Open
julek-wolfssl added a commit to julek-wolfssl/wolfssl that referenced this pull request on Mar 26, 2026
Depends on wolfSSL/osp#327
Pull request overview
Adds a vendor patch for integrating wolfSSL support into OpenSSH 10.2p1.
Changes:
- Introduces `openssh-10.2p1.patch` implementing wolfSSL build/configure integration and compatibility shims.
- Updates OpenSSH build system logic (autoconf/Makefile) to optionally build against wolfSSL and adjust the test environment.
- Adds wolfSSL initialization, logging, and RNG seeding integration points in OpenSSH sources (via patch).
Comments suppressed due to low confidence (9)
openssh-patches/openssh-10.2p1.patch:1
`test ... == ...` is not POSIX sh and can break on some /bin/sh implementations used by configure. Use `=` instead of `==` in all `test` expressions here (and below), and consider restructuring the FIPS >= 5.2 probe so that "compile success => yes" (instead of relying on an intentional compile failure) to avoid fragile logic.
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
- With wolfSSL enabled, `WITH_OPENSSL` is also defined in the patch, which will pull in `<openssl/opensslv.h>`. That header typically won't exist in a wolfSSL-only environment (wolfSSL's compat header is usually `<wolfssl/openssl/opensslv.h>`), so this is likely to break compilation. Recommendation: guard the OpenSSL header include with `!defined(USING_WOLFSSL)` or include the wolfSSL compat equivalent when `USING_WOLFSSL` is set.
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
- Including `<openssl/ssl.h>` under `WITH_OPENSSL` will likely fail for wolfSSL builds (which generally provide `<wolfssl/openssl/ssl.h>` instead). Since the patch defines `WITH_OPENSSL` even when using wolfSSL, this include path should be switched to the wolfSSL compat header when `USING_WOLFSSL` is defined, or otherwise adjusted to match the include strategy used in `includes.h`.
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
`wolfSSL_SetLoggingCb()` can cause wolfSSL to emit log messages during/after initialization; routing all of them unconditionally through `debug()` can create very noisy logs and potential sensitive-information exposure depending on wolfSSL log content. Consider enabling the callback only when OpenSSH debug logging is explicitly enabled (or mapping wolfSSL log levels to OpenSSH LogLevel and filtering accordingly).
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
`wolfSSL_Debugging_ON()` is enabled unconditionally for all OpenSSH programs in `log_init()`, which can significantly increase log volume and overhead in production (and may leak details). Recommendation: do not force-enable wolfSSL debugging in core initialization; instead gate it behind an OpenSSH debug flag/config or compile-time option.
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
- If `getrandom()` returns `0`, this loop becomes infinite because `sz` is never reduced. Also, `getrandom` takes a `size_t` and returns `ssize_t`; casting to `int` can truncate/overflow for larger reads. Fix by using `ssize_t len`, handling `len == 0` as an error/termination case, and passing a bounded `size_t` chunk size (some platforms cap `getrandom` per call).
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
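A seeding loop that handles the three cases raised in the comment above (a 0 return, `ssize_t` vs `int`, and a per-call chunk cap), written here as an added example; it is not code from the patch, from OpenSSH or from wolfSSL. The retry loop is separated from the syscall behind a reader function pointer so that the zero-return and short-read paths can be exercised with constructed fake readers. `fill_random`, `seed_from_getrandom`, the 256-byte `RAND_CHUNK` cap, the retry limit and both fake readers are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/random.h>   /* getrandom(2), glibc >= 2.25 */
#endif

/* Assumed cap: getentropy(2) refuses requests over 256 bytes and Linux
 * getrandom(2) may return short reads for large requests, so never ask
 * for more than this per call. */
#define RAND_CHUNK 256
#define RAND_MAX_RETRIES 16

/* Same contract as getrandom(): bytes read, 0, or -1 with errno set.
 * Shared by the real syscall wrapper and the constructed fakes below. */
typedef ssize_t (*rand_read_fn)(void *buf, size_t len);

/* Fill buf[0..len) using rd(). Returns 0 on success, -1 on failure.
 * - ssize_t, not int, so large reads are not truncated;
 * - a 0 return is a failure, never retried (the original loop spun here);
 * - EINTR/EAGAIN are retried a bounded number of times;
 * - short reads advance the offset and continue. */
int fill_random(unsigned char *buf, size_t len, rand_read_fn rd)
{
    size_t off = 0;
    int retries = 0;

    while (off < len) {
        size_t want = len - off;
        ssize_t n;

        if (want > RAND_CHUNK)
            want = RAND_CHUNK;
        n = rd(buf + off, want);
        if (n < 0) {
            if ((errno == EINTR || errno == EAGAIN) &&
                retries++ < RAND_MAX_RETRIES)
                continue;
            return -1;
        }
        if (n == 0)
            return -1;          /* no progress: do not spin */
        if ((size_t)n > want)
            return -1;          /* misbehaving reader: never overrun buf */
        off += (size_t)n;
    }
    return 0;
}

#ifdef __linux__
static ssize_t sys_getrandom(void *buf, size_t len)
{
    return getrandom(buf, len, 0);
}
#endif

/* Seed helper a port could call from its RNG-seeding hook (assumed name). */
int seed_from_getrandom(unsigned char *buf, size_t len)
{
#ifdef __linux__
    return fill_random(buf, len, sys_getrandom);
#else
    (void)buf; (void)len;
    errno = ENOSYS;
    return -1;
#endif
}

/* Constructed fake: at most 7 bytes per call, filled with 0xAB. */
static ssize_t fake_short_reader(void *buf, size_t len)
{
    size_t n = len < 7 ? len : 7;
    memset(buf, 0xAB, n);
    return (ssize_t)n;
}

/* Constructed fake: always returns 0, the case that hung the original loop. */
static ssize_t fake_zero_reader(void *buf, size_t len)
{
    (void)buf; (void)len;
    return 0;
}

/* Returns 1 if a 1000-byte buffer is completely filled through short reads. */
int demo_short_reads_ok(void)
{
    unsigned char buf[1000];
    size_t i;

    memset(buf, 0, sizeof buf);
    if (fill_random(buf, sizeof buf, fake_short_reader) != 0)
        return 0;
    for (i = 0; i < sizeof buf; i++)
        if (buf[i] != 0xAB)
            return 0;
    return 1;
}

/* Returns 1 if a zero-returning reader is rejected instead of looping forever. */
int demo_zero_read_fails(void)
{
    unsigned char buf[64];
    return fill_random(buf, sizeof buf, fake_zero_reader) == -1;
}

int main(void)
{
    unsigned char seed[32];
    size_t i;

    if (seed_from_getrandom(seed, sizeof seed) != 0) {
        perror("seed_from_getrandom");
        return 1;
    }
    for (i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    putchar('\n');
    return 0;
}
```

The reader indirection is only there so the failure paths can be driven deterministically; in a real port the syscall wrapper would be passed directly and the fakes would live in a test file.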
openssh-patches/openssh-10.2p1.patch:1
`AC_TRY_LINK_FUNC` is obsolete and commonly triggers warnings with newer autoconf; using `AC_CHECK_FUNC`/`AC_LINK_IFELSE` (or `AC_SEARCH_LIBS` for `wolfSSL_Init`) is the recommended/maintained approach. Updating this check will improve long-term portability of the configure logic.
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
- The warning text mentions “renderer processes”, which appears unrelated to OpenSSH and is confusing in OpenSSH’s configure output. Recommend adjusting the message to refer specifically to OpenSSH/sshd sandboxing (and keep terminology consistent with the rest of the project).
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
openssh-patches/openssh-10.2p1.patch:1
- The new `return` block uses spaces for indentation and no braces, which is inconsistent with the surrounding OpenSSH style (tabs + aligned indentation). Consider formatting this to match the local convention to keep diffs minimal and readability consistent.
From 362721ed1982880420aa5d5905249ef55641c3e4 Mon Sep 17 00:00:00 2001
No description provided.