
OpenSSH: retire DSA support
ClosedPublic

Authored by emaste on Wed, Apr 9, 3:22 PM.

Details

Summary

commit e4d6c9fa02164a49bdf1a8c89e603bb1564f912b (HEAD -> main)
Author: Ed Maste <emaste@FreeBSD.org>
Date: Wed Apr 9 11:21:31 2025 -0400

OpenSSH: Regen config.h for DSA retirement

Sponsored by:   The FreeBSD Foundation

commit 8fbe33c604b2e049c77ea7ec489b2283f89107ad
Author: Ed Maste <emaste@FreeBSD.org>
Date: Wed Apr 9 11:17:10 2025 -0400

OpenSSH: remove ability to enable DSA support

DSA is deprecated and upstream OpenSSH is in the process of removing it.

Obtained from:  OpenSSH-portable 6c9872faa1c2
Sponsored by:   The FreeBSD Foundation

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

emaste requested review of this revision. Wed, Apr 9, 3:22 PM
emaste created this revision.

OpenSSH 10.0 removes the configure machinery to enable DSA, but does not yet remove the code.

When regenerating config.h (second commit), the HAVE_DECL_OPENSSL_IS_BORINGSSL and the HAVE_DECL_OPENSSL_NO_DSA stanzas should be removed as well.

Thanks, updated and will update in a moment. There are two nits to sort out still in config.h generation:

--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@ -1863,14 +1863,10 @@
 #define SIZEOF_SHORT_INT 2
 
 /* The size of 'time_t', as computed by sizeof. */
-#ifdef __i386__
-#define SIZEOF_TIME_T 4
-#else
 #define SIZEOF_TIME_T 8
-#endif
 
 /* Define as const if snprintf() can declare const char *fmt */
-#define SNPRINTF_CONST const
+#define SNPRINTF_CONST /* not const */
 
 /* sockaddr_in has sin_len */
 #define SOCK_HAS_LEN 1
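Review bot: dropping the `#ifdef __i386__` / `#define SIZEOF_TIME_T 4` branch and hard-coding `#define SIZEOF_TIME_T 8` records only what the 64-bit host that ran configure saw; since this config.h is committed for every architecture, the i386 branch should be restored by hand (or the regeneration step taught to keep it) for as long as i386 is built. The second change, `-#define SNPRINTF_CONST const` to `+#define SNPRINTF_CONST /* not const */`, reads as a probe failure rather than an intended result: the configure test declares `int snprintf(char *a, size_t b, const char *c, ...)`, which cannot compile once `_FORTIFY_SOURCE=2` turns `snprintf` into a function-like macro, so configure falls back to "not const". Keep `const` in the committed header and fix the probe separately instead of landing the regressed value.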
jlduran added a subscriber: kevans.

> Thanks, updated and will update in a moment. There are two nits to sort out still in config.h generation:

--- a/crypto/openssh/config.h
+++ b/crypto/openssh/config.h
@@ -1863,14 +1863,10 @@
 #define SIZEOF_SHORT_INT 2
 
 /* The size of 'time_t', as computed by sizeof. */
-#ifdef __i386__
-#define SIZEOF_TIME_T 4
-#else
 #define SIZEOF_TIME_T 8
-#endif

This one is OK. It should go away when i386 support ends (wait, hasn't it happened yet?)

/* Define as const if snprintf() can declare const char *fmt */
-#define SNPRINTF_CONST const
+#define SNPRINTF_CONST /* not const */

This one is more complicated. Last time I tried, I could not fix it (@kevans):

conftest.c
#include <stdio.h>
int snprintf(char *a, size_t b, const char *c, ...) { return 0; }

int
main (void)
{
	snprintf(0, 0, 0);

	return (0);
}
$ cc -D_FORTIFY_SOURCE=2 conftest.c
conftest.c:2:5: error: expected identifier or '('
    2 | int snprintf(char *a, size_t b, const char *c, ...) { return 0; }
      |     ^
/usr/include/ssp/stdio.h:88:33: note: expanded from macro 'snprintf'
   88 | #define snprintf(str, len, ...) __extension__ ({        \
      |                                 ^
1 error generated.
This revision is now accepted and ready to land. Wed, Apr 9, 4:24 PM

Regarding const detection, this is one way out:
D49742
At the moment it only seems to affect SNPRINTF_CONST (in a positive way).
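Added example (written for this edit; not FreeBSD's, OpenSSH's or the reviewers' code) covering both config.h nits above: a `_Static_assert` that makes a hard-coded SIZEOF_TIME_T fail the build on any architecture where it is wrong, and the parenthesised-declarator form of the snprintf const probe, which still compiles when a fortified header has turned `snprintf` into a function-like macro. Assumptions: SIZEOF_TIME_T is defined locally to mimic a generated config.h, the `snprintf` macro is a constructed stand-in for the ssp/stdio.h wrapper shown in the compiler output, and the parenthesised declarator is this example's escape, not necessarily what D49742 does.

```c
/*
 * Added example, not FreeBSD/OpenSSH code.  Two build-time guards for the
 * config.h regeneration problems discussed in this review.
 *
 * Assumptions: SIZEOF_TIME_T below mimics the regenerated header; the
 * snprintf macro is a constructed stand-in for the ssp/stdio.h wrapper that
 * _FORTIFY_SOURCE=2 installs on FreeBSD.
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <time.h>

/* 1. A hard-coded SIZEOF_TIME_T is only right on the host that regenerated
 *    config.h.  Comparing it with the real type at compile time turns a
 *    silently wrong committed header into a build failure on the other
 *    architecture (e.g. a 32-bit time_t target). */
#ifndef SIZEOF_TIME_T
#define SIZEOF_TIME_T 8     /* what the regenerated header hard-codes (assumption) */
#endif
_Static_assert(SIZEOF_TIME_T == sizeof(time_t),
               "SIZEOF_TIME_T in config.h does not match this target's time_t");

int time_t_width_matches(void)
{
    return SIZEOF_TIME_T == (int)sizeof(time_t);
}

/* 2. Constructed stand-in for a fortified header: snprintf becomes a
 *    function-like macro, as /usr/include/ssp/stdio.h does with
 *    _FORTIFY_SOURCE=2.  Any wrapper the platform already installed is
 *    dropped first so this one is the only macro in scope. */
#undef snprintf
#define snprintf(str, len, ...) \
    __extension__ ({ int rv = (snprintf)((str), (len), __VA_ARGS__); rv; })

/* The configure probe in the thread writes
 *     int snprintf(char *a, size_t b, const char *c, ...)
 * and the preprocessor rewrites "snprintf(" into the macro body, so the probe
 * fails to compile and configure records "not const".  A parenthesised
 * declarator is the standard-C escape: a function-like macro is invoked only
 * when its name is immediately followed by '(', so this declaration survives
 * the macro and still asks the real question (is a const char *fmt prototype
 * compatible with libc's snprintf?).  If this file compiles, the answer is
 * yes and SNPRINTF_CONST should stay "const". */
int (snprintf)(char *a, size_t b, const char *c, ...);

/* Both paths must agree: the macro path is what fortified application code
 * sees, the parenthesised path bypasses the wrapper. */
int format_via_macro(char *buf, size_t len)
{
    return snprintf(buf, len, "%s=%d", "SIZEOF_TIME_T", SIZEOF_TIME_T);
}

int format_direct(char *buf, size_t len)
{
    return (snprintf)(buf, len, "%s=%d", "SIZEOF_TIME_T", SIZEOF_TIME_T);
}

int main(void)
{
    char a[32], b[32];
    int n1 = format_via_macro(a, sizeof a);
    int n2 = format_direct(b, sizeof b);

    printf("macro path : %d \"%s\"\n", n1, a);
    printf("direct path: %d \"%s\"\n", n2, b);
    printf("time_t width matches config.h: %s\n",
           time_t_width_matches() ? "yes" : "no");
    return (n1 == n2 && strcmp(a, b) == 0) ? 0 : 1;
}
```

Build with `cc -std=c11 example.c && ./a.out`. Compiling the same file with `-DSIZEOF_TIME_T=4` on a 64-bit host makes the `_Static_assert` fire, which is exactly the failure a committed header with the wrong width would otherwise hide until runtime.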

This revision was automatically updated to reflect the committed changes.