auth-0.9.2.tar.bz2 237156 BLAKE2B b9d09920e10b454ea739e44c38daba6a509fbd4a96f01e26a82e0a8c58b696806b1f3ea95d53c10b55ed01e5804dfb687dd4545b87d85fa4f6a474548c3666d5 SHA512 e710a4dff315c8d79c5d5edc4ebe1629a8fc6d09651813fd4792a2021e7c2d5768d6b7e8539801e31b947cc30817f32375d751fc396707fc4f257df4f33cd408
-DIST pam_ssh_agent_auth-0.9.3.tar.bz2 239596 BLAKE2B 7be6af1c78457e082d34f5df406fccf74fbda48d1fe87be0592b927ea296b6db3cf1f9a58bcdd61c50556ffc53c16276dc87e5970d9caa0e51fb520e0473240b SHA512 c2304dcf623858339b5fd77bcf64e9c980a3ee241384b9125d64ba6ab9539a65eacbd3576b31a94bb390e4c089e702f9df2963119250b773bd8be872ae63a050
-DIST pam_ssh_agent_auth-0.9.4.tar.bz2 239250 BLAKE2B fee1e009a5374126db0b0df9f05436521e215933ed2eabdcd1983e6372fc7160c6a6c53d07b9ddc7bdd8b9529a27c7da4ef35aad2c80ea1ef2f895f3fb237135 SHA512 3d469e85bf7c49dcf9345c63678ebe050db4d15447592bc337bfc762f2337f92cebd7e840fc12d7be94acf1aa47b0272efe2c1688888ecd8f9daf63549520792

diff --git a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.9.2-libs.patch b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.9.2-libs.patch
deleted file mode 100644
index 3e259761a2e..00000000000
--- a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.9.2-libs.patch
+++ /dev/null
@@ -1,24 +0,0 @@
-diff --git a/Makefile.in b/Makefile.in
-index 3428c51..4b5ea8a 100644
---- a/Makefile.in
-+++ b/Makefile.in
-@@ -48,7 +48,7 @@ PAM_MODULES=pam_ssh_agent_auth.so
- 
- SSHOBJS=xmalloc.o atomicio.o authfd.o bufaux.o bufbn.o buffer.o cleanup.o entropy.o fatal.o key.o log.o misc.o secure_filename.o ssh-dss.o ssh-rsa.o uuencode.o compat.o
- 
--PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o
-+PAM_SSH_AGENT_AUTH_OBJS=pam_user_key_allowed2.o iterate_ssh_agent_keys.o userauth_pubkey_from_id.o pam_user_authorized_keys.o pam_ssh_agent_auth.o
- 
- 
- MANPAGES_IN	= pam_ssh_agent_auth.pod
-@@ -72,8 +72,8 @@ $(LIBCOMPAT): always
- 	(cd openbsd-compat && $(MAKE))
- always:
- 
--pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS)  pam_ssh_agent_auth.o
--	$(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam pam_ssh_agent_auth.o
-+pam_ssh_agent_auth.so: $(LIBCOMPAT) $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS)
-+	$(LD) $(LDFLAGS_SHARED) -o $@ $(SSHOBJS) $(PAM_SSH_AGENT_AUTH_OBJS) $(LDFLAGS) -lopenbsd-compat $(LIBS) -lpam
- 
- $(MANPAGES): $(MANPAGES_IN)
- 	pod2man --section=8 --release=v0.8 --name=pam_ssh_agent_auth --official --center "PAM" pam_ssh_agent_auth.pod > pam_ssh_agent_auth.8

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.2.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.2.ebuild
deleted file mode 100644
index 3faa51dfab8..00000000000
--- a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.2.ebuild
+++ /dev/null
@@ -1,41 +0,0 @@
-# Copyright 1999-2017 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-inherit pam
-
-DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
-HOMEPAGE="http://pamsshagentauth.sourceforge.net"
-SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~amd64 ~arm ~x86"
-IUSE=""
-
-DEPEND="virtual/pam
-	dev-libs/openssl"
-
-RDEPEND="${DEPEND}
-	virtual/ssh"
-
-# needed for pod2man
-DEPEND="${DEPEND}
-	dev-lang/perl"
-
-src_configure() {
-	pammod_hide_symbols
-
-	econf \
-		--libexecdir="$(getpam_mod_dir)"
-}
-
-src_install() {
-	# Don't use emake install as it makes it harder to have proper
-	# install paths.
-	dopammod pam_ssh_agent_auth.so
-	doman pam_ssh_agent_auth.8
-
-	dodoc CONTRIBUTORS
-}

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.2.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.2.ebuild
deleted file mode 100644
index 9d12c9d6d89..00000000000
--- a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.2.ebuild
+++ /dev/null
@@ -1,46 +0,0 @@
-# Copyright 1999-2011 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=4
-
-inherit eutils pam
-
-DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
-HOMEPAGE="http://pamsshagentauth.sourceforge.net"
-SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE=""
-
-DEPEND="virtual/pam
-	dev-libs/openssl"
-
-RDEPEND="${DEPEND}
-	virtual/ssh"
-
-# needed for pod2man
-DEPEND="${DEPEND}
-	dev-lang/perl"
-
-src_prepare() {
-	epatch "${FILESDIR}"/${P}-libs.patch
-}
-
-src_configure() {
-	pammod_hide_symbols
-
-	econf \
-		--libexecdir=$(getpam_mod_dir)
-}
-
-src_test() { :; }
-
-src_install() {
-	# Don't use emake install as it makes it harder to have proper
-	# install paths.
-	dopammod pam_ssh_agent_auth.so
-
-	doman pam_ssh_agent_auth.8 || die
-}

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.3.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.3.ebuild
deleted file mode 100644
index 2ebe6d4f574..00000000000
--- a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.3.ebuild
+++ /dev/null
@@ -1,47 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=4
-
-inherit eutils pam
-
-DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
-HOMEPAGE="http://pamsshagentauth.sourceforge.net"
-SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE=""
-
-DEPEND="virtual/pam
-	dev-libs/openssl"
-
-RDEPEND="${DEPEND}
-	virtual/ssh"
-
-# needed for pod2man
-DEPEND="${DEPEND}
-	dev-lang/perl"
-
-src_prepare() {
-	epatch "${FILESDIR}"/${PN}-0.9.2-libs.patch
-}
-
-src_configure() {
-	pammod_hide_symbols
-
-	econf \
-		--libexecdir=$(getpam_mod_dir)
-}
-
-src_test() { :; }
-
-src_install() {
-	# Don't use emake install as it makes it harder to have proper
-	# install paths.
-	dopammod pam_ssh_agent_auth.so
-	doman pam_ssh_agent_auth.8
-
-	dodoc CONTRIBUTORS
-}

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.4.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.4.ebuild
deleted file mode 100644
index 0bc8de146ed..00000000000
--- a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.9.4.ebuild
+++ /dev/null
@@ -1,43 +0,0 @@
-# Copyright 1999-2012 Gentoo Foundation
-# Distributed under the terms of the GNU General Public License v2
-
-EAPI=5
-
-inherit pam
-
-DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
-HOMEPAGE="http://pamsshagentauth.sourceforge.net"
-SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
-
-LICENSE="MIT"
-SLOT="0"
-KEYWORDS="~amd64 ~x86"
-IUSE=""
-
-DEPEND="virtual/pam
-	dev-libs/openssl"
-
-RDEPEND="${DEPEND}
-	virtual/ssh"
-
-# needed for pod2man
-DEPEND="${DEPEND}
-	dev-lang/perl"
-
-src_configure() {
-	pammod_hide_symbols
-
-	econf \
-		--libexecdir=$(getpam_mod_dir)
-}
-
-src_test() { :; }
-
-src_install() {
-	# Don't use emake install as it makes it harder to have proper
-	# install paths.
-	dopammod pam_ssh_agent_auth.so
-	doman pam_ssh_agent_auth.8
-
-	dodoc CONTRIBUTORS
-}



* [gentoo-commits] repo/gentoo:master commit in: sys-auth/pam_ssh_agent_auth/, sys-auth/pam_ssh_agent_auth/files/
@ 2020-11-15 15:31 Joonas Niilola
  0 siblings, 0 replies; 3+ messages in thread
From: Joonas Niilola @ 2020-11-15 15:31 UTC (permalink / raw
  To: gentoo-commits

commit:     690c09813b74469b056b7b62a756f491d48baa19
Author:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
AuthorDate: Sun Nov 15 13:56:56 2020 +0000
Commit:     Joonas Niilola <juippis <AT> gentoo <DOT> org>
CommitDate: Sun Nov 15 15:31:18 2020 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=690c0981

sys-auth/pam_ssh_agent_auth: fix SizeViolation issue

Closes: https://bugs.gentoo.org/748213
Signed-off-by: Joonas Niilola <juippis <AT> gentoo.org>

 sys-auth/pam_ssh_agent_auth/Manifest               |    1 +
 .../pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch  | 1244 --------------------
 .../pam_ssh_agent_auth-0.10.3.ebuild               |    7 +-
 .../pam_ssh_agent_auth-9999.ebuild                 |    8 +-
 4 files changed, 11 insertions(+), 1249 deletions(-)

diff --git a/sys-auth/pam_ssh_agent_auth/Manifest b/sys-auth/pam_ssh_agent_auth/Manifest
index 1c43b8634e4..023aa7f9e0c 100644
--- a/sys-auth/pam_ssh_agent_auth/Manifest
+++ b/sys-auth/pam_ssh_agent_auth/Manifest
@@ -1 +1,2 @@
+DIST pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch 46417 BLAKE2B bb62c32fc9c1eb5dc0788b9a535fdf6000812c57a6a758e693406a0d01bcf0cc5ec9f7622c4f21cee74895657a5a3ad13255e19d51e20eca8978e63864266629 SHA512 279fad3be9289c1da06d34e08d2b81a8ad863e07c7b0471419c029aa121abe9942ae4cc4259b7f1e2c2dd32368fc07dc1f9432aba860820455e0d9419c9e7f74
 DIST pam_ssh_agent_auth-0.10.3.tar.bz2 1066393 BLAKE2B 07b113d05e09f770d63dbea813ea644199d2b103f9c6d7e5960bfad37cb181ce5a5f111f72e0274c0335e4c217ccd19bd53d61af23f8bc6aff14c1995fc4edc9 SHA512 d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66

diff --git a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch
deleted file mode 100644
index a422cd5e479..00000000000
--- a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch
+++ /dev/null
@@ -1,1244 +0,0 @@
-From eef90424a0545b7b0125dfaf5e3cef3c5248ada0 Mon Sep 17 00:00:00 2001
-From: Guido Falsi <mad@madpilot.net>
-Date: Sat, 20 Oct 2018 14:29:43 +0200
-Subject: [PATCH 1/2] Adapt to OpenSSL 1.1.1.
-
-The FreeBSD operating system is migrating to OpenSSL 1.1.1 and I have created this set of patches to make pam_ssh_agent_auth compile with it.
-
-The patch comments out some parts of include files which are not actually used and reference now opaque OpenSSL internals.
-
-I also have migrated the source files to use accessors to use the OpenSSL objects.
-
-The patch works on FreeBSD head (will be 12.0) but the --without-openssl-header-check argument is required in configure there.
----
- authfd.c    |  50 ++++++++++++++++++++
- bufbn.c     |   4 ++
- cipher.h    |   6 ++-
- kex.h       |   9 +++-
- key.c       | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++--
- ssh-dss.c   |  51 ++++++++++++++++----
- ssh-ecdsa.c |  40 ++++++++++++----
- ssh-rsa.c   |  22 +++++++--
- 8 files changed, 287 insertions(+), 28 deletions(-)
-
-diff --git a/authfd.c b/authfd.c
-index 7b96921..35f8de1 100644
---- a/authfd.c
-+++ b/authfd.c
-@@ -372,6 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
- 	case 1:
- 		key = pamsshagentauth_key_new(KEY_RSA1);
- 		bits = pamsshagentauth_buffer_get_int(&auth->identities);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e);
- 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n);
- 		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
-@@ -379,6 +380,15 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
- 		if (keybits < 0 || bits != (u_int)keybits)
- 			pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u",
- 			    BN_num_bits(key->rsa->n), bits);
-+#else
-+		pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_e(key->rsa));
-+		pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_n(key->rsa));
-+		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
-+		keybits = BN_num_bits(RSA_get0_n(key->rsa));
-+		if (keybits < 0 || bits != (u_int)keybits)
-+			pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u",
-+			    BN_num_bits(RSA_get0_n(key->rsa)), bits);
-+#endif
- 		break;
- 	case 2:
- 		blob = pamsshagentauth_buffer_get_string(&auth->identities, &blen);
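Review bot: In the #else branch of ssh_get_next_identity, RSA_get0_e(key->rsa) and RSA_get0_n(key->rsa) are passed as the destinations of pamsshagentauth_buffer_get_bignum, so the parser writes through pointers that the accessors return as const BIGNUM *. That discards const and only works if pamsshagentauth_key_new() has already installed both numbers. The guard is also too wide: OPENSSL_VERSION_NUMBER < 0x10100000L sends OpenSSL 1.1.0 into this branch, but the per-field getters (RSA_get0_n, RSA_get0_e and friends) were added in 1.1.1, while 1.1.0 only offers RSA_get0_key. Suggest parsing into locally allocated BIGNUMs and handing them over with RSA_set0_key, which is available in both 1.1.0 and 1.1.1, or raising the guard to 0x10101000L.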
-@@ -422,9 +432,15 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
- 	}
- 	pamsshagentauth_buffer_init(&buffer);
- 	pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
- 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e);
- 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n);
-+#else
-+	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(RSA_get0_n(key->rsa)));
-+	pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_e(key->rsa));
-+	pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_n(key->rsa));
-+#endif
- 	pamsshagentauth_buffer_put_bignum(&buffer, challenge);
- 	pamsshagentauth_buffer_append(&buffer, session_id, 16);
- 	pamsshagentauth_buffer_put_int(&buffer, response_type);
-@@ -501,6 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
- static void
- ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
- {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n));
- 	pamsshagentauth_buffer_put_bignum(b, key->n);
- 	pamsshagentauth_buffer_put_bignum(b, key->e);
-@@ -509,6 +526,16 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
- 	pamsshagentauth_buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
- 	pamsshagentauth_buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
- 	pamsshagentauth_buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
-+#else
-+	pamsshagentauth_buffer_put_int(b, BN_num_bits(RSA_get0_n(key)));
-+	pamsshagentauth_buffer_put_bignum(b, RSA_get0_n(key));
-+	pamsshagentauth_buffer_put_bignum(b, RSA_get0_e(key));
-+	pamsshagentauth_buffer_put_bignum(b, RSA_get0_d(key));
-+	/* To keep within the protocol: p < q for ssh. in SSL p > q */
-+	pamsshagentauth_buffer_put_bignum(b, RSA_get0_iqmp(key));	/* ssh key->u */
-+	pamsshagentauth_buffer_put_bignum(b, RSA_get0_q(key));	/* ssh key->p, SSL key->q */
-+	pamsshagentauth_buffer_put_bignum(b, RSA_get0_p(key));	/* ssh key->q, SSL key->p */
-+#endif
- 	pamsshagentauth_buffer_put_cstring(b, comment);
- }
- 
-@@ -518,19 +545,36 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
- 	pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key));
- 	switch (key->type) {
- 	case KEY_RSA:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->n);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->e);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->d);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->iqmp);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->p);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->q);
-+#else
-+		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_n(key->rsa));
-+		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_e(key->rsa));
-+		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_d(key->rsa));
-+		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_iqmp(key->rsa));
-+		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_p(key->rsa));
-+		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_q(key->rsa));
-+#endif
- 		break;
- 	case KEY_DSA:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->p);
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->q);
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->g);
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->pub_key);
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->priv_key);
-+#else
-+		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_p(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_q(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_g(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_pub_key(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_priv_key(key->dsa));
-+#endif
- 		break;
- 	}
- 	pamsshagentauth_buffer_put_cstring(b, comment);
-@@ -610,9 +654,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
- 
- 	if (key->type == KEY_RSA1) {
- 		pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n));
- 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e);
- 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n);
-+#else
-+		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(RSA_get0_n(key->rsa)));
-+		pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_e(key->rsa));
-+		pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_n(key->rsa));
-+#endif
- 	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
- 		pamsshagentauth_key_to_blob(key, &blob, &blen);
- 		pamsshagentauth_buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
-diff --git a/bufbn.c b/bufbn.c
-index 6a49c73..4ecedc1 100644
---- a/bufbn.c
-+++ b/bufbn.c
-@@ -151,7 +151,11 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
- 		pamsshagentauth_buffer_put_int(buffer, 0);
- 		return 0;
- 	}
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	if (value->neg) {
-+#else
-+	if (BN_is_negative(value)) {
-+#endif
- 		pamsshagentauth_logerror("buffer_put_bignum2_ret: negative numbers not supported");
- 		return (-1);
- 	}
-diff --git a/cipher.h b/cipher.h
-index 49bbc16..64f59ca 100644
---- a/cipher.h
-+++ b/cipher.h
-@@ -59,15 +59,18 @@
- #define CIPHER_DECRYPT		0
- 
- typedef struct Cipher Cipher;
--typedef struct CipherContext CipherContext;
-+// typedef struct CipherContext CipherContext;
- 
- struct Cipher;
-+/*
- struct CipherContext {
- 	int	plaintext;
- 	EVP_CIPHER_CTX evp;
- 	Cipher *cipher;
- };
-+*/
- 
-+/*
- u_int	 cipher_mask_ssh1(int);
- Cipher	*cipher_by_name(const char *);
- Cipher	*cipher_by_number(int);
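Review bot: Disabling the CipherContext typedef with // and the struct and prototypes with /* ... */ in cipher.h is fragile; the block comment opened before cipher_mask_ssh1 is only closed in the following hunk, and any existing /* */ comment inside that range would end it early. Suggest removing the unused declarations outright or wrapping them in #if 0 / #endif, with a one-line comment saying they reference OpenSSL internals that are opaque in 1.1.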
-@@ -88,4 +91,5 @@ void	 cipher_set_keyiv(CipherContext *, u_char *);
- int	 cipher_get_keyiv_len(const CipherContext *);
- int	 cipher_get_keycontext(const CipherContext *, u_char *);
- void	 cipher_set_keycontext(CipherContext *, u_char *);
-+*/
- #endif				/* CIPHER_H */
-diff --git a/kex.h b/kex.h
-index 8e29c90..81ca57d 100644
---- a/kex.h
-+++ b/kex.h
-@@ -70,7 +70,7 @@ enum kex_exchange {
- #define KEX_INIT_SENT	0x0001
- 
- typedef struct Kex Kex;
--typedef struct Mac Mac;
-+// typedef struct Mac Mac;
- typedef struct Comp Comp;
- typedef struct Enc Enc;
- typedef struct Newkeys Newkeys;
-@@ -84,6 +84,7 @@ struct Enc {
- 	u_char	*key;
- 	u_char	*iv;
- };
-+/*
- struct Mac {
- 	char	*name;
- 	int	enabled;
-@@ -95,11 +96,13 @@ struct Mac {
- 	HMAC_CTX	evp_ctx;
- 	struct umac_ctx *umac_ctx;
- };
-+*/
- struct Comp {
- 	int	type;
- 	int	enabled;
- 	char	*name;
- };
-+/*
- struct Newkeys {
- 	Enc	enc;
- 	Mac	mac;
-@@ -126,7 +129,9 @@ struct Kex {
- 	int	(*host_key_index)(Key *);
- 	void	(*kex[KEX_MAX])(Kex *);
- };
-+*/
- 
-+/*
- Kex	*kex_setup(char *[PROPOSAL_MAX]);
- void	 kex_finish(Kex *);
- 
-@@ -152,6 +157,8 @@ kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
- void
- derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
- 
-+*/
-+
- #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
- void	dump_digest(char *, u_char *, int);
- #endif
-diff --git a/key.c b/key.c
-index 107a442..aedbbb5 100644
---- a/key.c
-+++ b/key.c
-@@ -77,15 +77,21 @@ pamsshagentauth_key_new(int type)
- 	case KEY_RSA:
- 		if ((rsa = RSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: RSA_new failed");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((rsa->n = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
- 		if ((rsa->e = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
-+#else
-+		if (RSA_set0_key(rsa, BN_new(), BN_new(), NULL) != 1)
-+			pamsshagentauth_fatal("key_new: RSA_set0_key failed");
-+#endif
- 		k->rsa = rsa;
- 		break;
- 	case KEY_DSA:
- 		if ((dsa = DSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: DSA_new failed");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((dsa->p = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
- 		if ((dsa->q = BN_new()) == NULL)
-@@ -94,6 +100,12 @@ pamsshagentauth_key_new(int type)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
- 		if ((dsa->pub_key = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
-+#else
-+		if (DSA_set0_pqg(dsa, BN_new(), BN_new(), BN_new()) != 1)
-+			pamsshagentauth_fatal("key_new: DSA_set0_pqg failed");
-+		if (DSA_set0_key(dsa, BN_new(), NULL) != 1)
-+			pamsshagentauth_fatal("key_new: DSA_set0_key failed");
-+#endif
- 		k->dsa = dsa;
- 		break;
- 	case KEY_ECDSA:
-@@ -118,6 +130,7 @@ pamsshagentauth_key_new_private(int type)
- 	switch (k->type) {
- 	case KEY_RSA1:
- 	case KEY_RSA:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((k->rsa->d = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new_private: BN_new failed");
- 		if ((k->rsa->iqmp = BN_new()) == NULL)
-@@ -130,14 +143,30 @@ pamsshagentauth_key_new_private(int type)
- 			pamsshagentauth_fatal("key_new_private: BN_new failed");
- 		if ((k->rsa->dmp1 = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new_private: BN_new failed");
-+#else
-+		if (RSA_set0_key(k->rsa, NULL, NULL, BN_new()) != 1)
-+			pamsshagentauth_fatal("key_new: RSA_set0_key failed");
-+		if (RSA_set0_crt_params(k->rsa, BN_new(), BN_new(), BN_new()) != 1)
-+			pamsshagentauth_fatal("key_new: RSA_set0_crt_params failed");
-+		if (RSA_set0_factors(k->rsa, BN_new(), BN_new()) != 1)
-+			pamsshagentauth_fatal("key_new: RSA_set0_factors failed");
-+#endif
- 		break;
- 	case KEY_DSA:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((k->dsa->priv_key = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new_private: BN_new failed");
-+#else
-+		if (DSA_set0_key(k->dsa, NULL, BN_new()) != 1)
-+			pamsshagentauth_fatal("key_new_private: DSA_set0_key failed");
-+#endif
- 		break;
- 	case KEY_ECDSA:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1)
- 			pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed");
-+#else
-+#endif
- 		break;
- 	case KEY_ED25519:
- 		RAND_bytes(k->ed25519->sk, sizeof(k->ed25519->sk));
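Review bot: In pamsshagentauth_key_new_private, the KEY_ECDSA case now has an empty #else, so on OpenSSL 1.1 no private key BIGNUM is installed at all, while the pre-1.1 branch still calls EC_KEY_set_private_key(k->ecdsa, BN_new()). EC_KEY_set_private_key is a public function and does not need a version guard; if the call is being dropped on purpose, say why in a comment. Separately, the new fatal messages in the RSA branch read "key_new: RSA_set0_key failed" and so on inside key_new_private, which will mislead anyone reading the log; they should use the key_new_private prefix like the DSA line below them.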
-@@ -195,14 +224,26 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
- 	case KEY_RSA1:
- 	case KEY_RSA:
- 		return a->rsa != NULL && b->rsa != NULL &&
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
- 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
-+#else
-+		    BN_cmp(RSA_get0_e(a->rsa), RSA_get0_e(b->rsa)) == 0 &&
-+		    BN_cmp(RSA_get0_n(a->rsa), RSA_get0_n(b->rsa)) == 0;
-+#endif
- 	case KEY_DSA:
- 		return a->dsa != NULL && b->dsa != NULL &&
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
- 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
- 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
- 		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
-+#else
-+		    BN_cmp(DSA_get0_p(a->dsa), DSA_get0_p(b->dsa)) == 0 &&
-+		    BN_cmp(DSA_get0_q(a->dsa), DSA_get0_q(b->dsa)) == 0 &&
-+		    BN_cmp(DSA_get0_g(a->dsa), DSA_get0_g(b->dsa)) == 0 &&
-+		    BN_cmp(DSA_get0_pub_key(a->dsa), DSA_get0_pub_key(b->dsa)) == 0;
-+#endif
- 	case KEY_ECDSA:
- 		return a->ecdsa != NULL && b->ecdsa != NULL &&
- 			EC_KEY_check_key(a->ecdsa) == 1 &&
-@@ -231,7 +272,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
-     u_int *dgst_raw_length)
- {
- 	const EVP_MD *md = NULL;
--	EVP_MD_CTX ctx;
-+	EVP_MD_CTX *ctx;
- 	u_char *blob = NULL;
- 	u_char *retval = NULL;
- 	u_int len = 0;
-@@ -252,12 +293,21 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
- 	}
- 	switch (k->type) {
- 	case KEY_RSA1:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		nlen = BN_num_bytes(k->rsa->n);
- 		elen = BN_num_bytes(k->rsa->e);
- 		len = nlen + elen;
- 		blob = pamsshagentauth_xmalloc(len);
- 		BN_bn2bin(k->rsa->n, blob);
- 		BN_bn2bin(k->rsa->e, blob + nlen);
-+#else
-+		nlen = BN_num_bytes(RSA_get0_n(k->rsa));
-+		elen = BN_num_bytes(RSA_get0_e(k->rsa));
-+		len = nlen + elen;
-+		blob = pamsshagentauth_xmalloc(len);
-+		BN_bn2bin(RSA_get0_n(k->rsa), blob);
-+		BN_bn2bin(RSA_get0_e(k->rsa), blob + nlen);
-+#endif
- 		break;
- 	case KEY_DSA:
- 	case KEY_ECDSA:
-@@ -273,11 +323,14 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
- 	}
- 	if (blob != NULL) {
- 		retval = pamsshagentauth_xmalloc(EVP_MAX_MD_SIZE);
--		EVP_DigestInit(&ctx, md);
--		EVP_DigestUpdate(&ctx, blob, len);
--		EVP_DigestFinal(&ctx, retval, dgst_raw_length);
-+		/* XXX Errors from EVP_* functions are not hadled */
-+		ctx = EVP_MD_CTX_create();
-+		EVP_DigestInit(ctx, md);
-+		EVP_DigestUpdate(ctx, blob, len);
-+		EVP_DigestFinal(ctx, retval, dgst_raw_length);
- 		memset(blob, 0, len);
- 		pamsshagentauth_xfree(blob);
-+		EVP_MD_CTX_destroy(ctx);
- 	} else {
- 		pamsshagentauth_fatal("key_fingerprint_raw: blob is null");
- 	}
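Review bot: In pamsshagentauth_key_fingerprint_raw, the result of EVP_MD_CTX_create() is used without a NULL check, and the added XXX comment acknowledges that the EVP_Digest* return values are ignored. With the context now heap allocated, an allocation failure turns into a NULL dereference in EVP_DigestInit, and a failed digest would leave retval holding uninitialised bytes that are then treated as the key fingerprint. Suggest failing through pamsshagentauth_fatal when ctx is NULL or when any of the three EVP_Digest* calls does not return 1.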
-@@ -457,10 +510,17 @@ pamsshagentauth_key_read(Key *ret, char **cpp)
- 			return -1;
- 		*cpp = cp;
- 		/* Get public exponent, public modulus. */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if (!read_bignum(cpp, ret->rsa->e))
- 			return -1;
- 		if (!read_bignum(cpp, ret->rsa->n))
- 			return -1;
-+#else
-+		if (!read_bignum(cpp, RSA_get0_e(ret->rsa)))
-+			return -1;
-+		if (!read_bignum(cpp, RSA_get0_n(ret->rsa)))
-+			return -1;
-+#endif
- 		success = 1;
- 		break;
- 	case KEY_UNSPEC:
-@@ -583,10 +643,17 @@ pamsshagentauth_key_write(const Key *key, FILE *f)
- 
- 	if (key->type == KEY_RSA1 && key->rsa != NULL) {
- 		/* size of modulus 'n' */
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		bits = BN_num_bits(key->rsa->n);
- 		fprintf(f, "%u", bits);
- 		if (write_bignum(f, key->rsa->e) &&
- 		    write_bignum(f, key->rsa->n)) {
-+#else
-+		bits = BN_num_bits(RSA_get0_n(key->rsa));
-+		fprintf(f, "%u", bits);
-+		if (write_bignum(f, RSA_get0_e(key->rsa)) &&
-+		    write_bignum(f, RSA_get0_n(key->rsa))) {
-+#endif
- 			success = 1;
- 		} else {
- 			pamsshagentauth_logerror("key_write: failed for RSA key");
-@@ -675,10 +742,17 @@ pamsshagentauth_key_size(const Key *k)
- {
- 	switch (k->type) {
- 	case KEY_RSA1:
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	case KEY_RSA:
- 		return BN_num_bits(k->rsa->n);
- 	case KEY_DSA:
- 		return BN_num_bits(k->dsa->p);
-+#else
-+	case KEY_RSA:
-+		return BN_num_bits(RSA_get0_n(k->rsa));
-+	case KEY_DSA:
-+		return BN_num_bits(DSA_get0_p(k->dsa));
-+#endif
- 	case KEY_ECDSA:
- 	{
- 		int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(k->ecdsa));
-@@ -769,17 +843,29 @@ pamsshagentauth_key_from_private(const Key *k)
- 	switch (k->type) {
- 	case KEY_DSA:
- 		n = pamsshagentauth_key_new(k->type);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
- 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
- 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
- 		    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
-+#else
-+		if ((BN_copy(DSA_get0_p(n->dsa), DSA_get0_p(k->dsa)) == NULL) ||
-+		    (BN_copy(DSA_get0_q(n->dsa), DSA_get0_q(k->dsa)) == NULL) ||
-+		    (BN_copy(DSA_get0_g(n->dsa), DSA_get0_g(k->dsa)) == NULL) ||
-+		    (BN_copy(DSA_get0_pub_key(n->dsa), DSA_get0_pub_key(k->dsa)) == NULL))
-+#endif
- 			pamsshagentauth_fatal("key_from_private: BN_copy failed");
- 		break;
- 	case KEY_RSA:
- 	case KEY_RSA1:
- 		n = pamsshagentauth_key_new(k->type);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
- 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
-+#else
-+		if ((BN_copy(RSA_get0_n(n->rsa), RSA_get0_n(k->rsa)) == NULL) ||
-+		    (BN_copy(RSA_get0_e(n->rsa), RSA_get0_e(k->rsa)) == NULL))
-+#endif
- 			pamsshagentauth_fatal("key_from_private: BN_copy failed");
- 		break;
- 	case KEY_ECDSA:
-@@ -881,8 +967,13 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
- 	switch (type) {
- 	case KEY_RSA:
- 		key = pamsshagentauth_key_new(type);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
-+#else
-+		if (pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_e(key->rsa)) == -1 ||
-+		    pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_n(key->rsa)) == -1) {
-+#endif
- 			pamsshagentauth_logerror("key_from_blob: can't read rsa key");
- 			pamsshagentauth_key_free(key);
- 			key = NULL;
-@@ -894,10 +985,17 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
- 		break;
- 	case KEY_DSA:
- 		key = pamsshagentauth_key_new(type);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
-+#else
-+		if (pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_p(key->dsa)) == -1 ||
-+		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_q(key->dsa)) == -1 ||
-+		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_g(key->dsa)) == -1 ||
-+		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_pub_key(key->dsa)) == -1) {
-+#endif
- 			pamsshagentauth_logerror("key_from_blob: can't read dsa key");
- 			pamsshagentauth_key_free(key);
- 			key = NULL;
-@@ -1015,6 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
- 	}
- 	pamsshagentauth_buffer_init(&b);
- 	switch (key->type) {
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	case KEY_DSA:
- 		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
- 		pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p);
-@@ -1027,6 +1126,20 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
- 		pamsshagentauth_buffer_put_bignum2(&b, key->rsa->e);
- 		pamsshagentauth_buffer_put_bignum2(&b, key->rsa->n);
- 		break;
-+#else
-+	case KEY_DSA:
-+		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
-+		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_p(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_q(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_g(key->dsa));
-+		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_pub_key(key->dsa));
-+		break;
-+	case KEY_RSA:
-+		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
-+		pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_e(key->rsa));
-+		pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_n(key->rsa));
-+		break;
-+#endif
- 	case KEY_ECDSA:
- 	{
- 		size_t l = 0;
-@@ -1138,14 +1251,20 @@ pamsshagentauth_key_demote(const Key *k)
- 	case KEY_RSA:
- 		if ((pk->rsa = RSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_demote: RSA_new failed");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
- 		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
-+#else
-+		if (RSA_set0_key(pk->rsa, BN_dup(RSA_get0_n(k->rsa)), BN_dup(RSA_get0_e(k->rsa)), NULL) != 1)
-+			pamsshagentauth_fatal("key_demote: RSA_set0_key failed");
-+#endif
- 		break;
- 	case KEY_DSA:
- 		if ((pk->dsa = DSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_demote: DSA_new failed");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
- 		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
-@@ -1154,6 +1273,12 @@ pamsshagentauth_key_demote(const Key *k)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
- 		if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
-+#else
-+		if (DSA_set0_pqg(pk->dsa, BN_dup(DSA_get0_p(k->dsa)), BN_dup(DSA_get0_q(k->dsa)), BN_dup(DSA_get0_g(k->dsa))) != 1)
-+			pamsshagentauth_fatal("key_demote: DSA_set0_pqg failed");
-+		if (DSA_set0_key(pk->dsa, BN_dup(DSA_get0_pub_key(k->dsa)), NULL) != 1)
-+			pamsshagentauth_fatal("key_demote: DSA_set0_key failed");
-+#endif
- 		break;
- 	case KEY_ECDSA:
- 		pamsshagentauth_fatal("key_demote: implement me");
-diff --git a/ssh-dss.c b/ssh-dss.c
-index 9fdaa5d..1051ae2 100644
---- a/ssh-dss.c
-+++ b/ssh-dss.c
-@@ -48,37 +48,53 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
- {
- 	DSA_SIG *sig;
- 	const EVP_MD *evp_md = EVP_sha1();
--	EVP_MD_CTX md;
-+	EVP_MD_CTX *md;
- 	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
- 	u_int rlen, slen, len, dlen;
- 	Buffer b;
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	const BIGNUM *r, *s;
-+#endif
- 
- 	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
- 		pamsshagentauth_logerror("ssh_dss_sign: no DSA key");
- 		return -1;
- 	}
--	EVP_DigestInit(&md, evp_md);
--	EVP_DigestUpdate(&md, data, datalen);
--	EVP_DigestFinal(&md, digest, &dlen);
-+	md = EVP_MD_CTX_create();
-+	EVP_DigestInit(md, evp_md);
-+	EVP_DigestUpdate(md, data, datalen);
-+	EVP_DigestFinal(md, digest, &dlen);
- 
- 	sig = DSA_do_sign(digest, dlen, key->dsa);
- 	memset(digest, 'd', sizeof(digest));
-+	EVP_MD_CTX_destroy(md);
- 
- 	if (sig == NULL) {
- 		pamsshagentauth_logerror("ssh_dss_sign: sign failed");
- 		return -1;
- 	}
- 
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	rlen = BN_num_bytes(sig->r);
- 	slen = BN_num_bytes(sig->s);
-+#else
-+	DSA_SIG_get0((const DSA_SIG *)sig, (const BIGNUM **)r, (const BIGNUM **)s);
-+	rlen = BN_num_bytes(r);
-+	slen = BN_num_bytes(s);
-+#endif
- 	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
- 		pamsshagentauth_logerror("bad sig size %u %u", rlen, slen);
- 		DSA_SIG_free(sig);
- 		return -1;
- 	}
- 	memset(sigblob, 0, SIGBLOB_LEN);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
- 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
-+#else
-+	BN_bn2bin(r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
-+	BN_bn2bin(s, sigblob+ SIGBLOB_LEN - slen);
-+#endif
- 	DSA_SIG_free(sig);
- 
- 	if (datafellows & SSH_BUG_SIGBLOB) {
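Review bot: In the #else branch of ssh_dss_sign, the call DSA_SIG_get0((const DSA_SIG *)sig, (const BIGNUM **)r, (const BIGNUM **)s) passes the uninitialised pointer values r and s cast to pointer-to-pointer, instead of their addresses. DSA_SIG_get0 will store through those garbage addresses, and r and s stay unset for the BN_num_bytes and BN_bn2bin calls that follow. It should read DSA_SIG_get0(sig, &r, &s), with no casts, since r and s are already declared const BIGNUM *. The md returned by EVP_MD_CTX_create() is also used without a NULL check.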
-@@ -110,11 +126,14 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
- {
- 	DSA_SIG *sig;
- 	const EVP_MD *evp_md = EVP_sha1();
--	EVP_MD_CTX md;
-+	EVP_MD_CTX *md;
- 	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
- 	u_int len, dlen;
- 	int rlen, ret;
- 	Buffer b;
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	BIGNUM *r, *s;
-+#endif
- 
- 	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
- 		pamsshagentauth_logerror("ssh_dss_verify: no DSA key");
-@@ -157,6 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 	/* parse signature */
- 	if ((sig = DSA_SIG_new()) == NULL)
- 		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed");
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	if ((sig->r = BN_new()) == NULL)
- 		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
- 	if ((sig->s = BN_new()) == NULL)
-@@ -164,18 +184,33 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 	if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
- 	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
- 		pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed");
-+#else
-+	if ((r = BN_new()) == NULL)
-+		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
-+	if ((s = BN_new()) == NULL)
-+		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
-+	if (DSA_SIG_set0(sig, r, s) != 1)
-+		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed");
-+	if ((BN_bin2bn(sigblob, INTBLOB_LEN, r) == NULL) ||
-+	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, s) == NULL))
-+		pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed");
-+	if (DSA_SIG_set0(sig, r, s) != 1)
-+		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed");
-+#endif
- 
- 	/* clean up */
- 	memset(sigblob, 0, len);
- 	pamsshagentauth_xfree(sigblob);
- 
- 	/* sha1 the data */
--	EVP_DigestInit(&md, evp_md);
--	EVP_DigestUpdate(&md, data, datalen);
--	EVP_DigestFinal(&md, digest, &dlen);
-+	md = EVP_MD_CTX_create();
-+	EVP_DigestInit(md, evp_md);
-+	EVP_DigestUpdate(md, data, datalen);
-+	EVP_DigestFinal(md, digest, &dlen);
- 
- 	ret = DSA_do_verify(digest, dlen, sig, key->dsa);
- 	memset(digest, 'd', sizeof(digest));
-+	EVP_MD_CTX_destroy(md);
- 
- 	DSA_SIG_free(sig);
- 
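Review bot: In the #else branch of ssh_dss_verify, DSA_SIG_set0(sig, r, s) is called twice with the same r and s, once before and once after BN_bin2bn. set0 transfers ownership of r and s to sig, and a later set0 releases whatever sig already holds before storing the new values, so the second call frees the very BIGNUMs it then installs and DSA_do_verify runs on freed memory. Keep a single DSA_SIG_set0 call, placed after the BN_bin2bn parsing has succeeded. The EVP_MD_CTX_create() result and the EVP_Digest* return values are unchecked here as well.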
-diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
-index efa0f3d..c213959 100644
---- a/ssh-ecdsa.c
-+++ b/ssh-ecdsa.c
-@@ -41,22 +41,27 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
- {
-     ECDSA_SIG *sig;
-     const EVP_MD *evp_md = evp_from_key(key);
--    EVP_MD_CTX md;
-+    EVP_MD_CTX *md;
-     u_char digest[EVP_MAX_MD_SIZE];
-     u_int len, dlen;
-     Buffer b, bb;
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	BIGNUM *r, *s;
-+#endif
- 
-     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
-         pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key");
-         return -1;
-     }
- 
--    EVP_DigestInit(&md, evp_md);
--    EVP_DigestUpdate(&md, data, datalen);
--    EVP_DigestFinal(&md, digest, &dlen);
-+    md = EVP_MD_CTX_create();
-+    EVP_DigestInit(md, evp_md);
-+    EVP_DigestUpdate(md, data, datalen);
-+    EVP_DigestFinal(md, digest, &dlen);
- 
-     sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
-     memset(digest, 'd', sizeof(digest));
-+    EVP_MD_CTX_destroy(md);
- 
-     if (sig == NULL) {
-         pamsshagentauth_logerror("ssh_ecdsa_sign: sign failed");
-@@ -64,8 +69,14 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-     }
- 
-     pamsshagentauth_buffer_init(&bb);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-     if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 ||
-         pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) {
-+#else
-+    DSA_SIG_get0(sig, &r, &s);
-+    if (pamsshagentauth_buffer_get_bignum2_ret(&bb, r) == -1 ||
-+        pamsshagentauth_buffer_get_bignum2_ret(&bb, s) == -1) {
-+#endif
-         pamsshagentauth_logerror("couldn't serialize signature");
-         ECDSA_SIG_free(sig);
-         return -1;
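Review bot: In the #else branch of ssh_ecdsa_sign, sig is an ECDSA_SIG * but the accessor called is DSA_SIG_get0(sig, &r, &s), which takes a DSA_SIG *; this should be ECDSA_SIG_get0. The locals are declared as BIGNUM *r, *s in the previous hunk, whereas the get0 accessors fill in const BIGNUM * values, so the declaration should be const BIGNUM *r, *s as was done in ssh_dss_sign. The compiler warnings for both mismatches should not be silenced with casts.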
-@@ -94,11 +105,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- {
-     ECDSA_SIG *sig;
-     const EVP_MD *evp_md = evp_from_key(key);
--    EVP_MD_CTX md;
-+    EVP_MD_CTX *md;
-     u_char digest[EVP_MAX_MD_SIZE], *sigblob;
-     u_int len, dlen;
-     int rlen, ret;
-     Buffer b;
-+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+	BIGNUM *r, *s;
-+#endif
- 
-     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
-         pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key");
-@@ -127,8 +141,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 
-     pamsshagentauth_buffer_init(&b);
-     pamsshagentauth_buffer_append(&b, sigblob, len);
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
-     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
-         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
-+#else
-+    DSA_SIG_get0(sig, &r, &s);
-+    if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
-+        (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
-+#endif
-         pamsshagentauth_fatal("ssh_ecdsa_verify:"
-             "pamsshagentauth_buffer_get_bignum2_ret failed");
- 
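Review bot: In the #else branch of ssh_ecdsa_verify, the pointers obtained from DSA_SIG_get0(sig, &r, &s) are used as the destinations of pamsshagentauth_buffer_get_bignum2_ret, so untrusted signature bytes are parsed into whatever the signature object currently holds, through an accessor meant for read-only access and for a different signature type. The ssh_dss_verify change in this same patch allocates r and s with BN_new() and hands them to the signature with a set0 call; this hunk should follow that pattern with ECDSA_SIG_set0, checking BN_new() for NULL and calling set0 once after both values have parsed.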
-@@ -137,16 +157,18 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
-     pamsshagentauth_xfree(sigblob);
- 
-     /* sha256 the data */
--    EVP_DigestInit(&md, evp_md);
--    EVP_DigestUpdate(&md, data, datalen);
--    EVP_DigestFinal(&md, digest, &dlen);
-+    md = EVP_MD_CTX_create();
-+    EVP_DigestInit(md, evp_md);
-+    EVP_DigestUpdate(md, data, datalen);
-+    EVP_DigestFinal(md, digest, &dlen);
- 
-     ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
-     memset(digest, 'd', sizeof(digest));
-+    EVP_MD_CTX_destroy(md);
- 
-     ECDSA_SIG_free(sig);
- 
-     pamsshagentauth_verbose("ssh_ecdsa_verify: signature %s",
-         ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
-     return ret;
--}
-\ No newline at end of file
-+}
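Review bot: `md = EVP_MD_CTX_create();` can return NULL and the result goes straight into `EVP_DigestInit(md, evp_md)`. The return values of the three EVP_Digest* calls are not checked either, so a failed digest leaves `digest` and `dlen` unset when they reach `ECDSA_do_verify`. Check the allocation and each digest call, and on failure free `sig` and return -1 before verifying.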
-diff --git a/ssh-rsa.c b/ssh-rsa.c
-index d05844b..9d74eb6 100644
---- a/ssh-rsa.c
-+++ b/ssh-rsa.c
-@@ -40,7 +40,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-     const u_char *data, u_int datalen)
- {
- 	const EVP_MD *evp_md;
--	EVP_MD_CTX md;
-+	EVP_MD_CTX *md;
- 	u_char digest[EVP_MAX_MD_SIZE], *sig;
- 	u_int slen, dlen, len;
- 	int ok, nid;
-@@ -55,6 +55,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
- 		pamsshagentauth_logerror("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
- 		return -1;
- 	}
-+	md = EVP_MD_CTX_create();
- 	EVP_DigestInit(&md, evp_md);
- 	EVP_DigestUpdate(&md, data, datalen);
- 	EVP_DigestFinal(&md, digest, &dlen);
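Review bot: after this hunk `md` is an `EVP_MD_CTX *`, but the three unchanged lines that follow the new `EVP_MD_CTX_create()` call still pass `&md`, so ssh_rsa_sign hands OpenSSL an `EVP_MD_CTX **` instead of the allocated context. Change them to `EVP_DigestInit(md, evp_md)`, `EVP_DigestUpdate(md, data, datalen)` and `EVP_DigestFinal(md, digest, &dlen)`, as the ssh_rsa_verify hunk of this patch does, and check that `EVP_MD_CTX_create()` did not return NULL.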
-@@ -64,6 +65,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
- 
- 	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
- 	memset(digest, 'd', sizeof(digest));
-+	EVP_MD_CTX_destroy(md);
- 
- 	if (ok != 1) {
- 		int ecode = ERR_get_error();
-@@ -107,7 +109,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- {
- 	Buffer b;
- 	const EVP_MD *evp_md;
--	EVP_MD_CTX md;
-+	EVP_MD_CTX *md;
- 	char *ktype;
- 	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
- 	u_int len, dlen, modlen;
-@@ -117,9 +119,17 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 		pamsshagentauth_logerror("ssh_rsa_verify: no RSA key");
- 		return -1;
- 	}
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-+#else
-+	if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
-+#endif
- 		pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
-+#if OPENSSL_VERSION_NUMBER < 0x10100000L
- 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
-+#else
-+		    BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE);
-+#endif
- 		return -1;
- 	}
- 	pamsshagentauth_buffer_init(&b);
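Review bot: the minimum-modulus check in ssh_rsa_verify now carries two separate #if blocks, and the second one splits the argument list of `pamsshagentauth_logerror`. Read the bit count once into a local variable under a single #if and use that variable in both the comparison and the log call, so the enforced value and the logged value cannot drift apart in a later edit.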
-@@ -161,12 +171,14 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 		pamsshagentauth_xfree(sigblob);
- 		return -1;
- 	}
--	EVP_DigestInit(&md, evp_md);
--	EVP_DigestUpdate(&md, data, datalen);
--	EVP_DigestFinal(&md, digest, &dlen);
-+	md = EVP_MD_CTX_create();
-+	EVP_DigestInit(md, evp_md);
-+	EVP_DigestUpdate(md, data, datalen);
-+	EVP_DigestFinal(md, digest, &dlen);
- 
- 	ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
- 	memset(digest, 'd', sizeof(digest));
-+	EVP_MD_CTX_destroy(md);
- 	memset(sigblob, 's', len);
- 	pamsshagentauth_xfree(sigblob);
- 	pamsshagentauth_verbose("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
-
-From 4dc87369134f215378042ec4d971a4fe48d1a02b Mon Sep 17 00:00:00 2001
-From: Guido Falsi <mad@madpilot.net>
-Date: Wed, 24 Oct 2018 20:36:15 +0200
-Subject: [PATCH 2/2] Check against the correct OPENSSL_VERSION_NUMBER
-
-Alexey Dokuchaev (a fellow FreeBSD developer) pointed out to me the opaque structures were introduced in 1.1.0-pre
-5, so the correct OPENSSL_VERSION_NUMBER to discriminate is 0x10100005L.
----
- authfd.c    | 12 ++++++------
- bufbn.c     |  2 +-
- key.c       | 36 ++++++++++++++++++------------------
- ssh-dss.c   | 10 +++++-----
- ssh-ecdsa.c |  8 ++++----
- ssh-rsa.c   |  4 ++--
- 6 files changed, 36 insertions(+), 36 deletions(-)
-
-diff --git a/authfd.c b/authfd.c
-index 35f8de1..01d1d89 100644
---- a/authfd.c
-+++ b/authfd.c
-@@ -372,7 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
- 	case 1:
- 		key = pamsshagentauth_key_new(KEY_RSA1);
- 		bits = pamsshagentauth_buffer_get_int(&auth->identities);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e);
- 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n);
- 		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
-@@ -432,7 +432,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
- 	}
- 	pamsshagentauth_buffer_init(&buffer);
- 	pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
- 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e);
- 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n);
-@@ -517,7 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
- static void
- ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
- {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n));
- 	pamsshagentauth_buffer_put_bignum(b, key->n);
- 	pamsshagentauth_buffer_put_bignum(b, key->e);
-@@ -545,7 +545,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
- 	pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key));
- 	switch (key->type) {
- 	case KEY_RSA:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->n);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->e);
- 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->d);
-@@ -562,7 +562,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
- #endif
- 		break;
- 	case KEY_DSA:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->p);
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->q);
- 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->g);
-@@ -654,7 +654,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
- 
- 	if (key->type == KEY_RSA1) {
- 		pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n));
- 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e);
- 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n);
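Review bot: the threshold `0x10100005L` is written out literally in every #if in authfd.c and, per the diffstat, in five more files, which is why correcting it took 36 one-line changes. Define one feature macro in a shared header (for example a hypothetical `PAMSSHAGENTAUTH_OPAQUE_OPENSSL` set from `OPENSSL_VERSION_NUMBER >= 0x10100005L`) and test that everywhere, so the next correction is a single line and no guard can be left behind on the old value.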
-diff --git a/bufbn.c b/bufbn.c
-index 4ecedc1..b4754cc 100644
---- a/bufbn.c
-+++ b/bufbn.c
-@@ -151,7 +151,7 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
- 		pamsshagentauth_buffer_put_int(buffer, 0);
- 		return 0;
- 	}
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	if (value->neg) {
- #else
- 	if (BN_is_negative(value)) {
-diff --git a/key.c b/key.c
-index aedbbb5..dcc5fc8 100644
---- a/key.c
-+++ b/key.c
-@@ -77,7 +77,7 @@ pamsshagentauth_key_new(int type)
- 	case KEY_RSA:
- 		if ((rsa = RSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: RSA_new failed");
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((rsa->n = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
- 		if ((rsa->e = BN_new()) == NULL)
-@@ -91,7 +91,7 @@ pamsshagentauth_key_new(int type)
- 	case KEY_DSA:
- 		if ((dsa = DSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: DSA_new failed");
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((dsa->p = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new: BN_new failed");
- 		if ((dsa->q = BN_new()) == NULL)
-@@ -130,7 +130,7 @@ pamsshagentauth_key_new_private(int type)
- 	switch (k->type) {
- 	case KEY_RSA1:
- 	case KEY_RSA:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((k->rsa->d = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new_private: BN_new failed");
- 		if ((k->rsa->iqmp = BN_new()) == NULL)
-@@ -153,7 +153,7 @@ pamsshagentauth_key_new_private(int type)
- #endif
- 		break;
- 	case KEY_DSA:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((k->dsa->priv_key = BN_new()) == NULL)
- 			pamsshagentauth_fatal("key_new_private: BN_new failed");
- #else
-@@ -162,7 +162,7 @@ pamsshagentauth_key_new_private(int type)
- #endif
- 		break;
- 	case KEY_ECDSA:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1)
- 			pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed");
- #else
-@@ -224,7 +224,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
- 	case KEY_RSA1:
- 	case KEY_RSA:
- 		return a->rsa != NULL && b->rsa != NULL &&
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
- 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
- #else
-@@ -233,7 +233,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
- #endif
- 	case KEY_DSA:
- 		return a->dsa != NULL && b->dsa != NULL &&
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
- 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
- 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
-@@ -293,7 +293,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
- 	}
- 	switch (k->type) {
- 	case KEY_RSA1:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		nlen = BN_num_bytes(k->rsa->n);
- 		elen = BN_num_bytes(k->rsa->e);
- 		len = nlen + elen;
-@@ -510,7 +510,7 @@ pamsshagentauth_key_read(Key *ret, char **cpp)
- 			return -1;
- 		*cpp = cp;
- 		/* Get public exponent, public modulus. */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if (!read_bignum(cpp, ret->rsa->e))
- 			return -1;
- 		if (!read_bignum(cpp, ret->rsa->n))
-@@ -643,7 +643,7 @@ pamsshagentauth_key_write(const Key *key, FILE *f)
- 
- 	if (key->type == KEY_RSA1 && key->rsa != NULL) {
- 		/* size of modulus 'n' */
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		bits = BN_num_bits(key->rsa->n);
- 		fprintf(f, "%u", bits);
- 		if (write_bignum(f, key->rsa->e) &&
-@@ -742,7 +742,7 @@ pamsshagentauth_key_size(const Key *k)
- {
- 	switch (k->type) {
- 	case KEY_RSA1:
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	case KEY_RSA:
- 		return BN_num_bits(k->rsa->n);
- 	case KEY_DSA:
-@@ -843,7 +843,7 @@ pamsshagentauth_key_from_private(const Key *k)
- 	switch (k->type) {
- 	case KEY_DSA:
- 		n = pamsshagentauth_key_new(k->type);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
- 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
- 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
-@@ -859,7 +859,7 @@ pamsshagentauth_key_from_private(const Key *k)
- 	case KEY_RSA:
- 	case KEY_RSA1:
- 		n = pamsshagentauth_key_new(k->type);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
- 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
- #else
-@@ -967,7 +967,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
- 	switch (type) {
- 	case KEY_RSA:
- 		key = pamsshagentauth_key_new(type);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
- #else
-@@ -985,7 +985,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
- 		break;
- 	case KEY_DSA:
- 		key = pamsshagentauth_key_new(type);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
- 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
-@@ -1113,7 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
- 	}
- 	pamsshagentauth_buffer_init(&b);
- 	switch (key->type) {
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	case KEY_DSA:
- 		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
- 		pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p);
-@@ -1251,7 +1251,7 @@ pamsshagentauth_key_demote(const Key *k)
- 	case KEY_RSA:
- 		if ((pk->rsa = RSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_demote: RSA_new failed");
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
- 		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
-@@ -1264,7 +1264,7 @@ pamsshagentauth_key_demote(const Key *k)
- 	case KEY_DSA:
- 		if ((pk->dsa = DSA_new()) == NULL)
- 			pamsshagentauth_fatal("key_demote: DSA_new failed");
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
- 			pamsshagentauth_fatal("key_demote: BN_dup failed");
- 		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
-diff --git a/ssh-dss.c b/ssh-dss.c
-index 1051ae2..9b96274 100644
---- a/ssh-dss.c
-+++ b/ssh-dss.c
-@@ -52,7 +52,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
- 	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
- 	u_int rlen, slen, len, dlen;
- 	Buffer b;
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
- 	const BIGNUM *r, *s;
- #endif
- 
-@@ -74,7 +74,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
- 		return -1;
- 	}
- 
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	rlen = BN_num_bytes(sig->r);
- 	slen = BN_num_bytes(sig->s);
- #else
-@@ -88,7 +88,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
- 		return -1;
- 	}
- 	memset(sigblob, 0, SIGBLOB_LEN);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
- 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
- #else
-@@ -131,7 +131,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 	u_int len, dlen;
- 	int rlen, ret;
- 	Buffer b;
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
- 	BIGNUM *r, *s;
- #endif
- 
-@@ -176,7 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 	/* parse signature */
- 	if ((sig = DSA_SIG_new()) == NULL)
- 		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed");
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	if ((sig->r = BN_new()) == NULL)
- 		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
- 	if ((sig->s = BN_new()) == NULL)
-diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
-index c213959..5b13b30 100644
---- a/ssh-ecdsa.c
-+++ b/ssh-ecdsa.c
-@@ -45,7 +45,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-     u_char digest[EVP_MAX_MD_SIZE];
-     u_int len, dlen;
-     Buffer b, bb;
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
- 	BIGNUM *r, *s;
- #endif
- 
-@@ -69,7 +69,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
-     }
- 
-     pamsshagentauth_buffer_init(&bb);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
-     if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 ||
-         pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) {
- #else
-@@ -110,7 +110,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
-     u_int len, dlen;
-     int rlen, ret;
-     Buffer b;
--#if OPENSSL_VERSION_NUMBER >= 0x10100000L
-+#if OPENSSL_VERSION_NUMBER >= 0x10100005L
- 	BIGNUM *r, *s;
- #endif
- 
-@@ -141,7 +141,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 
-     pamsshagentauth_buffer_init(&b);
-     pamsshagentauth_buffer_append(&b, sigblob, len);
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
-     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
-         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
- #else
-diff --git a/ssh-rsa.c b/ssh-rsa.c
-index 9d74eb6..35f2e36 100644
---- a/ssh-rsa.c
-+++ b/ssh-rsa.c
-@@ -119,13 +119,13 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
- 		pamsshagentauth_logerror("ssh_rsa_verify: no RSA key");
- 		return -1;
- 	}
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
- #else
- 	if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
- #endif
- 		pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
--#if OPENSSL_VERSION_NUMBER < 0x10100000L
-+#if OPENSSL_VERSION_NUMBER < 0x10100005L
- 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
- #else
- 		    BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE);

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
index 37eb86d8b47..0f805773108 100644
--- a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -12,7 +12,8 @@ if [[ ${PV} == *9999 ]] ; then
 	EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git"
 	inherit git-r3
 else
-	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
+	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2
+	https://dev.gentoo.org/~juippis/distfiles/tmp/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch"
 	KEYWORDS="~amd64 ~arm ~x86"
 fi
 
@@ -21,7 +22,7 @@ SLOT="0"
 IUSE=""
 
 PATCHES=(
-	"${FILESDIR}/${P}-openssl-1.1.1.patch"
+	"${DISTDIR}/${P}-openssl-1.1.1.patch"
 )
 DEPEND="sys-libs/pam
 	dev-libs/openssl:0="
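Review bot: `PATCHES` now takes the OpenSSL patch from `${DISTDIR}`, and the SRC_URI hunk above fetches it from `https://dev.gentoo.org/~juippis/distfiles/tmp/`. A `tmp/` path in a developer's webspace is a fragile source for a patch applied to a PAM authentication module. Host it at a stable location, and confirm the Manifest carries a DIST entry with checksums for the patch so the fetched file is verified before it is applied.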

diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
index 12b2fba91df..0f805773108 100644
--- a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2019 Gentoo Authors
+# Copyright 1999-2020 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=7
@@ -12,7 +12,8 @@ if [[ ${PV} == *9999 ]] ; then
 	EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git"
 	inherit git-r3
 else
-	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
+	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2
+	https://dev.gentoo.org/~juippis/distfiles/tmp/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch"
 	KEYWORDS="~amd64 ~arm ~x86"
 fi
 
@@ -20,6 +21,9 @@ LICENSE="MIT"
 SLOT="0"
 IUSE=""
 
+PATCHES=(
+	"${DISTDIR}/${P}-openssl-1.1.1.patch"
+)
 DEPEND="sys-libs/pam
 	dev-libs/openssl:0="
 
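Review bot: `PATCHES` is added outside the `if [[ ${PV} == *9999 ]]` block, but the patch URL is only added to SRC_URI in the `else` branch, and in the live ebuild `${P}` expands to pam_ssh_agent_auth-9999, so `${DISTDIR}/${P}-openssl-1.1.1.patch` names a file that is never fetched. Move `PATCHES` into the non-live branch or drop it from the 9999 ebuild.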



end of thread, other threads:[~2020-11-15 15:31 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-05-21 14:30 [gentoo-commits] repo/gentoo:master commit in: sys-auth/pam_ssh_agent_auth/, sys-auth/pam_ssh_agent_auth/files/ Andreas Sturmlechner
  -- strict thread matches above, loose matches on Subject: below --
2020-11-15 15:31 Joonas Niilola
2018-11-02 19:51 Robin H. Johnson
