? scp/obj
? sftp/obj
? sftp-server/obj
? ssh/obj
? ssh-add/obj
? ssh-agent/obj
? ssh-keygen/obj
? ssh-keyscan/obj
? ssh-keysign/obj
? ssh-pkcs11-helper/obj
? sshd/obj
Index: Makefile.inc
===================================================================
RCS file: /cvs/src/usr.bin/ssh/Makefile.inc,v
retrieving revision 1.60
diff -u -p -r1.60 Makefile.inc
--- Makefile.inc	18 Jul 2018 11:34:04 -0000	1.60
+++ Makefile.inc	12 Oct 2018 02:55:00 -0000
@@ -20,7 +20,7 @@ CDIAGFLAGS+=	-Wstrict-aliasing=2
 CDIAGFLAGS+=	-Wold-style-definition
 .endif
 
-#CDIAGFLAGS+=	-Werror
+CDIAGFLAGS+=	-Werror
 #DEBUG=-g
 #INSTALL_STRIP=
 
@@ -55,6 +55,7 @@ SRCS_KEXC+=	kexgexc.c
 SRCS_KEXS+=	kexdhs.c
 SRCS_KEXS+=	kexecdhs.c
 SRCS_KEXS+=	kexgexs.c
+SRCS_KEY+=	libressl-api-compat.c
 .endif
 SRCS_KEX+=	kexc25519.c
 SRCS_KEX+=	smult_curve25519_ref.c
Index: cipher.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/cipher.c,v
retrieving revision 1.112
diff -u -p -r1.112 cipher.c
--- cipher.c	13 Sep 2018 02:08:33 -0000	1.112
+++ cipher.c	12 Oct 2018 02:55:00 -0000
@@ -41,6 +41,8 @@
 #include <stdarg.h>
 #include <stdio.h>
 
+#include "libressl-api-compat.h"
+
 #include "cipher.h"
 #include "misc.h"
 #include "sshbuf.h"
Index: dh.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/dh.c,v
retrieving revision 1.68
diff -u -p -r1.68 dh.c
--- dh.c	17 Sep 2018 15:40:14 -0000	1.68
+++ dh.c	12 Oct 2018 02:55:00 -0000
@@ -33,6 +33,8 @@
 #include <string.h>
 #include <limits.h>
 
+#include "libressl-api-compat.h"
+
 #include "dh.h"
 #include "pathnames.h"
 #include "log.h"
Index: digest-openssl.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/digest-openssl.c,v
retrieving revision 1.8
diff -u -p -r1.8 digest-openssl.c
--- digest-openssl.c	13 Sep 2018 02:08:33 -0000	1.8
+++ digest-openssl.c	12 Oct 2018 02:55:00 -0000
@@ -22,6 +22,8 @@
 
 #include <openssl/evp.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshbuf.h"
 #include "digest.h"
 #include "ssherr.h"
Index: kexdhc.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexdhc.c,v
retrieving revision 1.23
diff -u -p -r1.23 kexdhc.c
--- kexdhc.c	13 Sep 2018 02:08:33 -0000	1.23
+++ kexdhc.c	12 Oct 2018 02:55:00 -0000
@@ -31,6 +31,8 @@
 #include <string.h>
 #include <signal.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshkey.h"
 #include "cipher.h"
 #include "digest.h"
Index: kexdhs.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexdhs.c,v
retrieving revision 1.28
diff -u -p -r1.28 kexdhs.c
--- kexdhs.c	13 Sep 2018 02:08:33 -0000	1.28
+++ kexdhs.c	12 Oct 2018 02:55:00 -0000
@@ -30,6 +30,8 @@
 
 #include <openssl/dh.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshkey.h"
 #include "cipher.h"
 #include "digest.h"
Index: kexecdhc.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexecdhc.c,v
retrieving revision 1.13
diff -u -p -r1.13 kexecdhc.c
--- kexecdhc.c	7 Feb 2018 02:06:51 -0000	1.13
+++ kexecdhc.c	12 Oct 2018 02:55:00 -0000
@@ -32,6 +32,8 @@
 
 #include <openssl/ecdh.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshkey.h"
 #include "cipher.h"
 #include "digest.h"
Index: kexecdhs.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexecdhs.c,v
retrieving revision 1.17
diff -u -p -r1.17 kexecdhs.c
--- kexecdhs.c	7 Feb 2018 02:06:51 -0000	1.17
+++ kexecdhs.c	12 Oct 2018 02:55:00 -0000
@@ -30,6 +30,8 @@
 
 #include <openssl/ecdh.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshkey.h"
 #include "cipher.h"
 #include "digest.h"
Index: kexgexc.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexgexc.c,v
retrieving revision 1.28
diff -u -p -r1.28 kexgexc.c
--- kexgexc.c	13 Sep 2018 02:08:33 -0000	1.28
+++ kexgexc.c	12 Oct 2018 02:55:05 -0000
@@ -32,6 +32,8 @@
 #include <string.h>
 #include <signal.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshkey.h"
 #include "cipher.h"
 #include "digest.h"
Index: kexgexs.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/kexgexs.c,v
retrieving revision 1.35
diff -u -p -r1.35 kexgexs.c
--- kexgexs.c	4 Oct 2018 00:04:41 -0000	1.35
+++ kexgexs.c	12 Oct 2018 02:55:05 -0000
@@ -31,6 +31,8 @@
 
 #include <openssl/dh.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshkey.h"
 #include "cipher.h"
 #include "digest.h"
Index: libressl-api-compat.c
===================================================================
RCS file: libressl-api-compat.c
diff -N libressl-api-compat.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ libressl-api-compat.c	12 Oct 2018 02:55:05 -0000
@@ -0,0 +1,637 @@
+/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
+/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */
+/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */
+/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */
+/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */
+/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
+/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
+ * All rights reserved.
+ *
+ * This package is an SSL implementation written
+ * by Eric Young (eay@cryptsoft.com).
+ * The implementation was written so as to conform with Netscapes SSL.
+ * 
+ * This library is free for commercial and non-commercial use as long as
+ * the following conditions are aheared to.  The following conditions
+ * apply to all code found in this distribution, be it the RC4, RSA,
+ * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
+ * included with this distribution is covered by the same copyright terms
+ * except that the holder is Tim Hudson (tjh@cryptsoft.com).
+ * 
+ * Copyright remains Eric Young's, and as such any Copyright notices in
+ * the code are not to be removed.
+ * If this package is used in a product, Eric Young should be given attribution
+ * as the author of the parts of the library used.
+ * This can be in the form of a textual message at program startup or
+ * in documentation (online or textual) provided with the package.
+ * 
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ * 3. All advertising materials mentioning features or use of this software
+ *    must display the following acknowledgement:
+ *    "This product includes cryptographic software written by
+ *     Eric Young (eay@cryptsoft.com)"
+ *    The word 'cryptographic' can be left out if the rouines from the library
+ *    being used are not cryptographic related :-).
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
+ *    the apps directory (application code) you must include an acknowledgement:
+ *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
+ * 
+ * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ * 
+ * The licence and distribution terms for any publically available version or
+ * derivative of this code cannot be changed.  i.e. this code cannot simply be
+ * copied and put under another distribution licence
+ * [including the GNU Public Licence.]
+ */
+
+/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
+/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */
+/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * project 2000.
+ */
+/* ====================================================================
+ * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    licensing@OpenSSL.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
+
+/*	$OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $	*/
+/*
+ * Copyright (c) 2018 Theo Buehler <tb@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifdef WITH_OPENSSL
+
+#include <sys/types.h>
+
+#include <stdlib.h>
+#include <string.h>
+#include <limits.h>
+
+#include <openssl/err.h>
+#include <openssl/bn.h>
+#include <openssl/dsa.h>
+#include <openssl/rsa.h>
+#include <openssl/evp.h>
+#include <openssl/ecdsa.h>
+#include <openssl/dh.h>
+
+#include "libressl-api-compat.h"
+
+#ifndef HAVE_DSA_GET0_PQG
+void
+DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+	if (p != NULL)
+		*p = d->p;
+	if (q != NULL)
+		*q = d->q;
+	if (g != NULL)
+		*g = d->g;
+}
+#endif /* HAVE_DSA_GET0_PQG */
+
+#ifndef HAVE_DSA_SET0_PQG
+int
+DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
+	    (d->g == NULL && g == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(d->p);
+		d->p = p;
+	}
+	if (q != NULL) {
+		BN_free(d->q);
+		d->q = q;
+	}
+	if (g != NULL) {
+		BN_free(d->g);
+		d->g = g;
+	}
+
+	return 1;
+}
+#endif /* HAVE_DSA_SET0_PQG */
+
+#ifndef HAVE_DSA_GET0_KEY
+void
+DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+	if (pub_key != NULL)
+		*pub_key = d->pub_key;
+	if (priv_key != NULL)
+		*priv_key = d->priv_key;
+}
+#endif /* HAVE_DSA_GET0_KEY */
+
+#ifndef HAVE_DSA_SET0_KEY
+int
+DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+	if (d->pub_key == NULL && pub_key == NULL)
+		return 0;
+
+	if (pub_key != NULL) {
+		BN_free(d->pub_key);
+		d->pub_key = pub_key;
+	}
+	if (priv_key != NULL) {
+		BN_free(d->priv_key);
+		d->priv_key = priv_key;
+	}
+
+	return 1;
+}
+#endif /* HAVE_DSA_SET0_KEY */
+
+#ifndef HAVE_RSA_GET0_KEY
+void
+RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
+{
+	if (n != NULL)
+		*n = r->n;
+	if (e != NULL)
+		*e = r->e;
+	if (d != NULL)
+		*d = r->d;
+}
+#endif /* HAVE_RSA_GET0_KEY */
+
+#ifndef HAVE_RSA_SET0_KEY
+int
+RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
+{
+	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
+		return 0;
+
+	if (n != NULL) {
+		BN_free(r->n);
+		r->n = n;
+	}
+	if (e != NULL) {
+		BN_free(r->e);
+		r->e = e;
+	}
+	if (d != NULL) {
+		BN_free(r->d);
+		r->d = d;
+	}
+
+	return 1;
+}
+#endif /* HAVE_RSA_SET0_KEY */
+
+#ifndef HAVE_RSA_GET0_CRT_PARAMS
+void
+RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
+    const BIGNUM **iqmp)
+{
+	if (dmp1 != NULL)
+		*dmp1 = r->dmp1;
+	if (dmq1 != NULL)
+		*dmq1 = r->dmq1;
+	if (iqmp != NULL)
+		*iqmp = r->iqmp;
+}
+#endif /* HAVE_RSA_GET0_CRT_PARAMS */
+
+#ifndef HAVE_RSA_SET0_CRT_PARAMS
+int
+RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
+{
+	if ((r->dmp1 == NULL && dmp1 == NULL) ||
+	    (r->dmq1 == NULL && dmq1 == NULL) ||
+	    (r->iqmp == NULL && iqmp == NULL))
+	       	return 0;
+
+	if (dmp1 != NULL) {
+		BN_free(r->dmp1);
+		r->dmp1 = dmp1;
+	}
+	if (dmq1 != NULL) {
+		BN_free(r->dmq1);
+		r->dmq1 = dmq1;
+	}
+	if (iqmp != NULL) {
+		BN_free(r->iqmp);
+		r->iqmp = iqmp;
+	}
+
+	return 1;
+}
+#endif /* HAVE_RSA_SET0_CRT_PARAMS */
+
+#ifndef HAVE_RSA_GET0_FACTORS
+void
+RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
+{
+	if (p != NULL)
+		*p = r->p;
+	if (q != NULL)
+		*q = r->q;
+}
+#endif /* HAVE_RSA_GET0_FACTORS */
+
+#ifndef HAVE_RSA_SET0_FACTORS
+int
+RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
+{
+	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(r->p);
+		r->p = p;
+	}
+	if (q != NULL) {
+		BN_free(r->q);
+		r->q = q;
+	}
+
+	return 1;
+}
+#endif /* HAVE_RSA_SET0_FACTORS */
+
+#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
+int
+EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx, unsigned char *iv, size_t len)
+{
+	if (ctx == NULL)
+		return 0;
+	if (EVP_CIPHER_CTX_iv_length(ctx) < 0)
+		return 0;
+	if (len != (size_t)EVP_CIPHER_CTX_iv_length(ctx))
+		return 0;
+	if (len > EVP_MAX_IV_LENGTH)
+		return 0; /* sanity check; shouldn't happen */
+	/*
+	 * Skip the memcpy entirely when the requested IV length is zero,
+	 * since the iv pointer may be NULL or invalid.
+	 */
+	if (len != 0) {
+		if (iv == NULL)
+			return 0;
+# ifdef HAVE_EVP_CIPHER_CTX_IV
+		memcpy(iv, EVP_CIPHER_CTX_iv(ctx), len);
+# else
+		memcpy(iv, ctx->iv, len);
+# endif /* HAVE_EVP_CIPHER_CTX_IV */
+	}
+	return 1;
+}
+#endif /* HAVE_EVP_CIPHER_CTX_GET_IV */
+
+#ifndef HAVE_EVP_CIPHER_CTX_SET_IV
+int
+EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
+{
+	if (ctx == NULL)
+		return 0;
+	if (EVP_CIPHER_CTX_iv_length(ctx) < 0)
+		return 0;
+	if (len != (size_t)EVP_CIPHER_CTX_iv_length(ctx))
+		return 0;
+	if (len > EVP_MAX_IV_LENGTH)
+		return 0; /* sanity check; shouldn't happen */
+	/*
+	 * Skip the memcpy entirely when the requested IV length is zero,
+	 * since the iv pointer may be NULL or invalid.
+	 */
+	if (len != 0) {
+		if (iv == NULL)
+			return 0;
+# ifdef HAVE_EVP_CIPHER_CTX_IV_NOCONST
+		memcpy(EVP_CIPHER_CTX_iv_noconst(ctx), iv, len);
+# else
+		memcpy(ctx->iv, iv, len);
+# endif /* HAVE_EVP_CIPHER_CTX_IV_NOCONST */
+	}
+	return 1;
+}
+#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
+
+#ifndef HAVE_DSA_SIG_GET0
+void
+DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+{
+	if (pr != NULL)
+		*pr = sig->r;
+	if (ps != NULL)
+		*ps = sig->s;
+}
+#endif /* HAVE_DSA_SIG_GET0 */
+
+#ifndef HAVE_DSA_SIG_SET0
+int
+DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+	if (r == NULL || s == NULL)
+		return 0;
+
+	BN_clear_free(sig->r);
+	sig->r = r;
+	BN_clear_free(sig->s);
+	sig->s = s;
+
+	return 1;
+}
+#endif /* HAVE_DSA_SIG_SET0 */
+
+#ifndef HAVE_ECDSA_SIG_GET0
+void
+ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
+{
+	if (pr != NULL)
+		*pr = sig->r;
+	if (ps != NULL)
+		*ps = sig->s;
+}
+#endif /* HAVE_ECDSA_SIG_GET0 */
+
+#ifndef HAVE_ECDSA_SIG_SET0
+int
+ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
+{
+	if (r == NULL || s == NULL)
+		return 0;
+
+	BN_clear_free(sig->r);
+	BN_clear_free(sig->s);
+	sig->r = r;
+	sig->s = s;
+	return 1;
+}
+#endif /* HAVE_ECDSA_SIG_SET0 */
+
+#ifndef HAVE_DH_GET0_PQG
+void
+DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
+{
+	if (p != NULL)
+		*p = dh->p;
+	if (q != NULL)
+		*q = dh->q;
+	if (g != NULL)
+		*g = dh->g;
+}
+#endif /* HAVE_DH_GET0_PQG */
+
+#ifndef HAVE_DH_SET0_PQG
+int
+DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
+{
+	if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
+		return 0;
+
+	if (p != NULL) {
+		BN_free(dh->p);
+		dh->p = p;
+	}
+	if (q != NULL) {
+		BN_free(dh->q);
+		dh->q = q;
+	}
+	if (g != NULL) {
+		BN_free(dh->g);
+		dh->g = g;
+	}
+
+	return 1;
+}
+#endif /* HAVE_DH_SET0_PQG */
+
+#ifndef HAVE_DH_GET0_KEY
+void
+DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
+{
+	if (pub_key != NULL)
+		*pub_key = dh->pub_key;
+	if (priv_key != NULL)
+		*priv_key = dh->priv_key;
+}
+#endif /* HAVE_DH_GET0_KEY */
+
+#ifndef HAVE_DH_SET0_KEY
+int
+DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
+{
+	if (pub_key != NULL) {
+		BN_free(dh->pub_key);
+		dh->pub_key = pub_key;
+	}
+	if (priv_key != NULL) {
+		BN_free(dh->priv_key);
+		dh->priv_key = priv_key;
+	}
+
+	return 1;
+}
+#endif /* HAVE_DH_SET0_KEY */
+
+#ifndef HAVE_DH_SET_LENGTH
+int
+DH_set_length(DH *dh, long length)
+{
+	if (length < 0 || length > INT_MAX)
+		return 0;
+
+	dh->length = length;
+	return 1;
+}
+#endif /* HAVE_DH_SET_LENGTH */
+
+#ifndef HAVE_RSA_METH_FREE
+void
+RSA_meth_free(RSA_METHOD *meth)
+{
+	if (meth != NULL) {
+		free((char *)meth->name);
+		free(meth);
+	}
+}
+#endif /* HAVE_RSA_METH_FREE */
+
+#ifndef HAVE_RSA_METH_DUP
+RSA_METHOD *
+RSA_meth_dup(const RSA_METHOD *meth)
+{
+	RSA_METHOD *copy;
+
+	if ((copy = calloc(1, sizeof(*copy))) == NULL)
+		return NULL;
+	memcpy(copy, meth, sizeof(*copy));
+	if ((copy->name = strdup(meth->name)) == NULL) {
+		free(copy);
+		return NULL;
+	}
+
+	return copy;
+}
+#endif /* HAVE_RSA_METH_DUP */
+
+#ifndef HAVE_RSA_METH_SET1_NAME
+int
+RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
+{
+	char *copy;
+
+	if ((copy = strdup(name)) == NULL)
+		return 0;
+	free((char *)meth->name);
+	meth->name = copy;
+	return 1;
+}
+#endif /* HAVE_RSA_METH_SET1_NAME */
+
+#ifndef HAVE_RSA_METH_GET_FINISH
+int
+(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
+{
+	return meth->finish;
+}
+#endif /* HAVE_RSA_METH_GET_FINISH */
+
+#ifndef HAVE_RSA_METH_SET_PRIV_ENC
+int
+RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
+{
+	meth->rsa_priv_enc = priv_enc;
+	return 1;
+}
+#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
+
+#ifndef HAVE_RSA_METH_SET_PRIV_DEC
+int
+RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
+{
+	meth->rsa_priv_dec = priv_dec;
+	return 1;
+}
+#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
+
+#ifndef HAVE_RSA_METH_SET_FINISH
+int
+RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
+{
+	meth->finish = finish;
+	return 1;
+}
+#endif /* HAVE_RSA_METH_SET_FINISH */
+
+#ifndef HAVE_EVP_PKEY_GET0_RSA
+RSA *
+EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
+{
+	if (pkey->type != EVP_PKEY_RSA) {
+		/* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */
+		return NULL;
+	}
+	return pkey->pkey.rsa;
+}
+#endif /* HAVE_EVP_PKEY_GET0_RSA */
+
+#ifndef HAVE_EVP_MD_CTX_NEW
+EVP_MD_CTX *
+EVP_MD_CTX_new(void)
+{
+	return calloc(1, sizeof(EVP_MD_CTX));
+}
+#endif /* HAVE_EVP_MD_CTX_NEW */
+
+#ifndef HAVE_EVP_MD_CTX_FREE
+void
+EVP_MD_CTX_free(EVP_MD_CTX *ctx)
+{
+	if (ctx == NULL)
+		return;
+
+	EVP_MD_CTX_cleanup(ctx);
+
+	free(ctx);
+}
+#endif /* HAVE_EVP_MD_CTX_FREE */
+
+#endif /* WITH_OPENSSL */
Index: libressl-api-compat.h
===================================================================
RCS file: libressl-api-compat.h
diff -N libressl-api-compat.h
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ libressl-api-compat.h	12 Oct 2018 02:55:05 -0000
@@ -0,0 +1,164 @@
+/*
+ * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF MIND, USE, DATA OR PROFITS, WHETHER
+ * IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING
+ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#ifndef _LIBRESSL_API_COMPAT_H
+#define _LIBRESSL_API_COMPAT_H
+
+#ifdef WITH_OPENSSL
+
+#include <openssl/opensslv.h>
+#include <openssl/evp.h>
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/ecdsa.h>
+#include <openssl/dh.h>
+
+/* LibreSSL/OpenSSL 1.1x API compat */
+#ifndef HAVE_DSA_GET0_PQG
+void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
+    const BIGNUM **g);
+#endif /* HAVE_DSA_GET0_PQG */
+
+#ifndef HAVE_DSA_SET0_PQG
+int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+#endif /* HAVE_DSA_SET0_PQG */
+
+#ifndef HAVE_DSA_GET0_KEY
+void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
+    const BIGNUM **priv_key);
+#endif /* HAVE_DSA_GET0_KEY */
+
+#ifndef HAVE_DSA_SET0_KEY
+int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
+#endif /* HAVE_DSA_SET0_KEY */
+
+#ifndef HAVE_EVP_CIPHER_CTX_GET_IV
+int EVP_CIPHER_CTX_get_iv(const EVP_CIPHER_CTX *ctx,
+    unsigned char *iv, size_t len);
+#endif /* HAVE_EVP_CIPHER_CTX_GET_IV */
+
+#ifndef HAVE_EVP_CIPHER_CTX_SET_IV
+int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx,
+    const unsigned char *iv, size_t len);
+#endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
+
+#ifndef HAVE_RSA_GET0_KEY
+void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
+    const BIGNUM **d);
+#endif /* HAVE_RSA_GET0_KEY */
+
+#ifndef HAVE_RSA_SET0_KEY
+int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
+#endif /* HAVE_RSA_SET0_KEY */
+
+#ifndef HAVE_RSA_GET0_CRT_PARAMS
+void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
+    const BIGNUM **iqmp);
+#endif /* HAVE_RSA_GET0_CRT_PARAMS */
+
+#ifndef HAVE_RSA_SET0_CRT_PARAMS
+int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
+#endif /* HAVE_RSA_SET0_CRT_PARAMS */
+
+#ifndef HAVE_RSA_GET0_FACTORS
+void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
+#endif /* HAVE_RSA_GET0_FACTORS */
+
+#ifndef HAVE_RSA_SET0_FACTORS
+int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
+#endif /* HAVE_RSA_SET0_FACTORS */
+
+#ifndef DSA_SIG_GET0
+void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+#endif /* DSA_SIG_GET0 */
+
+#ifndef DSA_SIG_SET0
+int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+#endif /* DSA_SIG_SET0 */
+
+#ifndef HAVE_ECDSA_SIG_GET0
+void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
+#endif /* HAVE_ECDSA_SIG_GET0 */
+
+#ifndef HAVE_ECDSA_SIG_SET0
+int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
+#endif /* HAVE_ECDSA_SIG_SET0 */
+
+#ifndef HAVE_DH_GET0_PQG
+void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
+    const BIGNUM **g);
+#endif /* HAVE_DH_GET0_PQG */
+
+#ifndef HAVE_DH_SET0_PQG
+int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
+#endif /* HAVE_DH_SET0_PQG */
+
+#ifndef HAVE_DH_GET0_KEY
+void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
+#endif /* HAVE_DH_GET0_KEY */
+
+#ifndef HAVE_DH_SET0_KEY
+int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
+#endif /* HAVE_DH_SET0_KEY */
+
+#ifndef HAVE_DH_SET_LENGTH
+int DH_set_length(DH *dh, long length);
+#endif /* HAVE_DH_SET_LENGTH */
+
+#ifndef HAVE_RSA_METH_FREE
+void RSA_meth_free(RSA_METHOD *meth);
+#endif /* HAVE_RSA_METH_FREE */
+
+#ifndef HAVE_RSA_METH_DUP
+RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
+#endif /* HAVE_RSA_METH_DUP */
+
+#ifndef HAVE_RSA_METH_SET1_NAME
+int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
+#endif /* HAVE_RSA_METH_SET1_NAME */
+
+#ifndef HAVE_RSA_METH_GET_FINISH
+int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
+#endif /* HAVE_RSA_METH_GET_FINISH */
+
+#ifndef HAVE_RSA_METH_SET_PRIV_ENC
+int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
+#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
+
+#ifndef HAVE_RSA_METH_SET_PRIV_DEC
+int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
+    const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
+#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
+
+#ifndef HAVE_RSA_METH_SET_FINISH
+int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
+#endif /* HAVE_RSA_METH_SET_FINISH */
+
+#ifndef HAVE_EVP_PKEY_GET0_RSA
+RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
+#endif /* HAVE_EVP_PKEY_GET0_RSA */
+
+#ifndef HAVE_EVP_MD_CTX_new
+EVP_MD_CTX *EVP_MD_CTX_new(void);
+#endif /* HAVE_EVP_MD_CTX_new */
+
+#ifndef HAVE_EVP_MD_CTX_free
+void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
+#endif /* HAVE_EVP_MD_CTX_free */
+
+#endif /* WITH_OPENSSL */
+#endif /* _LIBRESSL_API_COMPAT_H */
Index: monitor.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/monitor.c,v
retrieving revision 1.187
diff -u -p -r1.187 monitor.c
--- monitor.c	13 Sep 2018 02:08:33 -0000	1.187
+++ monitor.c	12 Oct 2018 02:55:05 -0000
@@ -35,6 +35,8 @@
 #include <openssl/dh.h>
 #endif
 
+#include "libressl-api-compat.h"
+
 #include <errno.h>
 #include <fcntl.h>
 #include <limits.h>
Index: ssh-dss.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-dss.c,v
retrieving revision 1.38
diff -u -p -r1.38 ssh-dss.c
--- ssh-dss.c	13 Sep 2018 02:08:33 -0000	1.38
+++ ssh-dss.c	12 Oct 2018 02:55:05 -0000
@@ -30,6 +30,8 @@
 
 #include <string.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshbuf.h"
 #include "compat.h"
 #include "ssherr.h"
Index: ssh-ecdsa.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-ecdsa.c,v
retrieving revision 1.15
diff -u -p -r1.15 ssh-ecdsa.c
--- ssh-ecdsa.c	13 Sep 2018 02:08:33 -0000	1.15
+++ ssh-ecdsa.c	12 Oct 2018 02:55:05 -0000
@@ -33,6 +33,8 @@
 
 #include <string.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshbuf.h"
 #include "ssherr.h"
 #include "digest.h"
Index: ssh-keygen.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-keygen.c,v
retrieving revision 1.322
diff -u -p -r1.322 ssh-keygen.c
--- ssh-keygen.c	14 Sep 2018 04:17:44 -0000	1.322
+++ ssh-keygen.c	12 Oct 2018 02:55:06 -0000
@@ -30,6 +30,8 @@
 #include <limits.h>
 #include <locale.h>
 
+#include "libressl-api-compat.h"
+
 #include "xmalloc.h"
 #include "sshkey.h"
 #include "authfile.h"
Index: ssh-pkcs11-client.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-pkcs11-client.c,v
retrieving revision 1.11
diff -u -p -r1.11 ssh-pkcs11-client.c
--- ssh-pkcs11-client.c	13 Sep 2018 02:08:33 -0000	1.11
+++ ssh-pkcs11-client.c	12 Oct 2018 02:55:06 -0000
@@ -26,6 +26,8 @@
 
 #include <openssl/rsa.h>
 
+#include "libressl-api-compat.h"
+
 #include "pathnames.h"
 #include "xmalloc.h"
 #include "sshbuf.h"
Index: ssh-pkcs11.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-pkcs11.c,v
retrieving revision 1.27
diff -u -p -r1.27 ssh-pkcs11.c
--- ssh-pkcs11.c	13 Sep 2018 02:08:33 -0000	1.27
+++ ssh-pkcs11.c	12 Oct 2018 02:55:06 -0000
@@ -28,6 +28,8 @@
 #define CRYPTOKI_COMPAT
 #include "pkcs11.h"
 
+#include "libressl-api-compat.h"
+
 #include "log.h"
 #include "misc.h"
 #include "sshkey.h"
Index: ssh-rsa.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/ssh-rsa.c,v
retrieving revision 1.68
diff -u -p -r1.68 ssh-rsa.c
--- ssh-rsa.c	13 Sep 2018 02:08:33 -0000	1.68
+++ ssh-rsa.c	12 Oct 2018 02:55:06 -0000
@@ -22,6 +22,8 @@
 
 #include <string.h>
 
+#include "libressl-api-compat.h"
+
 #include "sshbuf.h"
 #include "compat.h"
 #include "ssherr.h"
Index: sshkey.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/sshkey.c,v
retrieving revision 1.72
diff -u -p -r1.72 sshkey.c
--- sshkey.c	11 Oct 2018 00:52:46 -0000	1.72
+++ sshkey.c	12 Oct 2018 02:55:11 -0000
@@ -34,6 +34,8 @@
 #include <openssl/pem.h>
 #endif
 
+#include "libressl-api-compat.h"
+
 #include "crypto_api.h"
 
 #include <errno.h>