diff options
author | Damien Miller <djm@mindrot.org> | 2015-01-15 02:21:31 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-15 02:28:36 +1100 |
commit | 72ef7c148c42db7d5632a29f137f8b87b579f2d9 (patch) | |
tree | 47954a387f4260cc8b1e0ff33bbbaf22fd6f11fc | |
parent | 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 (diff) |
support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
40 files changed, 689 insertions, 491 deletions
diff --git a/Makefile.in b/Makefile.in index ebd48c303..d7ba813a9 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -76,7 +76,7 @@ LIBOPENSSH_OBJS=\ | |||
76 | 76 | ||
77 | LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 77 | LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
78 | authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 78 | authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
79 | canohost.o channels.o cipher.o cipher-aes.o \ | 79 | canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \ |
80 | cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ | 80 | cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ |
81 | compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ | 81 | compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ |
82 | log.o match.o md-sha256.o moduli.o nchan.o packet.o \ | 82 | log.o match.o md-sha256.o moduli.o nchan.o packet.o \ |
@@ -87,7 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | |||
87 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 87 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
88 | ssh-pkcs11.o smult_curve25519_ref.o \ | 88 | ssh-pkcs11.o smult_curve25519_ref.o \ |
89 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 89 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ |
90 | ssh-ed25519.o digest-openssl.o hmac.o \ | 90 | ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ |
91 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o | 91 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o |
92 | 92 | ||
93 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 93 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
@@ -20,12 +20,15 @@ | |||
20 | 20 | ||
21 | #include "includes.h" | 21 | #include "includes.h" |
22 | 22 | ||
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <sys/types.h> | 25 | #include <sys/types.h> |
24 | 26 | ||
25 | #include "buffer.h" | 27 | #include "buffer.h" |
26 | #include "log.h" | 28 | #include "log.h" |
27 | #include "ssherr.h" | 29 | #include "ssherr.h" |
28 | 30 | ||
31 | #ifdef WITH_SSH1 | ||
29 | int | 32 | int |
30 | buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) | 33 | buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) |
31 | { | 34 | { |
@@ -63,6 +66,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) | |||
63 | if (buffer_get_bignum_ret(buffer, value) == -1) | 66 | if (buffer_get_bignum_ret(buffer, value) == -1) |
64 | fatal("%s: buffer error", __func__); | 67 | fatal("%s: buffer error", __func__); |
65 | } | 68 | } |
69 | #endif /* WITH_SSH1 */ | ||
66 | 70 | ||
67 | int | 71 | int |
68 | buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) | 72 | buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) |
@@ -101,3 +105,5 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value) | |||
101 | if (buffer_get_bignum2_ret(buffer, value) == -1) | 105 | if (buffer_get_bignum2_ret(buffer, value) == -1) |
102 | fatal("%s: buffer error", __func__); | 106 | fatal("%s: buffer error", __func__); |
103 | } | 107 | } |
108 | |||
109 | #endif /* WITH_OPENSSL */ | ||
diff --git a/cipher-aesctr.c b/cipher-aesctr.c index e13615195..850bbf7db 100644 --- a/cipher-aesctr.c +++ b/cipher-aesctr.c | |||
@@ -18,6 +18,8 @@ | |||
18 | #include <sys/types.h> | 18 | #include <sys/types.h> |
19 | #include <string.h> | 19 | #include <string.h> |
20 | 20 | ||
21 | #ifndef WITH_OPENSSL | ||
22 | |||
21 | #include "cipher-aesctr.h" | 23 | #include "cipher-aesctr.h" |
22 | 24 | ||
23 | /* | 25 | /* |
@@ -76,3 +78,4 @@ aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes) | |||
76 | n = (n + 1) % AES_BLOCK_SIZE; | 78 | n = (n + 1) % AES_BLOCK_SIZE; |
77 | } | 79 | } |
78 | } | 80 | } |
81 | #endif /* !WITH_OPENSSL */ | ||
diff --git a/cipher-bf1.c b/cipher-bf1.c index 64c74bc6f..ee72ac085 100644 --- a/cipher-bf1.c +++ b/cipher-bf1.c | |||
@@ -20,6 +20,8 @@ | |||
20 | 20 | ||
21 | #include "includes.h" | 21 | #include "includes.h" |
22 | 22 | ||
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <sys/types.h> | 25 | #include <sys/types.h> |
24 | 26 | ||
25 | #include <stdarg.h> | 27 | #include <stdarg.h> |
@@ -98,3 +100,4 @@ evp_ssh1_bf(void) | |||
98 | ssh1_bf.key_len = 32; | 100 | ssh1_bf.key_len = 32; |
99 | return (&ssh1_bf); | 101 | return (&ssh1_bf); |
100 | } | 102 | } |
103 | #endif /* WITH_OPENSSL */ | ||
diff --git a/cipher-ctr.c b/cipher-ctr.c index ea0f9b3b7..32771f287 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c | |||
@@ -16,7 +16,7 @@ | |||
16 | */ | 16 | */ |
17 | #include "includes.h" | 17 | #include "includes.h" |
18 | 18 | ||
19 | #ifndef OPENSSL_HAVE_EVPCTR | 19 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) |
20 | #include <sys/types.h> | 20 | #include <sys/types.h> |
21 | 21 | ||
22 | #include <stdarg.h> | 22 | #include <stdarg.h> |
@@ -143,4 +143,4 @@ evp_aes_128_ctr(void) | |||
143 | return (&aes_ctr); | 143 | return (&aes_ctr); |
144 | } | 144 | } |
145 | 145 | ||
146 | #endif /* OPENSSL_HAVE_EVPCTR */ | 146 | #endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */ |
diff --git a/configure.ac b/configure.ac index 13e25e98f..cb66f54b1 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -121,14 +121,34 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | 123 | ||
124 | openssl=yes | ||
124 | ssh1=yes | 125 | ssh1=yes |
125 | AC_ARG_WITH([ssh1], | 126 | AC_ARG_WITH([openssl], |
126 | [ --without-ssh1 Disable support for SSH protocol 1], | 127 | [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], |
127 | [ if test "x$withval" = "xno" ; then | 128 | [ if test "x$withval" = "xno" ; then |
129 | openssl=no | ||
128 | ssh1=no | 130 | ssh1=no |
129 | fi | 131 | fi |
130 | ] | 132 | ] |
131 | ) | 133 | ) |
134 | AC_MSG_CHECKING([whether OpenSSL will be used for cryptography]) | ||
135 | if test "x$openssl" = "xyes" ; then | ||
136 | AC_MSG_RESULT([yes]) | ||
137 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | ||
138 | else | ||
139 | AC_MSG_RESULT([no]) | ||
140 | fi | ||
141 | |||
142 | AC_ARG_WITH([ssh1], | ||
143 | [ --without-ssh1 Disable support for SSH protocol 1], | ||
144 | [ | ||
145 | if test "x$withval" = "xno" ; then | ||
146 | ssh1=no | ||
147 | elif test "x$openssl" = "xno" ; then | ||
148 | AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) | ||
149 | fi | ||
150 | ] | ||
151 | ) | ||
132 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) | 152 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) |
133 | if test "x$ssh1" = "xyes" ; then | 153 | if test "x$ssh1" = "xyes" ; then |
134 | AC_MSG_RESULT([yes]) | 154 | AC_MSG_RESULT([yes]) |
@@ -1312,7 +1332,7 @@ g.gl_statv = NULL; | |||
1312 | AC_MSG_RESULT([yes]) | 1332 | AC_MSG_RESULT([yes]) |
1313 | ], [ | 1333 | ], [ |
1314 | AC_MSG_RESULT([no]) | 1334 | AC_MSG_RESULT([no]) |
1315 | 1335 | ||
1316 | ]) | 1336 | ]) |
1317 | 1337 | ||
1318 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) | 1338 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) |
@@ -1705,10 +1725,13 @@ AC_LINK_IFELSE( | |||
1705 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) | 1725 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) |
1706 | ]) | 1726 | ]) |
1707 | 1727 | ||
1708 | # PKCS#11 support requires dlopen() and co | 1728 | # PKCS11 depends on OpenSSL. |
1709 | AC_SEARCH_LIBS([dlopen], [dl], | 1729 | if test "x$openssl" = "xyes" ; then |
1710 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | 1730 | # PKCS#11 support requires dlopen() and co |
1711 | ) | 1731 | AC_SEARCH_LIBS([dlopen], [dl], |
1732 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | ||
1733 | ) | ||
1734 | fi | ||
1712 | 1735 | ||
1713 | # IRIX has a const char return value for gai_strerror() | 1736 | # IRIX has a const char return value for gai_strerror() |
1714 | AC_CHECK_FUNCS([gai_strerror], [ | 1737 | AC_CHECK_FUNCS([gai_strerror], [ |
@@ -2197,6 +2220,9 @@ saved_LDFLAGS="$LDFLAGS" | |||
2197 | AC_ARG_WITH([ssl-dir], | 2220 | AC_ARG_WITH([ssl-dir], |
2198 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], | 2221 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], |
2199 | [ | 2222 | [ |
2223 | if test "x$openssl" = "xno" ; then | ||
2224 | AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled]) | ||
2225 | fi | ||
2200 | if test "x$withval" != "xno" ; then | 2226 | if test "x$withval" != "xno" ; then |
2201 | case "$withval" in | 2227 | case "$withval" in |
2202 | # Relative paths | 2228 | # Relative paths |
@@ -2229,444 +2255,457 @@ AC_ARG_WITH([ssl-dir], | |||
2229 | fi | 2255 | fi |
2230 | ] | 2256 | ] |
2231 | ) | 2257 | ) |
2232 | LIBS="-lcrypto $LIBS" | 2258 | |
2233 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], | 2259 | AC_ARG_WITH([openssl-header-check], |
2234 | [Define if your ssl headers are included | 2260 | [ --without-openssl-header-check Disable OpenSSL version consistency check], |
2235 | with #include <openssl/header.h>])], | ||
2236 | [ | 2261 | [ |
2237 | dnl Check default openssl install dir | 2262 | if test "x$withval" = "xno" ; then |
2238 | if test -n "${need_dash_r}"; then | 2263 | openssl_check_nonfatal=1 |
2239 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2240 | else | ||
2241 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2242 | fi | 2264 | fi |
2243 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2244 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2245 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2246 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2247 | [ | ||
2248 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2249 | ] | ||
2250 | ) | ||
2251 | ] | 2265 | ] |
2252 | ) | 2266 | ) |
2253 | 2267 | ||
2254 | # Determine OpenSSL header version | 2268 | openssl_engine=no |
2255 | AC_MSG_CHECKING([OpenSSL header version]) | 2269 | AC_ARG_WITH([ssl-engine], |
2256 | AC_RUN_IFELSE( | 2270 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], |
2257 | [AC_LANG_PROGRAM([[ | ||
2258 | #include <stdio.h> | ||
2259 | #include <string.h> | ||
2260 | #include <openssl/opensslv.h> | ||
2261 | #define DATA "conftest.sslincver" | ||
2262 | ]], [[ | ||
2263 | FILE *fd; | ||
2264 | int rc; | ||
2265 | |||
2266 | fd = fopen(DATA,"w"); | ||
2267 | if(fd == NULL) | ||
2268 | exit(1); | ||
2269 | |||
2270 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) | ||
2271 | exit(1); | ||
2272 | |||
2273 | exit(0); | ||
2274 | ]])], | ||
2275 | [ | ||
2276 | ssl_header_ver=`cat conftest.sslincver` | ||
2277 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2278 | ], | ||
2279 | [ | ||
2280 | AC_MSG_RESULT([not found]) | ||
2281 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2282 | ], | ||
2283 | [ | 2271 | [ |
2284 | AC_MSG_WARN([cross compiling: not checking]) | 2272 | if test "x$openssl" = "xno" ; then |
2273 | AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) | ||
2274 | fi | ||
2275 | if test "x$withval" != "xno" ; then | ||
2276 | openssl_engine=yes | ||
2277 | fi | ||
2285 | ] | 2278 | ] |
2286 | ) | 2279 | ) |
2287 | 2280 | ||
2288 | # Determine OpenSSL library version | 2281 | if test "x$openssl" = "xyes" ; then |
2289 | AC_MSG_CHECKING([OpenSSL library version]) | 2282 | LIBS="-lcrypto $LIBS" |
2290 | AC_RUN_IFELSE( | 2283 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], |
2291 | [AC_LANG_PROGRAM([[ | 2284 | [Define if your ssl headers are included |
2292 | #include <stdio.h> | 2285 | with #include <openssl/header.h>])], |
2293 | #include <string.h> | 2286 | [ |
2294 | #include <openssl/opensslv.h> | 2287 | dnl Check default openssl install dir |
2295 | #include <openssl/crypto.h> | 2288 | if test -n "${need_dash_r}"; then |
2296 | #define DATA "conftest.ssllibver" | 2289 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" |
2297 | ]], [[ | 2290 | else |
2298 | FILE *fd; | 2291 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" |
2299 | int rc; | 2292 | fi |
2293 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2294 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2295 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2296 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2297 | [ | ||
2298 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2299 | ] | ||
2300 | ) | ||
2301 | ] | ||
2302 | ) | ||
2300 | 2303 | ||
2301 | fd = fopen(DATA,"w"); | 2304 | # Determine OpenSSL header version |
2302 | if(fd == NULL) | 2305 | AC_MSG_CHECKING([OpenSSL header version]) |
2303 | exit(1); | 2306 | AC_RUN_IFELSE( |
2307 | [AC_LANG_PROGRAM([[ | ||
2308 | #include <stdio.h> | ||
2309 | #include <string.h> | ||
2310 | #include <openssl/opensslv.h> | ||
2311 | #define DATA "conftest.sslincver" | ||
2312 | ]], [[ | ||
2313 | FILE *fd; | ||
2314 | int rc; | ||
2304 | 2315 | ||
2305 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), | 2316 | fd = fopen(DATA,"w"); |
2306 | SSLeay_version(SSLEAY_VERSION))) <0) | 2317 | if(fd == NULL) |
2307 | exit(1); | 2318 | exit(1); |
2308 | 2319 | ||
2309 | exit(0); | 2320 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) |
2310 | ]])], | 2321 | exit(1); |
2311 | [ | ||
2312 | ssl_library_ver=`cat conftest.ssllibver` | ||
2313 | # Check version is supported. | ||
2314 | case "$ssl_library_ver" in | ||
2315 | 0090[[0-7]]*|009080[[0-5]]*) | ||
2316 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) | ||
2317 | ;; | ||
2318 | *) ;; | ||
2319 | esac | ||
2320 | AC_MSG_RESULT([$ssl_library_ver]) | ||
2321 | ], | ||
2322 | [ | ||
2323 | AC_MSG_RESULT([not found]) | ||
2324 | AC_MSG_ERROR([OpenSSL library not found.]) | ||
2325 | ], | ||
2326 | [ | ||
2327 | AC_MSG_WARN([cross compiling: not checking]) | ||
2328 | ] | ||
2329 | ) | ||
2330 | 2322 | ||
2331 | # XXX make --without-openssl work | 2323 | exit(0); |
2332 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | 2324 | ]])], |
2325 | [ | ||
2326 | ssl_header_ver=`cat conftest.sslincver` | ||
2327 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2328 | ], | ||
2329 | [ | ||
2330 | AC_MSG_RESULT([not found]) | ||
2331 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2332 | ], | ||
2333 | [ | ||
2334 | AC_MSG_WARN([cross compiling: not checking]) | ||
2335 | ] | ||
2336 | ) | ||
2333 | 2337 | ||
2334 | AC_ARG_WITH([openssl-header-check], | 2338 | # Determine OpenSSL library version |
2335 | [ --without-openssl-header-check Disable OpenSSL version consistency check], | 2339 | AC_MSG_CHECKING([OpenSSL library version]) |
2336 | [ if test "x$withval" = "xno" ; then | 2340 | AC_RUN_IFELSE( |
2337 | openssl_check_nonfatal=1 | 2341 | [AC_LANG_PROGRAM([[ |
2338 | fi | 2342 | #include <stdio.h> |
2339 | ] | 2343 | #include <string.h> |
2340 | ) | 2344 | #include <openssl/opensslv.h> |
2345 | #include <openssl/crypto.h> | ||
2346 | #define DATA "conftest.ssllibver" | ||
2347 | ]], [[ | ||
2348 | FILE *fd; | ||
2349 | int rc; | ||
2341 | 2350 | ||
2342 | # Sanity check OpenSSL headers | 2351 | fd = fopen(DATA,"w"); |
2343 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) | 2352 | if(fd == NULL) |
2344 | AC_RUN_IFELSE( | 2353 | exit(1); |
2345 | [AC_LANG_PROGRAM([[ | ||
2346 | #include <string.h> | ||
2347 | #include <openssl/opensslv.h> | ||
2348 | ]], [[ | ||
2349 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2350 | ]])], | ||
2351 | [ | ||
2352 | AC_MSG_RESULT([yes]) | ||
2353 | ], | ||
2354 | [ | ||
2355 | AC_MSG_RESULT([no]) | ||
2356 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2357 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2358 | library. Check config.log for details. | ||
2359 | If you are sure your installation is consistent, you can disable the check | ||
2360 | by running "./configure --without-openssl-header-check". | ||
2361 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2362 | ]) | ||
2363 | else | ||
2364 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2365 | library. Check config.log for details. | ||
2366 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2367 | fi | ||
2368 | ], | ||
2369 | [ | ||
2370 | AC_MSG_WARN([cross compiling: not checking]) | ||
2371 | ] | ||
2372 | ) | ||
2373 | 2354 | ||
2374 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | 2355 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), |
2375 | AC_LINK_IFELSE( | 2356 | SSLeay_version(SSLEAY_VERSION))) <0) |
2376 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2357 | exit(1); |
2377 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2378 | [ | ||
2379 | AC_MSG_RESULT([yes]) | ||
2380 | ], | ||
2381 | [ | ||
2382 | AC_MSG_RESULT([no]) | ||
2383 | saved_LIBS="$LIBS" | ||
2384 | LIBS="$LIBS -ldl" | ||
2385 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2386 | AC_LINK_IFELSE( | ||
2387 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2388 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2389 | [ | ||
2390 | AC_MSG_RESULT([yes]) | ||
2391 | ], | ||
2392 | [ | ||
2393 | AC_MSG_RESULT([no]) | ||
2394 | LIBS="$saved_LIBS" | ||
2395 | ] | ||
2396 | ) | ||
2397 | ] | ||
2398 | ) | ||
2399 | 2358 | ||
2400 | AC_CHECK_FUNCS([ \ | 2359 | exit(0); |
2401 | BN_is_prime_ex \ | 2360 | ]])], |
2402 | DSA_generate_parameters_ex \ | 2361 | [ |
2403 | EVP_DigestInit_ex \ | 2362 | ssl_library_ver=`cat conftest.ssllibver` |
2404 | EVP_DigestFinal_ex \ | 2363 | # Check version is supported. |
2405 | EVP_MD_CTX_init \ | 2364 | case "$ssl_library_ver" in |
2406 | EVP_MD_CTX_cleanup \ | 2365 | 0090[[0-7]]*|009080[[0-5]]*) |
2407 | EVP_MD_CTX_copy_ex \ | 2366 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) |
2408 | HMAC_CTX_init \ | 2367 | ;; |
2409 | RSA_generate_key_ex \ | 2368 | *) ;; |
2410 | RSA_get_default_method \ | 2369 | esac |
2411 | ]) | 2370 | AC_MSG_RESULT([$ssl_library_ver]) |
2371 | ], | ||
2372 | [ | ||
2373 | AC_MSG_RESULT([not found]) | ||
2374 | AC_MSG_ERROR([OpenSSL library not found.]) | ||
2375 | ], | ||
2376 | [ | ||
2377 | AC_MSG_WARN([cross compiling: not checking]) | ||
2378 | ] | ||
2379 | ) | ||
2412 | 2380 | ||
2413 | AC_ARG_WITH([ssl-engine], | 2381 | # Sanity check OpenSSL headers |
2414 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], | 2382 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) |
2415 | [ if test "x$withval" != "xno" ; then | 2383 | AC_RUN_IFELSE( |
2384 | [AC_LANG_PROGRAM([[ | ||
2385 | #include <string.h> | ||
2386 | #include <openssl/opensslv.h> | ||
2387 | ]], [[ | ||
2388 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2389 | ]])], | ||
2390 | [ | ||
2391 | AC_MSG_RESULT([yes]) | ||
2392 | ], | ||
2393 | [ | ||
2394 | AC_MSG_RESULT([no]) | ||
2395 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2396 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2397 | library. Check config.log for details. | ||
2398 | If you are sure your installation is consistent, you can disable the check | ||
2399 | by running "./configure --without-openssl-header-check". | ||
2400 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2401 | ]) | ||
2402 | else | ||
2403 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2404 | library. Check config.log for details. | ||
2405 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2406 | fi | ||
2407 | ], | ||
2408 | [ | ||
2409 | AC_MSG_WARN([cross compiling: not checking]) | ||
2410 | ] | ||
2411 | ) | ||
2412 | |||
2413 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | ||
2414 | AC_LINK_IFELSE( | ||
2415 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2416 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2417 | [ | ||
2418 | AC_MSG_RESULT([yes]) | ||
2419 | ], | ||
2420 | [ | ||
2421 | AC_MSG_RESULT([no]) | ||
2422 | saved_LIBS="$LIBS" | ||
2423 | LIBS="$LIBS -ldl" | ||
2424 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2425 | AC_LINK_IFELSE( | ||
2426 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2427 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2428 | [ | ||
2429 | AC_MSG_RESULT([yes]) | ||
2430 | ], | ||
2431 | [ | ||
2432 | AC_MSG_RESULT([no]) | ||
2433 | LIBS="$saved_LIBS" | ||
2434 | ] | ||
2435 | ) | ||
2436 | ] | ||
2437 | ) | ||
2438 | |||
2439 | AC_CHECK_FUNCS([ \ | ||
2440 | BN_is_prime_ex \ | ||
2441 | DSA_generate_parameters_ex \ | ||
2442 | EVP_DigestInit_ex \ | ||
2443 | EVP_DigestFinal_ex \ | ||
2444 | EVP_MD_CTX_init \ | ||
2445 | EVP_MD_CTX_cleanup \ | ||
2446 | EVP_MD_CTX_copy_ex \ | ||
2447 | HMAC_CTX_init \ | ||
2448 | RSA_generate_key_ex \ | ||
2449 | RSA_get_default_method \ | ||
2450 | ]) | ||
2451 | |||
2452 | if test "x$openssl_engine" = "xyes" ; then | ||
2416 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) | 2453 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) |
2417 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 2454 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ |
2418 | #include <openssl/engine.h> | 2455 | #include <openssl/engine.h> |
2419 | ]], [[ | 2456 | ]], [[ |
2420 | ENGINE_load_builtin_engines(); | 2457 | ENGINE_load_builtin_engines(); |
2421 | ENGINE_register_all_complete(); | 2458 | ENGINE_register_all_complete(); |
2422 | ]])], | 2459 | ]])], |
2423 | [ AC_MSG_RESULT([yes]) | 2460 | [ AC_MSG_RESULT([yes]) |
2424 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], | 2461 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], |
2425 | [Enable OpenSSL engine support]) | 2462 | [Enable OpenSSL engine support]) |
2426 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) | 2463 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) |
2427 | ]) | 2464 | ]) |
2428 | fi ] | 2465 | fi |
2429 | ) | ||
2430 | 2466 | ||
2431 | # Check for OpenSSL without EVP_aes_{192,256}_cbc | 2467 | # Check for OpenSSL without EVP_aes_{192,256}_cbc |
2432 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) | 2468 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) |
2433 | AC_LINK_IFELSE( | 2469 | AC_LINK_IFELSE( |
2434 | [AC_LANG_PROGRAM([[ | 2470 | [AC_LANG_PROGRAM([[ |
2435 | #include <string.h> | 2471 | #include <string.h> |
2436 | #include <openssl/evp.h> | 2472 | #include <openssl/evp.h> |
2437 | ]], [[ | 2473 | ]], [[ |
2438 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); | 2474 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); |
2439 | ]])], | 2475 | ]])], |
2440 | [ | 2476 | [ |
2441 | AC_MSG_RESULT([no]) | 2477 | AC_MSG_RESULT([no]) |
2442 | ], | 2478 | ], |
2443 | [ | 2479 | [ |
2444 | AC_MSG_RESULT([yes]) | 2480 | AC_MSG_RESULT([yes]) |
2445 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], | 2481 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], |
2446 | [libcrypto is missing AES 192 and 256 bit functions]) | 2482 | [libcrypto is missing AES 192 and 256 bit functions]) |
2447 | ] | 2483 | ] |
2448 | ) | 2484 | ) |
2449 | 2485 | ||
2450 | # Check for OpenSSL with EVP_aes_*ctr | 2486 | # Check for OpenSSL with EVP_aes_*ctr |
2451 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) | 2487 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) |
2452 | AC_LINK_IFELSE( | 2488 | AC_LINK_IFELSE( |
2453 | [AC_LANG_PROGRAM([[ | 2489 | [AC_LANG_PROGRAM([[ |
2454 | #include <string.h> | 2490 | #include <string.h> |
2455 | #include <openssl/evp.h> | 2491 | #include <openssl/evp.h> |
2456 | ]], [[ | 2492 | ]], [[ |
2457 | exit(EVP_aes_128_ctr() == NULL || | 2493 | exit(EVP_aes_128_ctr() == NULL || |
2458 | EVP_aes_192_cbc() == NULL || | 2494 | EVP_aes_192_cbc() == NULL || |
2459 | EVP_aes_256_cbc() == NULL); | 2495 | EVP_aes_256_cbc() == NULL); |
2460 | ]])], | 2496 | ]])], |
2461 | [ | 2497 | [ |
2462 | AC_MSG_RESULT([yes]) | 2498 | AC_MSG_RESULT([yes]) |
2463 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], | 2499 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], |
2464 | [libcrypto has EVP AES CTR]) | 2500 | [libcrypto has EVP AES CTR]) |
2465 | ], | 2501 | ], |
2466 | [ | 2502 | [ |
2467 | AC_MSG_RESULT([no]) | 2503 | AC_MSG_RESULT([no]) |
2468 | ] | 2504 | ] |
2469 | ) | 2505 | ) |
2470 | 2506 | ||
2471 | # Check for OpenSSL with EVP_aes_*gcm | 2507 | # Check for OpenSSL with EVP_aes_*gcm |
2472 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) | 2508 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) |
2473 | AC_LINK_IFELSE( | 2509 | AC_LINK_IFELSE( |
2474 | [AC_LANG_PROGRAM([[ | 2510 | [AC_LANG_PROGRAM([[ |
2475 | #include <string.h> | 2511 | #include <string.h> |
2476 | #include <openssl/evp.h> | 2512 | #include <openssl/evp.h> |
2477 | ]], [[ | 2513 | ]], [[ |
2478 | exit(EVP_aes_128_gcm() == NULL || | 2514 | exit(EVP_aes_128_gcm() == NULL || |
2479 | EVP_aes_256_gcm() == NULL || | 2515 | EVP_aes_256_gcm() == NULL || |
2480 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || | 2516 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || |
2481 | EVP_CTRL_GCM_IV_GEN == 0 || | 2517 | EVP_CTRL_GCM_IV_GEN == 0 || |
2482 | EVP_CTRL_GCM_SET_TAG == 0 || | 2518 | EVP_CTRL_GCM_SET_TAG == 0 || |
2483 | EVP_CTRL_GCM_GET_TAG == 0 || | 2519 | EVP_CTRL_GCM_GET_TAG == 0 || |
2484 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); | 2520 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); |
2485 | ]])], | 2521 | ]])], |
2486 | [ | 2522 | [ |
2487 | AC_MSG_RESULT([yes]) | 2523 | AC_MSG_RESULT([yes]) |
2488 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], | 2524 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], |
2489 | [libcrypto has EVP AES GCM]) | 2525 | [libcrypto has EVP AES GCM]) |
2490 | ], | 2526 | ], |
2491 | [ | 2527 | [ |
2492 | AC_MSG_RESULT([no]) | 2528 | AC_MSG_RESULT([no]) |
2493 | unsupported_algorithms="$unsupported_cipers \ | 2529 | unsupported_algorithms="$unsupported_cipers \ |
2494 | aes128-gcm@openssh.com aes256-gcm@openssh.com" | 2530 | aes128-gcm@openssh.com aes256-gcm@openssh.com" |
2495 | ] | 2531 | ] |
2496 | ) | 2532 | ) |
2497 | 2533 | ||
2498 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], | 2534 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], |
2499 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], | 2535 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], |
2500 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) | 2536 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) |
2501 | 2537 | ||
2502 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) | 2538 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) |
2503 | AC_LINK_IFELSE( | 2539 | AC_LINK_IFELSE( |
2504 | [AC_LANG_PROGRAM([[ | 2540 | [AC_LANG_PROGRAM([[ |
2505 | #include <string.h> | 2541 | #include <string.h> |
2506 | #include <openssl/evp.h> | 2542 | #include <openssl/evp.h> |
2507 | ]], [[ | 2543 | ]], [[ |
2508 | if(EVP_DigestUpdate(NULL, NULL,0)) | 2544 | if(EVP_DigestUpdate(NULL, NULL,0)) |
2509 | exit(0); | 2545 | exit(0); |
2510 | ]])], | 2546 | ]])], |
2511 | [ | 2547 | [ |
2512 | AC_MSG_RESULT([yes]) | 2548 | AC_MSG_RESULT([yes]) |
2513 | ], | 2549 | ], |
2514 | [ | 2550 | [ |
2515 | AC_MSG_RESULT([no]) | 2551 | AC_MSG_RESULT([no]) |
2516 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], | 2552 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], |
2517 | [Define if EVP_DigestUpdate returns void]) | 2553 | [Define if EVP_DigestUpdate returns void]) |
2518 | ] | 2554 | ] |
2519 | ) | 2555 | ) |
2520 | 2556 | ||
2521 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, | 2557 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, |
2522 | # because the system crypt() is more featureful. | 2558 | # because the system crypt() is more featureful. |
2523 | if test "x$check_for_libcrypt_before" = "x1"; then | 2559 | if test "x$check_for_libcrypt_before" = "x1"; then |
2524 | AC_CHECK_LIB([crypt], [crypt]) | 2560 | AC_CHECK_LIB([crypt], [crypt]) |
2525 | fi | 2561 | fi |
2526 | 2562 | ||
2527 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the | 2563 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the |
2528 | # version in OpenSSL. | 2564 | # version in OpenSSL. |
2529 | if test "x$check_for_libcrypt_later" = "x1"; then | 2565 | if test "x$check_for_libcrypt_later" = "x1"; then |
2530 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) | 2566 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2531 | fi | 2567 | fi |
2532 | AC_CHECK_FUNCS([crypt DES_crypt]) | ||
2533 | |||
2534 | # Search for SHA256 support in libc and/or OpenSSL | ||
2535 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , | ||
2536 | [unsupported_algorithms="$unsupported_algorithms \ | ||
2537 | hmac-sha2-256 hmac-sha2-512 \ | ||
2538 | diffie-hellman-group-exchange-sha256 \ | ||
2539 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | ||
2540 | ] | ||
2541 | ) | ||
2542 | # Search for RIPE-MD support in OpenSSL | ||
2543 | AC_CHECK_FUNCS([EVP_ripemd160], , | ||
2544 | [unsupported_algorithms="$unsupported_algorithms \ | ||
2545 | hmac-ripemd160 | ||
2546 | hmac-ripemd160@openssh.com | ||
2547 | hmac-ripemd160-etm@openssh.com" | ||
2548 | ] | ||
2549 | ) | ||
2550 | 2568 | ||
2551 | # Check complete ECC support in OpenSSL | 2569 | # Search for SHA256 support in libc and/or OpenSSL |
2552 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) | 2570 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , |
2553 | AC_LINK_IFELSE( | 2571 | [unsupported_algorithms="$unsupported_algorithms \ |
2554 | [AC_LANG_PROGRAM([[ | 2572 | hmac-sha2-256 hmac-sha2-512 \ |
2555 | #include <openssl/ec.h> | 2573 | diffie-hellman-group-exchange-sha256 \ |
2556 | #include <openssl/ecdh.h> | 2574 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" |
2557 | #include <openssl/ecdsa.h> | 2575 | ] |
2558 | #include <openssl/evp.h> | 2576 | ) |
2559 | #include <openssl/objects.h> | 2577 | # Search for RIPE-MD support in OpenSSL |
2560 | #include <openssl/opensslv.h> | 2578 | AC_CHECK_FUNCS([EVP_ripemd160], , |
2561 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2579 | [unsupported_algorithms="$unsupported_algorithms \ |
2562 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2580 | hmac-ripemd160 |
2563 | #endif | 2581 | hmac-ripemd160@openssh.com |
2564 | ]], [[ | 2582 | hmac-ripemd160-etm@openssh.com" |
2565 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 2583 | ] |
2566 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | 2584 | ) |
2567 | ]])], | ||
2568 | [ AC_MSG_RESULT([yes]) | ||
2569 | enable_nistp256=1 ], | ||
2570 | [ AC_MSG_RESULT([no]) ] | ||
2571 | ) | ||
2572 | 2585 | ||
2573 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | 2586 | # Check complete ECC support in OpenSSL |
2574 | AC_LINK_IFELSE( | 2587 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2575 | [AC_LANG_PROGRAM([[ | 2588 | AC_LINK_IFELSE( |
2576 | #include <openssl/ec.h> | 2589 | [AC_LANG_PROGRAM([[ |
2577 | #include <openssl/ecdh.h> | 2590 | #include <openssl/ec.h> |
2578 | #include <openssl/ecdsa.h> | 2591 | #include <openssl/ecdh.h> |
2579 | #include <openssl/evp.h> | 2592 | #include <openssl/ecdsa.h> |
2580 | #include <openssl/objects.h> | 2593 | #include <openssl/evp.h> |
2581 | #include <openssl/opensslv.h> | 2594 | #include <openssl/objects.h> |
2582 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2595 | #include <openssl/opensslv.h> |
2583 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2596 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2584 | #endif | 2597 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2585 | ]], [[ | 2598 | #endif |
2586 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | 2599 | ]], [[ |
2587 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | 2600 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
2588 | ]])], | 2601 | const EVP_MD *m = EVP_sha256(); /* We need this too */ |
2589 | [ AC_MSG_RESULT([yes]) | 2602 | ]])], |
2590 | enable_nistp384=1 ], | 2603 | [ AC_MSG_RESULT([yes]) |
2591 | [ AC_MSG_RESULT([no]) ] | 2604 | enable_nistp256=1 ], |
2592 | ) | 2605 | [ AC_MSG_RESULT([no]) ] |
2606 | ) | ||
2593 | 2607 | ||
2594 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | 2608 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) |
2595 | AC_LINK_IFELSE( | 2609 | AC_LINK_IFELSE( |
2596 | [AC_LANG_PROGRAM([[ | 2610 | [AC_LANG_PROGRAM([[ |
2597 | #include <openssl/ec.h> | 2611 | #include <openssl/ec.h> |
2598 | #include <openssl/ecdh.h> | 2612 | #include <openssl/ecdh.h> |
2599 | #include <openssl/ecdsa.h> | 2613 | #include <openssl/ecdsa.h> |
2600 | #include <openssl/evp.h> | 2614 | #include <openssl/evp.h> |
2601 | #include <openssl/objects.h> | 2615 | #include <openssl/objects.h> |
2602 | #include <openssl/opensslv.h> | 2616 | #include <openssl/opensslv.h> |
2603 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2617 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2604 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2618 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2605 | #endif | 2619 | #endif |
2606 | ]], [[ | 2620 | ]], [[ |
2607 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2621 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); |
2608 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2622 | const EVP_MD *m = EVP_sha384(); /* We need this too */ |
2609 | ]])], | 2623 | ]])], |
2610 | [ AC_MSG_RESULT([yes]) | 2624 | [ AC_MSG_RESULT([yes]) |
2611 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) | 2625 | enable_nistp384=1 ], |
2612 | AC_RUN_IFELSE( | 2626 | [ AC_MSG_RESULT([no]) ] |
2627 | ) | ||
2628 | |||
2629 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | ||
2630 | AC_LINK_IFELSE( | ||
2613 | [AC_LANG_PROGRAM([[ | 2631 | [AC_LANG_PROGRAM([[ |
2614 | #include <openssl/ec.h> | 2632 | #include <openssl/ec.h> |
2615 | #include <openssl/ecdh.h> | 2633 | #include <openssl/ecdh.h> |
2616 | #include <openssl/ecdsa.h> | 2634 | #include <openssl/ecdsa.h> |
2617 | #include <openssl/evp.h> | 2635 | #include <openssl/evp.h> |
2618 | #include <openssl/objects.h> | 2636 | #include <openssl/objects.h> |
2619 | #include <openssl/opensslv.h> | 2637 | #include <openssl/opensslv.h> |
2620 | ]],[[ | 2638 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2639 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2640 | #endif | ||
2641 | ]], [[ | ||
2621 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2642 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2622 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2643 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2623 | exit(e == NULL || m == NULL); | ||
2624 | ]])], | 2644 | ]])], |
2625 | [ AC_MSG_RESULT([yes]) | 2645 | [ AC_MSG_RESULT([yes]) |
2626 | enable_nistp521=1 ], | 2646 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2627 | [ AC_MSG_RESULT([no]) ], | 2647 | AC_RUN_IFELSE( |
2628 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | 2648 | [AC_LANG_PROGRAM([[ |
2629 | enable_nistp521=1 ] | 2649 | #include <openssl/ec.h> |
2630 | )], | 2650 | #include <openssl/ecdh.h> |
2631 | AC_MSG_RESULT([no]) | 2651 | #include <openssl/ecdsa.h> |
2632 | ) | 2652 | #include <openssl/evp.h> |
2653 | #include <openssl/objects.h> | ||
2654 | #include <openssl/opensslv.h> | ||
2655 | ]],[[ | ||
2656 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | ||
2657 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | ||
2658 | exit(e == NULL || m == NULL); | ||
2659 | ]])], | ||
2660 | [ AC_MSG_RESULT([yes]) | ||
2661 | enable_nistp521=1 ], | ||
2662 | [ AC_MSG_RESULT([no]) ], | ||
2663 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | ||
2664 | enable_nistp521=1 ] | ||
2665 | )], | ||
2666 | AC_MSG_RESULT([no]) | ||
2667 | ) | ||
2633 | 2668 | ||
2634 | COMMENT_OUT_ECC="#no ecc#" | 2669 | COMMENT_OUT_ECC="#no ecc#" |
2635 | TEST_SSH_ECC=no | 2670 | TEST_SSH_ECC=no |
2636 | 2671 | ||
2637 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | 2672 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ |
2638 | test x$enable_nistp521 = x1; then | 2673 | test x$enable_nistp521 = x1; then |
2639 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | 2674 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) |
2640 | fi | 2675 | fi |
2641 | if test x$enable_nistp256 = x1; then | 2676 | if test x$enable_nistp256 = x1; then |
2642 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | 2677 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], |
2643 | [libcrypto has NID_X9_62_prime256v1]) | 2678 | [libcrypto has NID_X9_62_prime256v1]) |
2644 | TEST_SSH_ECC=yes | 2679 | TEST_SSH_ECC=yes |
2645 | COMMENT_OUT_ECC="" | 2680 | COMMENT_OUT_ECC="" |
2646 | else | 2681 | else |
2647 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | 2682 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ |
2648 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | 2683 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" |
2649 | fi | 2684 | fi |
2650 | if test x$enable_nistp384 = x1; then | 2685 | if test x$enable_nistp384 = x1; then |
2651 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | 2686 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) |
2652 | TEST_SSH_ECC=yes | 2687 | TEST_SSH_ECC=yes |
2653 | COMMENT_OUT_ECC="" | 2688 | COMMENT_OUT_ECC="" |
2654 | else | 2689 | else |
2655 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | 2690 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ |
2656 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | 2691 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" |
2657 | fi | 2692 | fi |
2658 | if test x$enable_nistp521 = x1; then | 2693 | if test x$enable_nistp521 = x1; then |
2659 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | 2694 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) |
2660 | TEST_SSH_ECC=yes | 2695 | TEST_SSH_ECC=yes |
2661 | COMMENT_OUT_ECC="" | 2696 | COMMENT_OUT_ECC="" |
2697 | else | ||
2698 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2699 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2700 | fi | ||
2701 | |||
2702 | AC_SUBST([TEST_SSH_ECC]) | ||
2703 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2662 | else | 2704 | else |
2663 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | 2705 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2664 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | 2706 | AC_CHECK_FUNCS([crypt DES_crypt]) |
2665 | fi | 2707 | fi |
2666 | 2708 | ||
2667 | AC_SUBST([TEST_SSH_ECC]) | ||
2668 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2669 | |||
2670 | AC_CHECK_FUNCS([ \ | 2709 | AC_CHECK_FUNCS([ \ |
2671 | arc4random \ | 2710 | arc4random \ |
2672 | arc4random_buf \ | 2711 | arc4random_buf \ |
@@ -2687,28 +2726,30 @@ LIBS="$saved_LIBS" | |||
2687 | ### Configure cryptographic random number support | 2726 | ### Configure cryptographic random number support |
2688 | 2727 | ||
2689 | # Check wheter OpenSSL seeds itself | 2728 | # Check wheter OpenSSL seeds itself |
2690 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) | 2729 | if test "x$openssl" = "xyes" ; then |
2691 | AC_RUN_IFELSE( | 2730 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) |
2692 | [AC_LANG_PROGRAM([[ | 2731 | AC_RUN_IFELSE( |
2693 | #include <string.h> | 2732 | [AC_LANG_PROGRAM([[ |
2694 | #include <openssl/rand.h> | 2733 | #include <string.h> |
2695 | ]], [[ | 2734 | #include <openssl/rand.h> |
2696 | exit(RAND_status() == 1 ? 0 : 1); | 2735 | ]], [[ |
2697 | ]])], | 2736 | exit(RAND_status() == 1 ? 0 : 1); |
2698 | [ | 2737 | ]])], |
2699 | OPENSSL_SEEDS_ITSELF=yes | 2738 | [ |
2700 | AC_MSG_RESULT([yes]) | 2739 | OPENSSL_SEEDS_ITSELF=yes |
2701 | ], | 2740 | AC_MSG_RESULT([yes]) |
2702 | [ | 2741 | ], |
2703 | AC_MSG_RESULT([no]) | 2742 | [ |
2704 | ], | 2743 | AC_MSG_RESULT([no]) |
2705 | [ | 2744 | ], |
2706 | AC_MSG_WARN([cross compiling: assuming yes]) | 2745 | [ |
2707 | # This is safe, since we will fatal() at runtime if | 2746 | AC_MSG_WARN([cross compiling: assuming yes]) |
2708 | # OpenSSL is not seeded correctly. | 2747 | # This is safe, since we will fatal() at runtime if |
2709 | OPENSSL_SEEDS_ITSELF=yes | 2748 | # OpenSSL is not seeded correctly. |
2710 | ] | 2749 | OPENSSL_SEEDS_ITSELF=yes |
2711 | ) | 2750 | ] |
2751 | ) | ||
2752 | fi | ||
2712 | 2753 | ||
2713 | # PRNGD TCP socket | 2754 | # PRNGD TCP socket |
2714 | AC_ARG_WITH([prngd-port], | 2755 | AC_ARG_WITH([prngd-port], |
@@ -2790,8 +2831,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then | |||
2790 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" | 2831 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" |
2791 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then | 2832 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then |
2792 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], | 2833 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], |
2793 | [Define if you want OpenSSL's internally seeded PRNG only]) | 2834 | [Define if you want the OpenSSL internally seeded PRNG only]) |
2794 | RAND_MSG="OpenSSL internal ONLY" | 2835 | RAND_MSG="OpenSSL internal ONLY" |
2836 | elif test "x$openssl" = "xno" ; then | ||
2837 | AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible]) | ||
2795 | else | 2838 | else |
2796 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) | 2839 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) |
2797 | fi | 2840 | fi |
@@ -2853,7 +2896,7 @@ if test "x$PAM_MSG" = "xyes" ; then | |||
2853 | which takes only one argument to pam_strerror]) | 2896 | which takes only one argument to pam_strerror]) |
2854 | AC_MSG_RESULT([yes]) | 2897 | AC_MSG_RESULT([yes]) |
2855 | PAM_MSG="yes (old library)" | 2898 | PAM_MSG="yes (old library)" |
2856 | 2899 | ||
2857 | ]) | 2900 | ]) |
2858 | fi | 2901 | fi |
2859 | 2902 | ||
diff --git a/digest-libc.c b/digest-libc.c index 169ded075..a216e784e 100644 --- a/digest-libc.c +++ b/digest-libc.c | |||
@@ -18,15 +18,19 @@ | |||
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | 20 | ||
21 | #ifndef WITH_OPENSSL | ||
22 | |||
21 | #include <sys/types.h> | 23 | #include <sys/types.h> |
22 | #include <limits.h> | 24 | #include <limits.h> |
23 | #include <stdlib.h> | 25 | #include <stdlib.h> |
24 | #include <string.h> | 26 | #include <string.h> |
25 | 27 | ||
28 | #if 0 | ||
26 | #include <md5.h> | 29 | #include <md5.h> |
27 | #include <rmd160.h> | 30 | #include <rmd160.h> |
28 | #include <sha1.h> | 31 | #include <sha1.h> |
29 | #include <sha2.h> | 32 | #include <sha2.h> |
33 | #endif | ||
30 | 34 | ||
31 | #include "ssherr.h" | 35 | #include "ssherr.h" |
32 | #include "sshbuf.h" | 36 | #include "sshbuf.h" |
@@ -89,30 +93,30 @@ const struct ssh_digest digests[SSH_DIGEST_MAX] = { | |||
89 | "SHA256", | 93 | "SHA256", |
90 | SHA256_BLOCK_LENGTH, | 94 | SHA256_BLOCK_LENGTH, |
91 | SHA256_DIGEST_LENGTH, | 95 | SHA256_DIGEST_LENGTH, |
92 | sizeof(SHA2_CTX), | 96 | sizeof(SHA256_CTX), |
93 | (md_init_fn *) SHA256Init, | 97 | (md_init_fn *) SHA256_Init, |
94 | (md_update_fn *) SHA256Update, | 98 | (md_update_fn *) SHA256_Update, |
95 | (md_final_fn *) SHA256Final | 99 | (md_final_fn *) SHA256_Final |
96 | }, | 100 | }, |
97 | { | 101 | { |
98 | SSH_DIGEST_SHA384, | 102 | SSH_DIGEST_SHA384, |
99 | "SHA384", | 103 | "SHA384", |
100 | SHA384_BLOCK_LENGTH, | 104 | SHA384_BLOCK_LENGTH, |
101 | SHA384_DIGEST_LENGTH, | 105 | SHA384_DIGEST_LENGTH, |
102 | sizeof(SHA2_CTX), | 106 | sizeof(SHA384_CTX), |
103 | (md_init_fn *) SHA384Init, | 107 | (md_init_fn *) SHA384_Init, |
104 | (md_update_fn *) SHA384Update, | 108 | (md_update_fn *) SHA384_Update, |
105 | (md_final_fn *) SHA384Final | 109 | (md_final_fn *) SHA384_Final |
106 | }, | 110 | }, |
107 | { | 111 | { |
108 | SSH_DIGEST_SHA512, | 112 | SSH_DIGEST_SHA512, |
109 | "SHA512", | 113 | "SHA512", |
110 | SHA512_BLOCK_LENGTH, | 114 | SHA512_BLOCK_LENGTH, |
111 | SHA512_DIGEST_LENGTH, | 115 | SHA512_DIGEST_LENGTH, |
112 | sizeof(SHA2_CTX), | 116 | sizeof(SHA512_CTX), |
113 | (md_init_fn *) SHA512Init, | 117 | (md_init_fn *) SHA512_Init, |
114 | (md_update_fn *) SHA512Update, | 118 | (md_update_fn *) SHA512_Update, |
115 | (md_final_fn *) SHA512Final | 119 | (md_final_fn *) SHA512_Final |
116 | } | 120 | } |
117 | }; | 121 | }; |
118 | 122 | ||
@@ -257,3 +261,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen) | |||
257 | { | 261 | { |
258 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); | 262 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); |
259 | } | 263 | } |
264 | #endif /* !WITH_OPENSSL */ | ||
diff --git a/digest-openssl.c b/digest-openssl.c index bb58ff226..13b63c2f0 100644 --- a/digest-openssl.c +++ b/digest-openssl.c | |||
@@ -17,6 +17,8 @@ | |||
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | 19 | ||
20 | #ifdef WITH_OPENSSL | ||
21 | |||
20 | #include <sys/types.h> | 22 | #include <sys/types.h> |
21 | #include <limits.h> | 23 | #include <limits.h> |
22 | #include <stdlib.h> | 24 | #include <stdlib.h> |
@@ -200,3 +202,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen) | |||
200 | { | 202 | { |
201 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); | 203 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); |
202 | } | 204 | } |
205 | #endif /* WITH_OPENSSL */ | ||
@@ -24,6 +24,8 @@ | |||
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | 26 | ||
27 | #ifdef WITH_OPENSSL | ||
28 | |||
27 | #include <sys/types.h> | 29 | #include <sys/types.h> |
28 | #include <sys/socket.h> | 30 | #include <sys/socket.h> |
29 | #ifdef HAVE_SYS_UN_H | 31 | #ifdef HAVE_SYS_UN_H |
@@ -230,3 +232,13 @@ seed_rng(void) | |||
230 | if (RAND_status() != 1) | 232 | if (RAND_status() != 1) |
231 | fatal("PRNG is not seeded"); | 233 | fatal("PRNG is not seeded"); |
232 | } | 234 | } |
235 | |||
236 | #else /* WITH_OPENSSL */ | ||
237 | |||
238 | /* Handled in arc4random() */ | ||
239 | void | ||
240 | seed_rng(void) | ||
241 | { | ||
242 | } | ||
243 | |||
244 | #endif /* WITH_OPENSSL */ | ||
diff --git a/includes.h b/includes.h index 095161c28..c3034e37d 100644 --- a/includes.h +++ b/includes.h | |||
@@ -167,7 +167,9 @@ | |||
167 | # endif | 167 | # endif |
168 | #endif | 168 | #endif |
169 | 169 | ||
170 | #ifdef WITH_OPENSSL | ||
170 | #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */ | 171 | #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */ |
172 | #endif | ||
171 | 173 | ||
172 | #include "defines.h" | 174 | #include "defines.h" |
173 | 175 | ||
@@ -90,9 +90,9 @@ static const struct kexalg kexalgs[] = { | |||
90 | # endif /* OPENSSL_HAS_NISTP521 */ | 90 | # endif /* OPENSSL_HAS_NISTP521 */ |
91 | #endif /* OPENSSL_HAS_ECC */ | 91 | #endif /* OPENSSL_HAS_ECC */ |
92 | #endif /* WITH_OPENSSL */ | 92 | #endif /* WITH_OPENSSL */ |
93 | #ifdef HAVE_EVP_SHA256 | 93 | #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) |
94 | { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, | 94 | { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
95 | #endif /* HAVE_EVP_SHA256 */ | 95 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
96 | { NULL, -1, -1, -1}, | 96 | { NULL, -1, -1, -1}, |
97 | }; | 97 | }; |
98 | 98 | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <signal.h> | 32 | #include <signal.h> |
@@ -85,3 +87,4 @@ kex_dh_hash( | |||
85 | *hash = digest; | 87 | *hash = digest; |
86 | *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); | 88 | *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); |
87 | } | 89 | } |
90 | #endif /* WITH_OPENSSL */ | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <openssl/dh.h> | 32 | #include <openssl/dh.h> |
@@ -159,3 +161,4 @@ kexdh_client(Kex *kex) | |||
159 | BN_clear_free(shared_secret); | 161 | BN_clear_free(shared_secret); |
160 | kex_finish(kex); | 162 | kex_finish(kex); |
161 | } | 163 | } |
164 | #endif /* WITH_OPENSSL */ | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <stdarg.h> | 32 | #include <stdarg.h> |
@@ -158,3 +160,4 @@ kexdh_server(Kex *kex) | |||
158 | BN_clear_free(shared_secret); | 160 | BN_clear_free(shared_secret); |
159 | kex_finish(kex); | 161 | kex_finish(kex); |
160 | } | 162 | } |
163 | #endif /* WITH_OPENSSL */ | ||
@@ -26,7 +26,7 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef OPENSSL_HAS_ECC | 29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
30 | 30 | ||
31 | #include <sys/types.h> | 31 | #include <sys/types.h> |
32 | 32 | ||
@@ -94,4 +94,4 @@ kex_ecdh_hash( | |||
94 | *hash = digest; | 94 | *hash = digest; |
95 | *hashlen = ssh_digest_bytes(hash_alg); | 95 | *hashlen = ssh_digest_bytes(hash_alg); |
96 | } | 96 | } |
97 | #endif /* OPENSSL_HAS_ECC */ | 97 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
diff --git a/kexecdhc.c b/kexecdhc.c index 2f7629cca..2019940e5 100644 --- a/kexecdhc.c +++ b/kexecdhc.c | |||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | 32 | ||
31 | #include <stdio.h> | 33 | #include <stdio.h> |
@@ -42,8 +44,6 @@ | |||
42 | #include "dh.h" | 44 | #include "dh.h" |
43 | #include "ssh2.h" | 45 | #include "ssh2.h" |
44 | 46 | ||
45 | #ifdef OPENSSL_HAS_ECC | ||
46 | |||
47 | #include <openssl/ecdh.h> | 47 | #include <openssl/ecdh.h> |
48 | 48 | ||
49 | void | 49 | void |
@@ -156,10 +156,4 @@ kexecdh_client(Kex *kex) | |||
156 | BN_clear_free(shared_secret); | 156 | BN_clear_free(shared_secret); |
157 | kex_finish(kex); | 157 | kex_finish(kex); |
158 | } | 158 | } |
159 | #else /* OPENSSL_HAS_ECC */ | 159 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
160 | void | ||
161 | kexecdh_client(Kex *kex) | ||
162 | { | ||
163 | fatal("ECC support is not enabled"); | ||
164 | } | ||
165 | #endif /* OPENSSL_HAS_ECC */ | ||
diff --git a/kexecdhs.c b/kexecdhs.c index 2700b7219..48bc56dc6 100644 --- a/kexecdhs.c +++ b/kexecdhs.c | |||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | #include <string.h> | 32 | #include <string.h> |
31 | #include <signal.h> | 33 | #include <signal.h> |
@@ -39,8 +41,6 @@ | |||
39 | #include "packet.h" | 41 | #include "packet.h" |
40 | #include "ssh2.h" | 42 | #include "ssh2.h" |
41 | 43 | ||
42 | #ifdef OPENSSL_HAS_ECC | ||
43 | |||
44 | #include <openssl/ecdh.h> | 44 | #include <openssl/ecdh.h> |
45 | 45 | ||
46 | void | 46 | void |
@@ -152,10 +152,4 @@ kexecdh_server(Kex *kex) | |||
152 | BN_clear_free(shared_secret); | 152 | BN_clear_free(shared_secret); |
153 | kex_finish(kex); | 153 | kex_finish(kex); |
154 | } | 154 | } |
155 | #else /* OPENSSL_HAS_ECC */ | 155 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
156 | void | ||
157 | kexecdh_server(Kex *kex) | ||
158 | { | ||
159 | fatal("ECC support is not enabled"); | ||
160 | } | ||
161 | #endif /* OPENSSL_HAS_ECC */ | ||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef WITH_OPENSSL | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | 32 | ||
31 | #include <openssl/evp.h> | 33 | #include <openssl/evp.h> |
@@ -96,3 +98,4 @@ kexgex_hash( | |||
96 | *hash = digest; | 98 | *hash = digest; |
97 | *hashlen = ssh_digest_bytes(hash_alg); | 99 | *hashlen = ssh_digest_bytes(hash_alg); |
98 | } | 100 | } |
101 | #endif /* WITH_OPENSSL */ | ||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef WITH_OPENSSL | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | 32 | ||
31 | #include <openssl/dh.h> | 33 | #include <openssl/dh.h> |
@@ -205,3 +207,4 @@ kexgex_client(Kex *kex) | |||
205 | 207 | ||
206 | kex_finish(kex); | 208 | kex_finish(kex); |
207 | } | 209 | } |
210 | #endif /* WITH_OPENSSL */ | ||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef WITH_OPENSSL | ||
30 | |||
29 | #include <sys/param.h> | 31 | #include <sys/param.h> |
30 | 32 | ||
31 | #include <stdarg.h> | 33 | #include <stdarg.h> |
@@ -206,3 +208,4 @@ kexgex_server(Kex *kex) | |||
206 | 208 | ||
207 | kex_finish(kex); | 209 | kex_finish(kex); |
208 | } | 210 | } |
211 | #endif /* WITH_OPENSSL */ | ||
@@ -18,6 +18,8 @@ | |||
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | 20 | ||
21 | #ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */ | ||
22 | |||
21 | #include <sys/types.h> | 23 | #include <sys/types.h> |
22 | #include <sys/param.h> | 24 | #include <sys/param.h> |
23 | #include <openbsd-compat/sys-tree.h> | 25 | #include <openbsd-compat/sys-tree.h> |
@@ -1282,3 +1284,4 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key) | |||
1282 | errno = oerrno; | 1284 | errno = oerrno; |
1283 | return r; | 1285 | return r; |
1284 | } | 1286 | } |
1287 | #endif /* WITH_OPENSSL */ | ||
@@ -39,6 +39,8 @@ | |||
39 | 39 | ||
40 | #include "includes.h" | 40 | #include "includes.h" |
41 | 41 | ||
42 | #ifdef WITH_OPENSSL | ||
43 | |||
42 | #include <sys/param.h> | 44 | #include <sys/param.h> |
43 | #include <sys/types.h> | 45 | #include <sys/types.h> |
44 | 46 | ||
@@ -802,3 +804,5 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, | |||
802 | 804 | ||
803 | return (res); | 805 | return (res); |
804 | } | 806 | } |
807 | |||
808 | #endif /* WITH_OPENSSL */ | ||
diff --git a/monitor_wrap.c b/monitor_wrap.c index f4e11c966..b0dbb3f70 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -151,8 +151,10 @@ mm_request_receive(int sock, Buffer *m) | |||
151 | debug3("%s entering", __func__); | 151 | debug3("%s entering", __func__); |
152 | 152 | ||
153 | if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { | 153 | if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { |
154 | if (errno == EPIPE) | 154 | if (errno == EPIPE) { |
155 | error("%s: socket closed", __func__); | ||
155 | cleanup_exit(255); | 156 | cleanup_exit(255); |
157 | } | ||
156 | fatal("%s: read: %s", __func__, strerror(errno)); | 158 | fatal("%s: read: %s", __func__, strerror(errno)); |
157 | } | 159 | } |
158 | msg_len = get_u32(buf); | 160 | msg_len = get_u32(buf); |
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 7be3f72aa..3c5e3b7f7 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in | |||
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@ | |||
16 | INSTALL=@INSTALL@ | 16 | INSTALL=@INSTALL@ |
17 | LDFLAGS=-L. @LDFLAGS@ | 17 | LDFLAGS=-L. @LDFLAGS@ |
18 | 18 | ||
19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o | 19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o |
20 | 20 | ||
21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o | 21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o |
22 | 22 | ||
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c index 09dbfda16..046f57e61 100644 --- a/openbsd-compat/arc4random.c +++ b/openbsd-compat/arc4random.c | |||
@@ -26,15 +26,19 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #include <sys/types.h> | ||
30 | |||
31 | #include <fcntl.h> | ||
29 | #include <stdlib.h> | 32 | #include <stdlib.h> |
30 | #include <string.h> | 33 | #include <string.h> |
31 | #include <unistd.h> | 34 | #include <unistd.h> |
32 | #include <sys/types.h> | ||
33 | 35 | ||
34 | #ifndef HAVE_ARC4RANDOM | 36 | #ifndef HAVE_ARC4RANDOM |
35 | 37 | ||
38 | #ifdef WITH_OPENSSL | ||
36 | #include <openssl/rand.h> | 39 | #include <openssl/rand.h> |
37 | #include <openssl/err.h> | 40 | #include <openssl/err.h> |
41 | #endif | ||
38 | 42 | ||
39 | #include "log.h" | 43 | #include "log.h" |
40 | 44 | ||
@@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n) | |||
73 | chacha_ivsetup(&rs, buf + KEYSZ); | 77 | chacha_ivsetup(&rs, buf + KEYSZ); |
74 | } | 78 | } |
75 | 79 | ||
80 | #ifndef WITH_OPENSSL | ||
81 | #define SSH_RANDOM_DEV "/dev/urandom" | ||
82 | /* XXX use getrandom() if supported on Linux */ | ||
83 | static void | ||
84 | getrnd(u_char *s, size_t len) | ||
85 | { | ||
86 | int fd; | ||
87 | ssize_t r; | ||
88 | size_t o = 0; | ||
89 | |||
90 | if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1) | ||
91 | fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno)); | ||
92 | while (o < len) { | ||
93 | r = read(fd, s + o, len - o); | ||
94 | if (r < 0) { | ||
95 | if (errno == EAGAIN || errno == EINTR || | ||
96 | errno == EWOULDBLOCK) | ||
97 | continue; | ||
98 | fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno)); | ||
99 | } | ||
100 | o += r; | ||
101 | } | ||
102 | close(fd); | ||
103 | } | ||
104 | #endif | ||
105 | |||
76 | static void | 106 | static void |
77 | _rs_stir(void) | 107 | _rs_stir(void) |
78 | { | 108 | { |
79 | u_char rnd[KEYSZ + IVSZ]; | 109 | u_char rnd[KEYSZ + IVSZ]; |
80 | 110 | ||
111 | #ifdef WITH_OPENSSL | ||
81 | if (RAND_bytes(rnd, sizeof(rnd)) <= 0) | 112 | if (RAND_bytes(rnd, sizeof(rnd)) <= 0) |
82 | fatal("Couldn't obtain random bytes (error %ld)", | 113 | fatal("Couldn't obtain random bytes (error %ld)", |
83 | ERR_get_error()); | 114 | ERR_get_error()); |
115 | #else | ||
116 | getrnd(rnd, sizeof(rnd)); | ||
117 | #endif | ||
84 | 118 | ||
85 | if (!rs_initialized) { | 119 | if (!rs_initialized) { |
86 | rs_initialized = 1; | 120 | rs_initialized = 1; |
diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c index 5ed1cc531..16912575a 100644 --- a/openbsd-compat/bcrypt_pbkdf.c +++ b/openbsd-compat/bcrypt_pbkdf.c | |||
@@ -32,6 +32,9 @@ | |||
32 | #endif | 32 | #endif |
33 | 33 | ||
34 | #include "crypto_api.h" | 34 | #include "crypto_api.h" |
35 | #ifdef SHA512_DIGEST_LENGTH | ||
36 | # undef SHA512_DIGEST_LENGTH | ||
37 | #endif | ||
35 | #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES | 38 | #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES |
36 | 39 | ||
37 | /* | 40 | /* |
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 94718babd..1cffefe06 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -43,7 +43,10 @@ | |||
43 | #include "readpassphrase.h" | 43 | #include "readpassphrase.h" |
44 | #include "vis.h" | 44 | #include "vis.h" |
45 | #include "getrrsetbyname.h" | 45 | #include "getrrsetbyname.h" |
46 | #include "sha1.h" | ||
46 | #include "sha2.h" | 47 | #include "sha2.h" |
48 | #include "rmd160.h" | ||
49 | #include "md5.h" | ||
47 | #include "blf.h" | 50 | #include "blf.h" |
48 | 51 | ||
49 | #ifndef HAVE_BASENAME | 52 | #ifndef HAVE_BASENAME |
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 36570e4ad..63a660c7a 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c | |||
@@ -19,6 +19,8 @@ | |||
19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS | 19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS |
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | 21 | ||
22 | #ifdef WITH_OPENSSL | ||
23 | |||
22 | #include <stdarg.h> | 24 | #include <stdarg.h> |
23 | #include <string.h> | 25 | #include <string.h> |
24 | 26 | ||
@@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void) | |||
78 | OPENSSL_config(NULL); | 80 | OPENSSL_config(NULL); |
79 | } | 81 | } |
80 | #endif | 82 | #endif |
83 | |||
84 | #endif /* WITH_OPENSSL */ | ||
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 3695d412b..8917551d3 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -20,6 +20,8 @@ | |||
20 | #define _OPENSSL_COMPAT_H | 20 | #define _OPENSSL_COMPAT_H |
21 | 21 | ||
22 | #include "includes.h" | 22 | #include "includes.h" |
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <openssl/opensslv.h> | 25 | #include <openssl/opensslv.h> |
24 | #include <openssl/evp.h> | 26 | #include <openssl/evp.h> |
25 | #include <openssl/rsa.h> | 27 | #include <openssl/rsa.h> |
@@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void); | |||
90 | 92 | ||
91 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ | 93 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ |
92 | 94 | ||
95 | #endif /* WITH_OPENSSL */ | ||
93 | #endif /* _OPENSSL_COMPAT_H */ | 96 | #endif /* _OPENSSL_COMPAT_H */ |
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c index f5bf74d1f..737935d46 100644 --- a/openbsd-compat/sha2.c +++ b/openbsd-compat/sha2.c | |||
@@ -38,13 +38,18 @@ | |||
38 | 38 | ||
39 | #include "includes.h" | 39 | #include "includes.h" |
40 | 40 | ||
41 | #include <openssl/opensslv.h> | 41 | #ifdef WITH_OPENSSL |
42 | # include <openssl/opensslv.h> | ||
43 | # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
44 | # define _NEED_SHA2 1 | ||
45 | # endif | ||
46 | #else | ||
47 | # define _NEED_SHA2 1 | ||
48 | #endif | ||
49 | |||
50 | #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) | ||
42 | 51 | ||
43 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | ||
44 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
45 | #include <sys/types.h> | ||
46 | #include <string.h> | 52 | #include <string.h> |
47 | #include "sha2.h" | ||
48 | 53 | ||
49 | /* | 54 | /* |
50 | * UNROLLED TRANSFORM LOOP NOTE: | 55 | * UNROLLED TRANSFORM LOOP NOTE: |
@@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) | |||
838 | } | 843 | } |
839 | 844 | ||
840 | 845 | ||
841 | #if 0 | ||
842 | /*** SHA-384: *********************************************************/ | 846 | /*** SHA-384: *********************************************************/ |
843 | void | 847 | void |
844 | SHA384_Init(SHA384_CTX *context) | 848 | SHA384_Init(SHA384_CTX *context) |
@@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context) | |||
851 | context->bitcount[0] = context->bitcount[1] = 0; | 855 | context->bitcount[0] = context->bitcount[1] = 0; |
852 | } | 856 | } |
853 | 857 | ||
858 | #if 0 | ||
854 | __weak_alias(SHA384_Transform, SHA512_Transform); | 859 | __weak_alias(SHA384_Transform, SHA512_Transform); |
855 | __weak_alias(SHA384_Update, SHA512_Update); | 860 | __weak_alias(SHA384_Update, SHA512_Update); |
856 | __weak_alias(SHA384_Pad, SHA512_Pad); | 861 | __weak_alias(SHA384_Pad, SHA512_Pad); |
862 | #endif | ||
863 | |||
864 | void | ||
865 | SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | ||
866 | { | ||
867 | return SHA512_Transform(state, data); | ||
868 | } | ||
869 | |||
870 | void | ||
871 | SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) | ||
872 | { | ||
873 | SHA512_Update(context, data, len); | ||
874 | } | ||
875 | |||
876 | void | ||
877 | SHA384_Pad(SHA512_CTX *context) | ||
878 | { | ||
879 | SHA512_Pad(context); | ||
880 | } | ||
857 | 881 | ||
858 | void | 882 | void |
859 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | 883 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) |
@@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | |||
876 | /* Zero out state data */ | 900 | /* Zero out state data */ |
877 | memset(context, 0, sizeof(*context)); | 901 | memset(context, 0, sizeof(*context)); |
878 | } | 902 | } |
879 | #endif | ||
880 | 903 | ||
881 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 904 | #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ |
882 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h index 73e94f150..c8bfc3cd1 100644 --- a/openbsd-compat/sha2.h +++ b/openbsd-compat/sha2.h | |||
@@ -41,10 +41,16 @@ | |||
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | 43 | ||
44 | #include <openssl/opensslv.h> | 44 | #ifdef WITH_OPENSSL |
45 | # include <openssl/opensslv.h> | ||
46 | # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
47 | # define _NEED_SHA2 1 | ||
48 | # endif | ||
49 | #else | ||
50 | # define _NEED_SHA2 1 | ||
51 | #endif | ||
45 | 52 | ||
46 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 53 | #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) |
47 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
48 | 54 | ||
49 | /*** SHA-256/384/512 Various Length Definitions ***********************/ | 55 | /*** SHA-256/384/512 Various Length Definitions ***********************/ |
50 | #define SHA256_BLOCK_LENGTH 64 | 56 | #define SHA256_BLOCK_LENGTH 64 |
@@ -70,9 +76,7 @@ typedef struct _SHA512_CTX { | |||
70 | u_int8_t buffer[SHA512_BLOCK_LENGTH]; | 76 | u_int8_t buffer[SHA512_BLOCK_LENGTH]; |
71 | } SHA512_CTX; | 77 | } SHA512_CTX; |
72 | 78 | ||
73 | #if 0 | ||
74 | typedef SHA512_CTX SHA384_CTX; | 79 | typedef SHA512_CTX SHA384_CTX; |
75 | #endif | ||
76 | 80 | ||
77 | void SHA256_Init(SHA256_CTX *); | 81 | void SHA256_Init(SHA256_CTX *); |
78 | void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]); | 82 | void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]); |
@@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *) | |||
91 | __attribute__((__bounded__(__string__,1,2))) | 95 | __attribute__((__bounded__(__string__,1,2))) |
92 | __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH))); | 96 | __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH))); |
93 | 97 | ||
94 | #if 0 | ||
95 | void SHA384_Init(SHA384_CTX *); | 98 | void SHA384_Init(SHA384_CTX *); |
96 | void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]); | 99 | void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]); |
97 | void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t) | 100 | void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t) |
@@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t) | |||
108 | char *SHA384_Data(const u_int8_t *, size_t, char *) | 111 | char *SHA384_Data(const u_int8_t *, size_t, char *) |
109 | __attribute__((__bounded__(__string__,1,2))) | 112 | __attribute__((__bounded__(__string__,1,2))) |
110 | __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH))); | 113 | __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH))); |
111 | #endif /* 0 */ | ||
112 | 114 | ||
113 | void SHA512_Init(SHA512_CTX *); | 115 | void SHA512_Init(SHA512_CTX *); |
114 | void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]); | 116 | void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]); |
@@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *) | |||
127 | __attribute__((__bounded__(__string__,1,2))) | 129 | __attribute__((__bounded__(__string__,1,2))) |
128 | __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); | 130 | __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); |
129 | 131 | ||
130 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 132 | #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ |
131 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||
132 | 133 | ||
133 | #endif /* _SSHSHA2_H */ | 134 | #endif /* _SSHSHA2_H */ |
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index c8aea461d..8577cbd8a 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c | |||
@@ -57,7 +57,7 @@ | |||
57 | # include "md5crypt.h" | 57 | # include "md5crypt.h" |
58 | # endif | 58 | # endif |
59 | 59 | ||
60 | # if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) | 60 | # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) |
61 | # include <openssl/des.h> | 61 | # include <openssl/des.h> |
62 | # define crypt DES_crypt | 62 | # define crypt DES_crypt |
63 | # endif | 63 | # endif |
@@ -1612,6 +1612,7 @@ packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point) | |||
1612 | buffer_get_ecpoint(&active_state->incoming_packet, curve, point); | 1612 | buffer_get_ecpoint(&active_state->incoming_packet, curve, point); |
1613 | } | 1613 | } |
1614 | #endif | 1614 | #endif |
1615 | #endif | ||
1615 | 1616 | ||
1616 | void * | 1617 | void * |
1617 | packet_get_raw(u_int *length_ptr) | 1618 | packet_get_raw(u_int *length_ptr) |
@@ -1622,7 +1623,6 @@ packet_get_raw(u_int *length_ptr) | |||
1622 | *length_ptr = bytes; | 1623 | *length_ptr = bytes; |
1623 | return buffer_ptr(&active_state->incoming_packet); | 1624 | return buffer_ptr(&active_state->incoming_packet); |
1624 | } | 1625 | } |
1625 | #endif | ||
1626 | 1626 | ||
1627 | int | 1627 | int |
1628 | packet_remaining(void) | 1628 | packet_remaining(void) |
@@ -70,11 +70,13 @@ extern char *__progname; | |||
70 | 70 | ||
71 | /* Default files to add */ | 71 | /* Default files to add */ |
72 | static char *default_files[] = { | 72 | static char *default_files[] = { |
73 | #ifdef WITH_OPENSSL | ||
73 | _PATH_SSH_CLIENT_ID_RSA, | 74 | _PATH_SSH_CLIENT_ID_RSA, |
74 | _PATH_SSH_CLIENT_ID_DSA, | 75 | _PATH_SSH_CLIENT_ID_DSA, |
75 | #ifdef OPENSSL_HAS_ECC | 76 | #ifdef OPENSSL_HAS_ECC |
76 | _PATH_SSH_CLIENT_ID_ECDSA, | 77 | _PATH_SSH_CLIENT_ID_ECDSA, |
77 | #endif | 78 | #endif |
79 | #endif /* WITH_OPENSSL */ | ||
78 | _PATH_SSH_CLIENT_ID_ED25519, | 80 | _PATH_SSH_CLIENT_ID_ED25519, |
79 | _PATH_SSH_CLIENT_IDENTITY, | 81 | _PATH_SSH_CLIENT_IDENTITY, |
80 | NULL | 82 | NULL |
@@ -440,7 +442,9 @@ main(int argc, char **argv) | |||
440 | __progname = ssh_get_progname(argv[0]); | 442 | __progname = ssh_get_progname(argv[0]); |
441 | seed_rng(); | 443 | seed_rng(); |
442 | 444 | ||
445 | #ifdef WITH_OPENSSL | ||
443 | OpenSSL_add_all_algorithms(); | 446 | OpenSSL_add_all_algorithms(); |
447 | #endif | ||
444 | 448 | ||
445 | setvbuf(stdout, NULL, _IOLBF, 0); | 449 | setvbuf(stdout, NULL, _IOLBF, 0); |
446 | 450 | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <openssl/bn.h> | 32 | #include <openssl/bn.h> |
@@ -217,3 +219,4 @@ ssh_dss_verify(const struct sshkey *key, | |||
217 | } | 219 | } |
218 | return ret; | 220 | return ret; |
219 | } | 221 | } |
222 | #endif /* WITH_OPENSSL */ | ||
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 1119db045..2c76f8b43 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c | |||
@@ -26,7 +26,7 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef OPENSSL_HAS_ECC | 29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
30 | 30 | ||
31 | #include <sys/types.h> | 31 | #include <sys/types.h> |
32 | 32 | ||
@@ -189,4 +189,4 @@ ssh_ecdsa_verify(const struct sshkey *key, | |||
189 | return ret; | 189 | return ret; |
190 | } | 190 | } |
191 | 191 | ||
192 | #endif /* OPENSSL_HAS_ECC */ | 192 | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 8daea7f76..75f8e2e09 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -19,9 +19,11 @@ | |||
19 | #include <sys/stat.h> | 19 | #include <sys/stat.h> |
20 | #include <sys/param.h> | 20 | #include <sys/param.h> |
21 | 21 | ||
22 | #ifdef WITH_OPENSSL | ||
22 | #include <openssl/evp.h> | 23 | #include <openssl/evp.h> |
23 | #include <openssl/pem.h> | 24 | #include <openssl/pem.h> |
24 | #include "openbsd-compat/openssl-compat.h" | 25 | #include "openbsd-compat/openssl-compat.h" |
26 | #endif | ||
25 | 27 | ||
26 | #include <errno.h> | 28 | #include <errno.h> |
27 | #include <fcntl.h> | 29 | #include <fcntl.h> |
@@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, | |||
179 | static void | 181 | static void |
180 | type_bits_valid(int type, u_int32_t *bitsp) | 182 | type_bits_valid(int type, u_int32_t *bitsp) |
181 | { | 183 | { |
184 | #ifdef WITH_OPENSSL | ||
182 | u_int maxbits; | 185 | u_int maxbits; |
186 | #endif | ||
183 | 187 | ||
184 | if (type == KEY_UNSPEC) { | 188 | if (type == KEY_UNSPEC) { |
185 | fprintf(stderr, "unknown key type %s\n", key_type_name); | 189 | fprintf(stderr, "unknown key type %s\n", key_type_name); |
@@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
193 | else | 197 | else |
194 | *bitsp = DEFAULT_BITS; | 198 | *bitsp = DEFAULT_BITS; |
195 | } | 199 | } |
200 | #ifdef WITH_OPENSSL | ||
196 | maxbits = (type == KEY_DSA) ? | 201 | maxbits = (type == KEY_DSA) ? |
197 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; | 202 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
198 | if (*bitsp > maxbits) { | 203 | if (*bitsp > maxbits) { |
199 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | 204 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
200 | exit(1); | 205 | exit(1); |
201 | } | 206 | } |
202 | #ifdef WITH_OPENSSL | ||
203 | if (type == KEY_DSA && *bitsp != 1024) | 207 | if (type == KEY_DSA && *bitsp != 1024) |
204 | fatal("DSA keys must be 1024 bits"); | 208 | fatal("DSA keys must be 1024 bits"); |
205 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) | 209 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
@@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, | |||
2102 | fclose(krl_spec); | 2106 | fclose(krl_spec); |
2103 | free(path); | 2107 | free(path); |
2104 | } | 2108 | } |
2109 | #endif /* WITH_OPENSSL */ | ||
2105 | 2110 | ||
2106 | static void | 2111 | static void |
2107 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | 2112 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) |
2108 | { | 2113 | { |
2114 | #ifdef WITH_OPENSSL | ||
2109 | struct ssh_krl *krl; | 2115 | struct ssh_krl *krl; |
2110 | struct stat sb; | 2116 | struct stat sb; |
2111 | Key *ca = NULL; | 2117 | Key *ca = NULL; |
@@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | |||
2155 | ssh_krl_free(krl); | 2161 | ssh_krl_free(krl); |
2156 | if (ca != NULL) | 2162 | if (ca != NULL) |
2157 | key_free(ca); | 2163 | key_free(ca); |
2164 | #else /* WITH_OPENSSL */ | ||
2165 | fatal("KRLs not supported without OpenSSL"); | ||
2166 | #endif /* WITH_OPENSSL */ | ||
2158 | } | 2167 | } |
2159 | 2168 | ||
2160 | static void | 2169 | static void |
2161 | do_check_krl(struct passwd *pw, int argc, char **argv) | 2170 | do_check_krl(struct passwd *pw, int argc, char **argv) |
2162 | { | 2171 | { |
2172 | #ifdef WITH_OPENSSL | ||
2163 | int i, r, ret = 0; | 2173 | int i, r, ret = 0; |
2164 | char *comment; | 2174 | char *comment; |
2165 | struct ssh_krl *krl; | 2175 | struct ssh_krl *krl; |
@@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv) | |||
2182 | } | 2192 | } |
2183 | ssh_krl_free(krl); | 2193 | ssh_krl_free(krl); |
2184 | exit(ret); | 2194 | exit(ret); |
2195 | #else /* WITH_OPENSSL */ | ||
2196 | fatal("KRLs not supported without OpenSSL"); | ||
2197 | #endif /* WITH_OPENSSL */ | ||
2185 | } | 2198 | } |
2186 | #endif | ||
2187 | 2199 | ||
2188 | static void | 2200 | static void |
2189 | usage(void) | 2201 | usage(void) |
@@ -2249,7 +2261,9 @@ main(int argc, char **argv) | |||
2249 | 2261 | ||
2250 | __progname = ssh_get_progname(argv[0]); | 2262 | __progname = ssh_get_progname(argv[0]); |
2251 | 2263 | ||
2264 | #ifdef WITH_OPENSSL | ||
2252 | OpenSSL_add_all_algorithms(); | 2265 | OpenSSL_add_all_algorithms(); |
2266 | #endif | ||
2253 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | 2267 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
2254 | 2268 | ||
2255 | seed_rng(); | 2269 | seed_rng(); |
@@ -2427,6 +2441,7 @@ main(int argc, char **argv) | |||
2427 | fatal("Invalid number: %s (%s)", | 2441 | fatal("Invalid number: %s (%s)", |
2428 | optarg, errstr); | 2442 | optarg, errstr); |
2429 | break; | 2443 | break; |
2444 | #ifdef WITH_OPENSSL | ||
2430 | case 'M': | 2445 | case 'M': |
2431 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); | 2446 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); |
2432 | if (errstr) | 2447 | if (errstr) |
@@ -2454,6 +2469,7 @@ main(int argc, char **argv) | |||
2454 | if (BN_hex2bn(&start, optarg) == 0) | 2469 | if (BN_hex2bn(&start, optarg) == 0) |
2455 | fatal("Invalid start point."); | 2470 | fatal("Invalid start point."); |
2456 | break; | 2471 | break; |
2472 | #endif /* WITH_OPENSSL */ | ||
2457 | case 'V': | 2473 | case 'V': |
2458 | parse_cert_times(optarg); | 2474 | parse_cert_times(optarg); |
2459 | break; | 2475 | break; |
@@ -2493,7 +2509,6 @@ main(int argc, char **argv) | |||
2493 | printf("Cannot use -l with -H or -R.\n"); | 2509 | printf("Cannot use -l with -H or -R.\n"); |
2494 | usage(); | 2510 | usage(); |
2495 | } | 2511 | } |
2496 | #ifdef WITH_OPENSSL | ||
2497 | if (gen_krl) { | 2512 | if (gen_krl) { |
2498 | do_gen_krl(pw, update_krl, argc, argv); | 2513 | do_gen_krl(pw, update_krl, argc, argv); |
2499 | return (0); | 2514 | return (0); |
@@ -2502,7 +2517,6 @@ main(int argc, char **argv) | |||
2502 | do_check_krl(pw, argc, argv); | 2517 | do_check_krl(pw, argc, argv); |
2503 | return (0); | 2518 | return (0); |
2504 | } | 2519 | } |
2505 | #endif | ||
2506 | if (ca_key_path != NULL) { | 2520 | if (ca_key_path != NULL) { |
2507 | if (cert_key_id == NULL) | 2521 | if (cert_key_id == NULL) |
2508 | fatal("Must specify key id (-I) when certifying"); | 2522 | fatal("Must specify key id (-I) when certifying"); |
diff --git a/ssh-keysign.c b/ssh-keysign.c index d59f115fc..821939997 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c | |||
@@ -35,9 +35,11 @@ | |||
35 | #include <string.h> | 35 | #include <string.h> |
36 | #include <unistd.h> | 36 | #include <unistd.h> |
37 | 37 | ||
38 | #ifdef WITH_OPENSSL | ||
38 | #include <openssl/evp.h> | 39 | #include <openssl/evp.h> |
39 | #include <openssl/rand.h> | 40 | #include <openssl/rand.h> |
40 | #include <openssl/rsa.h> | 41 | #include <openssl/rsa.h> |
42 | #endif | ||
41 | 43 | ||
42 | #include "xmalloc.h" | 44 | #include "xmalloc.h" |
43 | #include "log.h" | 45 | #include "log.h" |
@@ -161,7 +163,9 @@ main(int argc, char **argv) | |||
161 | u_char *signature, *data; | 163 | u_char *signature, *data; |
162 | char *host, *fp; | 164 | char *host, *fp; |
163 | u_int slen, dlen; | 165 | u_int slen, dlen; |
166 | #ifdef WITH_OPENSSL | ||
164 | u_int32_t rnd[256]; | 167 | u_int32_t rnd[256]; |
168 | #endif | ||
165 | 169 | ||
166 | /* Ensure that stdin and stdout are connected */ | 170 | /* Ensure that stdin and stdout are connected */ |
167 | if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) | 171 | if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) |
@@ -204,9 +208,11 @@ main(int argc, char **argv) | |||
204 | if (found == 0) | 208 | if (found == 0) |
205 | fatal("could not open any host key"); | 209 | fatal("could not open any host key"); |
206 | 210 | ||
211 | #ifdef WITH_OPENSSL | ||
207 | OpenSSL_add_all_algorithms(); | 212 | OpenSSL_add_all_algorithms(); |
208 | arc4random_buf(rnd, sizeof(rnd)); | 213 | arc4random_buf(rnd, sizeof(rnd)); |
209 | RAND_seed(rnd, sizeof(rnd)); | 214 | RAND_seed(rnd, sizeof(rnd)); |
215 | #endif | ||
210 | 216 | ||
211 | found = 0; | 217 | found = 0; |
212 | for (i = 0; i < NUM_KEYTYPES; i++) { | 218 | for (i = 0; i < NUM_KEYTYPES; i++) { |
@@ -17,6 +17,8 @@ | |||
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | 19 | ||
20 | #ifdef WITH_OPENSSL | ||
21 | |||
20 | #include <sys/types.h> | 22 | #include <sys/types.h> |
21 | 23 | ||
22 | #include <openssl/evp.h> | 24 | #include <openssl/evp.h> |
@@ -263,3 +265,4 @@ done: | |||
263 | } | 265 | } |
264 | return ret; | 266 | return ret; |
265 | } | 267 | } |
268 | #endif /* WITH_OPENSSL */ | ||
@@ -623,7 +623,9 @@ privsep_preauth_child(void) | |||
623 | 623 | ||
624 | arc4random_stir(); | 624 | arc4random_stir(); |
625 | arc4random_buf(rnd, sizeof(rnd)); | 625 | arc4random_buf(rnd, sizeof(rnd)); |
626 | #ifdef WITH_OPENSSL | ||
626 | RAND_seed(rnd, sizeof(rnd)); | 627 | RAND_seed(rnd, sizeof(rnd)); |
628 | #endif | ||
627 | explicit_bzero(rnd, sizeof(rnd)); | 629 | explicit_bzero(rnd, sizeof(rnd)); |
628 | 630 | ||
629 | /* Demote the private keys to public keys. */ | 631 | /* Demote the private keys to public keys. */ |
@@ -758,7 +760,9 @@ privsep_postauth(Authctxt *authctxt) | |||
758 | 760 | ||
759 | arc4random_stir(); | 761 | arc4random_stir(); |
760 | arc4random_buf(rnd, sizeof(rnd)); | 762 | arc4random_buf(rnd, sizeof(rnd)); |
763 | #ifdef WITH_OPENSSL | ||
761 | RAND_seed(rnd, sizeof(rnd)); | 764 | RAND_seed(rnd, sizeof(rnd)); |
765 | #endif | ||
762 | explicit_bzero(rnd, sizeof(rnd)); | 766 | explicit_bzero(rnd, sizeof(rnd)); |
763 | 767 | ||
764 | /* Drop privileges */ | 768 | /* Drop privileges */ |
@@ -988,7 +992,7 @@ send_rexec_state(int fd, Buffer *conf) | |||
988 | #endif | 992 | #endif |
989 | buffer_put_int(&m, 0); | 993 | buffer_put_int(&m, 0); |
990 | 994 | ||
991 | #ifndef OPENSSL_PRNG_ONLY | 995 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) |
992 | rexec_send_rng_seed(&m); | 996 | rexec_send_rng_seed(&m); |
993 | #endif | 997 | #endif |
994 | 998 | ||
@@ -1041,7 +1045,7 @@ recv_rexec_state(int fd, Buffer *conf) | |||
1041 | #endif | 1045 | #endif |
1042 | } | 1046 | } |
1043 | 1047 | ||
1044 | #ifndef OPENSSL_PRNG_ONLY | 1048 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) |
1045 | rexec_recv_rng_seed(&m); | 1049 | rexec_recv_rng_seed(&m); |
1046 | #endif | 1050 | #endif |
1047 | 1051 | ||
@@ -1372,7 +1376,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1372 | */ | 1376 | */ |
1373 | arc4random_stir(); | 1377 | arc4random_stir(); |
1374 | arc4random_buf(rnd, sizeof(rnd)); | 1378 | arc4random_buf(rnd, sizeof(rnd)); |
1379 | #ifdef WITH_OPENSSL | ||
1375 | RAND_seed(rnd, sizeof(rnd)); | 1380 | RAND_seed(rnd, sizeof(rnd)); |
1381 | #endif | ||
1376 | explicit_bzero(rnd, sizeof(rnd)); | 1382 | explicit_bzero(rnd, sizeof(rnd)); |
1377 | } | 1383 | } |
1378 | 1384 | ||