Allow building with BoringSSL

diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index d0dd2c3450d53dab4c4bc1af31e43256b735fb42..f6796b3baaa9e0ba012d58716b6a8e41625e6514 100644 (file)
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -55,6 +55,15 @@ void ssh_libcrypto_init(void);
 # endif
 #endif
 
+#ifdef OPENSSL_IS_BORINGSSL
+/*
+ * BoringSSL (rightly) got rid of the BN_FLG_CONSTTIME flag, along with
+ * the entire BN_set_flags() interface.
+ * https://boringssl.googlesource.com/boringssl/+/0a211dfe9
+ */
+# define BN_set_flags(a, b)
+#endif
+
 #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
 # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV
 #  define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv

diff --git a/sshkey.c b/sshkey.c
index 43712253d72bdd2fb18dc93358f54689a56ce5fd..82af3184e4e54ff6f19a8a0db48c99c134aa93af 100644 (file)
--- a/sshkey.c
+++ b/sshkey.c
@@ -3342,16 +3342,22 @@ translate_libcrypto_error(unsigned long pem_err)
        case ERR_LIB_PEM:
                switch (pem_reason) {
                case PEM_R_BAD_PASSWORD_READ:
+#ifdef PEM_R_PROBLEMS_GETTING_PASSWORD
                case PEM_R_PROBLEMS_GETTING_PASSWORD:
+#endif
+#ifdef PEM_R_BAD_DECRYPT
                case PEM_R_BAD_DECRYPT:
+#endif
                        return SSH_ERR_KEY_WRONG_PASSPHRASE;
                default:
                        return SSH_ERR_INVALID_FORMAT;
                }
        case ERR_LIB_EVP:
                switch (pem_reason) {
+#ifdef EVP_R_BAD_DECRYPT
                case EVP_R_BAD_DECRYPT:
                        return SSH_ERR_KEY_WRONG_PASSPHRASE;
+#endif
 #ifdef EVP_R_BN_DECODE_ERROR
                case EVP_R_BN_DECODE_ERROR:
 #endif