diff options
| author | Darren Tucker <dtucker@zip.com.au> | 2005-12-19 17:40:40 +1100 |
|---|---|---|
| committer | Darren Tucker <dtucker@zip.com.au> | 2005-12-19 17:40:40 +1100 |
| commit | 129d0bb6a65dcd9639e841cc3fd2ef3490420d7b (patch) | |
| tree | a56f568a753739143c8662390e8cf6d8f2f34025 | |
| parent | d40c66cf3f5d7713ea9489778dc450a48984a81d (diff) | |
| download | openssh-git-129d0bb6a65dcd9639e841cc3fd2ef3490420d7b.tar.gz | |
- (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
openbsd-compat/openssl-compat.h] Check for and work around broken AES
ciphers >128bit on (some) Solaris 10 systems. ok djm@
| -rw-r--r-- | ChangeLog | 7 | ||||
| -rw-r--r-- | cipher-aes.c | 12 | ||||
| -rw-r--r-- | cipher-ctr.c | 7 | ||||
| -rw-r--r-- | cipher.c | 4 | ||||
| -rw-r--r-- | configure.ac | 20 | ||||
| -rw-r--r-- | openbsd-compat/openssl-compat.h | 8 |
6 files changed, 42 insertions, 16 deletions
@@ -1,3 +1,8 @@ +20051219 + - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac + openbsd-compat/openssl-compat.h] Check for and work around broken AES + ciphers >128bit on (some) Solaris 10 systems. ok djm@ + 20051217 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which scp.c also uses, so undef them here. @@ -3466,4 +3471,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4030 2005/12/17 11:32:03 dtucker Exp $ +$Id: ChangeLog,v 1.4031 2005/12/19 06:40:40 dtucker Exp $ diff --git a/cipher-aes.c b/cipher-aes.c index 22d500d4..228ddb10 100644 --- a/cipher-aes.c +++ b/cipher-aes.c @@ -23,7 +23,11 @@ */ #include "includes.h" -#if OPENSSL_VERSION_NUMBER < 0x00907000L + +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" + +#ifdef USE_BUILTIN_RIJNDAEL RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include <openssl/evp.h> @@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include "xmalloc.h" #include "log.h" -#if OPENSSL_VERSION_NUMBER < 0x00906000L -#define SSH_OLD_EVP -#endif - #define RIJNDAEL_BLOCKSIZE 16 struct ssh_rijndael_ctx { @@ -157,4 +157,4 @@ evp_rijndael(void) #endif return (&rijndal_cbc); } -#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* USE_BUILTIN_RIJNDAEL */ diff --git a/cipher-ctr.c b/cipher-ctr.c index 85617734..8a98f3c4 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $"); #include "log.h" #include "xmalloc.h" -#if OPENSSL_VERSION_NUMBER < 0x00906000L -#define SSH_OLD_EVP -#endif +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL #include "rijndael.h" #define AES_KEY rijndael_ctx #define AES_BLOCK_SIZE 16 @@ -334,7 +334,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) if ((u_int)evplen != len) fatal("%s: wrong iv length %d != %d", __func__, evplen, len); -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL if (c->evptype == evp_rijndael) ssh_rijndael_iv(&cc->evp, 0, iv, len); else @@ -365,7 +365,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); if (evplen == 0) return; -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL if (c->evptype == evp_rijndael) ssh_rijndael_iv(&cc->evp, 1, iv, evplen); else diff --git a/configure.ac b/configure.ac index df85e319..9325c436 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.315 2005/12/17 11:32:03 dtucker Exp $ +# $Id: configure.ac,v 1.316 2005/12/19 06:40:40 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # @@ -1803,6 +1803,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.]) ] ) +# Check for OpenSSL without EVP_aes_{192,256}_cbc +AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) +AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([[ +#include <string.h> +#include <openssl/evp.h> +int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)} + ]])], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1, + [libcrypto is missing AES 192 and 256 bit functions]) + ] +) + # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, # because the system crypt() is more featureful. if test "x$check_for_libcrypt_before" = "x1"; then diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 4988485f..8a015ec4 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.2 2005/11/20 03:10:00 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> @@ -24,7 +24,11 @@ # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) #endif -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES) +# define USE_BUILTIN_RIJNDAEL +#endif + +#ifdef USE_BUILTIN_RIJNDAEL # define EVP_aes_128_cbc evp_rijndael # define EVP_aes_192_cbc evp_rijndael # define EVP_aes_256_cbc evp_rijndael |