Call for testing: OpenSSH 7.9

Mon Oct 15 10:18:52 AEDT 2018

On Fri, 12 Oct 2018, Jakub Jelen wrote:

> Something like this can be used to properly initialize new OpenSSL
> versions:
> 
> @@ -70,12 +70,19 @@ ssh_compatible_openssl(long headerver, long libver)
>  void
>  ssh_OpenSSL_add_all_algorithms(void)
>  {
> +#if OPENSSL_VERSION_NUMBER < 0x10100000L
>  	OpenSSL_add_all_algorithms();
>  
>  	/* Enable use of crypto hardware */
>  	ENGINE_load_builtin_engines();
> +#if OPENSSL_VERSION_NUMBER < 0x10001000L
>  	ENGINE_register_all_complete();
> +#endif
>  	OPENSSL_config(NULL);
> +#else
> +	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_DIGESTS |
> +	    OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG,
> NULL);
> +#endif

I don't think the #ifs match the #endifs properly here - it leaves
the OPENSSL_init_crypto() call inside a #if OPENSSL_VERSION_NUMBER <
0x10100000L...

IMO this is simpler and better preserves the current flow of the code.
OpenSSL_add_all_algorithms() isn't marked as deprecated in the OpenSSL
headers, is used elsewhere in OpenSSH and is still used in most of
OpenSSL's demos/*, so I don't see any need to skip that ATM.

diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 259fccbe..762358f0 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -75,7 +75,13 @@ ssh_OpenSSL_add_all_algorithms(void)
 	/* Enable use of crypto hardware */
 	ENGINE_load_builtin_engines();
 	ENGINE_register_all_complete();
+
+#if OPENSSL_VERSION_NUMBER < 0x10001000L
 	OPENSSL_config(NULL);
+#else
+	OPENSSL_init_crypto(OPENSSL_INIT_ADD_ALL_CIPHERS |
+	    OPENSSL_INIT_ADD_ALL_DIGESTS | OPENSSL_INIT_LOAD_CONFIG);
+#endif
 }
 #endif
 

