* [PATCH] openssh: make OpenSSL optional
From: Max Kellermann @ 2018-09-20 18:22 UTC (permalink / raw)
To: openembedded-core; +Cc: Max Kellermann
From: Max Kellermann <max.kellermann@gmail.com>
Without OpenSSL, OpenSSH can still do ed25519, which is enough for
many users; and it saves a rather heavy dependency.
This requires a patch because lots of `#ifdef WITH_OPENSSL` are
missing.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
.../openssh/openssh/fix_without-openssl.patch | 165 ++++++++++++++++++
.../openssh/openssh_7.8p1+git.bb | 6 +-
2 files changed, 170 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch b/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
new file mode 100644
index 0000000000..6840b79a73
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
@@ -0,0 +1,165 @@
+commit 14f336a04748d50e058e24b0be991b3e99f1dbfc
+Author: Max Kellermann <max.kellermann@gmail.com>
+Date: Thu Sep 20 20:04:14 2018 +0200
+
+ auth, ...: add missing `#ifdef WITH_OPENSSL`
+
+ Even though OpenSSH doesn't use OpenSSL when built with
+ `--without-openssl`, it still needs to include its headers to compile
+ code which is unused in this configuration.
+
+diff --git a/auth.h b/auth.h
+index 977562f0..f68731ef 100644
+--- a/auth.h
++++ b/auth.h
+@@ -30,7 +30,9 @@
+
+ #include <signal.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/rsa.h>
++#endif
+
+ #ifdef HAVE_LOGIN_CAP
+ #include <login_cap.h>
+diff --git a/cipher.c b/cipher.c
+index 12c59888..43c2e4df 100644
+--- a/cipher.c
++++ b/cipher.c
+@@ -55,7 +55,9 @@
+ struct sshcipher_ctx {
+ int plaintext;
+ int encrypt;
++#ifdef WITH_OPENSSL
+ EVP_CIPHER_CTX *evp;
++#endif
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+ const struct sshcipher *cipher;
+diff --git a/cipher.h b/cipher.h
+index dc1571d2..954c356a 100644
+--- a/cipher.h
++++ b/cipher.h
+@@ -38,7 +38,9 @@
+ #define CIPHER_H
+
+ #include <sys/types.h>
++#ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#endif
+ #include "cipher-chachapoly.h"
+ #include "cipher-aesctr.h"
+
+diff --git a/kexc25519.c b/kexc25519.c
+index 0897b8c5..6a54cf9b 100644
+--- a/kexc25519.c
++++ b/kexc25519.c
+@@ -32,8 +32,10 @@
+ #include <signal.h>
+ #include <string.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/bn.h>
+ #include <openssl/evp.h>
++#endif
+
+ #include "sshbuf.h"
+ #include "ssh2.h"
+diff --git a/loginrec.c b/loginrec.c
+index 9a427dec..49abe918 100644
+--- a/loginrec.c
++++ b/loginrec.c
+@@ -166,6 +166,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+
+ #include "xmalloc.h"
+ #include "sshkey.h"
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 644da081..56079d97 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -40,7 +40,9 @@ struct sshauthopt;
+
+ void mm_log_handler(LogLevel, const char *, void *);
+ int mm_is_monitor(void);
++#ifdef WITH_OPENSSL
+ DH *mm_choose_dh(int, int, int);
++#endif
+ int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
+ const char *, u_int compat);
+ void mm_inform_authserv(char *, char *);
+diff --git a/myproposal.h b/myproposal.h
+index 27b4a15a..ad62ef80 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -24,7 +24,9 @@
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
++#ifdef WITH_OPENSSL
+ #include <openssl/opensslv.h>
++#endif
+
+ /* conditional algorithm support */
+
+diff --git a/ssh-add.c b/ssh-add.c
+index adcc4599..526eb39c 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -40,7 +40,9 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#endif
+ #include "openbsd-compat/openssl-compat.h"
+
+ #include <errno.h>
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index 38b1c548..47da5f67 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -19,7 +19,9 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/bn.h>
++#endif
+
+ #include <netdb.h>
+ #include <errno.h>
+diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c
+index d0d791b5..96c8e629 100644
+--- a/sshbuf-getput-crypto.c
++++ b/sshbuf-getput-crypto.c
+@@ -18,6 +18,8 @@
+ #define SSHBUF_INTERNAL
+ #include "includes.h"
+
++#ifdef WITH_OPENSSL
++
+ #include <sys/types.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+@@ -222,3 +224,4 @@ sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v)
+ }
+ #endif /* OPENSSL_HAS_ECC */
+
++#endif /* WITH_OPENSSL */
+diff --git a/sshkey.c b/sshkey.c
+index 63c01ea6..c82f0fbe 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -27,6 +27,7 @@
+
+ #include "includes.h"
+
++#include <time.h>
+ #include <sys/types.h>
+ #include <netinet/in.h>
+
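Review bot: Two of the eleven file changes in the embedded patch are not `#ifdef WITH_OPENSSL` guards: the loginrec.c hunk adds `#include <stdlib.h>` and the sshkey.c hunk adds `#include <time.h>`, and the patch header does not say why. Presumably both files used to get those declarations indirectly through the OpenSSL headers; a sentence in the header such as `loginrec.c and sshkey.c include <stdlib.h>/<time.h> directly because they no longer get them via the OpenSSL headers` would let whoever rebases this onto a newer OpenSSH judge whether the lines are still needed. In the ssh-add.c hunk, `#include "openbsd-compat/openssl-compat.h"` stays outside the new guard, which is only safe if that header guards its own OpenSSL includes; that is not visible here and worth confirming. The same embedded patch is reposted in the v3 and v4 messages further down.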
diff --git a/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb b/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
index f54dfb5de4..802e9c023b 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
@@ -8,7 +8,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
-DEPENDS = "zlib openssl"
+DEPENDS = "zlib"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
@@ -24,6 +24,7 @@ SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://fix_without-openssl.patch \
"
PAM_SRC_URI = "file://sshd"
@@ -71,6 +72,9 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
# We don't want to depend on libblockfile
CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = ",--without-openssl,openssl"
+
do_configure_prepend () {
export LD="${CC}"
install -m 0644 ${WORKDIR}/sshd_config ${B}/
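Review bot: The new `PACKAGECONFIG[openssl]` switch carries no comment telling a distro maintainer what turning it off costs: per the commit description an OpenSSL-less build is left with ed25519, so RSA and ECDSA host and user keys are no longer usable. A comment above the two added lines, e.g. `# Without "openssl" only ed25519 keys are supported; RSA/ECDSA host and user keys are unavailable.`, would put that trade-off at the point of choice. The recipe still ships `sshd_check_keys` in SRC_URI and installs `sshd_config` in `do_configure_prepend` (whose body continues past the end of this hunk) unchanged; if either refers to RSA or ECDSA host keys, which this diff does not show, host-key generation and sshd start-up should be tested with the option disabled. The same hunk recurs in the v3 and v4 postings.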
--
2.18.0
* ✗ patchtest: failure for openssh: make OpenSSL optional
From: Patchwork @ 2018-09-20 18:32 UTC (permalink / raw)
To: Max Kellermann; +Cc: openembedded-core
== Series Details ==
Series: openssh: make OpenSSL optional
Revision: 1
URL : https://patchwork.openembedded.org/series/14158/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
Suggested fix Sign off the added patch file (meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch)
* Issue Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
Suggested fix Add Upstream-Status: <Valid status> to the header of meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
Standard format Upstream-Status: <Valid status>
Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* [PATCH v3] openssh: make OpenSSL optional
From: Max Kellermann @ 2018-09-20 18:38 UTC (permalink / raw)
To: openembedded-core; +Cc: Max Kellermann
From: Max Kellermann <max.kellermann@gmail.com>
Without OpenSSL, OpenSSH can still do ed25519, which is enough for
many users; and it saves a rather heavy dependency.
This requires a patch because lots of `#ifdef WITH_OPENSSL` are
missing.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
.../openssh/openssh/fix_without-openssl.patch | 169 ++++++++++++++++++
.../openssh/openssh_7.8p1+git.bb | 6 +-
2 files changed, 174 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch b/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
new file mode 100644
index 0000000000..32b324e634
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
@@ -0,0 +1,169 @@
+commit b9c78fd9915cfd10e0ad70eba34b15e0036d2911
+Author: Max Kellermann <max.kellermann@gmail.com>
+Date: Thu Sep 20 20:04:14 2018 +0200
+
+ auth, ...: add missing `#ifdef WITH_OPENSSL`
+
+ Even though OpenSSH doesn't use OpenSSL when built with
+ `--without-openssl`, it still needs to include its headers to compile
+ code which is unused in this configuration.
+
+ Upstream-Status: Pending
+
+ Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
+
+diff --git a/auth.h b/auth.h
+index 977562f0..f68731ef 100644
+--- a/auth.h
++++ b/auth.h
+@@ -30,7 +30,9 @@
+
+ #include <signal.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/rsa.h>
++#endif
+
+ #ifdef HAVE_LOGIN_CAP
+ #include <login_cap.h>
+diff --git a/cipher.c b/cipher.c
+index 12c59888..43c2e4df 100644
+--- a/cipher.c
++++ b/cipher.c
+@@ -55,7 +55,9 @@
+ struct sshcipher_ctx {
+ int plaintext;
+ int encrypt;
++#ifdef WITH_OPENSSL
+ EVP_CIPHER_CTX *evp;
++#endif
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+ const struct sshcipher *cipher;
+diff --git a/cipher.h b/cipher.h
+index dc1571d2..954c356a 100644
+--- a/cipher.h
++++ b/cipher.h
+@@ -38,7 +38,9 @@
+ #define CIPHER_H
+
+ #include <sys/types.h>
++#ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#endif
+ #include "cipher-chachapoly.h"
+ #include "cipher-aesctr.h"
+
+diff --git a/kexc25519.c b/kexc25519.c
+index 0897b8c5..6a54cf9b 100644
+--- a/kexc25519.c
++++ b/kexc25519.c
+@@ -32,8 +32,10 @@
+ #include <signal.h>
+ #include <string.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/bn.h>
+ #include <openssl/evp.h>
++#endif
+
+ #include "sshbuf.h"
+ #include "ssh2.h"
+diff --git a/loginrec.c b/loginrec.c
+index 9a427dec..49abe918 100644
+--- a/loginrec.c
++++ b/loginrec.c
+@@ -166,6 +166,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+
+ #include "xmalloc.h"
+ #include "sshkey.h"
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 644da081..56079d97 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -40,7 +40,9 @@ struct sshauthopt;
+
+ void mm_log_handler(LogLevel, const char *, void *);
+ int mm_is_monitor(void);
++#ifdef WITH_OPENSSL
+ DH *mm_choose_dh(int, int, int);
++#endif
+ int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
+ const char *, u_int compat);
+ void mm_inform_authserv(char *, char *);
+diff --git a/myproposal.h b/myproposal.h
+index 27b4a15a..ad62ef80 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -24,7 +24,9 @@
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
++#ifdef WITH_OPENSSL
+ #include <openssl/opensslv.h>
++#endif
+
+ /* conditional algorithm support */
+
+diff --git a/ssh-add.c b/ssh-add.c
+index adcc4599..526eb39c 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -40,7 +40,9 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#endif
+ #include "openbsd-compat/openssl-compat.h"
+
+ #include <errno.h>
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index 38b1c548..47da5f67 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -19,7 +19,9 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/bn.h>
++#endif
+
+ #include <netdb.h>
+ #include <errno.h>
+diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c
+index d0d791b5..96c8e629 100644
+--- a/sshbuf-getput-crypto.c
++++ b/sshbuf-getput-crypto.c
+@@ -18,6 +18,8 @@
+ #define SSHBUF_INTERNAL
+ #include "includes.h"
+
++#ifdef WITH_OPENSSL
++
+ #include <sys/types.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+@@ -222,3 +224,4 @@ sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v)
+ }
+ #endif /* OPENSSL_HAS_ECC */
+
++#endif /* WITH_OPENSSL */
+diff --git a/sshkey.c b/sshkey.c
+index 63c01ea6..c82f0fbe 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -27,6 +27,7 @@
+
+ #include "includes.h"
+
++#include <time.h>
+ #include <sys/types.h>
+ #include <netinet/in.h>
+
diff --git a/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb b/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
index f54dfb5de4..802e9c023b 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
@@ -8,7 +8,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
-DEPENDS = "zlib openssl"
+DEPENDS = "zlib"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
@@ -24,6 +24,7 @@ SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://fix_without-openssl.patch \
"
PAM_SRC_URI = "file://sshd"
@@ -71,6 +72,9 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
# We don't want to depend on libblockfile
CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = ",--without-openssl,openssl"
+
do_configure_prepend () {
export LD="${CC}"
install -m 0644 ${WORKDIR}/sshd_config ${B}/
--
2.18.0
* ✗ patchtest: failure for openssh: make OpenSSL optional (rev2)
From: Patchwork @ 2018-09-20 19:02 UTC (permalink / raw)
To: Max Kellermann; +Cc: openembedded-core
== Series Details ==
Series: openssh: make OpenSSL optional (rev2)
Revision: 2
URL : https://patchwork.openembedded.org/series/14158/
State : failure
== Summary ==
Thank you for submitting this patch series to OpenEmbedded Core. This is
an automated response. Several tests have been executed on the proposed
series by patchtest resulting in the following failures:
* Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
Suggested fix Sign off the added patch file (meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch)
* Issue Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
Suggested fix Add Upstream-Status: <Valid status> to the header of meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
Standard format Upstream-Status: <Valid status>
Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]
If you believe any of these test results are incorrect, please reply to the
mailing list (openembedded-core@lists.openembedded.org) raising your concerns.
Otherwise we would appreciate you correcting the issues and submitting a new
version of the patchset if applicable. Please ensure you add/increment the
version number when sending the new version (i.e. [PATCH] -> [PATCH v2] ->
[PATCH v3] -> ...).
---
Guidelines: https://www.openembedded.org/wiki/Commit_Patch_Message_Guidelines
Test framework: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest
Test suite: http://git.yoctoproject.org/cgit/cgit.cgi/patchtest-oe
* Re: ✗ patchtest: failure for openssh: make OpenSSL optional (rev2)
From: Max Kellermann @ 2018-09-20 19:07 UTC (permalink / raw)
To: openembedded-core
On 2018/09/20 21:02, Patchwork <patchwork@patchwork.openembedded.org> wrote:
> * Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
> Suggested fix Sign off the added patch file (meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch)
>
> * Issue Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
> Suggested fix Add Upstream-Status: <Valid status> to the header of meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
> Standard format Upstream-Status: <Valid status>
> Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]
Hmm, both are present in my (newest) patch.
https://patchwork.openembedded.org/patch/155025/
Can somebody explain this Patchwork failure to me?
Max
* Re: ✗ patchtest: failure for openssh: make OpenSSL optional (rev2)
From: Andre McCurdy @ 2018-09-20 19:13 UTC (permalink / raw)
To: OE Core mailing list
On Thu, Sep 20, 2018 at 12:07 PM, Max Kellermann
<max+openembedded@blarg.de> wrote:
> On 2018/09/20 21:02, Patchwork <patchwork@patchwork.openembedded.org> wrote:
>> * Issue A patch file has been added, but does not have a Signed-off-by tag [test_signed_off_by_presence]
>> Suggested fix Sign off the added patch file (meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch)
>>
>> * Issue Added patch file is missing Upstream-Status in the header [test_upstream_status_presence_format]
>> Suggested fix Add Upstream-Status: <Valid status> to the header of meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
>> Standard format Upstream-Status: <Valid status>
>> Valid status Pending, Accepted, Backport, Denied, Inappropriate [reason], Submitted [where]
>
> Hmm, both is present in my (newest) patch.
>
> https://patchwork.openembedded.org/patch/155025/
>
> Can somebody explain this Patchwork failure to me?
Try putting both tags at the start of a line rather than indenting.
* [PATCH v4] openssh: make OpenSSL optional
From: Max Kellermann @ 2018-09-20 19:34 UTC (permalink / raw)
To: openembedded-core; +Cc: Max Kellermann
From: Max Kellermann <max.kellermann@gmail.com>
Without OpenSSL, OpenSSH can still do ed25519, which is enough for
many users; and it saves a rather heavy dependency.
This requires a patch because lots of `#ifdef WITH_OPENSSL` are
missing.
Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
---
.../openssh/openssh/fix_without-openssl.patch | 184 ++++++++++++++++++
.../openssh/openssh_7.8p1+git.bb | 6 +-
2 files changed, 189 insertions(+), 1 deletion(-)
create mode 100644 meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
diff --git a/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch b/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
new file mode 100644
index 0000000000..04c4153409
--- /dev/null
+++ b/meta/recipes-connectivity/openssh/openssh/fix_without-openssl.patch
@@ -0,0 +1,184 @@
+From b9c78fd9915cfd10e0ad70eba34b15e0036d2911 Mon Sep 17 00:00:00 2001
+From: Max Kellermann <max.kellermann@gmail.com>
+Date: Thu, 20 Sep 2018 20:04:14 +0200
+Subject: [PATCH] auth, ...: add missing `#ifdef WITH_OPENSSL`
+
+Even though OpenSSH doesn't use OpenSSL when built with
+`--without-openssl`, it still needs to include its headers to compile
+code which is unused in this configuration.
+
+Upstream-Status: Pending
+
+Signed-off-by: Max Kellermann <max.kellermann@gmail.com>
+---
+ auth.h | 2 ++
+ cipher.c | 2 ++
+ cipher.h | 2 ++
+ kexc25519.c | 2 ++
+ loginrec.c | 1 +
+ monitor_wrap.h | 2 ++
+ myproposal.h | 2 ++
+ ssh-add.c | 2 ++
+ ssh-keyscan.c | 2 ++
+ sshbuf-getput-crypto.c | 3 +++
+ sshkey.c | 1 +
+ 11 files changed, 21 insertions(+)
+
+diff --git a/auth.h b/auth.h
+index 977562f0..f68731ef 100644
+--- a/auth.h
++++ b/auth.h
+@@ -30,7 +30,9 @@
+
+ #include <signal.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/rsa.h>
++#endif
+
+ #ifdef HAVE_LOGIN_CAP
+ #include <login_cap.h>
+diff --git a/cipher.c b/cipher.c
+index 12c59888..43c2e4df 100644
+--- a/cipher.c
++++ b/cipher.c
+@@ -55,7 +55,9 @@
+ struct sshcipher_ctx {
+ int plaintext;
+ int encrypt;
++#ifdef WITH_OPENSSL
+ EVP_CIPHER_CTX *evp;
++#endif
+ struct chachapoly_ctx cp_ctx; /* XXX union with evp? */
+ struct aesctr_ctx ac_ctx; /* XXX union with evp? */
+ const struct sshcipher *cipher;
+diff --git a/cipher.h b/cipher.h
+index dc1571d2..954c356a 100644
+--- a/cipher.h
++++ b/cipher.h
+@@ -38,7 +38,9 @@
+ #define CIPHER_H
+
+ #include <sys/types.h>
++#ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#endif
+ #include "cipher-chachapoly.h"
+ #include "cipher-aesctr.h"
+
+diff --git a/kexc25519.c b/kexc25519.c
+index 0897b8c5..6a54cf9b 100644
+--- a/kexc25519.c
++++ b/kexc25519.c
+@@ -32,8 +32,10 @@
+ #include <signal.h>
+ #include <string.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/bn.h>
+ #include <openssl/evp.h>
++#endif
+
+ #include "sshbuf.h"
+ #include "ssh2.h"
+diff --git a/loginrec.c b/loginrec.c
+index 9a427dec..49abe918 100644
+--- a/loginrec.c
++++ b/loginrec.c
+@@ -166,6 +166,7 @@
+ #include <string.h>
+ #include <time.h>
+ #include <unistd.h>
++#include <stdlib.h>
+
+ #include "xmalloc.h"
+ #include "sshkey.h"
+diff --git a/monitor_wrap.h b/monitor_wrap.h
+index 644da081..56079d97 100644
+--- a/monitor_wrap.h
++++ b/monitor_wrap.h
+@@ -40,7 +40,9 @@ struct sshauthopt;
+
+ void mm_log_handler(LogLevel, const char *, void *);
+ int mm_is_monitor(void);
++#ifdef WITH_OPENSSL
+ DH *mm_choose_dh(int, int, int);
++#endif
+ int mm_sshkey_sign(struct sshkey *, u_char **, size_t *, const u_char *, size_t,
+ const char *, u_int compat);
+ void mm_inform_authserv(char *, char *);
+diff --git a/myproposal.h b/myproposal.h
+index 27b4a15a..ad62ef80 100644
+--- a/myproposal.h
++++ b/myproposal.h
+@@ -24,7 +24,9 @@
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
++#ifdef WITH_OPENSSL
+ #include <openssl/opensslv.h>
++#endif
+
+ /* conditional algorithm support */
+
+diff --git a/ssh-add.c b/ssh-add.c
+index adcc4599..526eb39c 100644
+--- a/ssh-add.c
++++ b/ssh-add.c
+@@ -40,7 +40,9 @@
+ #include <sys/types.h>
+ #include <sys/stat.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/evp.h>
++#endif
+ #include "openbsd-compat/openssl-compat.h"
+
+ #include <errno.h>
+diff --git a/ssh-keyscan.c b/ssh-keyscan.c
+index 38b1c548..47da5f67 100644
+--- a/ssh-keyscan.c
++++ b/ssh-keyscan.c
+@@ -19,7 +19,9 @@
+ #include <netinet/in.h>
+ #include <arpa/inet.h>
+
++#ifdef WITH_OPENSSL
+ #include <openssl/bn.h>
++#endif
+
+ #include <netdb.h>
+ #include <errno.h>
+diff --git a/sshbuf-getput-crypto.c b/sshbuf-getput-crypto.c
+index d0d791b5..96c8e629 100644
+--- a/sshbuf-getput-crypto.c
++++ b/sshbuf-getput-crypto.c
+@@ -18,6 +18,8 @@
+ #define SSHBUF_INTERNAL
+ #include "includes.h"
+
++#ifdef WITH_OPENSSL
++
+ #include <sys/types.h>
+ #include <stdlib.h>
+ #include <stdio.h>
+@@ -222,3 +224,4 @@ sshbuf_put_eckey(struct sshbuf *buf, const EC_KEY *v)
+ }
+ #endif /* OPENSSL_HAS_ECC */
+
++#endif /* WITH_OPENSSL */
+diff --git a/sshkey.c b/sshkey.c
+index 63c01ea6..c82f0fbe 100644
+--- a/sshkey.c
++++ b/sshkey.c
+@@ -27,6 +27,7 @@
+
+ #include "includes.h"
+
++#include <time.h>
+ #include <sys/types.h>
+ #include <netinet/in.h>
+
+--
+2.18.0
+
diff --git a/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb b/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
index f54dfb5de4..802e9c023b 100644
--- a/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
+++ b/meta/recipes-connectivity/openssh/openssh_7.8p1+git.bb
@@ -8,7 +8,7 @@ SECTION = "console/network"
LICENSE = "BSD"
LIC_FILES_CHKSUM = "file://LICENCE;md5=429658c6612f3a9b1293782366ab29d8"
-DEPENDS = "zlib openssl"
+DEPENDS = "zlib"
DEPENDS += "${@bb.utils.contains('DISTRO_FEATURES', 'pam', 'libpam', '', d)}"
SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
@@ -24,6 +24,7 @@ SRC_URI = "git://github.com/openssh/openssh-portable;branch=master \
file://fix-potential-signed-overflow-in-pointer-arithmatic.patch \
file://sshd_check_keys \
file://add-test-support-for-busybox.patch \
+ file://fix_without-openssl.patch \
"
PAM_SRC_URI = "file://sshd"
@@ -71,6 +72,9 @@ CACHED_CONFIGUREVARS += "ac_cv_path_PATH_PASSWD_PROG=${bindir}/passwd"
# We don't want to depend on libblockfile
CACHED_CONFIGUREVARS += "ac_cv_header_maillock_h=no"
+PACKAGECONFIG ??= "openssl"
+PACKAGECONFIG[openssl] = ",--without-openssl,openssl"
+
do_configure_prepend () {
export LD="${CC}"
install -m 0644 ${WORKDIR}/sshd_config ${B}/
--
2.18.0