From b6b3e047593dff14c871214bf5df691a8c2c23ed Mon Sep 17 00:00:00 2001
From: Michael Alan Dorman
Date: Fri, 28 Feb 2020 15:19:51 -0500
Subject: [PATCH] pam_ssh_agent_auth: fix dependency on insecure openssl

There have been a couple of patches floating around for about the last 18 months. While they originated with FreeBSD, but they've been adopted by Gentoo and Debian as well---and the most straightforward way to get access to them was from the Debian repository.
---
.../linux/pam_ssh_agent_auth/default.nix | 23 ++++++++++++++++++-
pkgs/top-level/all-packages.nix | 4 +---
2 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
index 48c02be9c38..b47ad4815b5 100644
--- a/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
+++ b/pkgs/os-specific/linux/pam_ssh_agent_auth/default.nix
@@ -1,4 +1,4 @@
-{ stdenv, fetchurl, pam, openssl, perl }:
+{ stdenv, fetchpatch, fetchurl, pam, openssl, perl }:
 
 stdenv.mkDerivation rec {
 name = "pam_ssh_agent_auth-0.10.3";
@@ -12,10 +12,31 @@ stdenv.mkDerivation rec {
 [ # Allow multiple colon-separated authorized keys files to be
 # specified in the file= option.
 ./multiple-key-files.patch
+ (fetchpatch {
+ name = "openssl-1.1.1-1.patch";
+ url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-1.patch";
+ sha256 = "1ndp5j4xfhzshhnl345gb4mkldx6vjfa7284xgng6ikhzpc6y7pf";
+ })
+ (fetchpatch {
+ name = "openssl-1.1.1-2.patch";
+ url = "https://sources.debian.org/data/main/p/pam-ssh-agent-auth/0.10.3-3/debian/patches/openssl-1.1.1-2.patch";
+ sha256 = "0ksrs4xr417by8klf7862n3dircvnw30an1akq4pnsd3ichscmww";
+ })
 ];
 
 buildInputs = [ pam openssl perl ];
 
+ # It's not clear to me why this is necessary, but without it, you see:
+ #
+ # checking OpenSSL header version... 1010104f (OpenSSL 1.1.1d 10 Sep 2019)
+ # checking OpenSSL library version... 1010104f (OpenSSL 1.1.1d 10 Sep 2019)
+ # checking whether OpenSSL's headers match the library... no
+ # configure: WARNING: Your OpenSSL headers do not match your
+ # library. Check config.log for details.
+ #
+ # ...despite the fact that clearly the values match
+ configureFlags = [ "--without-openssl-header-check" ];
+
 enableParallelBuilding = true;
 
 meta = {
diff --git a/pkgs/top-level/all-packages.nix b/pkgs/top-level/all-packages.nix
index e94c6455140..1c4539c2f1e 100644
--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@@ -17067,9 +17067,7 @@ in
 
 pam_pgsql = callPackage ../os-specific/linux/pam_pgsql { };
 
- pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth {
- openssl = openssl_1_0_2;
- };
+ pam_ssh_agent_auth = callPackage ../os-specific/linux/pam_ssh_agent_auth { };
 
 pam_u2f = callPackage ../os-specific/linux/pam_u2f { };
 
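Review bot: The `configureFlags = [ "--without-openssl-header-check" ];` line disables configure's only guard that the OpenSSL headers and the libcrypto actually linked agree, and the comment above it records the cause as unknown; for a PAM authentication module now built against OpenSSL 1.1 (opaque structs, so a genuine header/library mismatch is a memory-safety problem rather than a build nicety), that deserves a diagnosed reason before the check is turned off permanently. Both quoted version lines print the same 1010104f, so the failing step is presumably the configure run-test (the program that compares the two at runtime) not executing or its output not being read in the sandbox rather than a real mismatch — please confirm from config.log and record the cause in the comment, e.g. `# configure's header/library check is a run-test that fails in the Nix sandbox even though both report the same version (see config.log); headers and libcrypto come from the same openssl derivation, so skipping it is safe.` Since the all-packages.nix hunk drops the openssl_1_0_2 pin and the two Debian patches are named for OpenSSL 1.1.1, consider failing early if someone overrides openssl with an older build, `assert stdenv.lib.versionAtLeast (stdenv.lib.getVersion openssl) "1.1";` placed before `stdenv.mkDerivation rec {`, which is outside this hunk. The fetchpatch sources are pinned to the 0.10.3-3 Debian upload and carry sha256 hashes, which is as it should be.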