Call for testing: OpenSSH 7.9

Jakub Jelen jjelen at redhat.com
Wed Oct 17 05:13:39 AEDT 2018 

On Mon, 2018-10-15 at 10:18 +1100, Damien Miller wrote:
> On Fri, 12 Oct 2018, Jakub Jelen wrote:
> 
> > Something like this can be used to properly initialize new OpenSSL
> > versions:
> > 
> > @@ -70,12 +70,19 @@ ssh_compatible_openssl(long headerver, long
> > libver)
> >  void
> >  ssh_OpenSSL_add_all_algorithms(void)
> >  {
> > +#if OPENSSL_VERSION_NUMBER < 0x10100000L
> >  	OpenSSL_add_all_algorithms();
> >  
> >  	/* Enable use of crypto hardware */
> >  	ENGINE_load_builtin_engines();
> > +#if OPENSSL_VERSION_NUMBER < 0x10001000L
> >  	ENGINE_register_all_complete();
> > +#endif
> >  	OPENSSL_config(NULL);
> > +#else
> > +	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS |
> > +	    OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG,
> > NULL);
> > +#endif
> 
> I don't think the #ifs match the #endifs properly here - it leaves
> the OPENSSL_init_crypto() call inside a #if OPENSSL_VERSION_NUMBER <
> 0x10100000L...
> 
> IMO this is simpler and better preserves the current flow of the
> code.
> OpenSSL_add_all_algorithms() isn't marked as deprecated in the
> OpenSSL
> headers, is used elsewhere in OpenSSH and is still used in most of
> OpenSSL's demos/*, so I don't see any need to skip that ATM.
> 
> diff --git a/openbsd-compat/openssl-compat.c b/openbsd-
> compat/openssl-compat.c
> index 259fccbe..762358f0 100644
> --- a/openbsd-compat/openssl-compat.c
> +++ b/openbsd-compat/openssl-compat.c
> @@ -75,7 +75,13 @@ ssh_OpenSSL_add_all_algorithms(void)
>  	/* Enable use of crypto hardware */
>  	ENGINE_load_builtin_engines();
>  	ENGINE_register_all_complete();
> +
> +#if OPENSSL_VERSION_NUMBER < 0x10001000L
>  	OPENSSL_config(NULL);
> +#else
> +	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
> +	    OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG);
> +#endif
>  }
>  #endif

The version in the last snap 20181017 (master commit [1]) is actually
missing the last (NULL) argument so the master/snap does not compile at
all now with new OpenSSL.

[1] https://github.com/openssh/openssh-portable/commit/4e23deef

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.

More information about the openssh-unix-dev mailing list