- (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have

   the required OpenSSL support.  Patch from naddy at freebsd.

2 files changed, 10 insertions, 1 deletions

diff --git a/ChangeLog b/ChangeLog
index a7ab9a693..6805e8a10 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -11,6 +11,8 @@
      bz#1917, also reported and tested by tedu@.  ok djm@ markus@.
  - (dtucker) [Makefile.in configure.ac fixalgorithms] Remove unsupported
    algorithms (Ciphers, MACs and HostKeyAlgorithms) from man pages.
+ - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
+   the required OpenSSL support.  Patch from naddy at freebsd.
 
 20130605
  - (dtucker) [myproposal.h] Enable sha256 kex methods based on the presence of
diff --git a/myproposal.h b/myproposal.h
index f13c74850..276108bf6 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -45,6 +45,13 @@
 # define HOSTKEY_ECDSA_METHODS
 #endif
 
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+        "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
+#else
+# define AESGCM_CIPHER_MODES
+#endif
+
 /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
 #ifdef HAVE_EVP_SHA256
 # define KEX_SHA256_METHODS \
@@ -73,7 +80,7 @@
 #define KEX_DEFAULT_ENCRYPT \
         "aes128-ctr,aes192-ctr,aes256-ctr," \
         "arcfour256,arcfour128," \
-        "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
+        AESGCM_CIPHER_MODES \
         "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
         "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
 #ifdef HAVE_EVP_SHA256