13 files changed, 216 insertions, 253 deletions

diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 6ecfb93d5..ab1a3e315 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $
+# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
 
 OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
 
-COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o
+COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
 
 PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
 
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index eac073cc0..09dbfda16 100644
--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -87,7 +87,7 @@ _rs_stir(void)
                 _rs_init(rnd, sizeof(rnd));
         } else
                 _rs_rekey(rnd, sizeof(rnd));
-        memset(rnd, 0, sizeof(rnd));
+        explicit_bzero(rnd, sizeof(rnd));
 
         /* invalidate rs_buf */
         rs_have = 0;
@@ -229,7 +229,7 @@ arc4random_buf(void *_buf, size_t n)
                 buf[i] = r & 0xff;
                 r >>= 8;
         }
-        i = r = 0;
+        explicit_bzero(&r, sizeof(r));
 }
 #endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
 
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 267e77a11..a2d82126d 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -57,6 +57,22 @@ check_ntsec(const char *filename)
         return (pathconf(filename, _PC_POSIX_PERMISSIONS));
 }
 
+const char *
+cygwin_ssh_privsep_user()
+{
+  static char cyg_privsep_user[DNLEN + UNLEN + 2];
+
+  if (!cyg_privsep_user[0])
+    {
+#ifdef CW_CYGNAME_FROM_WINNAME
+      if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user,
+                           sizeof cyg_privsep_user) != 0)
+#endif
+        strcpy (cyg_privsep_user, "sshd");
+    }
+  return cyg_privsep_user;
+}
+
 #define NL(x) x, (sizeof (x) - 1)
 #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
 
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 1177366f1..79cb2a197 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
-/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */
+/* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
@@ -39,6 +39,8 @@
 /* Avoid including windows headers. */
 typedef void *HANDLE;
 #define INVALID_HANDLE_VALUE ((HANDLE) -1)
+#define DNLEN 16
+#define UNLEN 256
 
 /* Cygwin functions for which declarations are only available when including
    windows headers, so we have to define them here explicitely. */
@@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_token (const HANDLE);
 #include <sys/cygwin.h>
 #include <io.h>
 
+#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user())
+const char *cygwin_ssh_privsep_user();
 
 int binary_open(const char *, int , ...);
 int check_ntsec(const char *);
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index 975991e7f..23a635989 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -538,7 +538,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
         }
         while (*value && (cnt < max)) {
                 DOPR_OUTCH(buffer, *currlen, maxlen, *value);
-                *value++;
+                value++;
                 ++cnt;
         }
         while ((padlen < 0) && (cnt < max)) {
@@ -553,7 +553,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
 
 static int
 fmtint(char *buffer, size_t *currlen, size_t maxlen,
-                    LLONG value, int base, int min, int max, int flags)
+    intmax_t value, int base, int min, int max, int flags)
 {
         int signvalue = 0;
         unsigned LLONG uvalue;
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
index b106741e5..3c85a4843 100644
--- a/openbsd-compat/explicit_bzero.c
+++ b/openbsd-compat/explicit_bzero.c
@@ -7,14 +7,34 @@
 
 #include "includes.h"
 
+/*
+ * explicit_bzero - don't let the compiler optimize away bzero
+ */
+
 #ifndef HAVE_EXPLICIT_BZERO
 
+#ifdef HAVE_MEMSET_S
+
+void
+explicit_bzero(void *p, size_t n)
+{
+        (void)memset_s(p, n, 0, n);
+}
+
+#else /* HAVE_MEMSET_S */
+
 /*
- * explicit_bzero - don't let the compiler optimize away bzero
+ * Indirect bzero through a volatile pointer to hopefully avoid
+ * dead-store optimisation eliminating the call.
  */
+static void (* volatile ssh_bzero)(void *, size_t) = bzero;
+
 void
 explicit_bzero(void *p, size_t n)
 {
-        bzero(p, n);
+        ssh_bzero(p, n);
 }
-#endif
+
+#endif /* HAVE_MEMSET_S */
+
+#endif /* HAVE_EXPLICIT_BZERO */
diff --git a/openbsd-compat/kludge-fd_set.c b/openbsd-compat/kludge-fd_set.c
new file mode 100644
index 000000000..6c2ffb64b
--- /dev/null
+++ b/openbsd-compat/kludge-fd_set.c
@@ -0,0 +1,28 @@
+/* Placed in the public domain.  */
+
+/*
+ * _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b)
+ * where n > FD_SETSIZE. This breaks OpenSSH and other programs that
+ * explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a
+ * function compiled without _FORTIFY_SOURCE.
+ */
+
+#include "config.h"
+
+#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
+# include <features.h>
+# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
+#  if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
+#   undef _FORTIFY_SOURCE
+#   undef __USE_FORTIFY_LEVEL
+#   include <sys/socket.h>
+void kludge_FD_SET(int n, fd_set *set) {
+        FD_SET(n, set);
+}
+int kludge_FD_ISSET(int n, fd_set *set) {
+        return FD_ISSET(n, set);
+}
+#  endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
+# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
+#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
+
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index bc9888e31..ce6abae82 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */
+/* $Id: openbsd-compat.h,v 1.62 2014/09/30 23:43:08 djm Exp $ */
 
 /*
  * Copyright (c) 1999-2003 Damien Miller.  All rights reserved.
@@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw);
 #include "port-tun.h"
 #include "port-uw.h"
 
+/* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */
+#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
+# include <features.h>
+# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
+#  if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
+#   include <sys/socket.h>  /* Ensure include guard is defined */
+#   undef FD_SET
+#   undef FD_ISSET
+#   define FD_SET(n, set)       kludge_FD_SET(n, set)
+#   define FD_ISSET(n, set)     kludge_FD_ISSET(n, set)
+void kludge_FD_SET(int, fd_set *);
+int kludge_FD_ISSET(int, fd_set *);
+#  endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
+# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
+#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
+
 #endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 885c121f2..36570e4ad 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */
+/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,6 +16,7 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "includes.h"
 
 #include <stdarg.h>
@@ -26,147 +27,44 @@
 # include <openssl/conf.h>
 #endif
 
-#ifndef HAVE_RSA_GET_DEFAULT_METHOD
-# include <openssl/rsa.h>
-#endif
-
 #include "log.h"
 
-#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "openssl-compat.h"
 
-#ifdef SSH_OLD_EVP
-int
-ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type,
-    unsigned char *key, unsigned char *iv, int enc)
-{
-        EVP_CipherInit(evp, type, key, iv, enc);
-        return 1;
-}
-
-int
-ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
-{
-        EVP_Cipher(evp, dst, src, len);
-        return 1;
-}
-
-int
-ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
-{
-        EVP_CIPHER_CTX_cleanup(evp);
-        return 1;
-}
-#endif
-
-#ifndef HAVE_EVP_DIGESTINIT_EX
-int
-EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
-{
-        if (engine != NULL)
-                fatal("%s: ENGINE is not supported", __func__);
-# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-        EVP_DigestInit(ctx, md);
-        return 1;
-# else
-        return EVP_DigestInit(ctx, md);
-# endif
-}
-#endif
-
-#ifndef HAVE_EVP_DIGESTFINAL_EX
-int
-EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s)
-{
-# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-        EVP_DigestFinal(ctx, md, s);
-        return 1;
-# else
-        return EVP_DigestFinal(ctx, md, s);
-# endif
-}
-#endif
-
-#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-int
-ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
-{
-        EVP_DigestUpdate(ctx, d, cnt);
-        return 1;
-}
-#endif
-
-#ifndef HAVE_EVP_MD_CTX_COPY_EX
-int
-EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
-{
-        return EVP_MD_CTX_copy(out, in);
-}
-#endif
-
-#ifndef HAVE_BN_IS_PRIME_EX
-int
-BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb)
-{
-        if (cb != NULL)
-                fatal("%s: callback args not supported", __func__);
-        return BN_is_prime(p, nchecks, NULL, ctx, NULL);
-}
-#endif
-
-#ifndef HAVE_RSA_GENERATE_KEY_EX
-int
-RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb)
-{
-        RSA *new_rsa, tmp_rsa;
-        unsigned long e;
-
-        if (cb != NULL)
-                fatal("%s: callback args not supported", __func__);
-        e = BN_get_word(bn_e);
-        if (e == 0xffffffffL)
-                fatal("%s: value of e too large", __func__);
-        new_rsa = RSA_generate_key(bits, e, NULL, NULL);
-        if (new_rsa == NULL)
-                return 0;
-        /* swap rsa/new_rsa then free new_rsa */
-        tmp_rsa = *rsa;
-        *rsa = *new_rsa;
-        *new_rsa = tmp_rsa;
-        RSA_free(new_rsa);
-        return 1;
-}
-#endif
+/*
+ * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
+ * We match major, minor, fix and status (not patch) for <1.0.0.
+ * After that, we acceptable compatible fix versions (so we
+ * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
+ * within a patch series.
+ */
 
-#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
 int
-DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed,
-    int seed_len, int *counter_ret, unsigned long *h_ret, void *cb)
+ssh_compatible_openssl(long headerver, long libver)
 {
-        DSA *new_dsa, tmp_dsa;
-
-        if (cb != NULL)
-                fatal("%s: callback args not supported", __func__);
-        new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len,
-            counter_ret, h_ret, NULL, NULL);
-        if (new_dsa == NULL)
-                return 0;
-        /* swap dsa/new_dsa then free new_dsa */
-        tmp_dsa = *dsa;
-        *dsa = *new_dsa;
-        *new_dsa = tmp_dsa;
-        DSA_free(new_dsa);
-        return 1;
-}
-#endif
-
-#ifndef HAVE_RSA_GET_DEFAULT_METHOD
-RSA_METHOD *
-RSA_get_default_method(void)
-{
-        return RSA_PKCS1_SSLeay();
+        long mask, hfix, lfix;
+
+        /* exact match is always OK */
+        if (headerver == libver)
+                return 1;
+
+        /* for versions < 1.0.0, major,minor,fix,status must match */
+        if (headerver < 0x1000000f) {
+                mask = 0xfffff00fL; /* major,minor,fix,status */
+                return (headerver & mask) == (libver & mask);
+        }
+        
+        /*
+         * For versions >= 1.0.0, major,minor,status must match and library
+         * fix version must be equal to or newer than the header.
+         */
+        mask = 0xfff0000fL; /* major,minor,status */
+        hfix = (headerver & 0x000ff000) >> 12;
+        lfix = (libver & 0x000ff000) >> 12;
+        if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
+                return 1;
+        return 0;
 }
-#endif
 
 #ifdef  USE_OPENSSL_ENGINE
 void
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 276b9706d..3695d412b 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.31 2014/08/29 18:18:29 djm Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,28 +16,19 @@
  * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
  */
 
+#ifndef _OPENSSL_COMPAT_H
+#define _OPENSSL_COMPAT_H
+
 #include "includes.h"
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
 #include <openssl/dsa.h>
 
-/* Only in 0.9.8 */
-#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
-# define OPENSSL_DSA_MAX_MODULUS_BITS        10000
-#endif
-#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
-# define OPENSSL_RSA_MAX_MODULUS_BITS        16384
-#endif
-
-/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
-#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
-# define OPENSSL_free(x) Free(x)
-#endif
+int ssh_compatible_openssl(long, long);
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-# define SSH_OLD_EVP
-# define EVP_CIPHER_CTX_get_app_data(e)         ((e)->app_data)
+#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL)
+# error OpenSSL 0.9.8f or greater is required
 #endif
 
 #if OPENSSL_VERSION_NUMBER < 0x10000001L
@@ -46,27 +37,17 @@
 # define LIBCRYPTO_EVP_INL_TYPE size_t
 #endif
 
-#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
-# define USE_BUILTIN_RIJNDAEL
+#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
+# define OPENSSL_RSA_MAX_MODULUS_BITS   16384
 #endif
-
-#ifdef USE_BUILTIN_RIJNDAEL
-# include "rijndael.h"
-# define AES_KEY rijndael_ctx
-# define AES_BLOCK_SIZE 16
-# define AES_encrypt(a, b, c)           rijndael_encrypt(c, a, b)
-# define AES_set_encrypt_key(a, b, c)   rijndael_set_key(c, (char *)a, b, 1)
-# define EVP_aes_128_cbc evp_rijndael
-# define EVP_aes_192_cbc evp_rijndael
-# define EVP_aes_256_cbc evp_rijndael
-const EVP_CIPHER *evp_rijndael(void);
-void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
+#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
+# define OPENSSL_DSA_MAX_MODULUS_BITS   10000
 #endif
 
 #ifndef OPENSSL_HAVE_EVPCTR
-#define EVP_aes_128_ctr evp_aes_128_ctr
-#define EVP_aes_192_ctr evp_aes_128_ctr
-#define EVP_aes_256_ctr evp_aes_128_ctr
+# define EVP_aes_128_ctr evp_aes_128_ctr
+# define EVP_aes_192_ctr evp_aes_128_ctr
+# define EVP_aes_256_ctr evp_aes_128_ctr
 const EVP_CIPHER *evp_aes_128_ctr(void);
 void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 #endif
@@ -88,26 +69,9 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 # endif
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
-#define EVP_X_STATE(evp)        &(evp).c
-#define EVP_X_STATE_LEN(evp)    sizeof((evp).c)
-#else
-#define EVP_X_STATE(evp)        (evp).cipher_data
-#define EVP_X_STATE_LEN(evp)    (evp).cipher->ctx_size
-#endif
-
-/* OpenSSL 0.9.8e returns cipher key len not context key len */
-#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
-# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
-#endif
-
-#ifndef HAVE_RSA_GET_DEFAULT_METHOD
-RSA_METHOD *RSA_get_default_method(void);
-#endif
-
 /*
  * We overload some of the OpenSSL crypto functions with ssh_* equivalents
- * which cater for older and/or less featureful OpenSSL version.
+ * to automatically handle OpenSSL engine initialisation.
  *
  * In order for the compat library to call the real functions, it must
  * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
@@ -115,19 +79,6 @@ RSA_METHOD *RSA_get_default_method(void);
  */
 #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 
-# ifdef SSH_OLD_EVP
-#  ifdef EVP_Cipher
-#   undef EVP_Cipher
-#  endif
-#  define EVP_CipherInit(a,b,c,d,e)     ssh_EVP_CipherInit((a),(b),(c),(d),(e))
-#  define EVP_Cipher(a,b,c,d)           ssh_EVP_Cipher((a),(b),(c),(d))
-#  define EVP_CIPHER_CTX_cleanup(a)     ssh_EVP_CIPHER_CTX_cleanup((a))
-# endif /* SSH_OLD_EVP */
-
-# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
-#  define EVP_DigestUpdate(a,b,c)       ssh_EVP_DigestUpdate((a),(b),(c))
-#  endif
-
 # ifdef USE_OPENSSL_ENGINE
 #  ifdef OpenSSL_add_all_algorithms
 #   undef OpenSSL_add_all_algorithms
@@ -135,48 +86,8 @@ RSA_METHOD *RSA_get_default_method(void);
 #  define OpenSSL_add_all_algorithms()  ssh_OpenSSL_add_all_algorithms()
 # endif
 
-# ifndef HAVE_BN_IS_PRIME_EX
-int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *);
-# endif
-
-# ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
-int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *,
-    unsigned long *, void *);
-# endif
-
-# ifndef HAVE_RSA_GENERATE_KEY_EX
-int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *);
-# endif
-
-# ifndef HAVE_EVP_DIGESTINIT_EX
-int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *);
-# endif
-
-# ifndef HAVE_EVP_DISESTFINAL_EX
-int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
-# endif
-
-# ifndef EVP_MD_CTX_COPY_EX
-int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
-# endif
-
-int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
-    unsigned char *, int);
-int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
-int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
 void ssh_OpenSSL_add_all_algorithms(void);
 
-# ifndef HAVE_HMAC_CTX_INIT
-#  define HMAC_CTX_init(a)
-# endif
-
-# ifndef HAVE_EVP_MD_CTX_INIT
-#  define EVP_MD_CTX_init(a)
-# endif
-
-# ifndef HAVE_EVP_MD_CTX_CLEANUP
-#  define EVP_MD_CTX_cleanup(a)
-# endif
-
 #endif  /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
 
+#endif /* _OPENSSL_COMPAT_H */
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index b1fbfa208..db24dbb94 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -42,6 +42,7 @@
 #include "key.h"
 #include "auth-options.h"
 #include "log.h"
+#include "misc.h"       /* servconf.h needs misc.h for struct ForwardOptions */
 #include "servconf.h"
 #include "hostfile.h"
 #include "auth.h"
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
index bcf214bd0..dabdb0912 100644
--- a/openbsd-compat/regress/Makefile.in
+++ b/openbsd-compat/regress/Makefile.in
@@ -1,4 +1,4 @@
-# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $
+# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $
 
 sysconfdir=@sysconfdir@
 piddir=@piddir@
@@ -16,11 +16,11 @@ LIBS=@LIBS@
 LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
 
 TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
-        strtonumtest$(EXEEXT)
+        strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
 
 all:    t-exec ${OTHERTESTS}
 
-%$(EXEEXT):     %.c
+%$(EXEEXT):     %.c $(LIBCOMPAT)
         $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
 
 t-exec: $(TESTPROGS)
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
new file mode 100644
index 000000000..5d019b598
--- /dev/null
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -0,0 +1,69 @@
+/*
+ * Copyright (c) 2014 Darren Tucker
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+int ssh_compatible_openssl(long, long);
+
+struct version_test {
+        long headerver;
+        long libver;
+        int result;
+} version_tests[] = {
+        /* built with 0.9.8b release headers */
+        { 0x0090802fL, 0x0090802fL, 1}, /* exact match */
+        { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
+        { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
+        { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
+        { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
+        { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
+        { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
+
+        /* built with 1.0.1b release headers */
+        { 0x1000101fL, 0x1000101fL, 1},/* exact match */
+        { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
+        { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
+        { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
+        { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
+        { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
+        { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
+        { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
+};
+
+void
+fail(long hver, long lver, int result)
+{
+        fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result);
+        exit(1);
+}
+
+int
+main(void)
+{
+        unsigned int i;
+        int res;
+        long hver, lver;
+
+        for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) {
+                hver = version_tests[i].headerver;
+                lver = version_tests[i].libver;
+                res = version_tests[i].result;
+                if (ssh_compatible_openssl(hver, lver) != res)
+                        fail(hver, lver, res);
+        }
+        exit(0);
+}