gentoo resync : 03.11.2018

20 files changed, 2246 insertions, 14 deletions

diff --git a/sys-auth/Manifest.gz b/sys-auth/Manifest.gz
index b584fe9ed5de..8286273d7693 100644
--- a/sys-auth/Manifest.gz
+++ b/sys-auth/Manifest.gz
diff --git a/sys-auth/keystone/Manifest b/sys-auth/keystone/Manifest
index ad0c9f663285..4962e1fbfee1 100644
--- a/sys-auth/keystone/Manifest
+++ b/sys-auth/keystone/Manifest
@@ -1,13 +1,21 @@
 DIST keystone-12.0.1.tar.gz 1492793 BLAKE2B db2d9292be475b73398e767505bbd73d33397a4d7a4bd671877c4a4b7ee22b1e4aa63d86b7a251c1de51bfc74f06d384f2c25242e0b25901db93d627f993e660 SHA512 e6fc4b3c26c58adfe896070fb5034b9ad1fa8c281824177b9ffd0d3aa5f0d5cec7ed3e6e91d404f2bd3bb1cd913819941b25edd0e5c414fa9a9c5f403575141e
+DIST keystone-12.0.2.tar.gz 1492547 BLAKE2B 2f7b8b5535cb75dd846a1570fabf95c47e64b162d70c4af3e66d5f379c1a45d383b0ac9fce0a7b48875c210e9c4306476938fe8ddbb04dfc9f75cfc51ce10856 SHA512 8468ef9967b95cc75b02c5b9c66ff71033853674c5012aecf37b98c71af72451e8cdbb4070c1a9197c404f97a5948f214adf6911a3ac5d5ee23c75ec3593433b
 DIST keystone-13.0.1.tar.gz 1460979 BLAKE2B 9a22b0ba0c66cab9a65f3197c08f93a4c592f4bd67ae59b3dec182db589ff50c2bbf8e269706859d285a4811a1cd32533b7c07b595d2697bba1c487908b1a975 SHA512 cfe89be9b49dd54095ff38b5d2f13eba0e41ecf111ce0dcd40cfc64eaccc1f1105f870f866a2cc49f89c72d0981d5112ee0f8444fc5810f79b65c0f5de7bfc15
+DIST keystone-13.0.2.tar.gz 1462728 BLAKE2B 8bcdbaecf79e2f5e1fbcd840dd27967312320c5f0fe45ed40aa1b339f627cb96ce8186ece9c0b6ab40e66e3699e5be25b0978af056aa86f6da4d5e9b6031285a SHA512 d600ea56acb14a9d34461e599375d6f1b62deb8e8cc33c939e8dec885539aaaa6f57e86e4d8334b92ecd00a68f881f3dd4805feca5cdb3de808743893ce07c68
 DIST keystone-14.0.0.tar.gz 1525077 BLAKE2B a91071c7a5ead2ec31039a216a434c85623c76cf3409da049d23726c7ff051a729c925d6107b745b47a67a52b6d07e8853def7f7823d63f055532dfa2bbf3a0b SHA512 90f61c5d408dafddffb41b1dcfcc9372366129558df538606abfd3716a41b88d9430ffb0d1dc20f31ca0a82b1a691b7dc5d47a448dadbe970773902c898e2cf8
+DIST keystone-14.0.1.tar.gz 1526741 BLAKE2B 5ae1a6f0e7a7ce737b3a0fdbd2900e8cb1541ec3b1e08228d4abf58d8021a06a6c9db654ef71c22636436f2601bd49d4934f24650e2a44c101c9610ed7b011af SHA512 87065a16ca70dc9115d331f1e0f3669ac9661f5172f9e8afbecef48e7dd9a4726438b4d757fa54bbd6095a5543427dc913f90a765e83ffb30284b1f8dbfbb8e7
 DIST keystone.conf.sample-14.0.0 119794 BLAKE2B 3f3c43b0972230a57b444ffe3ca41fa94a0886831941c8c259738e6575b74776a6add907fac833ba178769bbecd4bc16fe383b53344c1e3cebf3d4eacdbcb50d SHA512 5513b4e3bed869d6fa56bf6163355de2dcbf859dd8f7e76ffa3a0e7b644fe367bbde75a4e090098faba473e1fb26b061d434771e9e6bb8cb105ca609c161e5c1
+DIST keystone.conf.sample-14.0.1 119794 BLAKE2B 3f3c43b0972230a57b444ffe3ca41fa94a0886831941c8c259738e6575b74776a6add907fac833ba178769bbecd4bc16fe383b53344c1e3cebf3d4eacdbcb50d SHA512 5513b4e3bed869d6fa56bf6163355de2dcbf859dd8f7e76ffa3a0e7b644fe367bbde75a4e090098faba473e1fb26b061d434771e9e6bb8cb105ca609c161e5c1
 DIST keystone.conf.sample-2018.2.9999 119794 BLAKE2B 3f3c43b0972230a57b444ffe3ca41fa94a0886831941c8c259738e6575b74776a6add907fac833ba178769bbecd4bc16fe383b53344c1e3cebf3d4eacdbcb50d SHA512 5513b4e3bed869d6fa56bf6163355de2dcbf859dd8f7e76ffa3a0e7b644fe367bbde75a4e090098faba473e1fb26b061d434771e9e6bb8cb105ca609c161e5c1
 DIST keystone.policy.yaml.sample-14.0.0 38318 BLAKE2B a27e4ea59c99dc91dde9d1cc62340faa4b91e644dc6b8725c2d7de731e44684d8d59571e6470da3ab9fa191087a890a0b417b58b1473038bf39cfc75e5b2bad4 SHA512 95fad079d1fb77d15b9f8e507be8b1e01b493c3f1dd4e992567fe9c905bae01a058e93d59677d472ae47856b13d5cffa213d89e8e267f081a2bad1bf8e1f6036
+DIST keystone.policy.yaml.sample-14.0.1 38318 BLAKE2B a27e4ea59c99dc91dde9d1cc62340faa4b91e644dc6b8725c2d7de731e44684d8d59571e6470da3ab9fa191087a890a0b417b58b1473038bf39cfc75e5b2bad4 SHA512 95fad079d1fb77d15b9f8e507be8b1e01b493c3f1dd4e992567fe9c905bae01a058e93d59677d472ae47856b13d5cffa213d89e8e267f081a2bad1bf8e1f6036
 DIST keystone.policy.yaml.sample-2018.2.9999 38318 BLAKE2B a27e4ea59c99dc91dde9d1cc62340faa4b91e644dc6b8725c2d7de731e44684d8d59571e6470da3ab9fa191087a890a0b417b58b1473038bf39cfc75e5b2bad4 SHA512 95fad079d1fb77d15b9f8e507be8b1e01b493c3f1dd4e992567fe9c905bae01a058e93d59677d472ae47856b13d5cffa213d89e8e267f081a2bad1bf8e1f6036
 EBUILD keystone-12.0.1.ebuild 6280 BLAKE2B ffb752f981b0e72674cd6dac474a9f475123994cc2eba0ea24eed4d01acccdba9f9ec009c38a42e8e4084e0e6a95e03d794ef4b6be0328e3c87e8e0a17f4f5fa SHA512 32b5582c8e4bb24c3799b3716ac9cc62a254ed694e10e2c72ff275b69535639c442f66baa5eecd81fdca0d8007e1c4e2154eeaa00f07c3f169a7b698aec49230
+EBUILD keystone-12.0.2.ebuild 6279 BLAKE2B 81e4da5649a4545d77086989c8f9e6f25ddad78e568d19bd5431c88207dfa9cee23a9aef83f81d904ae83116e66f8f0418eda5adbc2b1419dc132030e42acc10 SHA512 b6539df2f7b02a1d7f5ea0b09e37f7cf0824073253997514c3626d5236450b932acfd04b42c441aa419219af651a32cbb3e2a0c5d91c12c7fce9060fbb510a8a
 EBUILD keystone-13.0.1.ebuild 6185 BLAKE2B dc880b6445ed20b3f50e062b338a92576ae8d9d267021550dc817e7d527078715af0521ea8ce910a69c26fd1cee1225e99a7536837ba0a2ceb0e9c01c8b47e15 SHA512 fbc2762108c126f086dbeebb829e0417f54bdccc936c2f72c9667100776b4b94ba4e9c9fca22bc850cb339d54130e3f7b4dc8de936009ab0efb2b92ce9e8c3b3
+EBUILD keystone-13.0.2.ebuild 6184 BLAKE2B 71602626a3ce9f5d34bcd82549b40fbb88f3feacaae10bdfd9e0c5dfbd164042ccb20feeae75af4aff25f29927e4dd57fff1262718998f9b5cf24a66e1ccb764 SHA512 e5ea9e1f103f69749895bea1f7b8ffcb75831b2cac8247f00ad446035892349ffab4e9c70dcb0ff25ea9e955394c6991dd606c5a987af3b73cf7b1536c1a5d5b
 EBUILD keystone-14.0.0.ebuild 6745 BLAKE2B dfa88d3773cd388b1f01fa03667b80643a3deb4cbfbbb4fa3d1febc3e53cb12a41560e92e9b275224a869b5c2c4c8f6479a0154c3b471827fc94fe506ba85242 SHA512 a194f98e0dc066a70dd4afd55d8f9aab68560087121c55cca2bf12b8bca7dcaffab2984eda0417bd2fe77b084a58d788244a3d58b796f8b17ffc3978c5c01c2f
+EBUILD keystone-14.0.1.ebuild 6747 BLAKE2B 80f20a03a8f966590d3880135bd53105f9c0cdacc92bacae08f44ff0933421a5d7fb50651b1f6984c54a6619b67bbb2152a3c0db3c4e7aa61cf40b9e24294019 SHA512 41a7b83d7ae5990b059ff1a6ef62d4b06fd9060be647b0304d34d621ceb93cb33c7cf6cc329597256944ddbdfc3bc11037a1e0ac3d625442bdaf59de50bf08f2
 EBUILD keystone-2017.2.9999.ebuild 6298 BLAKE2B 0ffe1ffd9ce957b38693ae38470823461b2f88741e679788ab149d545584e12fd244c8f7c648bd3de0dd1903b9b12e029e7583087a3d4a4861dceacc63bbf6b3 SHA512 c1d8594a094dd25bbbb7119d41a9ce32d302b1af7b6ccf7e59fc1ecc7a2f72c99dfd07a40aed8e2338f20511d019592753c4bd491f9e3405557d694f0fbcf9c0
 EBUILD keystone-2018.1.9999.ebuild 6187 BLAKE2B 14d660926e2c4063ede68932eccf12a32a5ca8970d42b858614acb985167b797a9fd47d50ace7b06114f971243886ade20b1c32b5bac237cb36171d2657a8b43 SHA512 ff7fdb04866207596c3923a92b42fdab4bcf9ad1eb6ceb5958d23c0c6fb2eb98c2ca0ce06c92c1c4abfc0f8d561d8021a80acf0ad3c3d486e2223cc5075f8d93
 EBUILD keystone-2018.2.9999.ebuild 6750 BLAKE2B 6036789299ec6679527ed0a862310ea34d85540d09c82ac13b5deae92dd55654b669bf46f6cc80a0e88c2abb9137713704290063dc65759abbbea11d5e3c05bb SHA512 c7394c367e842abcef65887f9dc66701352c50dd330f4f0738bf70c35fb6414028369426cfa19dd08b1e520db3c722c918182f256b15398ba9601b32caff33f6
diff --git a/sys-auth/keystone/keystone-12.0.2.ebuild b/sys-auth/keystone/keystone-12.0.2.ebuild
new file mode 100644
index 000000000000..e344b5b3f121
--- /dev/null
+++ b/sys-auth/keystone/keystone-12.0.2.ebuild
@@ -0,0 +1,175 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5} )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+
+LICENSE="Apache-2.0"
+SLOT="0"
+KEYWORDS="~amd64 ~arm64 ~x86"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/pbr-2.1.0"
+DEPEND="
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	${CDEPEND}"
+RDEPEND="
+	${CDEPEND}
+	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+	!~dev-python/Babel-2.4.0[${PYTHON_USEDEP}]
+	>=dev-python/webob-1.7.1[${PYTHON_USEDEP}]
+	>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+	dev-python/paste[${PYTHON_USEDEP}]
+	>=dev-python/routes-2.3.1[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-1.6[${PYTHON_USEDEP}]
+	!~dev-python/cryptography-2.0[${PYTHON_USEDEP}]
+	>=dev-python/six-1.9.0[${PYTHON_USEDEP}]
+	sqlite? (
+		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		>=dev-python/pymysql-0.7.6[${PYTHON_USEDEP}]
+		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		>=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[${PYTHON_USEDEP}]
+	)
+	>=dev-python/sqlalchemy-migrate-0.11.0[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.20.0[${PYTHON_USEDEP}]
+	>=dev-python/passlib-1.7.0[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-4.12.0[${PYTHON_USEDEP}]
+	>=dev-python/bcrypt-3.1.3[${PYTHON_USEDEP}]
+	>=dev-python/scrypt-0.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-cache-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-4.0.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-config-4.3.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-config-4.4.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-2.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-5.24.2[${PYTHON_USEDEP}]
+	!~dev-python/oslo-messaging-5.25.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.24.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-2.1.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-i18n-3.15.2[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-3.22.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-3.27.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-policy-1.23.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.10.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-serialization-1.19.1[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-3.20.0[${PYTHON_USEDEP}]
+	>=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+	>=dev-python/pysaml2-2.4.0[${PYTHON_USEDEP}]
+	<dev-python/pysaml2-4.0.3[${PYTHON_USEDEP}]
+	>=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+	>=dev-python/jsonschema-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/jsonschema-2.5.0[${PYTHON_USEDEP}]
+	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+	!~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+	>=dev-python/pytz-2013.6[${PYTHON_USEDEP}]
+	memcached? (
+		>=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+	)
+	mongo? (
+		>=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+		!~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+	)
+	ldap? (
+		>=dev-python/pyldap-2.4.20[${PYTHON_USEDEP}]
+		>=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+	)
+	|| (
+		www-servers/uwsgi[python,${PYTHON_USEDEP}]
+		www-apache/mod_wsgi[${PYTHON_USEDEP}]
+		www-servers/gunicorn[${PYTHON_USEDEP}]
+	)"
+
+#PATCHES=(
+#)
+
+pkg_setup() {
+	enewgroup keystone
+	enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+	# it's in git, but not in the tarball.....
+	sed -i '/^hacking/d' test-requirements.txt || die
+	mkdir -p ${PN}/tests/tmp/ || die
+	cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+	sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+	sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+	# allow useage of renamed msgpack
+	sed -i '/^msgpack/d' requirements.txt || die
+	distutils-r1_python_prepare_all
+}
+
+python_test() {
+	nosetests -I 'test_keystoneclient*' \
+		-e test_static_translated_string_is_Message \
+		-e test_get_token_id_error_handling \
+		-e test_provider_token_expiration_validation \
+		-e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install_all() {
+	distutils-r1_python_install_all
+
+	diropts -m 0750
+	keepdir /etc/keystone /var/log/keystone
+	insinto /etc/keystone
+	insopts -m0640 -okeystone -gkeystone
+	doins etc/keystone.conf.sample etc/logging.conf.sample
+	doins etc/default_catalog.templates
+	doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+	insinto /etc/keystone/httpd
+	doins httpd/*
+
+	fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+	elog "You might want to run:"
+	elog "emerge --config =${CATEGORY}/${PF}"
+	elog "if this is a new install."
+	elog "If you have not already configured your openssl installation"
+	elog "please do it by modifying /etc/ssl/openssl.cnf"
+	elog "BEFORE issuing the configuration command."
+	elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+	if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+		einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+		read
+		"${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+	else
+		einfo "keystone PKI certificates directory already present, skipping configuration"
+	fi
+}
diff --git a/sys-auth/keystone/keystone-13.0.2.ebuild b/sys-auth/keystone/keystone-13.0.2.ebuild
new file mode 100644
index 000000000000..dadc589f637c
--- /dev/null
+++ b/sys-auth/keystone/keystone-13.0.2.ebuild
@@ -0,0 +1,176 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+if [[ ${PV} == *9999 ]];then
+	inherit git-r3
+	EGIT_REPO_URI="https://github.com/openstack/keystone.git"
+	EGIT_BRANCH="stable/queens"
+else
+	SRC_URI="https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm64 ~x86"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/pbr-2.1.0"
+DEPEND="
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	${CDEPEND}"
+RDEPEND="
+	${CDEPEND}
+	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+	!~dev-python/Babel-2.4.0[${PYTHON_USEDEP}]
+	>=dev-python/webob-1.7.1[${PYTHON_USEDEP}]
+	>=dev-python/pastedeploy-1.5.0[${PYTHON_USEDEP}]
+	>=dev-python/paste-2.0.2[${PYTHON_USEDEP}]
+	>=dev-python/routes-2.3.1[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-1.9[${PYTHON_USEDEP}]
+	!~dev-python/cryptography-2.0[${PYTHON_USEDEP}]
+	>=dev-python/six-1.10.0[${PYTHON_USEDEP}]
+	sqlite? (
+		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		>=dev-python/pymysql-0.7.6[${PYTHON_USEDEP}]
+		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		>=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[${PYTHON_USEDEP}]
+	)
+	>=dev-python/sqlalchemy-migrate-0.11.0[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.20.0[${PYTHON_USEDEP}]
+	>=dev-python/passlib-1.7.0[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-4.17.0[${PYTHON_USEDEP}]
+	>=dev-python/bcrypt-3.1.3[${PYTHON_USEDEP}]
+	>=dev-python/scrypt-0.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-cache-1.26.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-3.25.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-5.1.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-2.14.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-5.29.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.27.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-3.15.3[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-3.36.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-3.31.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-policy-1.30.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.18.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-serialization-1.19.1[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-3.33.0[${PYTHON_USEDEP}]
+	>=dev-python/oauthlib-0.6.0[${PYTHON_USEDEP}]
+	>=dev-python/pysaml2-4.0.2[${PYTHON_USEDEP}]
+	<dev-python/pysaml2-4.0.3[${PYTHON_USEDEP}]
+	>=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+	>=dev-python/jsonschema-2.6.0[${PYTHON_USEDEP}]
+	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+	!~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+	>=dev-python/pytz-2013.6[${PYTHON_USEDEP}]
+	memcached? (
+		>=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+	)
+	mongo? (
+		>=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+		!~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+	)
+	ldap? (
+		>=dev-python/pyldap-2.4.20[${PYTHON_USEDEP}]
+		>=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+	)
+	|| (
+		www-servers/uwsgi[python,${PYTHON_USEDEP}]
+		www-apache/mod_wsgi[${PYTHON_USEDEP}]
+		www-servers/gunicorn[${PYTHON_USEDEP}]
+	)"
+
+#PATCHES=(
+#)
+
+pkg_setup() {
+	enewgroup keystone
+	enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+	# it's in git, but not in the tarball.....
+	sed -i '/^hacking/d' test-requirements.txt || die
+	mkdir -p ${PN}/tests/tmp/ || die
+	cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+	sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+	sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+	# allow useage of renamed msgpack
+	sed -i '/^msgpack/d' requirements.txt || die
+	distutils-r1_python_prepare_all
+}
+
+python_test() {
+	nosetests -I 'test_keystoneclient*' \
+		-e test_static_translated_string_is_Message \
+		-e test_get_token_id_error_handling \
+		-e test_provider_token_expiration_validation \
+		-e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install_all() {
+	distutils-r1_python_install_all
+
+	diropts -m 0750
+	keepdir /etc/keystone /var/log/keystone
+	insinto /etc/keystone
+	insopts -m0640 -okeystone -gkeystone
+	doins etc/keystone.conf.sample etc/logging.conf.sample
+	doins etc/default_catalog.templates
+	doins etc/policy.v3cloudsample.json etc/keystone-paste.ini
+	insinto /etc/keystone/httpd
+	doins httpd/*
+
+	fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+	elog "You might want to run:"
+	elog "emerge --config =${CATEGORY}/${PF}"
+	elog "if this is a new install."
+	elog "If you have not already configured your openssl installation"
+	elog "please do it by modifying /etc/ssl/openssl.cnf"
+	elog "BEFORE issuing the configuration command."
+	elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+	if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+		einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+		read
+		"${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+	else
+		einfo "keystone PKI certificates directory already present, skipping configuration"
+	fi
+}
diff --git a/sys-auth/keystone/keystone-14.0.1.ebuild b/sys-auth/keystone/keystone-14.0.1.ebuild
new file mode 100644
index 000000000000..09d71b567d32
--- /dev/null
+++ b/sys-auth/keystone/keystone-14.0.1.ebuild
@@ -0,0 +1,181 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python2_7 python3_{4,5,6} )
+
+inherit distutils-r1 user
+
+DESCRIPTION="The Openstack authentication, authorization, and service catalog"
+HOMEPAGE="https://launchpad.net/keystone"
+if [[ ${PV} == *9999 ]];then
+	inherit git-r3
+	SRC_URI="https://dev.gentoo.org/~prometheanfire/dist/openstack/keystone/rocky/keystone.conf.sample -> keystone.conf.sample-${PV}
+	https://dev.gentoo.org/~prometheanfire/dist/openstack/keystone/rocky/keystone.policy.yaml.sample -> keystone.policy.yaml.sample-${PV}"
+	EGIT_REPO_URI="https://github.com/openstack/keystone.git"
+	EGIT_BRANCH="stable/rocky"
+else
+	SRC_URI="https://dev.gentoo.org/~prometheanfire/dist/openstack/keystone/rocky/keystone.conf.sample -> keystone.conf.sample-${PV}
+	https://dev.gentoo.org/~prometheanfire/dist/openstack/keystone/rocky/keystone.policy.yaml.sample -> keystone.policy.yaml.sample-${PV}
+	https://tarballs.openstack.org/${PN}/${P}.tar.gz"
+	KEYWORDS="~amd64 ~arm64 ~x86"
+fi
+
+LICENSE="Apache-2.0"
+SLOT="0"
+IUSE="+sqlite ldap memcached mongo mysql postgres test"
+REQUIRED_USE="|| ( mysql postgres sqlite )"
+
+CDEPEND=">=dev-python/pbr-2.0.0[${PYTHON_USEDEP}]
+	!~dev-python/pbr-2.1.0"
+DEPEND="
+	dev-python/setuptools[${PYTHON_USEDEP}]
+	${CDEPEND}"
+RDEPEND="
+	${CDEPEND}
+	>=dev-python/Babel-2.3.4[${PYTHON_USEDEP}]
+	!~dev-python/Babel-2.4.0[${PYTHON_USEDEP}]
+	>=dev-python/webob-1.7.1[${PYTHON_USEDEP}]
+	>=dev-python/routes-2.3.1[${PYTHON_USEDEP}]
+	>=dev-python/flask-1.0.2[${PYTHON_USEDEP}]
+	>=dev-python/flask-restful-0.3.5[${PYTHON_USEDEP}]
+	>=dev-python/cryptography-2.1[${PYTHON_USEDEP}]
+	>=dev-python/six-1.10.0[${PYTHON_USEDEP}]
+	sqlite? (
+		>=dev-python/sqlalchemy-1.0.10[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[sqlite,${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[sqlite,${PYTHON_USEDEP}]
+	)
+	mysql? (
+		>=dev-python/pymysql-0.7.6[${PYTHON_USEDEP}]
+		!~dev-python/pymysql-0.7.7[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[${PYTHON_USEDEP}]
+	)
+	postgres? (
+		>=dev-python/psycopg-2.5.0[${PYTHON_USEDEP}]
+		>=dev-python/sqlalchemy-1.0.10[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.5[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.6[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.7[${PYTHON_USEDEP}]
+		!~dev-python/sqlalchemy-1.1.8[${PYTHON_USEDEP}]
+	)
+	>=dev-python/sqlalchemy-migrate-0.11.0[${PYTHON_USEDEP}]
+	>=dev-python/stevedore-1.20.0[${PYTHON_USEDEP}]
+	>=dev-python/passlib-1.7.0[${PYTHON_USEDEP}]
+	>=dev-python/python-keystoneclient-3.8.0[${PYTHON_USEDEP}]
+	>=dev-python/keystonemiddleware-4.17.0[${PYTHON_USEDEP}]
+	>=dev-python/bcrypt-3.1.3[${PYTHON_USEDEP}]
+	>=dev-python/scrypt-0.8.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-cache-1.26.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-concurrency-3.26.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-config-5.2.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-context-2.21.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-messaging-5.29.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-db-4.27.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-i18n-3.15.3[${PYTHON_USEDEP}]
+	>=dev-python/oslo-log-3.36.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-middleware-3.31.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-policy-1.30.0[${PYTHON_USEDEP}]
+	>=dev-python/oslo-serialization-1.18.0[${PYTHON_USEDEP}]
+	!~dev-python/oslo-serialization-1.19.1[${PYTHON_USEDEP}]
+	>=dev-python/oslo-utils-3.33.0[${PYTHON_USEDEP}]
+	>=dev-python/oauthlib-0.6.2[${PYTHON_USEDEP}]
+	>=dev-python/pysaml2-4.5.0[${PYTHON_USEDEP}]
+	>=dev-python/dogpile-cache-0.6.2[${PYTHON_USEDEP}]
+	>=dev-python/jsonschema-2.6.0[${PYTHON_USEDEP}]
+	<dev-python/jsonschema-3.0.0[${PYTHON_USEDEP}]
+	>=dev-python/pycadf-1.1.0[${PYTHON_USEDEP}]
+	!~dev-python/pycadf-2.0.0[${PYTHON_USEDEP}]
+	>=dev-python/msgpack-0.4.0[${PYTHON_USEDEP}]
+	>=dev-python/osprofiler-1.4.0[${PYTHON_USEDEP}]
+	>=dev-python/pytz-2013.6[${PYTHON_USEDEP}]
+	memcached? (
+		>=dev-python/python-memcached-1.56[${PYTHON_USEDEP}]
+	)
+	mongo? (
+		>=dev-python/pymongo-3.0.2[${PYTHON_USEDEP}]
+		!~dev-python/pymongo-3.1[${PYTHON_USEDEP}]
+	)
+	ldap? (
+		>=dev-python/pyldap-2.4.20[${PYTHON_USEDEP}]
+		>=dev-python/ldappool-2.0.0[${PYTHON_USEDEP}]
+	)
+	|| (
+		www-servers/uwsgi[python,${PYTHON_USEDEP}]
+		www-apache/mod_wsgi[${PYTHON_USEDEP}]
+		www-servers/gunicorn[${PYTHON_USEDEP}]
+	)"
+
+#PATCHES=(
+#)
+
+pkg_setup() {
+	enewgroup keystone
+	enewuser keystone -1 -1 /var/lib/keystone keystone
+}
+
+python_prepare_all() {
+	# it's in git, but not in the tarball.....
+	sed -i '/^hacking/d' test-requirements.txt || die
+	mkdir -p ${PN}/tests/tmp/ || die
+	cp etc/keystone-paste.ini ${PN}/tests/tmp/ || die
+	sed -i 's|/usr/local|/usr|g' httpd/keystone-uwsgi-* || die
+	sed -i 's|python|python27|g' httpd/keystone-uwsgi-* || die
+	# allow useage of renamed msgpack
+	sed -i '/^msgpack/d' requirements.txt || die
+	distutils-r1_python_prepare_all
+}
+
+python_test() {
+	nosetests -I 'test_keystoneclient*' \
+		-e test_static_translated_string_is_Message \
+		-e test_get_token_id_error_handling \
+		-e test_provider_token_expiration_validation \
+		-e test_import --process-restartworker --process-timeout=60 || die "testsuite failed under python2.7"
+}
+
+python_install_all() {
+	distutils-r1_python_install_all
+
+	diropts -m 0750
+	keepdir /etc/keystone /var/log/keystone
+	insinto /etc/keystone
+	insopts -m0640 -okeystone -gkeystone
+	newins "${DISTDIR}/keystone.conf.sample-${PV}" keystone.conf.sample
+	newins "${DISTDIR}/keystone.policy.yaml.sample-${PV}" keystone.policy.yaml.sample
+	doins etc/logging.conf.sample
+	doins etc/default_catalog.templates
+	doins etc/policy.v3cloudsample.json
+	doins etc/keystone-paste.ini
+	insinto /etc/keystone/httpd
+	doins httpd/*
+
+	fowners keystone:keystone /etc/keystone /etc/keystone/httpd /var/log/keystone
+}
+
+pkg_postinst() {
+	elog "You might want to run:"
+	elog "emerge --config =${CATEGORY}/${PF}"
+	elog "if this is a new install."
+	elog "If you have not already configured your openssl installation"
+	elog "please do it by modifying /etc/ssl/openssl.cnf"
+	elog "BEFORE issuing the configuration command."
+	elog "Otherwise default values will be used."
+}
+
+pkg_config() {
+	if [ ! -d "${ROOT}"/etc/keystone/ssl ] ; then
+		einfo "Press ENTER to configure the keystone PKI, or Control-C to abort now..."
+		read
+		"${ROOT}"/usr/bin/keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
+	else
+		einfo "keystone PKI certificates directory already present, skipping configuration"
+	fi
+}
diff --git a/sys-auth/oath-toolkit/Manifest b/sys-auth/oath-toolkit/Manifest
index 62b98c6de795..73896a14f528 100644
--- a/sys-auth/oath-toolkit/Manifest
+++ b/sys-auth/oath-toolkit/Manifest
@@ -1,6 +1,7 @@
 AUX oath-toolkit-2.6.2-gcc7.patch 3526 BLAKE2B 07966d96b4362cb7c271fa745cf9be843e14db9cade77768a9f31bbb0435c4f1f56c81464630871ad337213cbdc97ed0c1cf9ad9d261e29812984bab767c1eb1 SHA512 4bf9bc8e176861f044c55aab6c6cb48dcd7ac1d887f71f08475cc1e7f2b14cb04edc8417532613433af35687169667b073ea57556c85114e5a763a03443a85b9
+AUX oath-toolkit-2.6.2-glibc228.patch 4786 BLAKE2B 7690a2b5249b7c668be5a516fa0a298d789ac4d259a27ea3b5c9d5a581990ebc2431074f7e7adcc61c03ce2e0979cfbd2220c4335959c3f4f7279e758b954451 SHA512 4d015bc760b9df074441f93cd94342aff595b5ad5215165d64c0557222123b821c791a87afcba15a3ce0acfbe6945d96330468673249f4a2b1dc1700ab9040b2
 DIST oath-toolkit-2.6.1.tar.gz 4238966 BLAKE2B 7af4f4997b18278aa1903470c79e5a7734e9e97e62a2de4685eee58ead59e3294cef0d6da0147746932a2891f59648b5473f02b5edd6c4fd81b4a9c80d9bde60 SHA512 59feadbc06d11a52bf5879493227c40358fc1f4f17ec3ff92e3a313e47b92f3154396fa3ff38ef163852b32c8bfcef1f59753b614d0138478b8f7e7971f55e62
 DIST oath-toolkit-2.6.2.tar.gz 4295786 BLAKE2B 2b97ab73339647b560b46373922095f18655a167b613b15d4ee2fd507d430025628d20eb111ff1d8025e78646b1d61d9680a7082caba1c75d247bb1d8b9b99dd SHA512 201a702a05a2e9fb3a66d04750e1a34e293342126caf02c344954a0d9fd0daafe73ca7f1fe273be129ae555a29b82b72fa2b4770ea2ad10711924e1926ec2cfb
 EBUILD oath-toolkit-2.6.1.ebuild 1456 BLAKE2B cf19d07cdb90a67e55e581593b5819ad9c4d75e0751afc21db7dd0dda4dc6d239b3d43bd377106591af4769edc36ed12b8a90b6cc47fa1183d3babde017d67fb SHA512 0c03c380e36070e9030575d63435554ec573cd0ea75bb87bc28cfda3e5a8ca10c025fdc6b14f670a3db200c78064ff12e92db4b8ae1f935c71b778728ffab414
-EBUILD oath-toolkit-2.6.2.ebuild 1500 BLAKE2B 5f0202b63c0eddd14763d8281200eafe7361336d2c1e5fa34be0a61c95d18d5eb5b80fe5ab52c103bfd5b7223126e6fb9d177fb923dd8f896bae749962210bf6 SHA512 d0225d4edaf4890bc22aa03e3835f85ff8137af525a874369eaf2880b76bf424ad2ecb0ea0da7163d9896307508ddf4091660ac4cfef283adc2e791547792beb
+EBUILD oath-toolkit-2.6.2.ebuild 1533 BLAKE2B e9711d2452a738eef9d553ffc3471880993421296e122d595153d69a9caf2302078b5e6c9e8ccb2cce05e5033aaee1d94cf20abff17d3747063954c122d26a2e SHA512 861a17031cdfce9d8db722f3f7a617f4a42dbb7190768c8adf0aaa37f097694bff84ecac0ee9a4079c977b62504080c0b87ddf5e9376a7f867c9bbe149b39126
 MISC metadata.xml 560 BLAKE2B 946cac9a0134fb3291ad816283326746067411e000e98be05cd8f87dfa0455ef3558b1bdabcb537356fed867d8667850d929747592e7c79212c7ad3357434c84 SHA512 4d6506e02bb4a6f6069dfe357cc3e05c897699a067771baa995af823d4de587d2580b01bf1c2a38cb8f8f679ba0702498ad904b6bb1d685a2759c2b7752be7f2
diff --git a/sys-auth/oath-toolkit/files/oath-toolkit-2.6.2-glibc228.patch b/sys-auth/oath-toolkit/files/oath-toolkit-2.6.2-glibc228.patch
new file mode 100644
index 000000000000..c43f7aee0fe7
--- /dev/null
+++ b/sys-auth/oath-toolkit/files/oath-toolkit-2.6.2-glibc228.patch
@@ -0,0 +1,100 @@
+diff -ruN oath-toolkit-2.6.2.orig/liboath/gl/fseeko.c oath-toolkit-2.6.2/liboath/gl/fseeko.c
+--- oath-toolkit-2.6.2.orig/liboath/gl/fseeko.c	2016-08-27 13:15:06.000000000 +0200
++++ oath-toolkit-2.6.2/liboath/gl/fseeko.c	2018-10-27 22:07:53.836832404 +0200
+@@ -1,18 +1,18 @@
+ /* An fseeko() function that, together with fflush(), is POSIX compliant.
+-   Copyright (C) 2007-2016 Free Software Foundation, Inc.
++   Copyright (C) 2007-2018 Free Software Foundation, Inc.
+ 
+    This program is free software; you can redistribute it and/or modify
+-   it under the terms of the GNU Lesser General Public License as published by
+-   the Free Software Foundation; either version 2.1, or (at your option)
++   it under the terms of the GNU General Public License as published by
++   the Free Software Foundation; either version 2, or (at your option)
+    any later version.
+ 
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+-   GNU Lesser General Public License for more details.
++   GNU General Public License for more details.
+ 
+-   You should have received a copy of the GNU Lesser General Public License along
+-   with this program; if not, see <http://www.gnu.org/licenses/>.  */
++   You should have received a copy of the GNU General Public License along
++   with this program; if not, see <https://www.gnu.org/licenses/>.  */
+ 
+ #include <config.h>
+ 
+@@ -33,9 +33,9 @@
+ #endif
+ #if _GL_WINDOWS_64_BIT_OFF_T
+ # undef fseeko
+-# if HAVE__FSEEKI64 /* msvc, mingw64 */
++# if HAVE__FSEEKI64 && HAVE_DECL__FSEEKI64 /* msvc, mingw since msvcrt8.0, mingw64 */
+ #  define fseeko _fseeki64
+-# else /* mingw */
++# else /* mingw before msvcrt8.0 */
+ #  define fseeko fseeko64
+ # endif
+ #endif
+@@ -47,12 +47,13 @@
+ #endif
+ 
+   /* These tests are based on fpurge.c.  */
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1
++  /* GNU libc, BeOS, Haiku, Linux libc5 */
+   if (fp->_IO_read_end == fp->_IO_read_ptr
+       && fp->_IO_write_ptr == fp->_IO_write_base
+       && fp->_IO_save_base == NULL)
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+-  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++  /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+ # if defined __SL64 && defined __SCLE /* Cygwin */
+   if ((fp->_flags & __SL64) == 0)
+     {
+@@ -80,7 +81,7 @@
+ #elif defined __minix               /* Minix */
+   if (fp_->_ptr == fp_->_buf
+       && (fp_->_ptr == NULL || fp_->_count == 0))
+-#elif defined _IOERR                /* AIX, HP-UX, IRIX, OSF/1, Solaris, OpenServer, mingw, NonStop Kernel */
++#elif defined _IOERR                /* AIX, HP-UX, IRIX, OSF/1, Solaris, OpenServer, mingw, MSVC, NonStop Kernel, OpenVMS */
+   if (fp_->_ptr == fp_->_base
+       && (fp_->_ptr == NULL || fp_->_cnt == 0))
+ #elif defined __UCLIBC__            /* uClibc */
+@@ -117,18 +118,19 @@
+       if (pos == -1)
+         {
+ #if defined __sferror || defined __DragonFly__ || defined __ANDROID__
+-          /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
++          /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
+           fp_->_flags &= ~__SOFF;
+ #endif
+           return -1;
+         }
+ 
+-#if defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1 /* GNU libc, BeOS, Haiku, Linux libc5 */
++#if defined _IO_EOF_SEEN || defined _IO_ftrylockfile || __GNU_LIBRARY__ == 1
++      /* GNU libc, BeOS, Haiku, Linux libc5 */
+       fp->_flags &= ~_IO_EOF_SEEN;
+       fp->_offset = pos;
+ #elif defined __sferror || defined __DragonFly__ || defined __ANDROID__
+-      /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Android */
+-# if defined __CYGWIN__ || (defined __NetBSD__ && __NetBSD_Version__ >= 600000000)
++      /* FreeBSD, NetBSD, OpenBSD, DragonFly, Mac OS X, Cygwin, Minix 3, Android */
++# if defined __CYGWIN__ || (defined __NetBSD__ && __NetBSD_Version__ >= 600000000) || defined __minix
+       /* fp_->_offset is typed as an integer.  */
+       fp_->_offset = pos;
+ # else
+@@ -150,8 +152,8 @@
+       fp_->_flags &= ~__SEOF;
+ #elif defined __EMX__               /* emx+gcc */
+       fp->_flags &= ~_IOEOF;
+-#elif defined _IOERR                /* AIX, HP-UX, IRIX, OSF/1, Solaris, OpenServer, mingw, NonStop Kernel */
+-      fp->_flag &= ~_IOEOF;
++#elif defined _IOERR                /* AIX, HP-UX, IRIX, OSF/1, Solaris, OpenServer, mingw, MSVC, NonStop Kernel, OpenVMS */
++      fp_->_flag &= ~_IOEOF;
+ #elif defined __MINT__              /* Atari FreeMiNT */
+       fp->__offset = pos;
+       fp->__eof = 0;
diff --git a/sys-auth/oath-toolkit/oath-toolkit-2.6.2.ebuild b/sys-auth/oath-toolkit/oath-toolkit-2.6.2.ebuild
index f3d38999c1e5..26a301c88498 100644
--- a/sys-auth/oath-toolkit/oath-toolkit-2.6.2.ebuild
+++ b/sys-auth/oath-toolkit/oath-toolkit-2.6.2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -20,7 +20,10 @@ DEPEND="${RDEPEND}
 	test? ( dev-libs/libxml2 )
 	dev-util/gtk-doc-am"
 
-PATCHES=( "${FILESDIR}"/${P}-gcc7.patch )
+PATCHES=(
+	"${FILESDIR}"/${P}-gcc7.patch
+	"${FILESDIR}"/${P}-glibc228.patch
+)
 
 src_prepare() {
 	default
diff --git a/sys-auth/pam_ssh_agent_auth/Manifest b/sys-auth/pam_ssh_agent_auth/Manifest
index 6bd9831a06d7..561c8176a138 100644
--- a/sys-auth/pam_ssh_agent_auth/Manifest
+++ b/sys-auth/pam_ssh_agent_auth/Manifest
@@ -1,10 +1,14 @@
+AUX pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch 46417 BLAKE2B bb62c32fc9c1eb5dc0788b9a535fdf6000812c57a6a758e693406a0d01bcf0cc5ec9f7622c4f21cee74895657a5a3ad13255e19d51e20eca8978e63864266629 SHA512 279fad3be9289c1da06d34e08d2b81a8ad863e07c7b0471419c029aa121abe9942ae4cc4259b7f1e2c2dd32368fc07dc1f9432aba860820455e0d9419c9e7f74
 AUX pam_ssh_agent_auth-0.9.2-libs.patch 1314 BLAKE2B fcbb332e2dbfa47d983970e66586d38f403ea2ea50f25f0273a2868560c1f4962db4b1be2ade94b42f3bed23cbf427710ad71400e5181b0b6f5d4c76d24d2f74 SHA512 ea99c2253081543e041ec043b62df9531ea9ffad029f213f17ce9e8b8b6d673cb4e7a794ddfe57fcea995b49c26a5cb775433e3dc413800c45d625c4e3c8808c
 DIST pam_ssh_agent_auth-0.10.2.tar.bz2 246412 BLAKE2B 3adf2bcc76559733f997744c95c660c67010b124db6e811559625a2ad7cbc7339d43d22dd5144135ae36ab90fdeb3c80c887e3157241936ceeb6026c8aa298fe SHA512 b4b9bc4486d873f236f7c54874c996e24f344f889dfda3beadb12b97cbb89078028a103a4a7175cd919fb0a12fd5bcefef50420510ae5eff9252e494e0124b38
+DIST pam_ssh_agent_auth-0.10.3.tar.bz2 1066393 BLAKE2B 07b113d05e09f770d63dbea813ea644199d2b103f9c6d7e5960bfad37cb181ce5a5f111f72e0274c0335e4c217ccd19bd53d61af23f8bc6aff14c1995fc4edc9 SHA512 d75062c4e46b0b011f46aed9704a99049995fea8b5115ff7ee26dad7e93cbcf54a8af7efc6b521109d77dc03c6f5284574d2e1b84c6829cec25610f24fb4bd66
 DIST pam_ssh_agent_auth-0.9.2.tar.bz2 237156 BLAKE2B b9d09920e10b454ea739e44c38daba6a509fbd4a96f01e26a82e0a8c58b696806b1f3ea95d53c10b55ed01e5804dfb687dd4545b87d85fa4f6a474548c3666d5 SHA512 e710a4dff315c8d79c5d5edc4ebe1629a8fc6d09651813fd4792a2021e7c2d5768d6b7e8539801e31b947cc30817f32375d751fc396707fc4f257df4f33cd408
 DIST pam_ssh_agent_auth-0.9.3.tar.bz2 239596 BLAKE2B 7be6af1c78457e082d34f5df406fccf74fbda48d1fe87be0592b927ea296b6db3cf1f9a58bcdd61c50556ffc53c16276dc87e5970d9caa0e51fb520e0473240b SHA512 c2304dcf623858339b5fd77bcf64e9c980a3ee241384b9125d64ba6ab9539a65eacbd3576b31a94bb390e4c089e702f9df2963119250b773bd8be872ae63a050
 DIST pam_ssh_agent_auth-0.9.4.tar.bz2 239250 BLAKE2B fee1e009a5374126db0b0df9f05436521e215933ed2eabdcd1983e6372fc7160c6a6c53d07b9ddc7bdd8b9529a27c7da4ef35aad2c80ea1ef2f895f3fb237135 SHA512 3d469e85bf7c49dcf9345c63678ebe050db4d15447592bc337bfc762f2337f92cebd7e840fc12d7be94acf1aa47b0272efe2c1688888ecd8f9daf63549520792
 EBUILD pam_ssh_agent_auth-0.10.2.ebuild 790 BLAKE2B 2ecff3ae129494ef13289417ed46219e1894506eaf070301089dd61d58362b462f24e3e306118e54650ac5e10a9a52f19cd5d624232977966d2e35709b954ff4 SHA512 49c0e34eae182fccef342a3d4afa3bdcf9932222866478b028b6ce071a2afe14783ba3a6083411b074db4c9795854e22eb3391f103fa6ecac9b3a7c72853066d
+EBUILD pam_ssh_agent_auth-0.10.3.ebuild 990 BLAKE2B 8d67820e853e5631da52f007913ce66fd3e409d24cc493f7cd7cee5e5c72e79afbd3d04e5d7318972150195ae76e3e2312564931aa71729053dea936875d57a7 SHA512 a765b39e419749f5ffeab11665f0dacb2ca4fc811b6cee2b2a1753b8690f600f2e216f830f5568645ff38864bffb20d2677f9eff08f69b51f4961903b078fa4e
 EBUILD pam_ssh_agent_auth-0.9.2.ebuild 853 BLAKE2B 61a7e4feba97b652892c96f5901b60a04f482b806faf84b2e2fa451974545afa4b1bb1e36289f6765e57a0295af040eaa9d36a4ea7f9ef8ae83d14891be74fff SHA512 326af2ffaa4d7f871584e2f0c659e23c6f089f86eade0f85eee50785e1810f2fe394459f9b977f47142ecbb26317572c812a585d0d9bf61be555fd868493e6c4
 EBUILD pam_ssh_agent_auth-0.9.3.ebuild 873 BLAKE2B ede6573827d2c3b58fee9bd7af4aecfe6f81d14e326eef76f7053d936a1c0fa9a869bedc30ccc8d91000f3e739c7ba3bbb3ce49e13ea05b0890d95fcfcfe21dd SHA512 d3aaac053792d87967fb01cc16dec5b3d3efe58fef3a1b0443c87121d01d34305b9d9fbe25dcafa277638e78801d03238d88160796e97601dc4708def758277e
 EBUILD pam_ssh_agent_auth-0.9.4.ebuild 802 BLAKE2B ab45042fc1e54c318a696004576d75c69882eb4a679f3486809efe533ba5ccd4d51a9b5cdaa61bd2866c660982132635f4dd4c3a86d56aca43ba880d6cd793cb SHA512 4a94a25449e2313a8ec657f62a378e6452af8b6a944fa54b31eeecea2753f475d2ded378b59eadf9b2233c39cfaa168f432c7f2bbbd95ee0782b38d0d9c06061
-MISC metadata.xml 305 BLAKE2B 2fbbd79c315ccb13a14dde087b8f444497988f0680a14282016effa3eccdc803f9f5b32fa31af2ded101c5e83ad346738e3b16329d1b4f04daa498a3a4c2b9e8 SHA512 4bbf43d0541b9313197f5883f7913d9a611d8cc549829e652ef24fda5b2e9ae55f3f52ff04b85f143fb8a3c9cecf0f4d164384241af53f453abe42b9aaa022bd
+EBUILD pam_ssh_agent_auth-9999.ebuild 938 BLAKE2B 1bf278f334da97723e7bfaae19ba60371cb7dd04aeb5998db26377f91b41af1ebf4fa402b6706dac2365473d45ee535b7d09deaabb7ca0a09b09bf457cb8fb36 SHA512 cad3c6b589740e3d811b0f9a4d6b00fb1c85beaeff5024173cab02514ed4524daf02616a2c8135202e4fd7200926cf765578701ba2df0ee14d209145cb3c3bb2
+MISC metadata.xml 372 BLAKE2B 00c28dfa41217cc3c687c7ecea1c15b7e29cf1972e501dade823f2a87b814d2400a4185e1942e3785d88c47dc0357c8b29c0698ecaecea7469312f7b3d9845e4 SHA512 f6d0735120460a980030b24d8b29dcdf5e53137e4ce565a99140040b96e620f5d0564e28a6c76df16520cb62d2a6ec46313607c9b5e31635616b45d7f7e069e8
diff --git a/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch
new file mode 100644
index 000000000000..a422cd5e479f
--- /dev/null
+++ b/sys-auth/pam_ssh_agent_auth/files/pam_ssh_agent_auth-0.10.3-openssl-1.1.1.patch
@@ -0,0 +1,1244 @@
+From eef90424a0545b7b0125dfaf5e3cef3c5248ada0 Mon Sep 17 00:00:00 2001
+From: Guido Falsi <mad@madpilot.net>
+Date: Sat, 20 Oct 2018 14:29:43 +0200
+Subject: [PATCH 1/2] Adapt to OpenSSL 1.1.1.
+
+The FreeBSD operating system is migrating to OpenSSL 1.1.1 and I have created this set of patches to make pam_ssh_agent_auth compile with it.
+
+The patch comments out some parts of include files which are not actually used and reference now opaque OpenSSL internals.
+
+I also have migrated the source files to use accessors to use the OpenSSL objects.
+
+The patch works on FreeBSD head (will be 12.0) but the --without-openssl-header-check argument is required in configure there.
+---
+ authfd.c    |  50 ++++++++++++++++++++
+ bufbn.c     |   4 ++
+ cipher.h    |   6 ++-
+ kex.h       |   9 +++-
+ key.c       | 133 ++++++++++++++++++++++++++++++++++++++++++++++++++--
+ ssh-dss.c   |  51 ++++++++++++++++----
+ ssh-ecdsa.c |  40 ++++++++++++----
+ ssh-rsa.c   |  22 +++++++--
+ 8 files changed, 287 insertions(+), 28 deletions(-)
+
+diff --git a/authfd.c b/authfd.c
+index 7b96921..35f8de1 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -372,6 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
+ 	case 1:
+ 		key = pamsshagentauth_key_new(KEY_RSA1);
+ 		bits = pamsshagentauth_buffer_get_int(&auth->identities);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e);
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n);
+ 		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
+@@ -379,6 +380,15 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
+ 		if (keybits < 0 || bits != (u_int)keybits)
+ 			pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u",
+ 			    BN_num_bits(key->rsa->n), bits);
++#else
++		pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_get_bignum(&auth->identities, RSA_get0_n(key->rsa));
++		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
++		keybits = BN_num_bits(RSA_get0_n(key->rsa));
++		if (keybits < 0 || bits != (u_int)keybits)
++			pamsshagentauth_logit("Warning: identity keysize mismatch: actual %d, announced %u",
++			    BN_num_bits(RSA_get0_n(key->rsa)), bits);
++#endif
+ 		break;
+ 	case 2:
+ 		blob = pamsshagentauth_buffer_get_string(&auth->identities, &blen);
+@@ -422,9 +432,15 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
+ 	}
+ 	pamsshagentauth_buffer_init(&buffer);
+ 	pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e);
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n);
++#else
++	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(RSA_get0_n(key->rsa)));
++	pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_e(key->rsa));
++	pamsshagentauth_buffer_put_bignum(&buffer, RSA_get0_n(key->rsa));
++#endif
+ 	pamsshagentauth_buffer_put_bignum(&buffer, challenge);
+ 	pamsshagentauth_buffer_append(&buffer, session_id, 16);
+ 	pamsshagentauth_buffer_put_int(&buffer, response_type);
+@@ -501,6 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
+ static void
+ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+ {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n));
+ 	pamsshagentauth_buffer_put_bignum(b, key->n);
+ 	pamsshagentauth_buffer_put_bignum(b, key->e);
+@@ -509,6 +526,16 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+ 	pamsshagentauth_buffer_put_bignum(b, key->iqmp);	/* ssh key->u */
+ 	pamsshagentauth_buffer_put_bignum(b, key->q);	/* ssh key->p, SSL key->q */
+ 	pamsshagentauth_buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
++#else
++	pamsshagentauth_buffer_put_int(b, BN_num_bits(RSA_get0_n(key)));
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_n(key));
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_e(key));
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_d(key));
++	/* To keep within the protocol: p < q for ssh. in SSL p > q */
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_iqmp(key));	/* ssh key->u */
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_q(key));	/* ssh key->p, SSL key->q */
++	pamsshagentauth_buffer_put_bignum(b, RSA_get0_p(key));	/* ssh key->q, SSL key->p */
++#endif
+ 	pamsshagentauth_buffer_put_cstring(b, comment);
+ }
+ 
+@@ -518,19 +545,36 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+ 	pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key));
+ 	switch (key->type) {
+ 	case KEY_RSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->n);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->d);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->iqmp);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->p);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->q);
++#else
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_n(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_d(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_iqmp(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_p(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(b, RSA_get0_q(key->rsa));
++#endif
+ 		break;
+ 	case KEY_DSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->p);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->q);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->g);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->pub_key);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->priv_key);
++#else
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_p(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_q(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_g(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_pub_key(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(b, DSA_get0_priv_key(key->dsa));
++#endif
+ 		break;
+ 	}
+ 	pamsshagentauth_buffer_put_cstring(b, comment);
+@@ -610,9 +654,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
+ 
+ 	if (key->type == KEY_RSA1) {
+ 		pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n));
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n);
++#else
++		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(RSA_get0_n(key->rsa)));
++		pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_put_bignum(&msg, RSA_get0_n(key->rsa));
++#endif
+ 	} else if (key->type == KEY_DSA || key->type == KEY_RSA) {
+ 		pamsshagentauth_key_to_blob(key, &blob, &blen);
+ 		pamsshagentauth_buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
+diff --git a/bufbn.c b/bufbn.c
+index 6a49c73..4ecedc1 100644
+--- a/bufbn.c
++++ b/bufbn.c
+@@ -151,7 +151,11 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
+ 		pamsshagentauth_buffer_put_int(buffer, 0);
+ 		return 0;
+ 	}
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if (value->neg) {
++#else
++	if (BN_is_negative(value)) {
++#endif
+ 		pamsshagentauth_logerror("buffer_put_bignum2_ret: negative numbers not supported");
+ 		return (-1);
+ 	}
+diff --git a/cipher.h b/cipher.h
+index 49bbc16..64f59ca 100644
+--- a/cipher.h
++++ b/cipher.h
+@@ -59,15 +59,18 @@
+ #define CIPHER_DECRYPT		0
+ 
+ typedef struct Cipher Cipher;
+-typedef struct CipherContext CipherContext;
++// typedef struct CipherContext CipherContext;
+ 
+ struct Cipher;
++/*
+ struct CipherContext {
+ 	int	plaintext;
+ 	EVP_CIPHER_CTX evp;
+ 	Cipher *cipher;
+ };
++*/
+ 
++/*
+ u_int	 cipher_mask_ssh1(int);
+ Cipher	*cipher_by_name(const char *);
+ Cipher	*cipher_by_number(int);
+@@ -88,4 +91,5 @@ void	 cipher_set_keyiv(CipherContext *, u_char *);
+ int	 cipher_get_keyiv_len(const CipherContext *);
+ int	 cipher_get_keycontext(const CipherContext *, u_char *);
+ void	 cipher_set_keycontext(CipherContext *, u_char *);
++*/
+ #endif				/* CIPHER_H */
+diff --git a/kex.h b/kex.h
+index 8e29c90..81ca57d 100644
+--- a/kex.h
++++ b/kex.h
+@@ -70,7 +70,7 @@ enum kex_exchange {
+ #define KEX_INIT_SENT	0x0001
+ 
+ typedef struct Kex Kex;
+-typedef struct Mac Mac;
++// typedef struct Mac Mac;
+ typedef struct Comp Comp;
+ typedef struct Enc Enc;
+ typedef struct Newkeys Newkeys;
+@@ -84,6 +84,7 @@ struct Enc {
+ 	u_char	*key;
+ 	u_char	*iv;
+ };
++/*
+ struct Mac {
+ 	char	*name;
+ 	int	enabled;
+@@ -95,11 +96,13 @@ struct Mac {
+ 	HMAC_CTX	evp_ctx;
+ 	struct umac_ctx *umac_ctx;
+ };
++*/
+ struct Comp {
+ 	int	type;
+ 	int	enabled;
+ 	char	*name;
+ };
++/*
+ struct Newkeys {
+ 	Enc	enc;
+ 	Mac	mac;
+@@ -126,7 +129,9 @@ struct Kex {
+ 	int	(*host_key_index)(Key *);
+ 	void	(*kex[KEX_MAX])(Kex *);
+ };
++*/
+ 
++/*
+ Kex	*kex_setup(char *[PROPOSAL_MAX]);
+ void	 kex_finish(Kex *);
+ 
+@@ -152,6 +157,8 @@ kexgex_hash(const EVP_MD *, char *, char *, char *, int, char *,
+ void
+ derive_ssh1_session_id(BIGNUM *, BIGNUM *, u_int8_t[8], u_int8_t[16]);
+ 
++*/
++
+ #if defined(DEBUG_KEX) || defined(DEBUG_KEXDH)
+ void	dump_digest(char *, u_char *, int);
+ #endif
+diff --git a/key.c b/key.c
+index 107a442..aedbbb5 100644
+--- a/key.c
++++ b/key.c
+@@ -77,15 +77,21 @@ pamsshagentauth_key_new(int type)
+ 	case KEY_RSA:
+ 		if ((rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: RSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((rsa->n = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((rsa->e = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
++#else
++		if (RSA_set0_key(rsa, BN_new(), BN_new(), NULL) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_key failed");
++#endif
+ 		k->rsa = rsa;
+ 		break;
+ 	case KEY_DSA:
+ 		if ((dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: DSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((dsa->p = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((dsa->q = BN_new()) == NULL)
+@@ -94,6 +100,12 @@ pamsshagentauth_key_new(int type)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((dsa->pub_key = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
++#else
++		if (DSA_set0_pqg(dsa, BN_new(), BN_new(), BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: DSA_set0_pqg failed");
++		if (DSA_set0_key(dsa, BN_new(), NULL) != 1)
++			pamsshagentauth_fatal("key_new: DSA_set0_key failed");
++#endif
+ 		k->dsa = dsa;
+ 		break;
+ 	case KEY_ECDSA:
+@@ -118,6 +130,7 @@ pamsshagentauth_key_new_private(int type)
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((k->rsa->d = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ 		if ((k->rsa->iqmp = BN_new()) == NULL)
+@@ -130,14 +143,30 @@ pamsshagentauth_key_new_private(int type)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ 		if ((k->rsa->dmp1 = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
++#else
++		if (RSA_set0_key(k->rsa, NULL, NULL, BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_key failed");
++		if (RSA_set0_crt_params(k->rsa, BN_new(), BN_new(), BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_crt_params failed");
++		if (RSA_set0_factors(k->rsa, BN_new(), BN_new()) != 1)
++			pamsshagentauth_fatal("key_new: RSA_set0_factors failed");
++#endif
+ 		break;
+ 	case KEY_DSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((k->dsa->priv_key = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
++#else
++		if (DSA_set0_key(k->dsa, NULL, BN_new()) != 1)
++			pamsshagentauth_fatal("key_new_private: DSA_set0_key failed");
++#endif
+ 		break;
+ 	case KEY_ECDSA:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1)
+ 			pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed");
++#else
++#endif
+ 		break;
+ 	case KEY_ED25519:
+ 		RAND_bytes(k->ed25519->sk, sizeof(k->ed25519->sk));
+@@ -195,14 +224,26 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
+ 		return a->rsa != NULL && b->rsa != NULL &&
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+ 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
++#else
++		    BN_cmp(RSA_get0_e(a->rsa), RSA_get0_e(b->rsa)) == 0 &&
++		    BN_cmp(RSA_get0_n(a->rsa), RSA_get0_n(b->rsa)) == 0;
++#endif
+ 	case KEY_DSA:
+ 		return a->dsa != NULL && b->dsa != NULL &&
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+ 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+ 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+ 		    BN_cmp(a->dsa->pub_key, b->dsa->pub_key) == 0;
++#else
++		    BN_cmp(DSA_get0_p(a->dsa), DSA_get0_p(b->dsa)) == 0 &&
++		    BN_cmp(DSA_get0_q(a->dsa), DSA_get0_q(b->dsa)) == 0 &&
++		    BN_cmp(DSA_get0_g(a->dsa), DSA_get0_g(b->dsa)) == 0 &&
++		    BN_cmp(DSA_get0_pub_key(a->dsa), DSA_get0_pub_key(b->dsa)) == 0;
++#endif
+ 	case KEY_ECDSA:
+ 		return a->ecdsa != NULL && b->ecdsa != NULL &&
+ 			EC_KEY_check_key(a->ecdsa) == 1 &&
+@@ -231,7 +272,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+     u_int *dgst_raw_length)
+ {
+ 	const EVP_MD *md = NULL;
+-	EVP_MD_CTX ctx;
++	EVP_MD_CTX *ctx;
+ 	u_char *blob = NULL;
+ 	u_char *retval = NULL;
+ 	u_int len = 0;
+@@ -252,12 +293,21 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ 	}
+ 	switch (k->type) {
+ 	case KEY_RSA1:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		nlen = BN_num_bytes(k->rsa->n);
+ 		elen = BN_num_bytes(k->rsa->e);
+ 		len = nlen + elen;
+ 		blob = pamsshagentauth_xmalloc(len);
+ 		BN_bn2bin(k->rsa->n, blob);
+ 		BN_bn2bin(k->rsa->e, blob + nlen);
++#else
++		nlen = BN_num_bytes(RSA_get0_n(k->rsa));
++		elen = BN_num_bytes(RSA_get0_e(k->rsa));
++		len = nlen + elen;
++		blob = pamsshagentauth_xmalloc(len);
++		BN_bn2bin(RSA_get0_n(k->rsa), blob);
++		BN_bn2bin(RSA_get0_e(k->rsa), blob + nlen);
++#endif
+ 		break;
+ 	case KEY_DSA:
+ 	case KEY_ECDSA:
+@@ -273,11 +323,14 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ 	}
+ 	if (blob != NULL) {
+ 		retval = pamsshagentauth_xmalloc(EVP_MAX_MD_SIZE);
+-		EVP_DigestInit(&ctx, md);
+-		EVP_DigestUpdate(&ctx, blob, len);
+-		EVP_DigestFinal(&ctx, retval, dgst_raw_length);
++		/* XXX Errors from EVP_* functions are not hadled */
++		ctx = EVP_MD_CTX_create();
++		EVP_DigestInit(ctx, md);
++		EVP_DigestUpdate(ctx, blob, len);
++		EVP_DigestFinal(ctx, retval, dgst_raw_length);
+ 		memset(blob, 0, len);
+ 		pamsshagentauth_xfree(blob);
++		EVP_MD_CTX_destroy(ctx);
+ 	} else {
+ 		pamsshagentauth_fatal("key_fingerprint_raw: blob is null");
+ 	}
+@@ -457,10 +510,17 @@ pamsshagentauth_key_read(Key *ret, char **cpp)
+ 			return -1;
+ 		*cpp = cp;
+ 		/* Get public exponent, public modulus. */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (!read_bignum(cpp, ret->rsa->e))
+ 			return -1;
+ 		if (!read_bignum(cpp, ret->rsa->n))
+ 			return -1;
++#else
++		if (!read_bignum(cpp, RSA_get0_e(ret->rsa)))
++			return -1;
++		if (!read_bignum(cpp, RSA_get0_n(ret->rsa)))
++			return -1;
++#endif
+ 		success = 1;
+ 		break;
+ 	case KEY_UNSPEC:
+@@ -583,10 +643,17 @@ pamsshagentauth_key_write(const Key *key, FILE *f)
+ 
+ 	if (key->type == KEY_RSA1 && key->rsa != NULL) {
+ 		/* size of modulus 'n' */
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		bits = BN_num_bits(key->rsa->n);
+ 		fprintf(f, "%u", bits);
+ 		if (write_bignum(f, key->rsa->e) &&
+ 		    write_bignum(f, key->rsa->n)) {
++#else
++		bits = BN_num_bits(RSA_get0_n(key->rsa));
++		fprintf(f, "%u", bits);
++		if (write_bignum(f, RSA_get0_e(key->rsa)) &&
++		    write_bignum(f, RSA_get0_n(key->rsa))) {
++#endif
+ 			success = 1;
+ 		} else {
+ 			pamsshagentauth_logerror("key_write: failed for RSA key");
+@@ -675,10 +742,17 @@ pamsshagentauth_key_size(const Key *k)
+ {
+ 	switch (k->type) {
+ 	case KEY_RSA1:
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	case KEY_RSA:
+ 		return BN_num_bits(k->rsa->n);
+ 	case KEY_DSA:
+ 		return BN_num_bits(k->dsa->p);
++#else
++	case KEY_RSA:
++		return BN_num_bits(RSA_get0_n(k->rsa));
++	case KEY_DSA:
++		return BN_num_bits(DSA_get0_p(k->dsa));
++#endif
+ 	case KEY_ECDSA:
+ 	{
+ 		int nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(k->ecdsa));
+@@ -769,17 +843,29 @@ pamsshagentauth_key_from_private(const Key *k)
+ 	switch (k->type) {
+ 	case KEY_DSA:
+ 		n = pamsshagentauth_key_new(k->type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
+ 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
+ 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
+ 		    (BN_copy(n->dsa->pub_key, k->dsa->pub_key) == NULL))
++#else
++		if ((BN_copy(DSA_get0_p(n->dsa), DSA_get0_p(k->dsa)) == NULL) ||
++		    (BN_copy(DSA_get0_q(n->dsa), DSA_get0_q(k->dsa)) == NULL) ||
++		    (BN_copy(DSA_get0_g(n->dsa), DSA_get0_g(k->dsa)) == NULL) ||
++		    (BN_copy(DSA_get0_pub_key(n->dsa), DSA_get0_pub_key(k->dsa)) == NULL))
++#endif
+ 			pamsshagentauth_fatal("key_from_private: BN_copy failed");
+ 		break;
+ 	case KEY_RSA:
+ 	case KEY_RSA1:
+ 		n = pamsshagentauth_key_new(k->type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+ 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
++#else
++		if ((BN_copy(RSA_get0_n(n->rsa), RSA_get0_n(k->rsa)) == NULL) ||
++		    (BN_copy(RSA_get0_e(n->rsa), RSA_get0_e(k->rsa)) == NULL))
++#endif
+ 			pamsshagentauth_fatal("key_from_private: BN_copy failed");
+ 		break;
+ 	case KEY_ECDSA:
+@@ -881,8 +967,13 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 	switch (type) {
+ 	case KEY_RSA:
+ 		key = pamsshagentauth_key_new(type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
++#else
++		if (pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_e(key->rsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, RSA_get0_n(key->rsa)) == -1) {
++#endif
+ 			pamsshagentauth_logerror("key_from_blob: can't read rsa key");
+ 			pamsshagentauth_key_free(key);
+ 			key = NULL;
+@@ -894,10 +985,17 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 		break;
+ 	case KEY_DSA:
+ 		key = pamsshagentauth_key_new(type);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->pub_key) == -1) {
++#else
++		if (pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_p(key->dsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_q(key->dsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_g(key->dsa)) == -1 ||
++		    pamsshagentauth_buffer_get_bignum2_ret(&b, DSA_get0_pub_key(key->dsa)) == -1) {
++#endif
+ 			pamsshagentauth_logerror("key_from_blob: can't read dsa key");
+ 			pamsshagentauth_key_free(key);
+ 			key = NULL;
+@@ -1015,6 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+ 	}
+ 	pamsshagentauth_buffer_init(&b);
+ 	switch (key->type) {
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	case KEY_DSA:
+ 		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p);
+@@ -1027,6 +1126,20 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->rsa->n);
+ 		break;
++#else
++	case KEY_DSA:
++		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_p(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_q(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_g(key->dsa));
++		pamsshagentauth_buffer_put_bignum2(&b, DSA_get0_pub_key(key->dsa));
++		break;
++	case KEY_RSA:
++		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
++		pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_e(key->rsa));
++		pamsshagentauth_buffer_put_bignum2(&b, RSA_get0_n(key->rsa));
++		break;
++#endif
+ 	case KEY_ECDSA:
+ 	{
+ 		size_t l = 0;
+@@ -1138,14 +1251,20 @@ pamsshagentauth_key_demote(const Key *k)
+ 	case KEY_RSA:
+ 		if ((pk->rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: RSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
++#else
++		if (RSA_set0_key(pk->rsa, BN_dup(RSA_get0_n(k->rsa)), BN_dup(RSA_get0_e(k->rsa)), NULL) != 1)
++			pamsshagentauth_fatal("key_demote: RSA_set0_key failed");
++#endif
+ 		break;
+ 	case KEY_DSA:
+ 		if ((pk->dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: DSA_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
+@@ -1154,6 +1273,12 @@ pamsshagentauth_key_demote(const Key *k)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->dsa->pub_key = BN_dup(k->dsa->pub_key)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
++#else
++		if (DSA_set0_pqg(pk->dsa, BN_dup(DSA_get0_p(k->dsa)), BN_dup(DSA_get0_q(k->dsa)), BN_dup(DSA_get0_g(k->dsa))) != 1)
++			pamsshagentauth_fatal("key_demote: DSA_set0_pqg failed");
++		if (DSA_set0_key(pk->dsa, BN_dup(DSA_get0_pub_key(k->dsa)), NULL) != 1)
++			pamsshagentauth_fatal("key_demote: DSA_set0_key failed");
++#endif
+ 		break;
+ 	case KEY_ECDSA:
+ 		pamsshagentauth_fatal("key_demote: implement me");
+diff --git a/ssh-dss.c b/ssh-dss.c
+index 9fdaa5d..1051ae2 100644
+--- a/ssh-dss.c
++++ b/ssh-dss.c
+@@ -48,37 +48,53 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ {
+ 	DSA_SIG *sig;
+ 	const EVP_MD *evp_md = EVP_sha1();
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
+ 	u_int rlen, slen, len, dlen;
+ 	Buffer b;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	const BIGNUM *r, *s;
++#endif
+ 
+ 	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+ 		pamsshagentauth_logerror("ssh_dss_sign: no DSA key");
+ 		return -1;
+ 	}
+-	EVP_DigestInit(&md, evp_md);
+-	EVP_DigestUpdate(&md, data, datalen);
+-	EVP_DigestFinal(&md, digest, &dlen);
++	md = EVP_MD_CTX_create();
++	EVP_DigestInit(md, evp_md);
++	EVP_DigestUpdate(md, data, datalen);
++	EVP_DigestFinal(md, digest, &dlen);
+ 
+ 	sig = DSA_do_sign(digest, dlen, key->dsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 
+ 	if (sig == NULL) {
+ 		pamsshagentauth_logerror("ssh_dss_sign: sign failed");
+ 		return -1;
+ 	}
+ 
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	rlen = BN_num_bytes(sig->r);
+ 	slen = BN_num_bytes(sig->s);
++#else
++	DSA_SIG_get0((const DSA_SIG *)sig, (const BIGNUM **)r, (const BIGNUM **)s);
++	rlen = BN_num_bytes(r);
++	slen = BN_num_bytes(s);
++#endif
+ 	if (rlen > INTBLOB_LEN || slen > INTBLOB_LEN) {
+ 		pamsshagentauth_logerror("bad sig size %u %u", rlen, slen);
+ 		DSA_SIG_free(sig);
+ 		return -1;
+ 	}
+ 	memset(sigblob, 0, SIGBLOB_LEN);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+ 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
++#else
++	BN_bn2bin(r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
++	BN_bn2bin(s, sigblob+ SIGBLOB_LEN - slen);
++#endif
+ 	DSA_SIG_free(sig);
+ 
+ 	if (datafellows & SSH_BUG_SIGBLOB) {
+@@ -110,11 +126,14 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ {
+ 	DSA_SIG *sig;
+ 	const EVP_MD *evp_md = EVP_sha1();
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
+ 	u_int len, dlen;
+ 	int rlen, ret;
+ 	Buffer b;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	BIGNUM *r, *s;
++#endif
+ 
+ 	if (key == NULL || key->type != KEY_DSA || key->dsa == NULL) {
+ 		pamsshagentauth_logerror("ssh_dss_verify: no DSA key");
+@@ -157,6 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	/* parse signature */
+ 	if ((sig = DSA_SIG_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed");
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if ((sig->r = BN_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
+ 	if ((sig->s = BN_new()) == NULL)
+@@ -164,18 +184,33 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	if ((BN_bin2bn(sigblob, INTBLOB_LEN, sig->r) == NULL) ||
+ 	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, sig->s) == NULL))
+ 		pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed");
++#else
++	if ((r = BN_new()) == NULL)
++		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
++	if ((s = BN_new()) == NULL)
++		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
++	if (DSA_SIG_set0(sig, r, s) != 1)
++		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed");
++	if ((BN_bin2bn(sigblob, INTBLOB_LEN, r) == NULL) ||
++	    (BN_bin2bn(sigblob+ INTBLOB_LEN, INTBLOB_LEN, s) == NULL))
++		pamsshagentauth_fatal("ssh_dss_verify: BN_bin2bn failed");
++	if (DSA_SIG_set0(sig, r, s) != 1)
++		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_set0 failed");
++#endif
+ 
+ 	/* clean up */
+ 	memset(sigblob, 0, len);
+ 	pamsshagentauth_xfree(sigblob);
+ 
+ 	/* sha1 the data */
+-	EVP_DigestInit(&md, evp_md);
+-	EVP_DigestUpdate(&md, data, datalen);
+-	EVP_DigestFinal(&md, digest, &dlen);
++	md = EVP_MD_CTX_create();
++	EVP_DigestInit(md, evp_md);
++	EVP_DigestUpdate(md, data, datalen);
++	EVP_DigestFinal(md, digest, &dlen);
+ 
+ 	ret = DSA_do_verify(digest, dlen, sig, key->dsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 
+ 	DSA_SIG_free(sig);
+ 
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index efa0f3d..c213959 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -41,22 +41,27 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+ {
+     ECDSA_SIG *sig;
+     const EVP_MD *evp_md = evp_from_key(key);
+-    EVP_MD_CTX md;
++    EVP_MD_CTX *md;
+     u_char digest[EVP_MAX_MD_SIZE];
+     u_int len, dlen;
+     Buffer b, bb;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	BIGNUM *r, *s;
++#endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+         pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key");
+         return -1;
+     }
+ 
+-    EVP_DigestInit(&md, evp_md);
+-    EVP_DigestUpdate(&md, data, datalen);
+-    EVP_DigestFinal(&md, digest, &dlen);
++    md = EVP_MD_CTX_create();
++    EVP_DigestInit(md, evp_md);
++    EVP_DigestUpdate(md, data, datalen);
++    EVP_DigestFinal(md, digest, &dlen);
+ 
+     sig = ECDSA_do_sign(digest, dlen, key->ecdsa);
+     memset(digest, 'd', sizeof(digest));
++    EVP_MD_CTX_destroy(md);
+ 
+     if (sig == NULL) {
+         pamsshagentauth_logerror("ssh_ecdsa_sign: sign failed");
+@@ -64,8 +69,14 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     }
+ 
+     pamsshagentauth_buffer_init(&bb);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 ||
+         pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) {
++#else
++    DSA_SIG_get0(sig, &r, &s);
++    if (pamsshagentauth_buffer_get_bignum2_ret(&bb, r) == -1 ||
++        pamsshagentauth_buffer_get_bignum2_ret(&bb, s) == -1) {
++#endif
+         pamsshagentauth_logerror("couldn't serialize signature");
+         ECDSA_SIG_free(sig);
+         return -1;
+@@ -94,11 +105,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ {
+     ECDSA_SIG *sig;
+     const EVP_MD *evp_md = evp_from_key(key);
+-    EVP_MD_CTX md;
++    EVP_MD_CTX *md;
+     u_char digest[EVP_MAX_MD_SIZE], *sigblob;
+     u_int len, dlen;
+     int rlen, ret;
+     Buffer b;
++#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++	BIGNUM *r, *s;
++#endif
+ 
+     if (key == NULL || key->type != KEY_ECDSA || key->ecdsa == NULL) {
+         pamsshagentauth_logerror("ssh_ecdsa_sign: no ECDSA key");
+@@ -127,8 +141,14 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
++#else
++    DSA_SIG_get0(sig, &r, &s);
++    if ((pamsshagentauth_buffer_get_bignum2_ret(&b, r) == -1) ||
++        (pamsshagentauth_buffer_get_bignum2_ret(&b, s) == -1))
++#endif
+         pamsshagentauth_fatal("ssh_ecdsa_verify:"
+             "pamsshagentauth_buffer_get_bignum2_ret failed");
+ 
+@@ -137,16 +157,18 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+     pamsshagentauth_xfree(sigblob);
+ 
+     /* sha256 the data */
+-    EVP_DigestInit(&md, evp_md);
+-    EVP_DigestUpdate(&md, data, datalen);
+-    EVP_DigestFinal(&md, digest, &dlen);
++    md = EVP_MD_CTX_create();
++    EVP_DigestInit(md, evp_md);
++    EVP_DigestUpdate(md, data, datalen);
++    EVP_DigestFinal(md, digest, &dlen);
+ 
+     ret = ECDSA_do_verify(digest, dlen, sig, key->ecdsa);
+     memset(digest, 'd', sizeof(digest));
++    EVP_MD_CTX_destroy(md);
+ 
+     ECDSA_SIG_free(sig);
+ 
+     pamsshagentauth_verbose("ssh_ecdsa_verify: signature %s",
+         ret == 1 ? "correct" : ret == 0 ? "incorrect" : "error");
+     return ret;
+-}
+\ No newline at end of file
++}
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index d05844b..9d74eb6 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -40,7 +40,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     const u_char *data, u_int datalen)
+ {
+ 	const EVP_MD *evp_md;
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	u_char digest[EVP_MAX_MD_SIZE], *sig;
+ 	u_int slen, dlen, len;
+ 	int ok, nid;
+@@ -55,6 +55,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 		pamsshagentauth_logerror("ssh_rsa_sign: EVP_get_digestbynid %d failed", nid);
+ 		return -1;
+ 	}
++	md = EVP_MD_CTX_create();
+ 	EVP_DigestInit(&md, evp_md);
+ 	EVP_DigestUpdate(&md, data, datalen);
+ 	EVP_DigestFinal(&md, digest, &dlen);
+@@ -64,6 +65,7 @@ ssh_rsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 
+ 	ok = RSA_sign(nid, digest, dlen, sig, &len, key->rsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 
+ 	if (ok != 1) {
+ 		int ecode = ERR_get_error();
+@@ -107,7 +109,7 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ {
+ 	Buffer b;
+ 	const EVP_MD *evp_md;
+-	EVP_MD_CTX md;
++	EVP_MD_CTX *md;
+ 	char *ktype;
+ 	u_char digest[EVP_MAX_MD_SIZE], *sigblob;
+ 	u_int len, dlen, modlen;
+@@ -117,9 +119,17 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 		pamsshagentauth_logerror("ssh_rsa_verify: no RSA key");
+ 		return -1;
+ 	}
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
++#else
++	if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
++#endif
+ 		pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
++#if OPENSSL_VERSION_NUMBER < 0x10100000L
+ 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
++#else
++		    BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE);
++#endif
+ 		return -1;
+ 	}
+ 	pamsshagentauth_buffer_init(&b);
+@@ -161,12 +171,14 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 		pamsshagentauth_xfree(sigblob);
+ 		return -1;
+ 	}
+-	EVP_DigestInit(&md, evp_md);
+-	EVP_DigestUpdate(&md, data, datalen);
+-	EVP_DigestFinal(&md, digest, &dlen);
++	md = EVP_MD_CTX_create();
++	EVP_DigestInit(md, evp_md);
++	EVP_DigestUpdate(md, data, datalen);
++	EVP_DigestFinal(md, digest, &dlen);
+ 
+ 	ret = openssh_RSA_verify(nid, digest, dlen, sigblob, len, key->rsa);
+ 	memset(digest, 'd', sizeof(digest));
++	EVP_MD_CTX_destroy(md);
+ 	memset(sigblob, 's', len);
+ 	pamsshagentauth_xfree(sigblob);
+ 	pamsshagentauth_verbose("ssh_rsa_verify: signature %scorrect", (ret==0) ? "in" : "");
+
+From 4dc87369134f215378042ec4d971a4fe48d1a02b Mon Sep 17 00:00:00 2001
+From: Guido Falsi <mad@madpilot.net>
+Date: Wed, 24 Oct 2018 20:36:15 +0200
+Subject: [PATCH 2/2] Check against the correct OPENSSL_VERSION_NUMBER
+
+Alexey Dokuchaev (a fellow FreeBSD developer) pointed out to me the opaque structures were introduced in 1.1.0-pre
+5, so the correct OPENSSL_VERSION_NUMBER to discriminate is 0x10100005L.
+---
+ authfd.c    | 12 ++++++------
+ bufbn.c     |  2 +-
+ key.c       | 36 ++++++++++++++++++------------------
+ ssh-dss.c   | 10 +++++-----
+ ssh-ecdsa.c |  8 ++++----
+ ssh-rsa.c   |  4 ++--
+ 6 files changed, 36 insertions(+), 36 deletions(-)
+
+diff --git a/authfd.c b/authfd.c
+index 35f8de1..01d1d89 100644
+--- a/authfd.c
++++ b/authfd.c
+@@ -372,7 +372,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
+ 	case 1:
+ 		key = pamsshagentauth_key_new(KEY_RSA1);
+ 		bits = pamsshagentauth_buffer_get_int(&auth->identities);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->e);
+ 		pamsshagentauth_buffer_get_bignum(&auth->identities, key->rsa->n);
+ 		*comment = pamsshagentauth_buffer_get_string(&auth->identities, NULL);
+@@ -432,7 +432,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
+ 	}
+ 	pamsshagentauth_buffer_init(&buffer);
+ 	pamsshagentauth_buffer_put_char(&buffer, SSH_AGENTC_RSA_CHALLENGE);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	pamsshagentauth_buffer_put_int(&buffer, BN_num_bits(key->rsa->n));
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->e);
+ 	pamsshagentauth_buffer_put_bignum(&buffer, key->rsa->n);
+@@ -517,7 +517,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
+ static void
+ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
+ {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	pamsshagentauth_buffer_put_int(b, BN_num_bits(key->n));
+ 	pamsshagentauth_buffer_put_bignum(b, key->n);
+ 	pamsshagentauth_buffer_put_bignum(b, key->e);
+@@ -545,7 +545,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+ 	pamsshagentauth_buffer_put_cstring(b, key_ssh_name(key));
+ 	switch (key->type) {
+ 	case KEY_RSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->n);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->rsa->d);
+@@ -562,7 +562,7 @@ ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
+ #endif
+ 		break;
+ 	case KEY_DSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->p);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->q);
+ 		pamsshagentauth_buffer_put_bignum2(b, key->dsa->g);
+@@ -654,7 +654,7 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
+ 
+ 	if (key->type == KEY_RSA1) {
+ 		pamsshagentauth_buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		pamsshagentauth_buffer_put_int(&msg, BN_num_bits(key->rsa->n));
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->e);
+ 		pamsshagentauth_buffer_put_bignum(&msg, key->rsa->n);
+diff --git a/bufbn.c b/bufbn.c
+index 4ecedc1..b4754cc 100644
+--- a/bufbn.c
++++ b/bufbn.c
+@@ -151,7 +151,7 @@ pamsshagentauth_buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
+ 		pamsshagentauth_buffer_put_int(buffer, 0);
+ 		return 0;
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	if (value->neg) {
+ #else
+ 	if (BN_is_negative(value)) {
+diff --git a/key.c b/key.c
+index aedbbb5..dcc5fc8 100644
+--- a/key.c
++++ b/key.c
+@@ -77,7 +77,7 @@ pamsshagentauth_key_new(int type)
+ 	case KEY_RSA:
+ 		if ((rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: RSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((rsa->n = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((rsa->e = BN_new()) == NULL)
+@@ -91,7 +91,7 @@ pamsshagentauth_key_new(int type)
+ 	case KEY_DSA:
+ 		if ((dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: DSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((dsa->p = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new: BN_new failed");
+ 		if ((dsa->q = BN_new()) == NULL)
+@@ -130,7 +130,7 @@ pamsshagentauth_key_new_private(int type)
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((k->rsa->d = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ 		if ((k->rsa->iqmp = BN_new()) == NULL)
+@@ -153,7 +153,7 @@ pamsshagentauth_key_new_private(int type)
+ #endif
+ 		break;
+ 	case KEY_DSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((k->dsa->priv_key = BN_new()) == NULL)
+ 			pamsshagentauth_fatal("key_new_private: BN_new failed");
+ #else
+@@ -162,7 +162,7 @@ pamsshagentauth_key_new_private(int type)
+ #endif
+ 		break;
+ 	case KEY_ECDSA:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (EC_KEY_set_private_key(k->ecdsa, BN_new()) != 1)
+ 			pamsshagentauth_fatal("key_new_private: EC_KEY_set_private_key failed");
+ #else
+@@ -224,7 +224,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
+ 	case KEY_RSA1:
+ 	case KEY_RSA:
+ 		return a->rsa != NULL && b->rsa != NULL &&
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		    BN_cmp(a->rsa->e, b->rsa->e) == 0 &&
+ 		    BN_cmp(a->rsa->n, b->rsa->n) == 0;
+ #else
+@@ -233,7 +233,7 @@ pamsshagentauth_key_equal(const Key *a, const Key *b)
+ #endif
+ 	case KEY_DSA:
+ 		return a->dsa != NULL && b->dsa != NULL &&
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		    BN_cmp(a->dsa->p, b->dsa->p) == 0 &&
+ 		    BN_cmp(a->dsa->q, b->dsa->q) == 0 &&
+ 		    BN_cmp(a->dsa->g, b->dsa->g) == 0 &&
+@@ -293,7 +293,7 @@ pamsshagentauth_key_fingerprint_raw(const Key *k, enum fp_type dgst_type,
+ 	}
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		nlen = BN_num_bytes(k->rsa->n);
+ 		elen = BN_num_bytes(k->rsa->e);
+ 		len = nlen + elen;
+@@ -510,7 +510,7 @@ pamsshagentauth_key_read(Key *ret, char **cpp)
+ 			return -1;
+ 		*cpp = cp;
+ 		/* Get public exponent, public modulus. */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (!read_bignum(cpp, ret->rsa->e))
+ 			return -1;
+ 		if (!read_bignum(cpp, ret->rsa->n))
+@@ -643,7 +643,7 @@ pamsshagentauth_key_write(const Key *key, FILE *f)
+ 
+ 	if (key->type == KEY_RSA1 && key->rsa != NULL) {
+ 		/* size of modulus 'n' */
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		bits = BN_num_bits(key->rsa->n);
+ 		fprintf(f, "%u", bits);
+ 		if (write_bignum(f, key->rsa->e) &&
+@@ -742,7 +742,7 @@ pamsshagentauth_key_size(const Key *k)
+ {
+ 	switch (k->type) {
+ 	case KEY_RSA1:
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	case KEY_RSA:
+ 		return BN_num_bits(k->rsa->n);
+ 	case KEY_DSA:
+@@ -843,7 +843,7 @@ pamsshagentauth_key_from_private(const Key *k)
+ 	switch (k->type) {
+ 	case KEY_DSA:
+ 		n = pamsshagentauth_key_new(k->type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((BN_copy(n->dsa->p, k->dsa->p) == NULL) ||
+ 		    (BN_copy(n->dsa->q, k->dsa->q) == NULL) ||
+ 		    (BN_copy(n->dsa->g, k->dsa->g) == NULL) ||
+@@ -859,7 +859,7 @@ pamsshagentauth_key_from_private(const Key *k)
+ 	case KEY_RSA:
+ 	case KEY_RSA1:
+ 		n = pamsshagentauth_key_new(k->type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((BN_copy(n->rsa->n, k->rsa->n) == NULL) ||
+ 		    (BN_copy(n->rsa->e, k->rsa->e) == NULL))
+ #else
+@@ -967,7 +967,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 	switch (type) {
+ 	case KEY_RSA:
+ 		key = pamsshagentauth_key_new(type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->e) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->rsa->n) == -1) {
+ #else
+@@ -985,7 +985,7 @@ pamsshagentauth_key_from_blob(const u_char *blob, u_int blen)
+ 		break;
+ 	case KEY_DSA:
+ 		key = pamsshagentauth_key_new(type);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if (pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->p) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->q) == -1 ||
+ 		    pamsshagentauth_buffer_get_bignum2_ret(&b, key->dsa->g) == -1 ||
+@@ -1113,7 +1113,7 @@ pamsshagentauth_key_to_blob(const Key *key, u_char **blobp, u_int *lenp)
+ 	}
+ 	pamsshagentauth_buffer_init(&b);
+ 	switch (key->type) {
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	case KEY_DSA:
+ 		pamsshagentauth_buffer_put_cstring(&b, key_ssh_name(key));
+ 		pamsshagentauth_buffer_put_bignum2(&b, key->dsa->p);
+@@ -1251,7 +1251,7 @@ pamsshagentauth_key_demote(const Key *k)
+ 	case KEY_RSA:
+ 		if ((pk->rsa = RSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: RSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((pk->rsa->e = BN_dup(k->rsa->e)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->rsa->n = BN_dup(k->rsa->n)) == NULL)
+@@ -1264,7 +1264,7 @@ pamsshagentauth_key_demote(const Key *k)
+ 	case KEY_DSA:
+ 		if ((pk->dsa = DSA_new()) == NULL)
+ 			pamsshagentauth_fatal("key_demote: DSA_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		if ((pk->dsa->p = BN_dup(k->dsa->p)) == NULL)
+ 			pamsshagentauth_fatal("key_demote: BN_dup failed");
+ 		if ((pk->dsa->q = BN_dup(k->dsa->q)) == NULL)
+diff --git a/ssh-dss.c b/ssh-dss.c
+index 1051ae2..9b96274 100644
+--- a/ssh-dss.c
++++ b/ssh-dss.c
+@@ -52,7 +52,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 	u_char digest[EVP_MAX_MD_SIZE], sigblob[SIGBLOB_LEN];
+ 	u_int rlen, slen, len, dlen;
+ 	Buffer b;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	const BIGNUM *r, *s;
+ #endif
+ 
+@@ -74,7 +74,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 		return -1;
+ 	}
+ 
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	rlen = BN_num_bytes(sig->r);
+ 	slen = BN_num_bytes(sig->s);
+ #else
+@@ -88,7 +88,7 @@ ssh_dss_sign(const Key *key, u_char **sigp, u_int *lenp,
+ 		return -1;
+ 	}
+ 	memset(sigblob, 0, SIGBLOB_LEN);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	BN_bn2bin(sig->r, sigblob+ SIGBLOB_LEN - INTBLOB_LEN - rlen);
+ 	BN_bn2bin(sig->s, sigblob+ SIGBLOB_LEN - slen);
+ #else
+@@ -131,7 +131,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	u_int len, dlen;
+ 	int rlen, ret;
+ 	Buffer b;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	BIGNUM *r, *s;
+ #endif
+ 
+@@ -176,7 +176,7 @@ ssh_dss_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 	/* parse signature */
+ 	if ((sig = DSA_SIG_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: DSA_SIG_new failed");
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	if ((sig->r = BN_new()) == NULL)
+ 		pamsshagentauth_fatal("ssh_dss_verify: BN_new failed");
+ 	if ((sig->s = BN_new()) == NULL)
+diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c
+index c213959..5b13b30 100644
+--- a/ssh-ecdsa.c
++++ b/ssh-ecdsa.c
+@@ -45,7 +45,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     u_char digest[EVP_MAX_MD_SIZE];
+     u_int len, dlen;
+     Buffer b, bb;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	BIGNUM *r, *s;
+ #endif
+ 
+@@ -69,7 +69,7 @@ ssh_ecdsa_sign(const Key *key, u_char **sigp, u_int *lenp,
+     }
+ 
+     pamsshagentauth_buffer_init(&bb);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if (pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->r) == -1 ||
+         pamsshagentauth_buffer_get_bignum2_ret(&bb, sig->s) == -1) {
+ #else
+@@ -110,7 +110,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+     u_int len, dlen;
+     int rlen, ret;
+     Buffer b;
+-#if OPENSSL_VERSION_NUMBER >= 0x10100000L
++#if OPENSSL_VERSION_NUMBER >= 0x10100005L
+ 	BIGNUM *r, *s;
+ #endif
+ 
+@@ -141,7 +141,7 @@ ssh_ecdsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 
+     pamsshagentauth_buffer_init(&b);
+     pamsshagentauth_buffer_append(&b, sigblob, len);
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+     if ((pamsshagentauth_buffer_get_bignum2_ret(&b, sig->r) == -1) ||
+         (pamsshagentauth_buffer_get_bignum2_ret(&b, sig->s) == -1))
+ #else
+diff --git a/ssh-rsa.c b/ssh-rsa.c
+index 9d74eb6..35f2e36 100644
+--- a/ssh-rsa.c
++++ b/ssh-rsa.c
+@@ -119,13 +119,13 @@ ssh_rsa_verify(const Key *key, const u_char *signature, u_int signaturelen,
+ 		pamsshagentauth_logerror("ssh_rsa_verify: no RSA key");
+ 		return -1;
+ 	}
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 	if (BN_num_bits(key->rsa->n) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ #else
+ 	if (BN_num_bits(RSA_get0_n(key->rsa)) < SSH_RSA_MINIMUM_MODULUS_SIZE) {
+ #endif
+ 		pamsshagentauth_logerror("ssh_rsa_verify: RSA modulus too small: %d < minimum %d bits",
+-#if OPENSSL_VERSION_NUMBER < 0x10100000L
++#if OPENSSL_VERSION_NUMBER < 0x10100005L
+ 		    BN_num_bits(key->rsa->n), SSH_RSA_MINIMUM_MODULUS_SIZE);
+ #else
+ 		    BN_num_bits(RSA_get0_n(key->rsa)), SSH_RSA_MINIMUM_MODULUS_SIZE);
diff --git a/sys-auth/pam_ssh_agent_auth/metadata.xml b/sys-auth/pam_ssh_agent_auth/metadata.xml
index b2c4b0002ee6..cbaa4da90d44 100644
--- a/sys-auth/pam_ssh_agent_auth/metadata.xml
+++ b/sys-auth/pam_ssh_agent_auth/metadata.xml
@@ -6,5 +6,6 @@
 	</maintainer>
 	<upstream>
 		<remote-id type="sourceforge">pamsshagentauth</remote-id>
+		<remote-id type="github">jbeverly/pam_ssh_agent_auth</remote-id>
 	</upstream>
 </pkgmetadata>
diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
new file mode 100644
index 000000000000..8afccd4a9863
--- /dev/null
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-0.10.3.ebuild
@@ -0,0 +1,51 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam
+
+DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
+HOMEPAGE="http://pamsshagentauth.sourceforge.net"
+
+if [[ ${PV} == *9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git"
+	inherit git-r3
+else
+	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
+	KEYWORDS="~amd64 ~arm ~x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE=""
+
+PATCHES=(
+	"${FILESDIR}/${P}-openssl-1.1.1.patch"
+)
+DEPEND="virtual/pam
+	dev-libs/openssl:0="
+
+RDEPEND="${DEPEND}
+	virtual/ssh"
+
+# needed for pod2man
+DEPEND="${DEPEND}
+	dev-lang/perl"
+
+src_configure() {
+	pammod_hide_symbols
+
+	econf \
+		--without-openssl-header-check \
+		--libexecdir="$(getpam_mod_dir)"
+}
+
+src_install() {
+	# Don't use emake install as it makes it harder to have proper
+	# install paths.
+	dopammod pam_ssh_agent_auth.so
+	doman pam_ssh_agent_auth.8
+
+	dodoc CONTRIBUTORS
+}
diff --git a/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
new file mode 100644
index 000000000000..2b877364229c
--- /dev/null
+++ b/sys-auth/pam_ssh_agent_auth/pam_ssh_agent_auth-9999.ebuild
@@ -0,0 +1,48 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=7
+
+inherit pam
+
+DESCRIPTION="Simple module to authenticate users against their ssh-agent keys"
+HOMEPAGE="http://pamsshagentauth.sourceforge.net"
+
+if [[ ${PV} == *9999 ]] ; then
+	EGIT_REPO_URI="https://github.com/jbeverly/${PN}.git"
+	inherit git-r3
+else
+	SRC_URI="mirror://sourceforge/pamsshagentauth/${PN}/v${PV}/${P}.tar.bz2"
+	KEYWORDS="~amd64 ~arm ~x86"
+fi
+
+LICENSE="MIT"
+SLOT="0"
+IUSE=""
+
+DEPEND="virtual/pam
+	dev-libs/openssl:0="
+
+RDEPEND="${DEPEND}
+	virtual/ssh"
+
+# needed for pod2man
+DEPEND="${DEPEND}
+	dev-lang/perl"
+
+src_configure() {
+	pammod_hide_symbols
+
+	econf \
+		--without-openssl-header-check \
+		--libexecdir="$(getpam_mod_dir)"
+}
+
+src_install() {
+	# Don't use emake install as it makes it harder to have proper
+	# install paths.
+	dopammod pam_ssh_agent_auth.so
+	doman pam_ssh_agent_auth.8
+
+	dodoc CONTRIBUTORS
+}
diff --git a/sys-auth/pambase/Manifest b/sys-auth/pambase/Manifest
index 66d580387cb3..63adbe510944 100644
--- a/sys-auth/pambase/Manifest
+++ b/sys-auth/pambase/Manifest
@@ -8,5 +8,5 @@ DIST pambase-20101024.tar.bz2 3201 BLAKE2B 714da8dd0b354cee29ad175a0ed2094fba8f3
 DIST pambase-20150213.tar.xz 3480 BLAKE2B 7c59774bb8888fd2c4656264f1d8ea8cdd5ffffff4dc5d03091592726c8bd7775ba1573091c8616aa891298a1fe309b19885b5ec21efb45fe38900b7c959aaf5 SHA512 3b49dd3f06a0942fcced95527f62cbc4ff723c48dc896a0b57ecd19736d2892db974c782be3fe24e8e6e17294869a772ae9ee6118af96dfdc7a3a6561dc3f3e5
 EBUILD pambase-20101024-r2.ebuild 2725 BLAKE2B 77a4d16cd30dedfa2256fd687cbb4b54555aeb1abf36123d340e9354d6cf67e503b9feb26daf55eb508c87dacc8c7df996510bf65ad32e818e74bc1f0873eb0e SHA512 307ebed59ea5f7fbe48ff343833c4fc6ca54520434452823b21e76c25c5c173738fd8637869e9a9eb9025e1d2b4cd090b7421e0a35333217bae87e450c7eaa1d
 EBUILD pambase-20150213-r1.ebuild 2869 BLAKE2B 4edfad559a57065dba9b243c3e53505e1521be771042a4028516492d3eedd4b6508a03db4c489b96bb3ebf24438aaf04d943a67ffd9b3435169f3899cd06c4ba SHA512 888ca20c747ee47056873f407e13f9675012ac160b5c55dd5128ddf9be31af91996aeddaf5d863d2e38b3c4863bb9325ca247d16b3785396863d7e97d10c06ce
-EBUILD pambase-20150213-r2.ebuild 2818 BLAKE2B fd9f990aaec3008040577bde0c98fb732f38db4e5006c669fda62a5533c8ac19760d014ccf13acfa15595dadf95cbe0cdfd7b74c321397671b63d5c5dd069d28 SHA512 84a7cf2012493b57ad60b41de3fa99ab0c83857898e394bfc9141aa5ba09a179fa02c48916b9564e5a967fe66a29e3b19a804108903bd6cd836f1b56c1ba53ab
+EBUILD pambase-20150213-r2.ebuild 2816 BLAKE2B 7e0aa4b3b51f4f4785b58169aa0f4bacbbfd1a316e46ebae1d3ca268f8fd5ded938afad9589b94dc007788ad131197af7de8b3ea10688e8cd7b835f931d24011 SHA512 f9226c09dfee5417b50de562bfc1852eba0da8eccb044a1507a09501efeeecb6d37d9fe60b3e8eb07b892606df64c4c958ffca8d6aaded7da08f4a6f50b06861
 MISC metadata.xml 4297 BLAKE2B 53d6b14f5e6cf707666441f1bef3c975d43f33387ceb482dd7c41e97b2771466a02efb3db1c881d354bcfff42010e1da47a28579972169e3c7edac33f43f565d SHA512 d717c2916e154630a756f7925794d43d43c5881bc9df53b82b35f86104366902a76f2d9298cf5a8511431084f0103fe91234c5e4172555677bbdc00db0a73a04
diff --git a/sys-auth/pambase/pambase-20150213-r2.ebuild b/sys-auth/pambase/pambase-20150213-r2.ebuild
index 2ca79c1cc5f6..b602ef57d193 100644
--- a/sys-auth/pambase/pambase-20150213-r2.ebuild
+++ b/sys-auth/pambase/pambase-20150213-r2.ebuild
@@ -9,7 +9,7 @@ SRC_URI="https://dev.gentoo.org/~vapier/dist/${P}.tar.xz"
 
 LICENSE="GPL-2"
 SLOT="0"
-KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86 -x86-fbsd ~amd64-linux ~x86-linux"
+KEYWORDS="~alpha amd64 ~arm ~arm64 ~hppa ia64 ~m68k ~mips ~ppc ppc64 ~s390 ~sh ~sparc x86 -x86-fbsd ~amd64-linux ~x86-linux"
 IUSE="consolekit +cracklib debug elogind minimal mktemp +nullok pam_krb5 pam_ssh passwdqc securetty selinux +sha512 systemd"
 
 RESTRICT="binchecks"
diff --git a/sys-auth/polkit-qt/Manifest b/sys-auth/polkit-qt/Manifest
index 91e156293824..c5ff9d2e6606 100644
--- a/sys-auth/polkit-qt/Manifest
+++ b/sys-auth/polkit-qt/Manifest
@@ -1,3 +1,3 @@
 DIST polkit-qt-1-0.112.0_p20160416.tar.xz 64540 BLAKE2B fbc3631585801f42ff92324576a2bd82d61aa5b24317f95e1182c300073a8e746007fa3409127a50d7d3433c5092f56d72e2e579683d08145067d4424c4dfe7e SHA512 90677af780a2bbcb33b6a54702ba96f965eb8561f2636af7aa0146f9b2450f9e89f67e022ffa99742afe50e3d1f570eabfad686e9e08e629a1e662d9f5abf2ea
-EBUILD polkit-qt-0.112.0_p20160416-r2.ebuild 827 BLAKE2B 853a15e7486a934a10aa4c1422129b1e5cb5207e1bd79febd2f004721fa0fd64dbe9136df90b3f8a46c8dc128be7b33058e989fff7422f9b9656d56be75671c3 SHA512 bc2339eb96e4897cae2a9cd23d1133858e11fc0052b942fb42600b80f6d88f47171163a923e9357dba6174732feb08ae95d738c1296bbf349e88597329353512
+EBUILD polkit-qt-0.112.0_p20160416-r2.ebuild 772 BLAKE2B 7c000cf2cb82eb4ee93af0f8748e08d1a996dda74ea744a323fd99fc86324898f02751bcd5b3e3525fb28cf98db28701ff0d0bb69e725a2f289d61b43d783ac6 SHA512 cbec6528f24aec75cf776e330eccade8dd9a7eaad5e1f3fba2d7366f0c1f338cb3c31ffe8786662d7c5f5d788870a70f8bf8c17eeed29754855756b9e5034b6b
 MISC metadata.xml 249 BLAKE2B ad415db89e5dee1627aa77f44ded9d4e1e5b8217d06c7ca25bbaa3fe92ce67c2b1090957c45a821b407d7927e5af798498aa6a5b903895ee1af8ee20a446c7f7 SHA512 76a5a340b13f0053ca3c5e94ed24380ea8d29b45ac8655419e22eaadb1e4a827c04d2e7e36b65145c4964e6526f656618fc6ac144e277ef53cb7373e6239e3c3
diff --git a/sys-auth/polkit-qt/polkit-qt-0.112.0_p20160416-r2.ebuild b/sys-auth/polkit-qt/polkit-qt-0.112.0_p20160416-r2.ebuild
index cfd05deaabce..bc0b5722ceca 100644
--- a/sys-auth/polkit-qt/polkit-qt-0.112.0_p20160416-r2.ebuild
+++ b/sys-auth/polkit-qt/polkit-qt-0.112.0_p20160416-r2.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2018 Gentoo Foundation
+# Copyright 1999-2018 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=6
@@ -13,7 +13,7 @@ SRC_URI="https://dev.gentoo.org/~kensington/distfiles/${MY_P}.tar.xz"
 LICENSE="LGPL-2"
 SLOT="0"
 KEYWORDS="amd64 ~arm ~arm64 ~ppc ~ppc64 x86 ~x86-fbsd"
-IUSE="debug examples"
+IUSE="debug"
 
 RDEPEND="
 	dev-libs/glib:2
@@ -22,7 +22,6 @@ RDEPEND="
 	dev-qt/qtgui:5
 	dev-qt/qtwidgets:5
 	>=sys-auth/polkit-0.103
-	examples? ( dev-qt/qtxml:5 )
 "
 DEPEND="${RDEPEND}"
 
@@ -32,7 +31,7 @@ S=${WORKDIR}/${MY_P}
 
 src_configure() {
 	local mycmakeargs=(
-		-DBUILD_EXAMPLES=$(usex examples)
+		-DBUILD_EXAMPLES=OFF
 		-DUSE_QT4=OFF
 		-DUSE_QT5=ON
 	)
diff --git a/sys-auth/sssd/Manifest b/sys-auth/sssd/Manifest
index 5d38714ab219..b4a50ea3daa3 100644
--- a/sys-auth/sssd/Manifest
+++ b/sys-auth/sssd/Manifest
@@ -3,5 +3,7 @@ AUX sssd-1.13.0-fix-init.patch 814 BLAKE2B f7b242d81cae98a96c21c64b2ad672123acbc
 AUX sssd.conf 124 BLAKE2B b6f9c016a014510f97b036d23d5f50e1e13085220fe82b0e6ef7a3ceeb114e59af935f39e66e4ad60a46f43983930e5d381b16b0ed31ba4349abe38c4b509367 SHA512 f16908c44b213edbf6b0c6e8d49df92e8c06fc623279037074fe51e49b8aca7dc18f5ed83f71909fc8209df80dfc150583edb1687f88e61588bdf9d1fbf6ed5a
 AUX sssd.service 341 BLAKE2B 0cffcd43786633aa8e5bb42c54741cba676021c5a07554b08499504f8f630ff821ff334a21e2a4f9ae2d77d70d969018dd5a85d11b12bb31235a0ffcda4105c8 SHA512 99510d11f390722f56bc164059033fc40299dd4ea29f98cd5f08b2648f31b2e70afeb6b2d90f919bde595546c80b4e6941cf6f48130661ead09c0576043e4cf5
 DIST sssd-1.16.3.tar.gz 6217114 BLAKE2B eefaf8de466d0d76e9a4b60aefef6eb63c17a55b9a1f2e07e973a61d71cbe5432e92357656a1eb353d45bbc2fa92290cef45898d0b315d4a4c4074652ff25a23 SHA512 6165923f652f624bbe3ddc625ae682c4867eb7a20652d0cf74bbb8dda2307c917d3189ede26fd21a4fb5fd5926149271a65fa09f3affe928029ed99e6422b728
+DIST sssd-2.0.0.tar.gz 6263376 BLAKE2B 9785710d62485a1168749bf9a2989999f721e390356e599092f3274b6d7029af1f7d4c0a1b2b09d0d55233fd30cc661d4ad5bf9ca6ca53c75151dd1dab7515c5 SHA512 affeb0799d8a4fcbcb4b2ed7925b397ae6ba0e2982c5603e98636b765d3820a3b29ac58b0771e5cc00c752512f091ae4fd271d441544147a0570d3c14b535701
 EBUILD sssd-1.16.3.ebuild 6152 BLAKE2B e7f48ce2e4f31e9357c34f0bcdea27279450a4a1ea98d1aa9f681d88c53e7c4608d349762d24ddeaa000128453ec5fd60931a8ac52e79eec6b0054015cf8f9f7 SHA512 0c009b5e3d0ed083622239f728f9bb52dc27c2ae1643f4c5f1e3e5e849d02a1103b11d7bb6f61407eb63dfbcff0c45274cf6a87e5303329d2b80128e965c696d
-MISC metadata.xml 979 BLAKE2B ae7a77ef24839b280479080a868386834b66060e675425133765ffa37f582b8d9d26a879c502c7241e47f8cab952d37ca01d294d75b2c80637f45208240cbd41 SHA512 b4181dc83bf2308005fdc77632d8a3da55ac1fb3c09d4b89b4e1f08ba9c016d2a16adef1c6715eb036e6bac663f4afac6e5924f5da4ac8f1b3af9d7680c29d04
+EBUILD sssd-2.0.0.ebuild 6154 BLAKE2B f06bf92fedf1bb63849a072a2b7009abb6616dda008d0761c96bfc71b62e4c230795e0aedfb36083f4b0b5b1b540f848d970bb4c6a6d09fcdae6d1e9dbdd0ef2 SHA512 3d92a360e9de6315f2d74d6eabb76cca9e616dcfd1e51c9f61e2908ee065dbd27b970c79b9df7335c199b1a3836bfa06807de9d7976a58df72314c4ca95fbd7e
+MISC metadata.xml 1090 BLAKE2B 7085d66b3454b3756d7dab49b6d9525c4ba90156d07f2710f4eb3c5bf3bbd9d10412d511dc0fe091ac4c5291f87a258fac6adbe9732d20a96660f4e0a66cf247 SHA512 2cbf20cd206a45bd82b1416926a02de06bf40b1b4168f19202c367cf8e24d764745b8a5116366ee10520cae15800e17b43d3000995419117f02b2d37474f142e
diff --git a/sys-auth/sssd/metadata.xml b/sys-auth/sssd/metadata.xml
index 4a4874f3d84e..852be6ff3f90 100644
--- a/sys-auth/sssd/metadata.xml
+++ b/sys-auth/sssd/metadata.xml
@@ -2,8 +2,12 @@
 <!DOCTYPE pkgmetadata SYSTEM "http://www.gentoo.org/dtd/metadata.dtd">
 <pkgmetadata>
 	<maintainer type="person">
-	<email>zlogene@gentoo.org</email>
-	<name>Mikle Kolyada</name>
+		<email>zlogene@gentoo.org</email>
+		<name>Mikle Kolyada</name>
+	</maintainer>
+	<maintainer type="person">
+		<email>alexxy@gentoo.org</email>
+		<name>Alexey Shvetsov</name>
 	</maintainer>
 	<use>
 		<flag name="acl"> Build and use the cifsidmap plugin</flag>
diff --git a/sys-auth/sssd/sssd-2.0.0.ebuild b/sys-auth/sssd/sssd-2.0.0.ebuild
new file mode 100644
index 000000000000..89c48c4c915c
--- /dev/null
+++ b/sys-auth/sssd/sssd-2.0.0.ebuild
@@ -0,0 +1,235 @@
+# Copyright 1999-2018 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=6
+
+PYTHON_COMPAT=( python{2_7,3_3,3_4,3_5,3_6,3_7} )
+
+inherit autotools flag-o-matic linux-info multilib-minimal pam python-r1 systemd toolchain-funcs
+
+DESCRIPTION="System Security Services Daemon provides access to identity and authentication"
+HOMEPAGE="https://pagure.io/SSSD/sssd"
+SRC_URI="http://releases.pagure.org/SSSD/${PN}/${P}.tar.gz"
+KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~ia64 ~m68k ~mips ~ppc ~ppc64 ~s390 ~sh ~sparc ~x86"
+
+LICENSE="GPL-3"
+SLOT="0"
+IUSE="acl autofs +locator +netlink nfsv4 nls +manpages python samba selinux sudo ssh test"
+
+COMMON_DEP="
+	>=virtual/pam-0-r1[${MULTILIB_USEDEP}]
+	>=dev-libs/popt-1.16
+	dev-libs/glib:2
+	>=dev-libs/ding-libs-0.2
+	>=sys-libs/talloc-2.0.7
+	>=sys-libs/tdb-1.2.9
+	>=sys-libs/tevent-0.9.16
+	>=sys-libs/ldb-1.1.17-r1:=
+	>=net-nds/openldap-2.4.30[sasl]
+	net-libs/http-parser
+	>=dev-libs/libpcre-8.30
+	>=app-crypt/mit-krb5-1.10.3
+	dev-libs/jansson
+	locator? (
+		>=app-crypt/mit-krb5-1.12.2[${MULTILIB_USEDEP}]
+		>=net-dns/c-ares-1.10.0-r1[${MULTILIB_USEDEP}]
+	)
+	>=sys-apps/keyutils-1.5
+	>=net-dns/c-ares-1.7.4
+	>=dev-libs/nss-3.12.9
+	selinux? (
+		>=sys-libs/libselinux-2.1.9
+		>=sys-libs/libsemanage-2.1
+	)
+	>=net-dns/bind-tools-9.9[gssapi]
+	>=dev-libs/cyrus-sasl-2.1.25-r3[kerberos]
+	>=sys-apps/dbus-1.6
+	acl? ( net-fs/cifs-utils[acl] )
+	nfsv4? ( || ( >=net-fs/nfs-utils-2.3.1-r2 net-libs/libnfsidmap ) )
+	nls? ( >=sys-devel/gettext-0.18 )
+	virtual/libintl
+	netlink? ( dev-libs/libnl:3 )
+	samba? ( >=net-fs/samba-4.5 )
+	"
+
+RDEPEND="${COMMON_DEP}
+	>=sys-libs/glibc-2.17[nscd]
+	selinux? ( >=sec-policy/selinux-sssd-2.20120725-r9 )
+	"
+DEPEND="${COMMON_DEP}
+	test? ( dev-libs/check )
+	manpages? (
+		>=dev-libs/libxslt-1.1.26
+		app-text/docbook-xml-dtd:4.4
+		)"
+
+CONFIG_CHECK="~KEYS"
+
+MULTILIB_WRAPPED_HEADERS=(
+	/usr/include/ipa_hbac.h
+	/usr/include/sss_idmap.h
+	/usr/include/sss_nss_idmap.h
+	/usr/include/wbclient_sssd.h
+	# --with-ifp
+	/usr/include/sss_sifp.h
+	/usr/include/sss_sifp_dbus.h
+	# from 1.15.3
+	/usr/include/sss_certmap.h
+)
+
+pkg_setup(){
+	linux-info_pkg_setup
+}
+
+src_prepare() {
+	sed -i 's:#!/sbin/runscript:#!/sbin/openrc-run:' \
+		"${S}"/src/sysv/gentoo/sssd.in || die "sed sssd.in"
+
+	default
+	eautoreconf
+	multilib_copy_sources
+}
+
+src_configure() {
+	local native_dbus_cflags=$($(tc-getPKG_CONFIG) --cflags dbus-1)
+
+	multilib-minimal_src_configure
+}
+
+multilib_src_configure() {
+	# set initscript to sysv because the systemd option needs systemd to
+	# be installed. We provide our own systemd file anyway.
+	local myconf=()
+	if [[ "${PYTHON_TARGETS}" == *python2* ]]; then
+		myconf+=($(multilib_native_use_with python python2-bindings))
+	fi
+	if [[ "${PYTHON_TARGETS}" == *python3* ]]; then
+		myconf+=($(multilib_native_use_with python python3-bindings))
+	fi
+	#Work around linker dependency problem.
+	append-ldflags "-Wl,--allow-shlib-undefined"
+
+	myconf+=(
+		--localstatedir="${EPREFIX}"/var
+		--enable-nsslibdir="${EPREFIX}"/$(get_libdir)
+		--with-plugin-path="${EPREFIX}"/usr/$(get_libdir)/sssd
+		--enable-pammoddir="${EPREFIX}"/$(getpam_mod_dir)
+		--with-ldb-lib-dir="${EPREFIX}"/usr/$(get_libdir)/samba/ldb
+		--with-os=gentoo
+		--with-nscd
+		--with-unicode-lib="glib2"
+		--disable-rpath
+		--disable-silent-rules
+		--sbindir=/usr/sbin
+		--without-kcm
+		$(use_with samba libwbclient)
+		--with-secrets
+		$(multilib_native_use_with samba)
+		$(multilib_native_use_enable acl cifs-idmap-plugin)
+		$(multilib_native_use_with selinux)
+		$(multilib_native_use_with selinux semanage)
+		$(use_enable locator krb5-locator-plugin)
+		$(multilib_native_use_with nfsv4 nfsv4-idmapd-plugin)
+		$(use_enable nls )
+		$(multilib_native_use_with netlink libnl)
+		$(multilib_native_use_with manpages)
+		$(multilib_native_use_with sudo)
+		$(multilib_native_use_with autofs)
+		$(multilib_native_use_with ssh)
+		--with-crypto="nss"
+		--with-initscript="sysv"
+
+		KRB5_CONFIG=/usr/bin/${CHOST}-krb5-config
+	)
+
+	if ! multilib_is_native_abi; then
+		# work-around all the libraries that are used for CLI and server
+		myconf+=(
+			{POPT,TALLOC,TDB,TEVENT,LDB}_{CFLAGS,LIBS}=' '
+			# ldb headers are fine since native needs it
+			# ldb lib fails... but it does not seem to bother
+			{DHASH,COLLECTION,INI_CONFIG_V{0,1,1_1}}_{CFLAGS,LIBS}=' '
+			{PCRE,CARES,SYSTEMD_LOGIN,SASL,GLIB2,DBUS,CRYPTO}_{CFLAGS,LIBS}=' '
+
+			# use native include path for dbus (needed for build)
+			DBUS_CFLAGS="${native_dbus_cflags}"
+
+			# non-pkgconfig checks
+			ac_cv_lib_ldap_ldap_search=yes
+			--without-secrets
+			--without-libwbclient
+			--without-kcm
+			--with-crypto=""
+		)
+
+		use locator || myconf+=(
+				KRB5_CONFIG=/bin/true
+		)
+	fi
+
+	econf "${myconf[@]}"
+}
+
+multilib_src_compile() {
+	if multilib_is_native_abi; then
+		default
+	else
+		emake libnss_sss.la pam_sss.la
+		use locator && emake sssd_krb5_locator_plugin.la
+	fi
+}
+
+multilib_src_install() {
+	if multilib_is_native_abi; then
+		emake -j1 DESTDIR="${D}" "${_at_args[@]}" install
+	else
+		# easier than playing with automake...
+		dopammod .libs/pam_sss.so
+
+		into /
+		dolib .libs/libnss_sss.so*
+
+		if use locator; then
+			exeinto /usr/$(get_libdir)/krb5/plugins/libkrb5
+			doexe .libs/sssd_krb5_locator_plugin.so
+		fi
+	fi
+}
+
+multilib_src_install_all() {
+	einstalldocs
+	find "${ED}" -type f -name '*.la' -delete || die
+
+	insinto /etc/sssd
+	insopts -m600
+	doins "${S}"/src/examples/sssd-example.conf
+
+	insinto /etc/logrotate.d
+	insopts -m644
+	newins "${S}"/src/examples/logrotate sssd
+
+	newconfd "${FILESDIR}"/sssd.conf sssd
+	newinitd "${FILESDIR}"/sssd sssd
+
+	keepdir /var/lib/sss/db
+	keepdir /var/lib/sss/deskprofile
+	keepdir /var/lib/sss/gpo_cache
+	keepdir /var/lib/sss/keytabs
+	keepdir /var/lib/sss/mc
+	keepdir /var/lib/sss/pipes/private
+	keepdir /var/lib/sss/pubconf/krb5.include.d
+	keepdir /var/lib/sss/secrets
+	keepdir /var/log/sssd
+
+	systemd_dounit "${FILESDIR}/${PN}.service"
+}
+
+multilib_src_test() {
+	default
+}
+
+pkg_postinst(){
+	elog "You must set up sssd.conf (default installed into /etc/sssd)"
+	elog "and (optionally) configuration in /etc/pam.d in order to use SSSD"
+	elog "features. Please see howto in	http://fedorahosted.org/sssd/wiki/HOWTO_Configure_1_0_2"
+}