From 129d0bb6a65dcd9639e841cc3fd2ef3490420d7b Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Mon, 19 Dec 2005 17:40:40 +1100 Subject: - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac openbsd-compat/openssl-compat.h] Check for and work around broken AES ciphers >128bit on (some) Solaris 10 systems. ok djm@ --- ChangeLog | 7 ++++++- cipher-aes.c | 12 ++++++------ cipher-ctr.c | 7 +++---- cipher.c | 4 ++-- configure.ac | 20 +++++++++++++++++++- openbsd-compat/openssl-compat.h | 8 ++++++-- 6 files changed, 42 insertions(+), 16 deletions(-) diff --git a/ChangeLog b/ChangeLog index d28bdf5d..a8074f04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,8 @@ +20051219 + - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac + openbsd-compat/openssl-compat.h] Check for and work around broken AES + ciphers >128bit on (some) Solaris 10 systems. ok djm@ + 20051217 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which scp.c also uses, so undef them here. @@ -3466,4 +3471,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4030 2005/12/17 11:32:03 dtucker Exp $ +$Id: ChangeLog,v 1.4031 2005/12/19 06:40:40 dtucker Exp $ diff --git a/cipher-aes.c b/cipher-aes.c index 22d500d4..228ddb10 100644 --- a/cipher-aes.c +++ b/cipher-aes.c @@ -23,7 +23,11 @@ */ #include "includes.h" -#if OPENSSL_VERSION_NUMBER < 0x00907000L + +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" + +#ifdef USE_BUILTIN_RIJNDAEL RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include @@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $"); #include "xmalloc.h" #include "log.h" -#if OPENSSL_VERSION_NUMBER < 0x00906000L -#define SSH_OLD_EVP -#endif - #define RIJNDAEL_BLOCKSIZE 16 struct ssh_rijndael_ctx { 
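Review bot: `SSH_OLD_EVP` has no visible definition once the first cipher-aes.c hunk deletes the local `#define` for OpenSSL older than 0.9.6; the cipher-ctr.c hunk drops the same block. Nothing shown in this patch establishes that openssl-compat.h defines it. If it does not, the code guarded by `SSH_OLD_EVP` silently stops being compiled on those versions instead of failing the build. Confirm the header provides it and say so at the new include, e.g. `/* defines SSH_OLD_EVP and USE_BUILTIN_RIJNDAEL for old or broken OpenSSL */`. The file body continues past the end of the hunk.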
@@ -157,4 +157,4 @@ evp_rijndael(void) #endif return (&rijndal_cbc); } -#endif /* OPENSSL_VERSION_NUMBER */ +#endif /* USE_BUILTIN_RIJNDAEL */ diff --git a/cipher-ctr.c b/cipher-ctr.c index 85617734..8a98f3c4 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c @@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $"); #include "log.h" #include "xmalloc.h" -#if OPENSSL_VERSION_NUMBER < 0x00906000L -#define SSH_OLD_EVP -#endif +/* compatibility with old or broken OpenSSL versions */ +#include "openbsd-compat/openssl-compat.h" -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL #include "rijndael.h" #define AES_KEY rijndael_ctx #define AES_BLOCK_SIZE 16 diff --git a/cipher.c b/cipher.c index 0dddf270..1434d552 100644 --- a/cipher.c +++ b/cipher.c @@ -334,7 +334,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len) if ((u_int)evplen != len) fatal("%s: wrong iv length %d != %d", __func__, evplen, len); -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL if (c->evptype == evp_rijndael) ssh_rijndael_iv(&cc->evp, 0, iv, len); else @@ -365,7 +365,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv) evplen = EVP_CIPHER_CTX_iv_length(&cc->evp); if (evplen == 0) return; -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#ifdef USE_BUILTIN_RIJNDAEL if (c->evptype == evp_rijndael) ssh_rijndael_iv(&cc->evp, 1, iv, evplen); else diff --git a/configure.ac b/configure.ac index df85e319..9325c436 100644 --- a/configure.ac +++ b/configure.ac @@ -1,4 +1,4 @@ -# $Id: configure.ac,v 1.315 2005/12/17 11:32:03 dtucker Exp $ +# $Id: configure.ac,v 1.316 2005/12/19 06:40:40 dtucker Exp $ # # Copyright (c) 1999-2004 Damien Miller # 
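Review bot: Neither cipher.c hunk adds `#include "openbsd-compat/openssl-compat.h"`, yet both `#ifdef USE_BUILTIN_RIJNDAEL` tests (in cipher_get_keyiv and cipher_set_keyiv) depend on a macro that only that header defines. If cipher.c does not already include the header above these functions, the `ssh_rijndael_iv()` branch drops out with no diagnostic. IV get and set for the built-in cipher would then take the `else` path, whose code is outside the hunk. The include is presumably already present, since the `EVP_aes_*_cbc` remapping lived in the same header before this commit, but that is worth confirming. Both function bodies start and end outside the hunks.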
@@ -1803,6 +1803,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.]) ] ) +# Check for OpenSSL without EVP_aes_{192,256}_cbc +AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) +AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([[ +#include +#include +int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)} + ]])], + [ + AC_MSG_RESULT(no) + ], + [ + AC_MSG_RESULT(yes) + AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1, + [libcrypto is missing AES 192 and 256 bit functions]) + ] +) + # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, # because the system crypt() is more featureful. if test "x$check_for_libcrypt_before" = "x1"; then diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 4988485f..8a015ec4 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.2 2005/11/20 03:10:00 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */ /* * Copyright (c) 2005 Darren Tucker @@ -24,7 +24,11 @@ # define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) #endif -#if OPENSSL_VERSION_NUMBER < 0x00907000L +#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES) +# define USE_BUILTIN_RIJNDAEL +#endif + +#ifdef USE_BUILTIN_RIJNDAEL # define EVP_aes_128_cbc evp_rijndael # define EVP_aes_192_cbc evp_rijndael # define EVP_aes_256_cbc evp_rijndael -- cgit v1.2.3
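Review bot: The test program's `exit(...)` call has no terminating semicolon before the closing brace, so as shown it cannot compile. `AC_COMPILE_IFELSE` would then take the failure branch on every system, defining `OPENSSL_LOBOTOMISED_AES` and switching all builds to the bundled rijndael code. The line should read `int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); }`. A compile-only check also never evaluates the `== NULL` comparison and only catches headers that do not declare the two functions; if that is the intent, a comment such as `# compile-only: detects headers lacking EVP_aes_{192,256}_cbc declarations` would make it clear. The two `#include` lines appear on this page without header names, which looks like an extraction artefact rather than part of the patch.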
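Review bot: `USE_BUILTIN_RIJNDAEL` is introduced in openssl-compat.h without a comment, and its effect is wider than the commit message's ">128bit" wording suggests. The `#ifdef` block remaps `EVP_aes_128_cbc` as well as the 192- and 256-bit variants to `evp_rijndael`, so on an affected system none of the three AES-CBC constructors comes from libcrypto. A comment above the new `#if` would make that explicit, e.g. `/* Old or crippled libcrypto: use the bundled rijndael for all AES key sizes, including 128-bit */`. Also, if `OPENSSL_VERSION_NUMBER` is undefined where this header is included, the preprocessor evaluates it as 0 and the built-in path is selected silently; whether every includer has the OpenSSL version header in scope first is not visible here. The remapping block continues past the end of the hunk.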