diff options
author | Damien Miller <djm@mindrot.org> | 2015-01-15 02:21:31 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2015-01-15 02:28:36 +1100 |
commit | 72ef7c148c42db7d5632a29f137f8b87b579f2d9 (patch) | |
tree | 47954a387f4260cc8b1e0ff33bbbaf22fd6f11fc /openbsd-compat | |
parent | 4f38c61c68ae7e3f9ee4b3c38bc86cd39f65ece9 (diff) |
support --without-openssl at configure time
Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.
Considered highly experimental for now.
Diffstat (limited to 'openbsd-compat')
-rw-r--r-- | openbsd-compat/Makefile.in | 2 | ||||
-rw-r--r-- | openbsd-compat/arc4random.c | 36 | ||||
-rw-r--r-- | openbsd-compat/bcrypt_pbkdf.c | 3 | ||||
-rw-r--r-- | openbsd-compat/openbsd-compat.h | 3 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.c | 4 | ||||
-rw-r--r-- | openbsd-compat/openssl-compat.h | 3 | ||||
-rw-r--r-- | openbsd-compat/sha2.c | 40 | ||||
-rw-r--r-- | openbsd-compat/sha2.h | 19 | ||||
-rw-r--r-- | openbsd-compat/xcrypt.c | 2 |
9 files changed, 91 insertions, 21 deletions
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 7be3f72aa..3c5e3b7f7 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in | |||
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@ | |||
16 | INSTALL=@INSTALL@ | 16 | INSTALL=@INSTALL@ |
17 | LDFLAGS=-L. @LDFLAGS@ | 17 | LDFLAGS=-L. @LDFLAGS@ |
18 | 18 | ||
19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o | 19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o |
20 | 20 | ||
21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o | 21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o |
22 | 22 | ||
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c index 09dbfda16..046f57e61 100644 --- a/openbsd-compat/arc4random.c +++ b/openbsd-compat/arc4random.c | |||
@@ -26,15 +26,19 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #include <sys/types.h> | ||
30 | |||
31 | #include <fcntl.h> | ||
29 | #include <stdlib.h> | 32 | #include <stdlib.h> |
30 | #include <string.h> | 33 | #include <string.h> |
31 | #include <unistd.h> | 34 | #include <unistd.h> |
32 | #include <sys/types.h> | ||
33 | 35 | ||
34 | #ifndef HAVE_ARC4RANDOM | 36 | #ifndef HAVE_ARC4RANDOM |
35 | 37 | ||
38 | #ifdef WITH_OPENSSL | ||
36 | #include <openssl/rand.h> | 39 | #include <openssl/rand.h> |
37 | #include <openssl/err.h> | 40 | #include <openssl/err.h> |
41 | #endif | ||
38 | 42 | ||
39 | #include "log.h" | 43 | #include "log.h" |
40 | 44 | ||
@@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n) | |||
73 | chacha_ivsetup(&rs, buf + KEYSZ); | 77 | chacha_ivsetup(&rs, buf + KEYSZ); |
74 | } | 78 | } |
75 | 79 | ||
80 | #ifndef WITH_OPENSSL | ||
81 | #define SSH_RANDOM_DEV "/dev/urandom" | ||
82 | /* XXX use getrandom() if supported on Linux */ | ||
83 | static void | ||
84 | getrnd(u_char *s, size_t len) | ||
85 | { | ||
86 | int fd; | ||
87 | ssize_t r; | ||
88 | size_t o = 0; | ||
89 | |||
90 | if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1) | ||
91 | fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno)); | ||
92 | while (o < len) { | ||
93 | r = read(fd, s + o, len - o); | ||
94 | if (r < 0) { | ||
95 | if (errno == EAGAIN || errno == EINTR || | ||
96 | errno == EWOULDBLOCK) | ||
97 | continue; | ||
98 | fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno)); | ||
99 | } | ||
100 | o += r; | ||
101 | } | ||
102 | close(fd); | ||
103 | } | ||
104 | #endif | ||
105 | |||
76 | static void | 106 | static void |
77 | _rs_stir(void) | 107 | _rs_stir(void) |
78 | { | 108 | { |
79 | u_char rnd[KEYSZ + IVSZ]; | 109 | u_char rnd[KEYSZ + IVSZ]; |
80 | 110 | ||
111 | #ifdef WITH_OPENSSL | ||
81 | if (RAND_bytes(rnd, sizeof(rnd)) <= 0) | 112 | if (RAND_bytes(rnd, sizeof(rnd)) <= 0) |
82 | fatal("Couldn't obtain random bytes (error %ld)", | 113 | fatal("Couldn't obtain random bytes (error %ld)", |
83 | ERR_get_error()); | 114 | ERR_get_error()); |
115 | #else | ||
116 | getrnd(rnd, sizeof(rnd)); | ||
117 | #endif | ||
84 | 118 | ||
85 | if (!rs_initialized) { | 119 | if (!rs_initialized) { |
86 | rs_initialized = 1; | 120 | rs_initialized = 1; |
diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c index 5ed1cc531..16912575a 100644 --- a/openbsd-compat/bcrypt_pbkdf.c +++ b/openbsd-compat/bcrypt_pbkdf.c | |||
@@ -32,6 +32,9 @@ | |||
32 | #endif | 32 | #endif |
33 | 33 | ||
34 | #include "crypto_api.h" | 34 | #include "crypto_api.h" |
35 | #ifdef SHA512_DIGEST_LENGTH | ||
36 | # undef SHA512_DIGEST_LENGTH | ||
37 | #endif | ||
35 | #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES | 38 | #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES |
36 | 39 | ||
37 | /* | 40 | /* |
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 94718babd..1cffefe06 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -43,7 +43,10 @@ | |||
43 | #include "readpassphrase.h" | 43 | #include "readpassphrase.h" |
44 | #include "vis.h" | 44 | #include "vis.h" |
45 | #include "getrrsetbyname.h" | 45 | #include "getrrsetbyname.h" |
46 | #include "sha1.h" | ||
46 | #include "sha2.h" | 47 | #include "sha2.h" |
48 | #include "rmd160.h" | ||
49 | #include "md5.h" | ||
47 | #include "blf.h" | 50 | #include "blf.h" |
48 | 51 | ||
49 | #ifndef HAVE_BASENAME | 52 | #ifndef HAVE_BASENAME |
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 36570e4ad..63a660c7a 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c | |||
@@ -19,6 +19,8 @@ | |||
19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS | 19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS |
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | 21 | ||
22 | #ifdef WITH_OPENSSL | ||
23 | |||
22 | #include <stdarg.h> | 24 | #include <stdarg.h> |
23 | #include <string.h> | 25 | #include <string.h> |
24 | 26 | ||
@@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void) | |||
78 | OPENSSL_config(NULL); | 80 | OPENSSL_config(NULL); |
79 | } | 81 | } |
80 | #endif | 82 | #endif |
83 | |||
84 | #endif /* WITH_OPENSSL */ | ||
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 3695d412b..8917551d3 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -20,6 +20,8 @@ | |||
20 | #define _OPENSSL_COMPAT_H | 20 | #define _OPENSSL_COMPAT_H |
21 | 21 | ||
22 | #include "includes.h" | 22 | #include "includes.h" |
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <openssl/opensslv.h> | 25 | #include <openssl/opensslv.h> |
24 | #include <openssl/evp.h> | 26 | #include <openssl/evp.h> |
25 | #include <openssl/rsa.h> | 27 | #include <openssl/rsa.h> |
@@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void); | |||
90 | 92 | ||
91 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ | 93 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ |
92 | 94 | ||
95 | #endif /* WITH_OPENSSL */ | ||
93 | #endif /* _OPENSSL_COMPAT_H */ | 96 | #endif /* _OPENSSL_COMPAT_H */ |
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c index f5bf74d1f..737935d46 100644 --- a/openbsd-compat/sha2.c +++ b/openbsd-compat/sha2.c | |||
@@ -38,13 +38,18 @@ | |||
38 | 38 | ||
39 | #include "includes.h" | 39 | #include "includes.h" |
40 | 40 | ||
41 | #include <openssl/opensslv.h> | 41 | #ifdef WITH_OPENSSL |
42 | # include <openssl/opensslv.h> | ||
43 | # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
44 | # define _NEED_SHA2 1 | ||
45 | # endif | ||
46 | #else | ||
47 | # define _NEED_SHA2 1 | ||
48 | #endif | ||
49 | |||
50 | #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) | ||
42 | 51 | ||
43 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | ||
44 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
45 | #include <sys/types.h> | ||
46 | #include <string.h> | 52 | #include <string.h> |
47 | #include "sha2.h" | ||
48 | 53 | ||
49 | /* | 54 | /* |
50 | * UNROLLED TRANSFORM LOOP NOTE: | 55 | * UNROLLED TRANSFORM LOOP NOTE: |
@@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) | |||
838 | } | 843 | } |
839 | 844 | ||
840 | 845 | ||
841 | #if 0 | ||
842 | /*** SHA-384: *********************************************************/ | 846 | /*** SHA-384: *********************************************************/ |
843 | void | 847 | void |
844 | SHA384_Init(SHA384_CTX *context) | 848 | SHA384_Init(SHA384_CTX *context) |
@@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context) | |||
851 | context->bitcount[0] = context->bitcount[1] = 0; | 855 | context->bitcount[0] = context->bitcount[1] = 0; |
852 | } | 856 | } |
853 | 857 | ||
858 | #if 0 | ||
854 | __weak_alias(SHA384_Transform, SHA512_Transform); | 859 | __weak_alias(SHA384_Transform, SHA512_Transform); |
855 | __weak_alias(SHA384_Update, SHA512_Update); | 860 | __weak_alias(SHA384_Update, SHA512_Update); |
856 | __weak_alias(SHA384_Pad, SHA512_Pad); | 861 | __weak_alias(SHA384_Pad, SHA512_Pad); |
862 | #endif | ||
863 | |||
864 | void | ||
865 | SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | ||
866 | { | ||
867 | return SHA512_Transform(state, data); | ||
868 | } | ||
869 | |||
870 | void | ||
871 | SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) | ||
872 | { | ||
873 | SHA512_Update(context, data, len); | ||
874 | } | ||
875 | |||
876 | void | ||
877 | SHA384_Pad(SHA512_CTX *context) | ||
878 | { | ||
879 | SHA512_Pad(context); | ||
880 | } | ||
857 | 881 | ||
858 | void | 882 | void |
859 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | 883 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) |
@@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | |||
876 | /* Zero out state data */ | 900 | /* Zero out state data */ |
877 | memset(context, 0, sizeof(*context)); | 901 | memset(context, 0, sizeof(*context)); |
878 | } | 902 | } |
879 | #endif | ||
880 | 903 | ||
881 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 904 | #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ |
882 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h index 73e94f150..c8bfc3cd1 100644 --- a/openbsd-compat/sha2.h +++ b/openbsd-compat/sha2.h | |||
@@ -41,10 +41,16 @@ | |||
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | 43 | ||
44 | #include <openssl/opensslv.h> | 44 | #ifdef WITH_OPENSSL |
45 | # include <openssl/opensslv.h> | ||
46 | # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
47 | # define _NEED_SHA2 1 | ||
48 | # endif | ||
49 | #else | ||
50 | # define _NEED_SHA2 1 | ||
51 | #endif | ||
45 | 52 | ||
46 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 53 | #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) |
47 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
48 | 54 | ||
49 | /*** SHA-256/384/512 Various Length Definitions ***********************/ | 55 | /*** SHA-256/384/512 Various Length Definitions ***********************/ |
50 | #define SHA256_BLOCK_LENGTH 64 | 56 | #define SHA256_BLOCK_LENGTH 64 |
@@ -70,9 +76,7 @@ typedef struct _SHA512_CTX { | |||
70 | u_int8_t buffer[SHA512_BLOCK_LENGTH]; | 76 | u_int8_t buffer[SHA512_BLOCK_LENGTH]; |
71 | } SHA512_CTX; | 77 | } SHA512_CTX; |
72 | 78 | ||
73 | #if 0 | ||
74 | typedef SHA512_CTX SHA384_CTX; | 79 | typedef SHA512_CTX SHA384_CTX; |
75 | #endif | ||
76 | 80 | ||
77 | void SHA256_Init(SHA256_CTX *); | 81 | void SHA256_Init(SHA256_CTX *); |
78 | void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]); | 82 | void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]); |
@@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *) | |||
91 | __attribute__((__bounded__(__string__,1,2))) | 95 | __attribute__((__bounded__(__string__,1,2))) |
92 | __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH))); | 96 | __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH))); |
93 | 97 | ||
94 | #if 0 | ||
95 | void SHA384_Init(SHA384_CTX *); | 98 | void SHA384_Init(SHA384_CTX *); |
96 | void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]); | 99 | void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]); |
97 | void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t) | 100 | void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t) |
@@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t) | |||
108 | char *SHA384_Data(const u_int8_t *, size_t, char *) | 111 | char *SHA384_Data(const u_int8_t *, size_t, char *) |
109 | __attribute__((__bounded__(__string__,1,2))) | 112 | __attribute__((__bounded__(__string__,1,2))) |
110 | __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH))); | 113 | __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH))); |
111 | #endif /* 0 */ | ||
112 | 114 | ||
113 | void SHA512_Init(SHA512_CTX *); | 115 | void SHA512_Init(SHA512_CTX *); |
114 | void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]); | 116 | void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]); |
@@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *) | |||
127 | __attribute__((__bounded__(__string__,1,2))) | 129 | __attribute__((__bounded__(__string__,1,2))) |
128 | __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); | 130 | __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); |
129 | 131 | ||
130 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 132 | #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ |
131 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||
132 | 133 | ||
133 | #endif /* _SSHSHA2_H */ | 134 | #endif /* _SSHSHA2_H */ |
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index c8aea461d..8577cbd8a 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c | |||
@@ -57,7 +57,7 @@ | |||
57 | # include "md5crypt.h" | 57 | # include "md5crypt.h" |
58 | # endif | 58 | # endif |
59 | 59 | ||
60 | # if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) | 60 | # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) |
61 | # include <openssl/des.h> | 61 | # include <openssl/des.h> |
62 | # define crypt DES_crypt | 62 | # define crypt DES_crypt |
63 | # endif | 63 | # endif |