Call for testing: OpenSSH 6.7

Kevin Brott kevin.brott at gmail.com
Fri Aug 22 06:08:32 EST 2014


I've worked it out.  The test in configure.ac (and the resulting test in
configure) is not correct, as it's expecting (I think) a variant of the
value from opensslv.h (i.e. OPENSSL_VERSION_NUMBER  0x009080bfL), which is
not what configure is actually testing against.  That, and it's missing the
second set of brackets needed for the regexp test.

Values of $ssl_library_ver from configure being tested against ...
  Centos 2.1        "90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)"
  RHEL 3-4          "90701f (OpenSSL 0.9.7a Feb 19 2003)"
  RHEL 5            "90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)"
  AIX 5.3           "90811f (OpenSSL 0.9.8k 25 Mar 2009)"
  HP-UX 11.23       "90817f (OpenSSL 0.9.8w 23 Apr 2012)"
  HP-UX 11.31       "90819f (OpenSSL 0.9.8y 5 Feb 2013)"
  RHEL 6.0-4        "10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)"
  AIX 6-7/RHEL 6.5+ "1000105f (OpenSSL 1.0.1e 11 Feb 2013)"

So after applying this patch - and re-running autoconf - configure will
error out on old openssl versions as expected.
---CUT---
*** openssh/configure.ac    2014-08-19 18:05:03.000000000 -0700
--- openssh-fix/configure.ac    2014-08-21 12:39:23.038445826 -0700
***************
*** 2289,2293 ****
          # Check version is supported.
          case "$ssl_library_ver" in
!             0090[0-7]*|009080[0-5]*)
                  AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
                          ;;
--- 2289,2293 ----
          # Check version is supported.
          case "$ssl_library_ver" in
!             90[[0-7]]*|9080[[0-5]]*)
                  AC_MSG_ERROR([OpenSSL >= 0.9.8f required])
                          ;;
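Review bot: the doubled `[[0-7]]` / `[[0-5]]` is the substantive part of this hunk and deserves a one-line comment above the `case`, because configure.ac is m4 input and a single `[...]` pair is consumed as autoconf quoting, so the next person to touch this line will be tempted to "simplify" it back. Dropping the leading zeros is also right for the `$ssl_library_ver` values listed above (`90602f`, `1000105f`, and so on, printed without zero padding), but note that the new patterns only reject 0.9.0 through 0.9.8e: a value starting with anything other than `90` (a pre-0.9 library, or a malformed version string) falls through to `*)` and is accepted, so the `#error` in openssl-compat.h stays the only backstop for those.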
---CUT---

It should generate this (depending on your version of autoconf) in configure:
                ssl_library_ver=`cat conftest.ssllibver`
                # Check version is supported.
                case "$ssl_library_ver" in
                        90[0-7]*|9080[0-5]*)
                                as_fn_error $? "OpenSSL >= 0.9.8f required" "$LINENO" 5
                                ;;
                        *) ;;
                esac




On Thu, Aug 21, 2014 at 8:22 AM, Kevin Brott <kevin.brott at gmail.com> wrote:

>
> Example ...
>
> Using openssh-SNAP-20140822.tar.gz ... on Centos 2.1 ..
>
> $ openssl version
> OpenSSL 0.9.6b [engine] 9 Jul 2001
>
> $ ./configure
> ...
> checking OpenSSL header version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
> checking OpenSSL library version... 90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
> checking whether OpenSSL's headers match the library... yes
> checking if programs using OpenSSL functions will link... yes
> checking whether OpenSSL has crippled AES support... yes
> checking whether OpenSSL has AES CTR via EVP... no
> checking whether OpenSSL has AES GCM via EVP... no
> checking whether OpenSSL has NID_X9_62_prime256v1... no
> checking whether OpenSSL has NID_secp384r1... no
> checking whether OpenSSL has NID_secp521r1... no
> checking whether OpenSSL's PRNG is internally seeded... yes
> ...
>               Host: i686-pc-linux-gnu
>           Compiler: gcc
>     Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized
> -Wsign-compare -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -fno-builtin-memset -std=gnu99
> Preprocessor flags:
>       Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack
>          Libraries: -lresolv -lcrypto -lrt -ldl -lutil -lz -lnsl  -lcrypt
>
> $ gmake
> ...
> gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
> -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
> -fno-builtin-memset -std=gnu99  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c
> openssl-compat.c
> In file included from openssl-compat.c:32:
> openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
> gmake[1]: *** [openssl-compat.o] Error 1
> gmake[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
> gmake: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>
> This happens on all the Red Hat based systems where openssl < 1.0.0-fips
>
>
>
> On Wed, Aug 20, 2014 at 5:47 PM, Damien Miller <djm at mindrot.org> wrote:
>
>> On Wed, 20 Aug 2014, Kevin Brott wrote:
>>
>> > FAIL*1 - configure completes without errors ...
>> >    make[1]: Entering directory `/usr/src/openssh/openbsd-compat'
>> >    gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> > -Wformat-security -fno-strict-aliasing -D_FORTIFY_SOURCE=2
>> > -fno-builtin-memset -std=gnu99  -I. -I.. -I. -I./..  -DHAVE_CONFIG_H -c
>> > openssl-compat.c
>> >    In file included from openssl-compat.c:32:
>> >    openssl-compat.h:28:2: #error OpenSSL 0.9.8f or greater is required
>>
>> that's strange - you aren't cross-compiling? The test in configure.ac
>> won't work for x-compiles.
>>
>> If not, what does configure report your OpenSSL version as? e.g.
>>
>> checking OpenSSL header version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>> checking OpenSSL library version... 1000106f (OpenSSL 1.0.1f 6 Jan 2014)
>>
>> >    make[1]: Leaving directory `/usr/src/openssh/openbsd-compat'
>> >    make: *** [openbsd-compat/libopenbsd-compat.a] Error 2
>> >
>> > FAIL*2 - port-aix.c still fails to compile on RHEL and AIX where ec.h isn't
>> > part of openssl ...
>> >    gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare
>> > -Wformat-security -Wno-pointer-sign -fno-strict-aliasing
>> -D_FORTIFY_SOURCE=2
>> > -ftrapv -fno-builtin-memset -fstack-protector-all -fPIE  -I. -I.. -I.
>> > -I./..  -DHAVE_CONFIG_H -c port-aix.c
>> >    In file included from port-aix.c:31:
>> >    ../key.h:85: warning: type defaults to ‘int’ in declaration of ‘EC_GROUP’
>> >    ../key.h:85: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
>> >    ../key.h:86: warning: type defaults to ‘int’ in declaration of ‘EC_KEY’
>> >    ../key.h:86: error: expected ‘;’, ‘,’ or ‘)’ before ‘*’ token
>>
>> another missing check for no-ECC OpenSSL:
>>
>> Index: key.h
>> ===================================================================
>> RCS file: /var/cvs/openssh/key.h,v
>> retrieving revision 1.45
>> diff -u -p -r1.45 key.h
>> --- key.h       2 Jul 2014 05:28:03 -0000       1.45
>> +++ key.h       21 Aug 2014 00:46:48 -0000
>> @@ -81,10 +81,10 @@ int  key_cert_check_authority(const Key
>>             const char **);
>>  char   *key_alg_list(int, int);
>>
>> -#ifdef WITH_OPENSSL
>> +#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
>>  int     key_ec_validate_public(const EC_GROUP *, const EC_POINT *);
>>  int     key_ec_validate_private(const EC_KEY *);
>> -#endif /* WITH_OPENSSL */
>> +#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
>>
>>  Key    *key_from_blob(const u_char *, u_int);
>>  int     key_to_blob(const Key *, u_char **, u_int *);
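Review bot: guarding the two prototypes on `defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)` removes the key.h:85/86 errors quoted above (EC_GROUP and EC_KEY only exist when ec.h is present), but the definitions and callers of key_ec_validate_public and key_ec_validate_private need the same guard, otherwise a no-ECC build just moves the failure from the header to whichever .c file references them; worth a grep for both names before this goes in. The `#endif` comment repeating the full condition is good, keep it in sync if the condition grows.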
>>
>
>
>
> --
> # include <stddisclaimer.h>
> /* Kevin  Brott <Kevin.Brott at gmail.com> */
>
>


-- 
# include <stddisclaimer.h>
/* Kevin  Brott <Kevin.Brott at gmail.com> */
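The two `case` patterns from this thread, the original `0090[0-7]*|009080[0-5]*` and the patched `90[0-7]*|9080[0-5]*` as they come out in the generated configure, run side by side over the `$ssl_library_ver` strings listed in the message. This is example code added for this page, not code from OpenSSH's configure.ac; the two boundary strings for 0.9.8e and 0.9.8f are constructed, and the function names `old_check`, `new_check`, `count_rejected` and `report` are this example's own.

```shell
#!/bin/sh
# Added example for this thread, not code from the OpenSSH tree: the
# version check from configure.ac before and after the patch, as two
# shell functions, run over the $ssl_library_ver strings quoted in the
# message.  Each returns 0 when the version is accepted and 1 when
# configure would stop with "OpenSSL >= 0.9.8f required".

# Pattern generated from the unpatched configure.ac.  The values carry
# no leading zeros, so these branches can never match and every old
# OpenSSL passed configure, only to hit the #error in openssl-compat.h.
old_check() {
    case "$1" in
        0090[0-7]*|009080[0-5]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Pattern generated from the patched configure.ac ([[...]] in the m4
# source becomes a single bracket pair in configure).  Rejects 0.9.0
# through 0.9.7 and 0.9.8 through 0.9.8e; everything else is accepted.
new_check() {
    case "$1" in
        90[0-7]*|9080[0-5]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Constructed sample input: the values reported in the thread, plus two
# hand-made boundary strings (0.9.8e must be rejected, 0.9.8f accepted).
SAMPLES='90602f (OpenSSL 0.9.6b [engine] 9 Jul 2001)
90701f (OpenSSL 0.9.7a Feb 19 2003)
90802f (OpenSSL 0.9.8e-rhel5 01 Jul 2008)
90805f (OpenSSL 0.9.8e constructed boundary)
90806f (OpenSSL 0.9.8f constructed boundary)
90811f (OpenSSL 0.9.8k 25 Mar 2009)
10000003 (OpenSSL 1.0.0-fips 29 Mar 2010)
1000105f (OpenSSL 1.0.1e 11 Feb 2013)'

# count_rejected CHECK: number of samples for which CHECK returns 1.
# A here-document rather than a pipe so the counter survives the loop.
count_rejected() {
    rejected=0
    while IFS= read -r v; do
        "$1" "$v" || rejected=$((rejected + 1))
    done <<EOF
$SAMPLES
EOF
    echo "$rejected"
}

# report: one line per sample showing what each pattern decides.
report() {
    printf '%s\n' "$SAMPLES" | while IFS= read -r v; do
        if old_check "$v"; then o=accept; else o=reject; fi
        if new_check "$v"; then n=accept; else n=reject; fi
        printf 'old=%-6s new=%-6s %s\n' "$o" "$n" "$v"
    done
}

report
printf 'rejected by old pattern: %s, by new pattern: %s\n' \
    "$(count_rejected old_check)" "$(count_rejected new_check)"
```

Running it prints one line per sample: the old pattern rejects none of them, which is why configure completed and the build only failed at openssl-compat.h, while the patched pattern rejects exactly the four entries below 0.9.8f and lets the 0.9.8f boundary string, 0.9.8k and the 1.0.x values through.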

