The attached patches fix and clean up the build when configured with --without-openssl. Summary:
* Fix KEX_SERVER_ENCRYPT macro in myproposal.h
* Fix unresolved symbols in ssh-keygen.c
* Isolate openssl code and extend WITH_OPENSSL wrappers around it
* Make ed25519 the default key type in ssh-keygen when configured --without-openssl
From 96e87ab50e242a2d4a2511418185d1e855d8c793 Mon Sep 17 00:00:00 2001
From: Reuben Hawkins <rhawkins@xxxxxxxxxx>
Date: Wed, 22 Apr 2015 11:54:28 -0700
Subject: [PATCH 1/4] myproposal.h: fix newline in KEX_SERVER_ENCRYPT

It appears that someone left off a '\' character. KEX_SERVER_ENCRYPT should be defined as... #define KEX_SERVER_ENCRYPT "chacha20-poly1305@xxxxxxxxxxx,""aes128-ctr,aes192-ctr,aes256-ctr" ...but for formatting the string is split up on seperate lines which need to be connected with the '\' characters.
---
 myproposal.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/myproposal.h b/myproposal.h
index 4033110..f624e3b 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -148,7 +148,7 @@
 "ssh-ed25519-cert-v01@xxxxxxxxxxx," \
 "ssh-ed25519"
 #define KEX_SERVER_ENCRYPT \
- "chacha20-poly1305@xxxxxxxxxxx,"
+ "chacha20-poly1305@xxxxxxxxxxx," \
 "aes128-ctr,aes192-ctr,aes256-ctr"
 #define KEX_SERVER_MAC \
 "umac-64-etm@xxxxxxxxxxx," \
-- 
1.9.1
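Review bot: With the continuation restored, KEX_SERVER_ENCRYPT advertises `aes128-ctr,aes192-ctr,aes256-ctr` alongside chacha20 for the build this block serves, and the hunk does not show whether the cipher table compiled in a --without-openssl build actually provides those names; if it does not, the server proposes ciphers it cannot negotiate. Worth a one-time check against the non-OpenSSL cipher list before merging. The neighbouring list (`KEX_SERVER_MAC`, trailing context) already ends each line with `\`, so the dropped character appears to be limited to this one line.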
From 8fe240e1875e8e6eaf02a2d4d7aad01d13d5bedc Mon Sep 17 00:00:00 2001
From: Reuben Hawkins <rhawkins@xxxxxxxxxx>
Date: Wed, 22 Apr 2015 11:58:48 -0700
Subject: [PATCH 2/4] ssh-keygen.c: add needed WITH_OPENSSL gaurds

ssh-keygen was failing to link on unresolved gen_candidates and prime_test symbols. These functions are only available when ssh links to ssl.
---
 ssh-keygen.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/ssh-keygen.c b/ssh-keygen.c
index 0518638..dbbfdf3 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -174,10 +174,12 @@ extern char *__progname;
 
 char hostname[NI_MAXHOST];
 
+#ifdef WITH_OPENSSL
 /* moduli.c */
 int gen_candidates(FILE *, u_int32_t, u_int32_t, BIGNUM *);
 int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,
 unsigned long);
+#endif
 
 static void
 type_bits_valid(int type, const char *name, u_int32_t *bitsp)
@@ -2571,6 +2573,7 @@ main(int argc, char **argv)
 }
 }
 
+#ifdef WITH_OPENSSL
 if (do_gen_candidates) {
 FILE *out = fopen(out_file, "w");
 
@@ -2610,6 +2613,7 @@ main(int argc, char **argv)
 fatal("modulus screening failed");
 return (0);
 }
+#endif /* WITH_OPENSSL */
 
 if (gen_all_hostkeys) {
 do_gen_all_hostkeys(pw);
-- 
1.9.1
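Review bot: The `+#endif` closing the prototype guard in the first hunk is bare, while the one closing the candidate-screening path in the third hunk is annotated `#endif /* WITH_OPENSSL */`; the bare form recurs in the usage() and declaration hunks of patch 3. The `#ifdef WITH_OPENSSL` opened in the second hunk is only closed in the third, with the whole generation/screening code between them outside any hunk, so annotating every `#endif` the same way, `+#endif /* WITH_OPENSSL */`, keeps the pairing readable at a glance. After this patch alone the `-j`/`-J`/`-W` cases and the variables they set are still compiled unconditionally and go unused without OpenSSL; patch 3 of the series moves them under the guard, so that only matters if the patches are picked individually.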
From 4ada5e536399832c0c35baa184369d3346de6172 Mon Sep 17 00:00:00 2001
From: Reuben Hawkins <rhawkins@xxxxxxxxxx>
Date: Wed, 22 Apr 2015 12:02:17 -0700
Subject: [PATCH 3/4] ssh-keygen.c: isolate ssl code, wrap in WITH_OPENSSL

There are a number of ssh-keygen options which only apply in a with-openssl build. These options were already partially guarded in WITH_OPENSSL macros. This change isolates and wraps the rest of those options producing a clean, warning free build with openssl disabled.
---
 ssh-keygen.c | 31 ++++++++++++++++++------------
 1 file changed, 18 insertions(+), 13 deletions(-)

diff --git a/ssh-keygen.c b/ssh-keygen.c
index dbbfdf3..c993736 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2223,9 +2223,11 @@ usage(void)
 " ssh-keygen -H [-f known_hosts_file]\n"
 " ssh-keygen -R hostname [-f known_hosts_file]\n"
 " ssh-keygen -r hostname [-f input_keyfile] [-g]\n"
+#ifdef WITH_OPENSSL
 " ssh-keygen -G output_file [-v] [-b bits] [-M memory] [-S start_point]\n"
 " ssh-keygen -T output_file -f input_file [-v] [-a rounds] [-J num_lines]\n"
 " [-j start_line] [-K checkpt] [-W generator]\n"
+#endif
 " ssh-keygen -s ca_key -I certificate_identity [-h] [-n principals]\n"
 " [-O option] [-V validity_interval] [-z serial_number] file ...\n"
 " ssh-keygen -L [-f input_keyfile]\n"
@@ -2243,17 +2245,21 @@ int
 main(int argc, char **argv)
 {
 char dotsshdir[PATH_MAX], comment[1024], *passphrase1, *passphrase2;
- char *checkpoint = NULL;
- char out_file[PATH_MAX], *rr_hostname = NULL, *ep, *fp, *ra;
+ char *rr_hostname = NULL, *ep, *fp, *ra;
 struct sshkey *private, *public;
 struct passwd *pw;
 struct stat st;
 int r, opt, type, fd;
- u_int32_t memory = 0, generator_wanted = 0;
+#ifdef WITH_OPENSSL
+ char out_file[PATH_MAX];
+ u_int32_t generator_wanted = 0;
+ char *checkpoint = NULL;
+ u_int32_t memory = 0;
 int do_gen_candidates = 0, do_screen_candidates = 0;
- int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
- unsigned long start_lineno = 0, lines_to_process = 0;
 BIGNUM *start = NULL;
+ unsigned long start_lineno = 0, lines_to_process = 0;
+#endif
+ int gen_all_hostkeys = 0, gen_krl = 0, update_krl = 0, check_krl = 0;
 FILE *f;
 const char *errstr;
 
@@ -2312,12 +2318,6 @@ main(int argc, char **argv)
 case 'I':
 cert_key_id = optarg;
 break;
- case 'J':
- lines_to_process = strtoul(optarg, NULL, 10);
- break;
- case 'j':
- start_lineno = strtoul(optarg, NULL, 10);
- break;
 case 'R':
 delete_host = 1;
 rr_hostname = optarg;
@@ -2432,6 +2432,13 @@ main(int argc, char **argv)
 case 'r':
 rr_hostname = optarg;
 break;
+#ifdef WITH_OPENSSL
+ case 'j':
+ start_lineno = strtoul(optarg, NULL, 10);
+ break;
+ case 'J':
+ lines_to_process = strtoul(optarg, NULL, 10);
+ break;
 case 'W':
 generator_wanted = (u_int32_t)strtonum(optarg, 1,
 UINT_MAX, &errstr);
@@ -2445,7 +2452,6 @@ main(int argc, char **argv)
 fatal("Invalid number: %s (%s)",
 optarg, errstr);
 break;
-#ifdef WITH_OPENSSL
 case 'M':
 memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
 if (errstr)
@@ -2589,7 +2595,6 @@ main(int argc, char **argv)
 
 return (0);
 }
-
 if (do_screen_candidates) {
 FILE *in;
 FILE *out = fopen(out_file, "a");
-- 
1.9.1
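Review bot: The declaration hunk rewrites more lines than the guard needs: the original `u_int32_t memory = 0, generator_wanted = 0;` is split into two declarations with `char *checkpoint = NULL;` between them, and `BIGNUM *start = NULL;` is moved ahead of `start_lineno`. Moving the existing lines unchanged into the `#ifdef WITH_OPENSSL` block, keeping `u_int32_t memory = 0, generator_wanted = 0;` as one line, gives a smaller diff and the same grouping as before. Leaving `int do_gen_candidates = 0, do_screen_candidates = 0;` inside the guard is consistent with the `-G`/`-T` cases presumably already sitting under `WITH_OPENSSL` in the option parser, which this hunk does not show.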
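Review bot: Moving `case 'j'`, `case 'J'` and `case 'W'` under `#ifdef WITH_OPENSSL` (the `-#ifdef` dropped before `case 'M'` in the following hunk merely extends that same region, whose `#endif` lies outside these hunks) means a non-OpenSSL build presumably still lists those letters in the getopt string, so `-j 5` is accepted by getopt and then lands in `default:`. That is a safe failure mode only if `default:` calls usage() and exits, which is not visible here; if it is something softer, the options would be silently ignored. If the option string is deliberately left as is, a short comment at the new `#ifdef`, `/* moduli options; without OpenSSL they fall through to default: */`, would explain the asymmetry to the next reader.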
From f325b1f7f0f07d0b6bb3b5dfc36374b0d3fe1894 Mon Sep 17 00:00:00 2001
From: Reuben Hawkins <rhawkins@xxxxxxxxxx>
Date: Wed, 22 Apr 2015 12:06:24 -0700
Subject: [PATCH 4/4] ssh-keygen.c: man ed25519 default without openssl

The default key type was hardcoded to rsa, which isn't available in without-openssl builds. This change makes the default ed25519 when openssl is disabled.
---
 ssh-keygen.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/ssh-keygen.c b/ssh-keygen.c
index c993736..d50dd11 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -2625,8 +2625,13 @@ main(int argc, char **argv)
 return (0);
 }
 
- if (key_type_name == NULL)
+ if (key_type_name == NULL) {
+#ifdef WITH_OPENSSL
 key_type_name = "rsa";
+#else
+ key_type_name = "ed25519";
+#endif /* WITH_OPENSSL */
+ }
 
 type = sshkey_type_from_name(key_type_name);
 type_bits_valid(type, key_type_name, &bits);
-- 
1.9.1
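Review bot: The default key type now depends on build configuration, so a user who passes only `-b bits` on a --without-openssl build gets ed25519 together with a bit size that does not apply to it; whether `type_bits_valid()` (called two lines below, body outside the hunk) rejects or quietly ignores that combination is not visible here and is worth confirming. The build-time choice deserves a one-line comment on the `#else` branch, e.g. `/* RSA needs OpenSSL; fall back to ed25519, which does not */`, so the next reader does not take it for an oversight. Bracing the body around the preprocessor conditional is the right call: the `if` stays well-formed whichever branch is compiled.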