forked from pool/openssh
318211936a
Version update to 8.1p1: * ssh-keygen(1): when acting as a CA and signing certificates with an RSA key, default to using the rsa-sha2-512 signature algorithm. Certificates signed by RSA keys will therefore be incompatible with OpenSSH versions prior to 7.2 unless the default is overridden (using "ssh-keygen -t ssh-rsa -s ..."). * ssh(1): Allow %n to be expanded in ProxyCommand strings * ssh(1), sshd(8): Allow prepending a list of algorithms to the default set by starting the list with the '^' character, E.g. "HostKeyAlgorithms ^ssh-ed25519" * ssh-keygen(1): add an experimental lightweight signature and verification ability. Signatures may be made using regular ssh keys held on disk or stored in a ssh-agent and verified against an authorized_keys-like list of allowed keys. Signatures embed a namespace that prevents confusion and attacks between different usage domains (e.g. files vs email). * ssh-keygen(1): print key comment when extracting public key from a private key. * ssh-keygen(1): accept the verbose flag when searching for host keys in known hosts (i.e. "ssh-keygen -vF host") to print the matching host's random-art signature too. * All: support PKCS8 as an optional format for storage of private keys to disk. The OpenSSH native key format remains the default, but PKCS8 is a superior format to PEM if interoperability with non-OpenSSH software is required, as it may use a less insecure key derivation function than PEM's. - Additional changes from 8.0p1 release: * scp(1): Add "-T" flag to disable client-side filtering of server file list. * sshd(8): Remove support for obsolete "host/port" syntax. OBS-URL: https://build.opensuse.org/request/show/737034 OBS-URL: https://build.opensuse.org/package/show/network/openssh?expand=0&rev=197
49 lines
1.4 KiB
Diff
49 lines
1.4 KiB
Diff
# HG changeset patch
|
|
# Parent b13da8c3e99081cb92ab226d2c512241a82cd0d5
|
|
disable run-time check for OpenSSL ABI by version number as that is not a
|
|
reliable indicator of ABI changes and doesn't make much sense in a
|
|
distribution package
|
|
|
|
diff --git a/configure.ac b/configure.ac
|
|
index 42ffd95..20a1884 100644
|
|
--- a/configure.ac
|
|
+++ b/configure.ac
|
|
@@ -4878,6 +4878,19 @@ AC_ARG_WITH([bsd-auth],
|
|
]
|
|
)
|
|
|
|
+# Whether we are using distribution (Open)SSL, so no runtime checks are necessary
|
|
+DISTRO_SSL=no
|
|
+AC_ARG_WITH([distro-ssl],
|
|
+ [ --with-distro-ssl Disable runtime OpenSSL version checks (good for distributions)],
|
|
+ [
|
|
+ if test "x$withval" != "xno" ; then
|
|
+ AC_DEFINE([DISTRO_SSL], [1],
|
|
+ [Define if you are using distribution SSL library and don;t expect its API/ABI to change])
|
|
+ DISTRO_SSL=yes
|
|
+ fi
|
|
+ ]
|
|
+)
|
|
+
|
|
# Where to place sshd.pid
|
|
piddir=/var/run
|
|
# make sure the directory exists
|
|
diff --git a/entropy.c b/entropy.c
|
|
index f8b9f42..4957b23 100644
|
|
--- a/entropy.c
|
|
+++ b/entropy.c
|
|
@@ -223,11 +223,13 @@ seed_rng(void)
|
|
/* Initialise libcrypto */
|
|
ssh_libcrypto_init();
|
|
|
|
+#ifndef DISTRO_SSL
|
|
if (!ssh_compatible_openssl(OPENSSL_VERSION_NUMBER,
|
|
OpenSSL_version_num()))
|
|
fatal("OpenSSL version mismatch. Built against %lx, you "
|
|
"have %lx", (u_long)OPENSSL_VERSION_NUMBER,
|
|
OpenSSL_version_num());
|
|
+#endif
|
|
|
|
#ifndef OPENSSL_PRNG_ONLY
|
|
if (RAND_status() == 1)
|