Call for testing: OpenSSH 6.7

Kevin Brott kevin.brott at gmail.com
Fri Aug 22 01:22:44 EST 2014


Example ...

Using openssh-SNAP-20140822.tar.gz ... on CentOS 2.1 ..

$ openssl version
OpenSSL 0.9.6b [engine] 9 Jul 2001

$ ./configure
...
checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
2001)
checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
2001)
checking whether OpenSSL's headers match the library... yes
checking if programs using OpenSSL functions will link... yes
checking whether OpenSSL has crippled AES support... yes
checking whether OpenSSL has AES CTR via EVP... no
checking whether OpenSSL has AES GCM via EVP... no
checking whether OpenSSL has NID_X9_62_prime256v1... no
checking whether OpenSSL has NID_secp384r1... no
checking whether OpenSSL has NID_secp521r1... no
checking whether OpenSSL's PRNG is internally seeded... yes
...
              Host: i686-pc-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
-Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99
Preprocessor flags:
      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
         Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl  -lcrypt

$ gmake
...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
-Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
-fno-builtin-memset -std=gnu99  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c
openssl-compat.c
In file included from openssl-compat.c:32:
openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
gmake[1]: *** [openssl-compat.o] Error 1
gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2

This happens on all the Red Hat based systems where openssl < 1.0.0-fips



On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller <djm at mindrot.org> wrote:

> On Wed, 20 Aug 2014, Kevin Brott wrote:
>
> > FAIL*1 - configure completes without errors ...
> >    make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
> >    gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> > -fno-builtin-memset -std=gnu99  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c
> > openssl-compat.c
> >    In file included from openssl-compat.c:32:
> >    openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
>
> that's strange - you aren't cross-compiling? The test in configure.ac
> won't work for x-compiles.
>
> If not, what does configure report your OpenSSL version as? e.g.
>
> checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
> checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>
> >    make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
> >    make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
> >
> > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h
> isn't
> > part of openssl ...
> >    gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
> -D_FORTIFY_SOURCE=2
> > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE  -I. -I.. -I.
> > -I./..  -DHAVE_CONFIG_H -c port-aix.c
> >    In file included from port-aix.c:31:
> >    ../key.h:85: warning: type defaults to ‘int’ in declaration of
> ‘EC_GROUP’
> >    ../key.h:85: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
> >    ../key.h:86: warning: type defaults to ‘int’ in declaration of
> ‘EC_KEY’
> >    ../key.h:86: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
>
> another missing check for no-ECC OpenSSL:
>
> Index: key.h
> ===================================================================
> RCS file: /var/cvs/openssh/key.h,v
> retrieving revision 1.45
> diff -u -p -r1.45 key.h
> --- key.h       2 Jul 2014 05:28:03 -0000       1.45
> +++ key.h       21 Aug 2014 00:46:48 -0000
> @@ -81,10 +81,10 @@ int  key_cert_check_authority(const Key
>             const char **);
>  char   *key_alg_list(int, int);
>
> -#ifdef WITH_OPENSSL
> +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
>  int     key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
>  int     key_ec_validate_private(const EC_KEY *);
> -#endif /* WITH_OPENSSL */
> +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
>
>  Key    *key_from_blob(const u_char *, u_int);
>  int     key_to_blob(const Key *, u_char **, u_int *);
>
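Review bot: the new condition around key_ec_validate_public() and key_ec_validate_private() only works if OPENSSL_HAS_ECC is already defined (or deliberately left undefined) by the time key.h is read, and the hunk does not show where that happens. If a file includes key.h before the header that sets OPENSSL_HAS_ECC, both prototypes silently disappear on ECC-capable builds as well. It is worth confirming the include order, and that the definitions and every caller of these two functions sit under the same `defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)` test, so a no-ECC build does not fall back to an implicit declaration or fail at link time.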



-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */
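In the log above, ./configure finishes cleanly and the build only stops later at the #error in openssl-compat.h. The script below is an added example, not part of the original message or of the OpenSSH tree: it decodes the hex value that configure prints on its "OpenSSL header version" line and compares it with the 0.9.8f floor from that #error. The function names and the constant 0090806f (0.9.8f written in the pre-3.0 0xMNNFFPPS layout of OPENSSL_VERSION_NUMBER) are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the OpenSSH tree.
# Assumption: 0090806f encodes the "0.9.8f" floor named in the #error above.
MIN_HEX=0090806f

# Read configure output on stdin; print the hex value that follows
# "checking OpenSSL header version...".
header_hex() {
    sed -n 's/^checking OpenSSL header version\.\.\. \([0-9a-fA-F]*\) .*/\1/p' | head -n 1
}

# Decode the pre-3.0 layout 0xMNNFFPPS (major, minor, fix, patch, status)
# into the familiar form, e.g. 90602f -> 0.9.6b.
decode_version() {
    n=$((0x$1))
    major=$(( (n >> 28) & 0xf ))
    minor=$(( (n >> 20) & 0xff ))
    fix=$(( (n >> 12) & 0xff ))
    patch=$(( (n >> 4) & 0xff ))
    letter=""
    # Patch level 1..26 maps to the letter suffix a..z; 0 means no suffix.
    if [ "$patch" -ge 1 ] && [ "$patch" -le 26 ]; then
        letter=$(printf 'abcdefghijklmnopqrstuvwxyz' | cut -c "$patch")
    fi
    printf '%s.%s.%s%s\n' "$major" "$minor" "$fix" "$letter"
}

# Succeeds when the given hex version is at or above MIN_HEX.
meets_minimum() {
    [ "$((0x$1))" -ge "$((0x$MIN_HEX))" ]
}

# Sample input: the two configure lines quoted in this thread.
SAMPLE='checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul
checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)'

printf '%s\n' "$SAMPLE" | while IFS= read -r line; do
    hex=$(printf '%s\n' "$line" | header_hex)
    if meets_minimum "$hex"; then
        verdict="ok"
    else
        verdict="below 0.9.8f, the build will stop at the #error"
    fi
    printf '%s -> %s: %s\n' "$hex" "$(decode_version "$hex")" "$verdict"
done
```

On a real build host, pipe the saved configure output into header_hex instead of using the embedded sample.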

