Hi,

Attached is a patch that adds support for building against OpenSSL 1.1.0. I also made a github pull request for it at:
https://github.com/openssh/openssh-portable/pull/48

It has the same regression test failures as the master branch, and it has been tested with both 1.0.2 and 1.1.0.

Some comments about the patch:

- I've included a libcrypto-compat.c to add new functions from OpenSSL that are needed with 1.1.0 but didn't exist in 1.0.2. Since they are copied from the OpenSSL source code, I also added the OpenSSL license to it. If this is a problem we can probably agree to put that file under a different license.

- I've replaced the 2 EVP_CipherInit() calls in cipher_init() with 1. OpenSSL now clears everything when you call EVP_CipherInit() again, so what was passed in the first but not in the second call, and what the function calls between them did, was lost.

- The test suite was insisting that things like rsa->n were not NULL in sshkey/test_sshkey.c. sshkey_add_private was also doing something like that for the private parts. I don't agree that it should just have BN members that are not set to a real value. So I removed that code and the checks. I'm not even sure why this was done. But sshkey_add_private() ends up as a rather useless function now.

- In sshkey_private_deserialize() there was a KEY_RSA_CERT case. I'm not sure what it's about and I guess the test suite also doesn't check it. But it seems that it only has the private key in that case and OpenSSL now seems to insist that an RSA needs to have the public key information too.

PS: I didn't subscribe to the list.

Kurt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-it-build-using-OpenSSL-1.1.0.patch
Type: text/x-diff
Size: 76297 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160918/83da29c5/attachment-0001.bin>
On Sun, Sep 18, 2016 at 08:22:31PM +0200, Kurt Roeckx wrote:
> Attached is a patch that adds support for building against OpenSSL
> 1.1.0. I also made a github pull request for it at:
> https://github.com/openssh/openssh-portable/pull/48

Hi,

Debian unstable now has OpenSSL 1.1.0 as the default, so I'll have to take some kind of positive action if I want my OpenSSH packages to keep building cleanly. I know it's a big patch, but is anyone likely to be able to look at Kurt's changes soon? I'm not very comfortable with applying a change of this size as a local patch.

Thanks,

--
Colin Watson [cjwatson at debian.org]
On 11/02/2016 01:43 AM, Colin Watson wrote:
> On Sun, Sep 18, 2016 at 08:22:31PM +0200, Kurt Roeckx wrote:
>> Attached is a patch that adds support for building against OpenSSL
>> 1.1.0. I also made a github pull request for it at:
>> https://github.com/openssh/openssh-portable/pull/48
> Hi,
>
> Debian unstable now has OpenSSL 1.1.0 as the default, so I'll have to
> take some kind of positive action if I want my OpenSSH packages to keep
> building cleanly. I know it's a big patch, but is anyone likely to be
> able to look at Kurt's changes soon? I'm not very comfortable with
> applying a change of this size as a local patch.

Hello Colin,

Fedora Rawhide already has OpenSSL 1.1.0 and we use a patch based on Kurt's (after fixing initial bugs and extending it for GSSAPI and SSH1 client support). The full Fedora patch is available in our git [1].

The current set of patches, rebased on current upstream, is attached with a few more tweaks needed to build, pass the testsuite and make it work. The upstream review and insight would be helpful.

[1] https://pkgs.fedoraproject.org/cgit/rpms/openssh.git/tree/openssh-7.3p1-openssl-1.1.0.patch

Regards,

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat

-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-openssl-1.1.0.patch
Type: text/x-patch
Size: 123076 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20161102/eb27c572/attachment-0001.bin>