summaryrefslogtreecommitdiff
path: root/openbsd-compat
diff options
context:
space:
mode:
authorColin Watson <cjwatson@debian.org>2014-10-07 12:13:50 +0100
committerColin Watson <cjwatson@debian.org>2014-10-07 12:13:50 +0100
commit487bdb3a5ef6075887b830ccb8a0b14f6da78e93 (patch)
treea2cff6fec1e6c4b4153a170a3e172cfe6bfdec46 /openbsd-compat
parent796ba4fd011b5d0d9d78d592ba2f30fc9d5ed2e7 (diff)
parent28453d58058a4d60c3ebe7d7f0c31a510cbf6158 (diff)
Import openssh_6.7p1.orig.tar.gz
Diffstat (limited to 'openbsd-compat')
-rw-r--r--openbsd-compat/Makefile.in4
-rw-r--r--openbsd-compat/arc4random.c4
-rw-r--r--openbsd-compat/bsd-cygwin_util.c16
-rw-r--r--openbsd-compat/bsd-cygwin_util.h6
-rw-r--r--openbsd-compat/bsd-snprintf.c4
-rw-r--r--openbsd-compat/explicit_bzero.c26
-rw-r--r--openbsd-compat/kludge-fd_set.c28
-rw-r--r--openbsd-compat/openbsd-compat.h18
-rw-r--r--openbsd-compat/openssl-compat.c166
-rw-r--r--openbsd-compat/openssl-compat.h121
-rw-r--r--openbsd-compat/port-uw.c1
-rw-r--r--openbsd-compat/regress/Makefile.in6
-rw-r--r--openbsd-compat/regress/opensslvertest.c69
13 files changed, 216 insertions, 253 deletions
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in
index 6ecfb93d5..ab1a3e315 100644
--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $ 1# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@
18 18
19OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o 19OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
20 20
21COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o 21COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
22 22
23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o 23PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o
24 24
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c
index eac073cc0..09dbfda16 100644
--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -87,7 +87,7 @@ _rs_stir(void)
87 _rs_init(rnd, sizeof(rnd)); 87 _rs_init(rnd, sizeof(rnd));
88 } else 88 } else
89 _rs_rekey(rnd, sizeof(rnd)); 89 _rs_rekey(rnd, sizeof(rnd));
90 memset(rnd, 0, sizeof(rnd)); 90 explicit_bzero(rnd, sizeof(rnd));
91 91
92 /* invalidate rs_buf */ 92 /* invalidate rs_buf */
93 rs_have = 0; 93 rs_have = 0;
@@ -229,7 +229,7 @@ arc4random_buf(void *_buf, size_t n)
229 buf[i] = r & 0xff; 229 buf[i] = r & 0xff;
230 r >>= 8; 230 r >>= 8;
231 } 231 }
232 i = r = 0; 232 explicit_bzero(&r, sizeof(r));
233} 233}
234#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ 234#endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */
235 235
diff --git a/openbsd-compat/bsd-cygwin_util.c b/openbsd-compat/bsd-cygwin_util.c
index 267e77a11..a2d82126d 100644
--- a/openbsd-compat/bsd-cygwin_util.c
+++ b/openbsd-compat/bsd-cygwin_util.c
@@ -57,6 +57,22 @@ check_ntsec(const char *filename)
57 return (pathconf(filename, _PC_POSIX_PERMISSIONS)); 57 return (pathconf(filename, _PC_POSIX_PERMISSIONS));
58} 58}
59 59
60const char *
61cygwin_ssh_privsep_user()
62{
63 static char cyg_privsep_user[DNLEN + UNLEN + 2];
64
65 if (!cyg_privsep_user[0])
66 {
67#ifdef CW_CYGNAME_FROM_WINNAME
68 if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user,
69 sizeof cyg_privsep_user) != 0)
70#endif
71 strcpy (cyg_privsep_user, "sshd");
72 }
73 return cyg_privsep_user;
74}
75
60#define NL(x) x, (sizeof (x) - 1) 76#define NL(x) x, (sizeof (x) - 1)
61#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) 77#define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0]))
62 78
diff --git a/openbsd-compat/bsd-cygwin_util.h b/openbsd-compat/bsd-cygwin_util.h
index 1177366f1..79cb2a197 100644
--- a/openbsd-compat/bsd-cygwin_util.h
+++ b/openbsd-compat/bsd-cygwin_util.h
@@ -1,4 +1,4 @@
1/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */ 1/* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com> 4 * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com>
@@ -39,6 +39,8 @@
39/* Avoid including windows headers. */ 39/* Avoid including windows headers. */
40typedef void *HANDLE; 40typedef void *HANDLE;
41#define INVALID_HANDLE_VALUE ((HANDLE) -1) 41#define INVALID_HANDLE_VALUE ((HANDLE) -1)
42#define DNLEN 16
43#define UNLEN 256
42 44
43/* Cygwin functions for which declarations are only available when including 45/* Cygwin functions for which declarations are only available when including
44 windows headers, so we have to define them here explicitely. */ 46 windows headers, so we have to define them here explicitely. */
@@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_token (const HANDLE);
48#include <sys/cygwin.h> 50#include <sys/cygwin.h>
49#include <io.h> 51#include <io.h>
50 52
53#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user())
54const char *cygwin_ssh_privsep_user();
51 55
52int binary_open(const char *, int , ...); 56int binary_open(const char *, int , ...);
53int check_ntsec(const char *); 57int check_ntsec(const char *);
diff --git a/openbsd-compat/bsd-snprintf.c b/openbsd-compat/bsd-snprintf.c
index 975991e7f..23a635989 100644
--- a/openbsd-compat/bsd-snprintf.c
+++ b/openbsd-compat/bsd-snprintf.c
@@ -538,7 +538,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
538 } 538 }
539 while (*value && (cnt < max)) { 539 while (*value && (cnt < max)) {
540 DOPR_OUTCH(buffer, *currlen, maxlen, *value); 540 DOPR_OUTCH(buffer, *currlen, maxlen, *value);
541 *value++; 541 value++;
542 ++cnt; 542 ++cnt;
543 } 543 }
544 while ((padlen < 0) && (cnt < max)) { 544 while ((padlen < 0) && (cnt < max)) {
@@ -553,7 +553,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen,
553 553
554static int 554static int
555fmtint(char *buffer, size_t *currlen, size_t maxlen, 555fmtint(char *buffer, size_t *currlen, size_t maxlen,
556 LLONG value, int base, int min, int max, int flags) 556 intmax_t value, int base, int min, int max, int flags)
557{ 557{
558 int signvalue = 0; 558 int signvalue = 0;
559 unsigned LLONG uvalue; 559 unsigned LLONG uvalue;
diff --git a/openbsd-compat/explicit_bzero.c b/openbsd-compat/explicit_bzero.c
index b106741e5..3c85a4843 100644
--- a/openbsd-compat/explicit_bzero.c
+++ b/openbsd-compat/explicit_bzero.c
@@ -7,14 +7,34 @@
7 7
8#include "includes.h" 8#include "includes.h"
9 9
10/*
11 * explicit_bzero - don't let the compiler optimize away bzero
12 */
13
10#ifndef HAVE_EXPLICIT_BZERO 14#ifndef HAVE_EXPLICIT_BZERO
11 15
16#ifdef HAVE_MEMSET_S
17
18void
19explicit_bzero(void *p, size_t n)
20{
21 (void)memset_s(p, n, 0, n);
22}
23
24#else /* HAVE_MEMSET_S */
25
12/* 26/*
13 * explicit_bzero - don't let the compiler optimize away bzero 27 * Indirect bzero through a volatile pointer to hopefully avoid
28 * dead-store optimisation eliminating the call.
14 */ 29 */
30static void (* volatile ssh_bzero)(void *, size_t) = bzero;
31
15void 32void
16explicit_bzero(void *p, size_t n) 33explicit_bzero(void *p, size_t n)
17{ 34{
18 bzero(p, n); 35 ssh_bzero(p, n);
19} 36}
20#endif 37
38#endif /* HAVE_MEMSET_S */
39
40#endif /* HAVE_EXPLICIT_BZERO */
diff --git a/openbsd-compat/kludge-fd_set.c b/openbsd-compat/kludge-fd_set.c
new file mode 100644
index 000000000..6c2ffb64b
--- /dev/null
+++ b/openbsd-compat/kludge-fd_set.c
@@ -0,0 +1,28 @@
1/* Placed in the public domain. */
2
3/*
4 * _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b)
5 * where n > FD_SETSIZE. This breaks OpenSSH and other programs that
6 * explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a
7 * function compiled without _FORTIFY_SOURCE.
8 */
9
10#include "config.h"
11
12#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
13# include <features.h>
14# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
15# if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
16# undef _FORTIFY_SOURCE
17# undef __USE_FORTIFY_LEVEL
18# include <sys/socket.h>
19void kludge_FD_SET(int n, fd_set *set) {
20 FD_SET(n, set);
21}
22int kludge_FD_ISSET(int n, fd_set *set) {
23 return FD_ISSET(n, set);
24}
25# endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
26# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
27#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
28
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h
index bc9888e31..ce6abae82 100644
--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */ 1/* $Id: openbsd-compat.h,v 1.62 2014/09/30 23:43:08 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved. 4 * Copyright (c) 1999-2003 Damien Miller. All rights reserved.
@@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw);
268#include "port-tun.h" 268#include "port-tun.h"
269#include "port-uw.h" 269#include "port-uw.h"
270 270
271/* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */
272#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE)
273# include <features.h>
274# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ)
275# if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0)
276# include <sys/socket.h> /* Ensure include guard is defined */
277# undef FD_SET
278# undef FD_ISSET
279# define FD_SET(n, set) kludge_FD_SET(n, set)
280# define FD_ISSET(n, set) kludge_FD_ISSET(n, set)
281void kludge_FD_SET(int, fd_set *);
282int kludge_FD_ISSET(int, fd_set *);
283# endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */
284# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */
285#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */
286
271#endif /* _OPENBSD_COMPAT_H */ 287#endif /* _OPENBSD_COMPAT_H */
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c
index 885c121f2..36570e4ad 100644
--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ 1/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,6 +16,7 @@
16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */ 17 */
18 18
19#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
19#include "includes.h" 20#include "includes.h"
20 21
21#include <stdarg.h> 22#include <stdarg.h>
@@ -26,147 +27,44 @@
26# include <openssl/conf.h> 27# include <openssl/conf.h>
27#endif 28#endif
28 29
29#ifndef HAVE_RSA_GET_DEFAULT_METHOD
30# include <openssl/rsa.h>
31#endif
32
33#include "log.h" 30#include "log.h"
34 31
35#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
36#include "openssl-compat.h" 32#include "openssl-compat.h"
37 33
38#ifdef SSH_OLD_EVP 34/*
39int 35 * OpenSSL version numbers: MNNFFPPS: major minor fix patch status
40ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, 36 * We match major, minor, fix and status (not patch) for <1.0.0.
41 unsigned char *key, unsigned char *iv, int enc) 37 * After that, we acceptable compatible fix versions (so we
42{ 38 * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed
43 EVP_CipherInit(evp, type, key, iv, enc); 39 * within a patch series.
44 return 1; 40 */
45}
46
47int
48ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len)
49{
50 EVP_Cipher(evp, dst, src, len);
51 return 1;
52}
53
54int
55ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp)
56{
57 EVP_CIPHER_CTX_cleanup(evp);
58 return 1;
59}
60#endif
61
62#ifndef HAVE_EVP_DIGESTINIT_EX
63int
64EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine)
65{
66 if (engine != NULL)
67 fatal("%s: ENGINE is not supported", __func__);
68# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
69 EVP_DigestInit(ctx, md);
70 return 1;
71# else
72 return EVP_DigestInit(ctx, md);
73# endif
74}
75#endif
76
77#ifndef HAVE_EVP_DIGESTFINAL_EX
78int
79EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s)
80{
81# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
82 EVP_DigestFinal(ctx, md, s);
83 return 1;
84# else
85 return EVP_DigestFinal(ctx, md, s);
86# endif
87}
88#endif
89
90#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
91int
92ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt)
93{
94 EVP_DigestUpdate(ctx, d, cnt);
95 return 1;
96}
97#endif
98
99#ifndef HAVE_EVP_MD_CTX_COPY_EX
100int
101EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in)
102{
103 return EVP_MD_CTX_copy(out, in);
104}
105#endif
106
107#ifndef HAVE_BN_IS_PRIME_EX
108int
109BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb)
110{
111 if (cb != NULL)
112 fatal("%s: callback args not supported", __func__);
113 return BN_is_prime(p, nchecks, NULL, ctx, NULL);
114}
115#endif
116
117#ifndef HAVE_RSA_GENERATE_KEY_EX
118int
119RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb)
120{
121 RSA *new_rsa, tmp_rsa;
122 unsigned long e;
123
124 if (cb != NULL)
125 fatal("%s: callback args not supported", __func__);
126 e = BN_get_word(bn_e);
127 if (e == 0xffffffffL)
128 fatal("%s: value of e too large", __func__);
129 new_rsa = RSA_generate_key(bits, e, NULL, NULL);
130 if (new_rsa == NULL)
131 return 0;
132 /* swap rsa/new_rsa then free new_rsa */
133 tmp_rsa = *rsa;
134 *rsa = *new_rsa;
135 *new_rsa = tmp_rsa;
136 RSA_free(new_rsa);
137 return 1;
138}
139#endif
140 41
141#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
142int 42int
143DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed, 43ssh_compatible_openssl(long headerver, long libver)
144 int seed_len, int *counter_ret, unsigned long *h_ret, void *cb)
145{ 44{
146 DSA *new_dsa, tmp_dsa; 45 long mask, hfix, lfix;
147 46
148 if (cb != NULL) 47 /* exact match is always OK */
149 fatal("%s: callback args not supported", __func__); 48 if (headerver == libver)
150 new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len, 49 return 1;
151 counter_ret, h_ret, NULL, NULL); 50
152 if (new_dsa == NULL) 51 /* for versions < 1.0.0, major,minor,fix,status must match */
153 return 0; 52 if (headerver < 0x1000000f) {
154 /* swap dsa/new_dsa then free new_dsa */ 53 mask = 0xfffff00fL; /* major,minor,fix,status */
155 tmp_dsa = *dsa; 54 return (headerver & mask) == (libver & mask);
156 *dsa = *new_dsa; 55 }
157 *new_dsa = tmp_dsa; 56
158 DSA_free(new_dsa); 57 /*
159 return 1; 58 * For versions >= 1.0.0, major,minor,status must match and library
160} 59 * fix version must be equal to or newer than the header.
161#endif 60 */
162 61 mask = 0xfff0000fL; /* major,minor,status */
163#ifndef HAVE_RSA_GET_DEFAULT_METHOD 62 hfix = (headerver & 0x000ff000) >> 12;
164RSA_METHOD * 63 lfix = (libver & 0x000ff000) >> 12;
165RSA_get_default_method(void) 64 if ( (headerver & mask) == (libver & mask) && lfix >= hfix)
166{ 65 return 1;
167 return RSA_PKCS1_SSLeay(); 66 return 0;
168} 67}
169#endif
170 68
171#ifdef USE_OPENSSL_ENGINE 69#ifdef USE_OPENSSL_ENGINE
172void 70void
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 276b9706d..3695d412b 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
1/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */ 1/* $Id: openssl-compat.h,v 1.31 2014/08/29 18:18:29 djm Exp $ */
2 2
3/* 3/*
4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> 4 * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -16,28 +16,19 @@
16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */ 17 */
18 18
19#ifndef _OPENSSL_COMPAT_H
20#define _OPENSSL_COMPAT_H
21
19#include "includes.h" 22#include "includes.h"
20#include <openssl/opensslv.h> 23#include <openssl/opensslv.h>
21#include <openssl/evp.h> 24#include <openssl/evp.h>
22#include <openssl/rsa.h> 25#include <openssl/rsa.h>
23#include <openssl/dsa.h> 26#include <openssl/dsa.h>
24 27
25/* Only in 0.9.8 */ 28int ssh_compatible_openssl(long, long);
26#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
27# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
28#endif
29#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
30# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
31#endif
32
33/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */
34#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f)
35# define OPENSSL_free(x) Free(x)
36#endif
37 29
38#if OPENSSL_VERSION_NUMBER < 0x00906000L 30#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL)
39# define SSH_OLD_EVP 31# error OpenSSL 0.9.8f or greater is required
40# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data)
41#endif 32#endif
42 33
43#if OPENSSL_VERSION_NUMBER < 0x10000001L 34#if OPENSSL_VERSION_NUMBER < 0x10000001L
@@ -46,27 +37,17 @@
46# define LIBCRYPTO_EVP_INL_TYPE size_t 37# define LIBCRYPTO_EVP_INL_TYPE size_t
47#endif 38#endif
48 39
49#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES) 40#ifndef OPENSSL_RSA_MAX_MODULUS_BITS
50# define USE_BUILTIN_RIJNDAEL 41# define OPENSSL_RSA_MAX_MODULUS_BITS 16384
51#endif 42#endif
52 43#ifndef OPENSSL_DSA_MAX_MODULUS_BITS
53#ifdef USE_BUILTIN_RIJNDAEL 44# define OPENSSL_DSA_MAX_MODULUS_BITS 10000
54# include "rijndael.h"
55# define AES_KEY rijndael_ctx
56# define AES_BLOCK_SIZE 16
57# define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b)
58# define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1)
59# define EVP_aes_128_cbc evp_rijndael
60# define EVP_aes_192_cbc evp_rijndael
61# define EVP_aes_256_cbc evp_rijndael
62const EVP_CIPHER *evp_rijndael(void);
63void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int);
64#endif 45#endif
65 46
66#ifndef OPENSSL_HAVE_EVPCTR 47#ifndef OPENSSL_HAVE_EVPCTR
67#define EVP_aes_128_ctr evp_aes_128_ctr 48# define EVP_aes_128_ctr evp_aes_128_ctr
68#define EVP_aes_192_ctr evp_aes_128_ctr 49# define EVP_aes_192_ctr evp_aes_128_ctr
69#define EVP_aes_256_ctr evp_aes_128_ctr 50# define EVP_aes_256_ctr evp_aes_128_ctr
70const EVP_CIPHER *evp_aes_128_ctr(void); 51const EVP_CIPHER *evp_aes_128_ctr(void);
71void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); 52void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
72#endif 53#endif
@@ -88,26 +69,9 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
88# endif 69# endif
89#endif 70#endif
90 71
91#if OPENSSL_VERSION_NUMBER < 0x00907000L
92#define EVP_X_STATE(evp) &(evp).c
93#define EVP_X_STATE_LEN(evp) sizeof((evp).c)
94#else
95#define EVP_X_STATE(evp) (evp).cipher_data
96#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size
97#endif
98
99/* OpenSSL 0.9.8e returns cipher key len not context key len */
100#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
101# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
102#endif
103
104#ifndef HAVE_RSA_GET_DEFAULT_METHOD
105RSA_METHOD *RSA_get_default_method(void);
106#endif
107
108/* 72/*
109 * We overload some of the OpenSSL crypto functions with ssh_* equivalents 73 * We overload some of the OpenSSL crypto functions with ssh_* equivalents
110 * which cater for older and/or less featureful OpenSSL version. 74 * to automatically handle OpenSSL engine initialisation.
111 * 75 *
112 * In order for the compat library to call the real functions, it must 76 * In order for the compat library to call the real functions, it must
113 * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and 77 * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and
@@ -115,19 +79,6 @@ RSA_METHOD *RSA_get_default_method(void);
115 */ 79 */
116#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS 80#ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS
117 81
118# ifdef SSH_OLD_EVP
119# ifdef EVP_Cipher
120# undef EVP_Cipher
121# endif
122# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e))
123# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d))
124# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a))
125# endif /* SSH_OLD_EVP */
126
127# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID
128# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c))
129# endif
130
131# ifdef USE_OPENSSL_ENGINE 82# ifdef USE_OPENSSL_ENGINE
132# ifdef OpenSSL_add_all_algorithms 83# ifdef OpenSSL_add_all_algorithms
133# undef OpenSSL_add_all_algorithms 84# undef OpenSSL_add_all_algorithms
@@ -135,48 +86,8 @@ RSA_METHOD *RSA_get_default_method(void);
135# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() 86# define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms()
136# endif 87# endif
137 88
138# ifndef HAVE_BN_IS_PRIME_EX
139int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *);
140# endif
141
142# ifndef HAVE_DSA_GENERATE_PARAMETERS_EX
143int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *,
144 unsigned long *, void *);
145# endif
146
147# ifndef HAVE_RSA_GENERATE_KEY_EX
148int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *);
149# endif
150
151# ifndef HAVE_EVP_DIGESTINIT_EX
152int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *);
153# endif
154
155# ifndef HAVE_EVP_DISESTFINAL_EX
156int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *);
157# endif
158
159# ifndef EVP_MD_CTX_COPY_EX
160int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *);
161# endif
162
163int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *,
164 unsigned char *, int);
165int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int);
166int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *);
167void ssh_OpenSSL_add_all_algorithms(void); 89void ssh_OpenSSL_add_all_algorithms(void);
168 90
169# ifndef HAVE_HMAC_CTX_INIT
170# define HMAC_CTX_init(a)
171# endif
172
173# ifndef HAVE_EVP_MD_CTX_INIT
174# define EVP_MD_CTX_init(a)
175# endif
176
177# ifndef HAVE_EVP_MD_CTX_CLEANUP
178# define EVP_MD_CTX_cleanup(a)
179# endif
180
181#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ 91#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
182 92
93#endif /* _OPENSSL_COMPAT_H */
diff --git a/openbsd-compat/port-uw.c b/openbsd-compat/port-uw.c
index b1fbfa208..db24dbb94 100644
--- a/openbsd-compat/port-uw.c
+++ b/openbsd-compat/port-uw.c
@@ -42,6 +42,7 @@
42#include "key.h" 42#include "key.h"
43#include "auth-options.h" 43#include "auth-options.h"
44#include "log.h" 44#include "log.h"
45#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */
45#include "servconf.h" 46#include "servconf.h"
46#include "hostfile.h" 47#include "hostfile.h"
47#include "auth.h" 48#include "auth.h"
diff --git a/openbsd-compat/regress/Makefile.in b/openbsd-compat/regress/Makefile.in
index bcf214bd0..dabdb0912 100644
--- a/openbsd-compat/regress/Makefile.in
+++ b/openbsd-compat/regress/Makefile.in
@@ -1,4 +1,4 @@
1# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ 1# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $
2 2
3sysconfdir=@sysconfdir@ 3sysconfdir=@sysconfdir@
4piddir=@piddir@ 4piddir=@piddir@
@@ -16,11 +16,11 @@ LIBS=@LIBS@
16LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) 16LDFLAGS=@LDFLAGS@ $(LIBCOMPAT)
17 17
18TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ 18TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \
19 strtonumtest$(EXEEXT) 19 strtonumtest$(EXEEXT) opensslvertest$(EXEEXT)
20 20
21all: t-exec ${OTHERTESTS} 21all: t-exec ${OTHERTESTS}
22 22
23%$(EXEEXT): %.c 23%$(EXEEXT): %.c $(LIBCOMPAT)
24 $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) 24 $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS)
25 25
26t-exec: $(TESTPROGS) 26t-exec: $(TESTPROGS)
diff --git a/openbsd-compat/regress/opensslvertest.c b/openbsd-compat/regress/opensslvertest.c
new file mode 100644
index 000000000..5d019b598
--- /dev/null
+++ b/openbsd-compat/regress/opensslvertest.c
@@ -0,0 +1,69 @@
1/*
2 * Copyright (c) 2014 Darren Tucker
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 */
16
17#include <stdio.h>
18#include <stdlib.h>
19
20int ssh_compatible_openssl(long, long);
21
22struct version_test {
23 long headerver;
24 long libver;
25 int result;
26} version_tests[] = {
27 /* built with 0.9.8b release headers */
28 { 0x0090802fL, 0x0090802fL, 1}, /* exact match */
29 { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */
30 { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */
31 { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */
32 { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */
33 { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */
34 { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */
35
36 /* built with 1.0.1b release headers */
37 { 0x1000101fL, 0x1000101fL, 1},/* exact match */
38 { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */
39 { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */
40 { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */
41 { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */
42 { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */
43 { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */
44 { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */
45};
46
47void
48fail(long hver, long lver, int result)
49{
50 fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result);
51 exit(1);
52}
53
54int
55main(void)
56{
57 unsigned int i;
58 int res;
59 long hver, lver;
60
61 for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) {
62 hver = version_tests[i].headerver;
63 lver = version_tests[i].libver;
64 res = version_tests[i].result;
65 if (ssh_compatible_openssl(hver, lver) != res)
66 fail(hver, lver, res);
67 }
68 exit(0);
69}