OpenSSL 1.1.0 support
Kurt Roeckx
kurt at roeckx.be
Mon Sep 19 04:22:31 AEST 2016
Hi,
Attached is a patch that adds support for building against OpenSSL
1.1.0. I also made a github pull request for it at:
https://github.com/openssh/openssh-portable/pull/48
It has the same regression test failures as the master branch,
and it has been tested with both 1.0.2 and 1.1.0.
Some comments about the patch:
- I've included a libcrypto-compat.c to add new functions from
OpenSSL that are needed with 1.1.0 but didn't exist in 1.0.2.
Since they are copied from the OpenSSL source code, I also added
the OpenSSL license to it. If this is a problem we can probably
agree to put that file under a different license.
- I've replaced the 2 EVP_CipherInit() calls in cipher_init() with
1. OpenSSL now clears everything when you call EVP_CipherInit()
again, so what was passed in the first but not in the second
call, and what the function calls between them did, was lost.
- The test suite was insisting that things like rsa->n were not
NULL in sshkey/test_sshkey.c. sshkey_add_private was also doing
something like that for the private parts. I don't agree that it
should just have BN members that are not set to a real value. So I
removed that code and the checks. I'm not even sure why this was
done. But sshkey_add_private() ends up as a rather useless
function now.
- In sshkey_private_deserialize() there was a KEY_RSA_CERT case.
I'm not sure what it's about and I guess the test suite also
doesn't check it. But it seems that it only has the private key
in that case and OpenSSL now seems to insist that an RSA needs
to have the public key information too.
PS: I didn't subscribe to the list.
Kurt
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Make-it-build-using-OpenSSL-1.1.0.patch
Type: text/x-diff
Size: 76297 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20160918/83da29c5/attachment-0001.bin>