OpenSSL 1.1.0 support

Mon Sep 19 04:22:31 AEST 2016

Hi,

Attached is a patch that add supports for building against OpenSSL
1.1.0. I also made a github pull request for it at:
https://github.com/openssh/openssh-portable/pull/48

It has the same regression tests failures as the master branch,
and it has been tested with both 1.0.2 and 1.1.0.

Some comments about the patch:
- I've included an libcrypto-compat.c to add new functions from
  OpenSSL that are needed with 1.1.0 but didn't exist in 1.0.2.
  Since they are copied from the OpenSSL source code, I also added
  the OpenSSL license to it. If this is a problem we can probably
  agree to put that file under a different license.
- I've replaced the 2 EVP_CipherInit() calls in cipher_init() with
  1. OpenSSL now clears everything when you call EVP_CipherInit()
  again, so what was passed in the first but not in the second
  call, and what the function calls between them did, was lost.
- The test suite was insitng that things like rsa->n where not
  NULL in sshkey/test_sshkey.c. sshkey_add_private was also doing
  something like that for the private parts. I don't agree that it
  should just have BN members that are not set to a real value. So I
  removed that code and the checks. I'm not even sure why this was
  done. But sshkey_add_private() ends up as a rather useless
  function now.
- In sshkey_private_deserialize() there was a KEY_RSA_CERT case.
  I'm not sure what it's about and I guess the test suite also
  doesn't check it. But it seems that it only has the private key
  in that case and OpenSSL now seems to insist that an RSA needs
  to have the public key information too.

PS: I didn't subscribe to the list.

Kurt

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-it-build-using-OpenSSL-1.1.0.patch
Type: text/x-diff
Size: 76297 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160918/83da29c5/attachment-0001.bin>