- (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac

openbsd-compat/openssl-compat.h] Check for and work around broken AES ciphers >128bit on (some) Solaris 10 systems. ok djm@
author: Darren Tucker <dtucker@zip.com.au> 2005-12-19 17:40:40 +1100
committer: Darren Tucker <dtucker@zip.com.au> 2005-12-19 17:40:40 +1100
commit: 129d0bb6a65dcd9639e841cc3fd2ef3490420d7b (patch)
tree: a56f568a753739143c8662390e8cf6d8f2f34025
parent: d40c66cf3f5d7713ea9489778dc450a48984a81d (diff)
6 files changed, 42 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index d28bdf5d6..a8074f04a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20051219
+ - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
+   openbsd-compat/openssl-compat.h] Check for and work around broken AES
+   ciphers >128bit on (some) Solaris 10 systems.  ok djm@
 20051217
 - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
   scp.c also uses, so undef them here.
@@ -3466,4 +3471,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4030 2005/12/17 11:32:03 dtucker Exp $
+$Id: ChangeLog,v 1.4031 2005/12/19 06:40:40 dtucker Exp $
diff --git a/cipher-aes.c b/cipher-aes.c
index 22d500d42..228ddb104 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -23,7 +23,11 @@
 */
 #include "includes.h"
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+#ifdef USE_BUILTIN_RIJNDAEL
 RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 #include <openssl/evp.h>
@@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 #include "xmalloc.h"
 #include "log.h"
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
 #define RIJNDAEL_BLOCKSIZE 16
 struct ssh_rijndael_ctx
 {
@@ -157,4 +157,4 @@ evp_rijndael(void)
 #endif
        return (&rijndal_cbc);
 }
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* USE_BUILTIN_RIJNDAEL */
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 856177349..8a98f3c42 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
 #include "log.h"
 #include "xmalloc.h"
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
+/* compatibility with old or broken OpenSSL versions */
-#define SSH_OLD_EVP
+#include "openbsd-compat/openssl-compat.h"
-#endif
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
 #include "rijndael.h"
 #define AES_KEY rijndael_ctx
 #define AES_BLOCK_SIZE 16
diff --git a/cipher.c b/cipher.c
index 0dddf270a..1434d5524 100644
--- a/cipher.c
+++ b/cipher.c
@@ -334,7 +334,7 @@ cipher_get_keyiv(CipherContext *cc, u_char *iv, u_int len)
                if ((u_int)evplen != len)
                        fatal("%s: wrong iv length %d != %d", __func__,
                            evplen, len);
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
                if (c->evptype == evp_rijndael)
                        ssh_rijndael_iv(&cc->evp, 0, iv, len);
                else
@@ -365,7 +365,7 @@ cipher_set_keyiv(CipherContext *cc, u_char *iv)
                evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
                if (evplen == 0)
                        return;
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
                if (c->evptype == evp_rijndael)
                        ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
                else
diff --git a/configure.ac b/configure.ac
index df85e319f..9325c4364 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.315 2005/12/17 11:32:03 dtucker Exp $
+# $Id: configure.ac,v 1.316 2005/12/19 06:40:40 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -1803,6 +1803,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.])
        ]
 )
+# Check for OpenSSL without EVP_aes_{192,256}_cbc
+AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
+AC_COMPILE_IFELSE(
+        [AC_LANG_SOURCE([[
+#include <string.h>
+#include <openssl/evp.h>
+int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)}
+        ]])],
+        [
+                AC_MSG_RESULT(no)
+        ],
+        [
+                AC_MSG_RESULT(yes)
+                AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
+                    [libcrypto is missing AES 192 and 256 bit functions])
+        ]
+)
 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
 # because the system crypt() is more featureful.
 if test "x$check_for_libcrypt_before" = "x1"; then
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 4988485f1..8a015ec43 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.2 2005/11/20 03:10:00 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
 /*
 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -24,7 +24,11 @@
 # define EVP_CIPHER_CTX_get_app_data(e)         ((e)->app_data)
 #endif
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
+# define USE_BUILTIN_RIJNDAEL
+#endif
+#ifdef USE_BUILTIN_RIJNDAEL
 # define EVP_aes_128_cbc evp_rijndael
 # define EVP_aes_192_cbc evp_rijndael
 # define EVP_aes_256_cbc evp_rijndael
author	Darren Tucker <dtucker@zip.com.au>	2005-12-19 17:40:40 +1100
committer	Darren Tucker <dtucker@zip.com.au>	2005-12-19 17:40:40 +1100
commit	129d0bb6a65dcd9639e841cc3fd2ef3490420d7b (patch)
tree	a56f568a753739143c8662390e8cf6d8f2f34025
parent	d40c66cf3f5d7713ea9489778dc450a48984a81d (diff)

diff --git a/ChangeLog b/ChangeLog index d28bdf5d6..a8074f04a 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -1,3 +1,8 @@
		1	20051219
		2	- (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
		3	openbsd-compat/openssl-compat.h] Check for and work around broken AES
		4	ciphers >128bit on (some) Solaris 10 systems. ok djm@
		5
1	20051217	6	20051217
2	- (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which	7	- (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
3	scp.c also uses, so undef them here.	8	scp.c also uses, so undef them here.
@@ -3466,4 +3471,4 @@
3466	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	3471	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
3467	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	3472	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
3468		3473
3469	$Id: ChangeLog,v 1.4030 2005/12/17 11:32:03 dtucker Exp $	3474	$Id: ChangeLog,v 1.4031 2005/12/19 06:40:40 dtucker Exp $


diff --git a/cipher-aes.c b/cipher-aes.c index 22d500d42..228ddb104 100644 --- a/cipher-aes.c +++ b/cipher-aes.c
@@ -23,7 +23,11 @@
23	*/	23	*/
24		24
25	#include "includes.h"	25	#include "includes.h"
26	#if OPENSSL_VERSION_NUMBER < 0x00907000L	26
		27	/* compatibility with old or broken OpenSSL versions */
		28	#include "openbsd-compat/openssl-compat.h"
		29
		30	#ifdef USE_BUILTIN_RIJNDAEL
27	RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");	31	RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
28		32
29	#include <openssl/evp.h>	33	#include <openssl/evp.h>
@@ -31,10 +35,6 @@ RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
31	#include "xmalloc.h"	35	#include "xmalloc.h"
32	#include "log.h"	36	#include "log.h"
33		37
34	#if OPENSSL_VERSION_NUMBER < 0x00906000L
35	#define SSH_OLD_EVP
36	#endif
37
38	#define RIJNDAEL_BLOCKSIZE 16	38	#define RIJNDAEL_BLOCKSIZE 16
39	struct ssh_rijndael_ctx	39	struct ssh_rijndael_ctx
40	{	40	{
@@ -157,4 +157,4 @@ evp_rijndael(void)
157	#endif	157	#endif
158	return (&rijndal_cbc);	158	return (&rijndal_cbc);
159	}	159	}
160	#endif /* OPENSSL_VERSION_NUMBER */	160	#endif /* USE_BUILTIN_RIJNDAEL */


diff --git a/cipher-ctr.c b/cipher-ctr.c index 856177349..8a98f3c42 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c
@@ -21,11 +21,10 @@ RCSID("$OpenBSD: cipher-ctr.c,v 1.6 2005/07/17 07:17:55 djm Exp $");
21	#include "log.h"	21	#include "log.h"
22	#include "xmalloc.h"	22	#include "xmalloc.h"
23		23
24	#if OPENSSL_VERSION_NUMBER < 0x00906000L	24	/* compatibility with old or broken OpenSSL versions */
25	#define SSH_OLD_EVP	25	#include "openbsd-compat/openssl-compat.h"
26	#endif
27		26
28	#if OPENSSL_VERSION_NUMBER < 0x00907000L	27	#ifdef USE_BUILTIN_RIJNDAEL
29	#include "rijndael.h"	28	#include "rijndael.h"
30	#define AES_KEY rijndael_ctx	29	#define AES_KEY rijndael_ctx
31	#define AES_BLOCK_SIZE 16	30	#define AES_BLOCK_SIZE 16


diff --git a/cipher.c b/cipher.c index 0dddf270a..1434d5524 100644 --- a/cipher.c +++ b/cipher.c
@@ -334,7 +334,7 @@ cipher_get_keyiv(CipherContext cc, u_char iv, u_int len)
334	if ((u_int)evplen != len)	334	if ((u_int)evplen != len)
335	fatal("%s: wrong iv length %d != %d", __func__,	335	fatal("%s: wrong iv length %d != %d", __func__,
336	evplen, len);	336	evplen, len);
337	#if OPENSSL_VERSION_NUMBER < 0x00907000L	337	#ifdef USE_BUILTIN_RIJNDAEL
338	if (c->evptype == evp_rijndael)	338	if (c->evptype == evp_rijndael)
339	ssh_rijndael_iv(&cc->evp, 0, iv, len);	339	ssh_rijndael_iv(&cc->evp, 0, iv, len);
340	else	340	else
@@ -365,7 +365,7 @@ cipher_set_keyiv(CipherContext cc, u_char iv)
365	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);	365	evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
366	if (evplen == 0)	366	if (evplen == 0)
367	return;	367	return;
368	#if OPENSSL_VERSION_NUMBER < 0x00907000L	368	#ifdef USE_BUILTIN_RIJNDAEL
369	if (c->evptype == evp_rijndael)	369	if (c->evptype == evp_rijndael)
370	ssh_rijndael_iv(&cc->evp, 1, iv, evplen);	370	ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
371	else	371	else


diff --git a/configure.ac b/configure.ac index df85e319f..9325c4364 100644 --- a/configure.ac +++ b/configure.ac
@@ -1,4 +1,4 @@
1	# $Id: configure.ac,v 1.315 2005/12/17 11:32:03 dtucker Exp $	1	# $Id: configure.ac,v 1.316 2005/12/19 06:40:40 dtucker Exp $
2	#	2	#
3	# Copyright (c) 1999-2004 Damien Miller	3	# Copyright (c) 1999-2004 Damien Miller
4	#	4	#
@@ -1803,6 +1803,24 @@ Also see contrib/findssl.sh for help identifying header/library mismatches.])
1803	]	1803	]
1804	)	1804	)
1805		1805
		1806	# Check for OpenSSL without EVP_aes_{192,256}_cbc
		1807	AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
		1808	AC_COMPILE_IFELSE(
		1809	[AC_LANG_SOURCE([[
		1810	#include <string.h>
		1811	#include <openssl/evp.h>
		1812	int main(void) { exit(EVP_aes_192_cbc() == NULL \|\| EVP_aes_256_cbc() == NULL)}
		1813	]])],
		1814	[
		1815	AC_MSG_RESULT(no)
		1816	],
		1817	[
		1818	AC_MSG_RESULT(yes)
		1819	AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
		1820	[libcrypto is missing AES 192 and 256 bit functions])
		1821	]
		1822	)
		1823
1806	# Some systems want crypt() from libcrypt, not the version in OpenSSL,	1824	# Some systems want crypt() from libcrypt, not the version in OpenSSL,
1807	# because the system crypt() is more featureful.	1825	# because the system crypt() is more featureful.
1808	if test "x$check_for_libcrypt_before" = "x1"; then	1826	if test "x$check_for_libcrypt_before" = "x1"; then


diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 4988485f1..8a015ec43 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1	/* $Id: openssl-compat.h,v 1.2 2005/11/20 03:10:00 dtucker Exp $ */	1	/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
2		2
3	/*	3	/*
4	* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>	4	* Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -24,7 +24,11 @@
24	# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)	24	# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
25	#endif	25	#endif
26		26
27	#if OPENSSL_VERSION_NUMBER < 0x00907000L	27	#if (OPENSSL_VERSION_NUMBER < 0x00907000L) \|\| defined(OPENSSL_LOBOTOMISED_AES)
		28	# define USE_BUILTIN_RIJNDAEL
		29	#endif
		30
		31	#ifdef USE_BUILTIN_RIJNDAEL
28	# define EVP_aes_128_cbc evp_rijndael	32	# define EVP_aes_128_cbc evp_rijndael
29	# define EVP_aes_192_cbc evp_rijndael	33	# define EVP_aes_192_cbc evp_rijndael
30	# define EVP_aes_256_cbc evp_rijndael	34	# define EVP_aes_256_cbc evp_rijndael