- markus@cvs.openbsd.org 2014/04/29 18:01:49

     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm

1 files changed, 38 insertions, 4 deletions

diff --git a/sshd.c b/sshd.c
index b955f1921..6e7192cf5 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.425 2014/04/19 14:53:48 tedu Exp $ */
+/* $OpenBSD: sshd.c,v 1.426 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -72,10 +72,12 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include "openbsd-compat/openssl-compat.h"
+#endif
 
 #ifdef HAVE_SECUREWARE
 #include <sys/security.h>
@@ -98,7 +100,6 @@
 #include "digest.h"
 #include "key.h"
 #include "kex.h"
-#include "dh.h"
 #include "myproposal.h"
 #include "authfile.h"
 #include "pathnames.h"
@@ -256,7 +257,9 @@ struct passwd *privsep_pw = NULL;
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
 
+#ifdef WITH_SSH1
 static void do_ssh1_kex(void);
+#endif
 static void do_ssh2_kex(void);
 
 /*
@@ -931,7 +934,13 @@ static void
 usage(void)
 {
         fprintf(stderr, "%s, %s\n",
-            SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
+            SSH_RELEASE,
+#ifdef WITH_OPENSSL
+            SSLeay_version(SSLEAY_VERSION)
+#else
+            "without OpenSSL"
+#endif
+        );
         fprintf(stderr,
 "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
 "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
@@ -964,6 +973,7 @@ send_rexec_state(int fd, Buffer *conf)
         buffer_init(&m);
         buffer_put_cstring(&m, buffer_ptr(conf));
 
+#ifdef WITH_SSH1
         if (sensitive_data.server_key != NULL &&
             sensitive_data.server_key->type == KEY_RSA1) {
                 buffer_put_int(&m, 1);
@@ -974,6 +984,7 @@ send_rexec_state(int fd, Buffer *conf)
                 buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
                 buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
         } else
+#endif
                 buffer_put_int(&m, 0);
 
 #ifndef OPENSSL_PRNG_ONLY
@@ -1010,6 +1021,7 @@ recv_rexec_state(int fd, Buffer *conf)
         free(cp);
 
         if (buffer_get_int(&m)) {
+#ifdef WITH_SSH1
                 if (sensitive_data.server_key != NULL)
                         key_free(sensitive_data.server_key);
                 sensitive_data.server_key = key_new_private(KEY_RSA1);
@@ -1021,6 +1033,9 @@ recv_rexec_state(int fd, Buffer *conf)
                 buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
                 rsa_generate_additional_parameters(
                     sensitive_data.server_key->rsa);
+#else
+                fatal("ssh1 not supported");
+#endif
         }
 
 #ifndef OPENSSL_PRNG_ONLY
@@ -1543,7 +1558,9 @@ main(int ac, char **av)
         else
                 closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
+#ifdef WITH_OPENSSL
         OpenSSL_add_all_algorithms();
+#endif
 
         /* If requested, redirect the logs to the specified logfile. */
         if (logfile != NULL) {
@@ -1648,7 +1665,12 @@ main(int ac, char **av)
         }
 
         debug("sshd version %s, %s", SSH_VERSION,
-            SSLeay_version(SSLEAY_VERSION));
+#ifdef WITH_OPENSSL
+            SSLeay_version(SSLEAY_VERSION)
+#else
+            "without OpenSSL"
+#endif
+        );
 
         /* Store privilege separation user for later use if required. */
         if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1770,6 +1792,8 @@ main(int ac, char **av)
                 debug("host certificate: #%d type %d %s", j, key->type,
                     key_type(key));
         }
+
+#ifdef WITH_SSH1
         /* Check certain values for sanity. */
         if (options.protocol & SSH_PROTO_1) {
                 if (options.server_key_bits < 512 ||
@@ -1794,6 +1818,7 @@ main(int ac, char **av)
                             options.server_key_bits);
                 }
         }
+#endif
 
         if (use_privsep) {
                 struct stat st;
@@ -2077,8 +2102,12 @@ main(int ac, char **av)
                 do_ssh2_kex();
                 do_authentication2(authctxt);
         } else {
+#ifdef WITH_SSH1
                 do_ssh1_kex();
                 do_authentication(authctxt);
+#else
+                fatal("ssh1 not supported");
+#endif
         }
         /*
          * If we use privilege separation, the unprivileged child transfers
@@ -2162,6 +2191,7 @@ main(int ac, char **av)
         exit(0);
 }
 
+#ifdef WITH_SSH1
 /*
  * Decrypt session_key_int using our private server key and private host key
  * (key with larger modulus first).
@@ -2211,6 +2241,7 @@ ssh1_session_key(BIGNUM *session_key_int)
         }
         return (rsafail);
 }
+
 /*
  * SSH1 key exchange
  */
@@ -2388,6 +2419,7 @@ do_ssh1_kex(void)
         packet_send();
         packet_write_wait();
 }
+#endif
 
 void
 sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
@@ -2450,11 +2482,13 @@ do_ssh2_kex(void)
 
         /* start key exchange */
         kex = kex_setup(myproposal);
+#ifdef WITH_OPENSSL
         kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
         kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
         kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
         kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
         kex->kex[KEX_C25519_SHA256] = kexc25519_server;
         kex->server = 1;
         kex->client_version_string=client_version_string;