-rw-r--r--Makefile.in4
-rw-r--r--bufbn.c6
-rw-r--r--cipher-aesctr.c3
-rw-r--r--cipher-bf1.c3
-rw-r--r--cipher-ctr.c4
-rw-r--r--configure.ac887
-rw-r--r--digest-libc.c29
-rw-r--r--digest-openssl.c3
-rw-r--r--entropy.c12
-rw-r--r--includes.h2
-rw-r--r--kex.c4
-rw-r--r--kexdh.c3
-rw-r--r--kexdhc.c3
-rw-r--r--kexdhs.c3
-rw-r--r--kexecdh.c4
-rw-r--r--kexecdhc.c12
-rw-r--r--kexecdhs.c12
-rw-r--r--kexgex.c3
-rw-r--r--kexgexc.c3
-rw-r--r--kexgexs.c3
-rw-r--r--krl.c3
-rw-r--r--moduli.c4
-rw-r--r--monitor_wrap.c4
-rw-r--r--openbsd-compat/Makefile.in2
-rw-r--r--openbsd-compat/arc4random.c36
-rw-r--r--openbsd-compat/bcrypt_pbkdf.c3
-rw-r--r--openbsd-compat/openbsd-compat.h3
-rw-r--r--openbsd-compat/openssl-compat.c4
-rw-r--r--openbsd-compat/openssl-compat.h3
-rw-r--r--openbsd-compat/sha2.c40
-rw-r--r--openbsd-compat/sha2.h19
-rw-r--r--openbsd-compat/xcrypt.c2
-rw-r--r--packet.c2
-rw-r--r--ssh-add.c4
-rw-r--r--ssh-dss.c3
-rw-r--r--ssh-ecdsa.c4
-rw-r--r--ssh-keygen.c22
-rw-r--r--ssh-keysign.c6
-rw-r--r--ssh-rsa.c3
-rw-r--r--sshd.c10
40 files changed, 689 insertions, 491 deletions
diff --git a/Makefile.in b/Makefile.in
index ebd48c303..d7ba813a9 100644
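--- a/Makefile.in
+++ b/Makefile.in
@@ -76,7 +76,7 @@ LIBOPENSSH_OBJS=\
 
 LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  authfd.o authfile.o bufaux.o bufbn.o buffer.o \
- canohost.o channels.o cipher.o cipher-aes.o \
+ canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
  cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
  compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
  log.o match.o md-sha256.o moduli.o nchan.o packet.o \
@@ -87,7 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
  msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
  ssh-pkcs11.o smult_curve25519_ref.o \
  kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
- ssh-ed25519.o digest-openssl.o hmac.o \
+ ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
  sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
 
 SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \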
diff --git a/bufbn.c b/bufbn.c
index b7f7cb122..33ae7f73f 100644
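--- a/bufbn.c
+++ b/bufbn.c
@@ -20,12 +20,15 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include "buffer.h"
 #include "log.h"
 #include "ssherr.h"
 
+#ifdef WITH_SSH1
 int
 buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
 {
@@ -63,6 +66,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
  if (buffer_get_bignum_ret(buffer, value) == -1)
  fatal("%s: buffer error", __func__);
 }
+#endif /* WITH_SSH1 */
 
 int
 buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
@@ -101,3 +105,5 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
  if (buffer_get_bignum2_ret(buffer, value) == -1)
  fatal("%s: buffer error", __func__);
 }
+
+#endif /* WITH_OPENSSL */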
diff --git a/cipher-aesctr.c b/cipher-aesctr.c
index e13615195..850bbf7db 100644
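--- a/cipher-aesctr.c
+++ b/cipher-aesctr.c
@@ -18,6 +18,8 @@
 #include <sys/types.h>
 #include <string.h>
 
+#ifndef WITH_OPENSSL
+
 #include "cipher-aesctr.h"
 
 /*
@@ -76,3 +78,4 @@ aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
  n = (n + 1) % AES_BLOCK_SIZE;
  }
 }
+#endif /* !WITH_OPENSSL */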
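Review bot: The new `#ifndef WITH_OPENSSL` guard at line 21 only works if the configure-generated definition is already visible at that point, and the hunk shows nothing but `<sys/types.h>` and `<string.h>` above it. WITH_OPENSSL is emitted by configure (`AC_DEFINE_UNQUOTED([WITH_OPENSSL], ...)` in this same commit), so unless `includes.h` is pulled in above line 18, outside the hunk, the macro is never defined in this file and the internal AES-CTR code is compiled into OpenSSL builds as well. If that include is missing, add `#include "includes.h"` ahead of the system headers, as bufbn.c and cipher-bf1.c do. aesctr_encrypt_bytes begins outside the second hunk.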
diff --git a/cipher-bf1.c b/cipher-bf1.c
index 64c74bc6f..ee72ac085 100644
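--- a/cipher-bf1.c
+++ b/cipher-bf1.c
@@ -20,6 +20,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <stdarg.h>
@@ -98,3 +100,4 @@ evp_ssh1_bf(void)
  ssh1_bf.key_len = 32;
  return (&ssh1_bf);
 }
+#endif /* WITH_OPENSSL */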
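Review bot: The guard added at line 23 keys the SSH protocol 1 Blowfish cipher on `WITH_OPENSSL` alone, so a build configured with OpenSSL but `--without-ssh1` still compiles `evp_ssh1_bf()`. bufbn.c in this same commit fences its protocol 1 helpers with `#ifdef WITH_SSH1`. If nothing outside protocol 1 references this cipher (not visible here), `#if defined(WITH_OPENSSL) && defined(WITH_SSH1)` with a matching `#endif` comment would keep legacy cipher code out of builds that disabled it. evp_ssh1_bf's body starts outside the second hunk.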
diff --git a/cipher-ctr.c b/cipher-ctr.c
index ea0f9b3b7..32771f287 100644
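--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -16,7 +16,7 @@
  */
 #include "includes.h"
 
-#ifndef OPENSSL_HAVE_EVPCTR
+#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
 #include <sys/types.h>
 
 #include <stdarg.h>
@@ -143,4 +143,4 @@ evp_aes_128_ctr(void)
  return (&aes_ctr);
 }
 
-#endif /* OPENSSL_HAVE_EVPCTR */
+#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */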
diff --git a/configure.ac b/configure.ac
index 13e25e98f..cb66f54b1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -121,14 +121,34 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [
121 #include <linux/prctl.h> 121 #include <linux/prctl.h>
122]) 122])
123 123
124openssl=yes
124ssh1=yes 125ssh1=yes
125AC_ARG_WITH([ssh1], 126AC_ARG_WITH([openssl],
126 [ --without-ssh1 Disable support for SSH protocol 1], 127 [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ],
127 [ if test "x$withval" = "xno" ; then 128 [ if test "x$withval" = "xno" ; then
129 openssl=no
128 ssh1=no 130 ssh1=no
129 fi 131 fi
130 ] 132 ]
131) 133)
134AC_MSG_CHECKING([whether OpenSSL will be used for cryptography])
135if test "x$openssl" = "xyes" ; then
136 AC_MSG_RESULT([yes])
137 AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography])
138else
139 AC_MSG_RESULT([no])
140fi
141
142AC_ARG_WITH([ssh1],
143 [ --without-ssh1 Disable support for SSH protocol 1],
144 [
145 if test "x$withval" = "xno" ; then
146 ssh1=no
147 elif test "x$openssl" = "xno" ; then
148 AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled])
149 fi
150 ]
151)
132AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) 152AC_MSG_CHECKING([whether SSH protocol 1 support is enabled])
133if test "x$ssh1" = "xyes" ; then 153if test "x$ssh1" = "xyes" ; then
134 AC_MSG_RESULT([yes]) 154 AC_MSG_RESULT([yes])
@@ -1312,7 +1332,7 @@ g.gl_statv = NULL;
1312 AC_MSG_RESULT([yes]) 1332 AC_MSG_RESULT([yes])
1313 ], [ 1333 ], [
1314 AC_MSG_RESULT([no]) 1334 AC_MSG_RESULT([no])
1315 1335
1316]) 1336])
1317 1337
1318AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) 1338AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>])
@@ -1705,10 +1725,13 @@ AC_LINK_IFELSE(
1705 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) 1725 [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).])
1706]) 1726])
1707 1727
1708# PKCS#11 support requires dlopen() and co 1728# PKCS11 depends on OpenSSL.
1709AC_SEARCH_LIBS([dlopen], [dl], 1729if test "x$openssl" = "xyes" ; then
1710 [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] 1730 # PKCS#11 support requires dlopen() and co
1711) 1731 AC_SEARCH_LIBS([dlopen], [dl],
1732 [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])]
1733 )
1734fi
1712 1735
1713# IRIX has a const char return value for gai_strerror() 1736# IRIX has a const char return value for gai_strerror()
1714AC_CHECK_FUNCS([gai_strerror], [ 1737AC_CHECK_FUNCS([gai_strerror], [
@@ -2197,6 +2220,9 @@ saved_LDFLAGS="$LDFLAGS"
2197AC_ARG_WITH([ssl-dir], 2220AC_ARG_WITH([ssl-dir],
2198 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], 2221 [ --with-ssl-dir=PATH Specify path to OpenSSL installation ],
2199 [ 2222 [
2223 if test "x$openssl" = "xno" ; then
2224 AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled])
2225 fi
2200 if test "x$withval" != "xno" ; then 2226 if test "x$withval" != "xno" ; then
2201 case "$withval" in 2227 case "$withval" in
2202 # Relative paths 2228 # Relative paths
@@ -2229,444 +2255,457 @@ AC_ARG_WITH([ssl-dir],
2229 fi 2255 fi
2230 ] 2256 ]
2231) 2257)
2232LIBS="-lcrypto $LIBS" 2258
2233AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], 2259AC_ARG_WITH([openssl-header-check],
2234 [Define if your ssl headers are included 2260 [ --without-openssl-header-check Disable OpenSSL version consistency check],
2235 with #include <openssl/header.h>])],
2236 [ 2261 [
2237 dnl Check default openssl install dir 2262 if test "x$withval" = "xno" ; then
2238 if test -n "${need_dash_r}"; then 2263 openssl_check_nonfatal=1
2239 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2240 else
2241 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2242 fi 2264 fi
2243 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2244 AC_CHECK_HEADER([openssl/opensslv.h], ,
2245 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2246 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2247 [
2248 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2249 ]
2250 )
2251 ] 2265 ]
2252) 2266)
2253 2267
2254# Determine OpenSSL header version 2268openssl_engine=no
2255AC_MSG_CHECKING([OpenSSL header version]) 2269AC_ARG_WITH([ssl-engine],
2256AC_RUN_IFELSE( 2270 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ],
2257 [AC_LANG_PROGRAM([[
2258#include <stdio.h>
2259#include <string.h>
2260#include <openssl/opensslv.h>
2261#define DATA "conftest.sslincver"
2262 ]], [[
2263 FILE *fd;
2264 int rc;
2265
2266 fd = fopen(DATA,"w");
2267 if(fd == NULL)
2268 exit(1);
2269
2270 if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
2271 exit(1);
2272
2273 exit(0);
2274 ]])],
2275 [
2276 ssl_header_ver=`cat conftest.sslincver`
2277 AC_MSG_RESULT([$ssl_header_ver])
2278 ],
2279 [
2280 AC_MSG_RESULT([not found])
2281 AC_MSG_ERROR([OpenSSL version header not found.])
2282 ],
2283 [ 2271 [
2284 AC_MSG_WARN([cross compiling: not checking]) 2272 if test "x$openssl" = "xno" ; then
2273 AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled])
2274 fi
2275 if test "x$withval" != "xno" ; then
2276 openssl_engine=yes
2277 fi
2285 ] 2278 ]
2286) 2279)
2287 2280
2288# Determine OpenSSL library version 2281if test "x$openssl" = "xyes" ; then
2289AC_MSG_CHECKING([OpenSSL library version]) 2282 LIBS="-lcrypto $LIBS"
2290AC_RUN_IFELSE( 2283 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1],
2291 [AC_LANG_PROGRAM([[ 2284 [Define if your ssl headers are included
2292#include <stdio.h> 2285 with #include <openssl/header.h>])],
2293#include <string.h> 2286 [
2294#include <openssl/opensslv.h> 2287 dnl Check default openssl install dir
2295#include <openssl/crypto.h> 2288 if test -n "${need_dash_r}"; then
2296#define DATA "conftest.ssllibver" 2289 LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}"
2297 ]], [[ 2290 else
2298 FILE *fd; 2291 LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}"
2299 int rc; 2292 fi
2293 CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}"
2294 AC_CHECK_HEADER([openssl/opensslv.h], ,
2295 [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])])
2296 AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])],
2297 [
2298 AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***])
2299 ]
2300 )
2301 ]
2302 )
2300 2303
2301 fd = fopen(DATA,"w"); 2304 # Determine OpenSSL header version
2302 if(fd == NULL) 2305 AC_MSG_CHECKING([OpenSSL header version])
2303 exit(1); 2306 AC_RUN_IFELSE(
2307 [AC_LANG_PROGRAM([[
2308 #include <stdio.h>
2309 #include <string.h>
2310 #include <openssl/opensslv.h>
2311 #define DATA "conftest.sslincver"
2312 ]], [[
2313 FILE *fd;
2314 int rc;
2304 2315
2305 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), 2316 fd = fopen(DATA,"w");
2306 SSLeay_version(SSLEAY_VERSION))) <0) 2317 if(fd == NULL)
2307 exit(1); 2318 exit(1);
2308 2319
2309 exit(0); 2320 if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0)
2310 ]])], 2321 exit(1);
2311 [
2312 ssl_library_ver=`cat conftest.ssllibver`
2313 # Check version is supported.
2314 case "$ssl_library_ver" in
2315 0090[[0-7]]*|009080[[0-5]]*)
2316 AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
2317 ;;
2318 *) ;;
2319 esac
2320 AC_MSG_RESULT([$ssl_library_ver])
2321 ],
2322 [
2323 AC_MSG_RESULT([not found])
2324 AC_MSG_ERROR([OpenSSL library not found.])
2325 ],
2326 [
2327 AC_MSG_WARN([cross compiling: not checking])
2328 ]
2329)
2330 2322
2331# XXX make --without-openssl work 2323 exit(0);
2332AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) 2324 ]])],
2325 [
2326 ssl_header_ver=`cat conftest.sslincver`
2327 AC_MSG_RESULT([$ssl_header_ver])
2328 ],
2329 [
2330 AC_MSG_RESULT([not found])
2331 AC_MSG_ERROR([OpenSSL version header not found.])
2332 ],
2333 [
2334 AC_MSG_WARN([cross compiling: not checking])
2335 ]
2336 )
2333 2337
2334AC_ARG_WITH([openssl-header-check], 2338 # Determine OpenSSL library version
2335 [ --without-openssl-header-check Disable OpenSSL version consistency check], 2339 AC_MSG_CHECKING([OpenSSL library version])
2336 [ if test "x$withval" = "xno" ; then 2340 AC_RUN_IFELSE(
2337 openssl_check_nonfatal=1 2341 [AC_LANG_PROGRAM([[
2338 fi 2342 #include <stdio.h>
2339 ] 2343 #include <string.h>
2340) 2344 #include <openssl/opensslv.h>
2345 #include <openssl/crypto.h>
2346 #define DATA "conftest.ssllibver"
2347 ]], [[
2348 FILE *fd;
2349 int rc;
2341 2350
2342# Sanity check OpenSSL headers 2351 fd = fopen(DATA,"w");
2343AC_MSG_CHECKING([whether OpenSSL's headers match the library]) 2352 if(fd == NULL)
2344AC_RUN_IFELSE( 2353 exit(1);
2345 [AC_LANG_PROGRAM([[
2346#include <string.h>
2347#include <openssl/opensslv.h>
2348 ]], [[
2349 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2350 ]])],
2351 [
2352 AC_MSG_RESULT([yes])
2353 ],
2354 [
2355 AC_MSG_RESULT([no])
2356 if test "x$openssl_check_nonfatal" = "x"; then
2357 AC_MSG_ERROR([Your OpenSSL headers do not match your
2358library. Check config.log for details.
2359If you are sure your installation is consistent, you can disable the check
2360by running "./configure --without-openssl-header-check".
2361Also see contrib/findssl.sh for help identifying header/library mismatches.
2362])
2363 else
2364 AC_MSG_WARN([Your OpenSSL headers do not match your
2365library. Check config.log for details.
2366Also see contrib/findssl.sh for help identifying header/library mismatches.])
2367 fi
2368 ],
2369 [
2370 AC_MSG_WARN([cross compiling: not checking])
2371 ]
2372)
2373 2354
2374AC_MSG_CHECKING([if programs using OpenSSL functions will link]) 2355 if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(),
2375AC_LINK_IFELSE( 2356 SSLeay_version(SSLEAY_VERSION))) <0)
2376 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], 2357 exit(1);
2377 [[ SSLeay_add_all_algorithms(); ]])],
2378 [
2379 AC_MSG_RESULT([yes])
2380 ],
2381 [
2382 AC_MSG_RESULT([no])
2383 saved_LIBS="$LIBS"
2384 LIBS="$LIBS -ldl"
2385 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2386 AC_LINK_IFELSE(
2387 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2388 [[ SSLeay_add_all_algorithms(); ]])],
2389 [
2390 AC_MSG_RESULT([yes])
2391 ],
2392 [
2393 AC_MSG_RESULT([no])
2394 LIBS="$saved_LIBS"
2395 ]
2396 )
2397 ]
2398)
2399 2358
2400AC_CHECK_FUNCS([ \ 2359 exit(0);
2401 BN_is_prime_ex \ 2360 ]])],
2402 DSA_generate_parameters_ex \ 2361 [
2403 EVP_DigestInit_ex \ 2362 ssl_library_ver=`cat conftest.ssllibver`
2404 EVP_DigestFinal_ex \ 2363 # Check version is supported.
2405 EVP_MD_CTX_init \ 2364 case "$ssl_library_ver" in
2406 EVP_MD_CTX_cleanup \ 2365 0090[[0-7]]*|009080[[0-5]]*)
2407 EVP_MD_CTX_copy_ex \ 2366 AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")])
2408 HMAC_CTX_init \ 2367 ;;
2409 RSA_generate_key_ex \ 2368 *) ;;
2410 RSA_get_default_method \ 2369 esac
2411]) 2370 AC_MSG_RESULT([$ssl_library_ver])
2371 ],
2372 [
2373 AC_MSG_RESULT([not found])
2374 AC_MSG_ERROR([OpenSSL library not found.])
2375 ],
2376 [
2377 AC_MSG_WARN([cross compiling: not checking])
2378 ]
2379 )
2412 2380
2413AC_ARG_WITH([ssl-engine], 2381 # Sanity check OpenSSL headers
2414 [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], 2382 AC_MSG_CHECKING([whether OpenSSL's headers match the library])
2415 [ if test "x$withval" != "xno" ; then 2383 AC_RUN_IFELSE(
2384 [AC_LANG_PROGRAM([[
2385 #include <string.h>
2386 #include <openssl/opensslv.h>
2387 ]], [[
2388 exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1);
2389 ]])],
2390 [
2391 AC_MSG_RESULT([yes])
2392 ],
2393 [
2394 AC_MSG_RESULT([no])
2395 if test "x$openssl_check_nonfatal" = "x"; then
2396 AC_MSG_ERROR([Your OpenSSL headers do not match your
2397 library. Check config.log for details.
2398 If you are sure your installation is consistent, you can disable the check
2399 by running "./configure --without-openssl-header-check".
2400 Also see contrib/findssl.sh for help identifying header/library mismatches.
2401 ])
2402 else
2403 AC_MSG_WARN([Your OpenSSL headers do not match your
2404 library. Check config.log for details.
2405 Also see contrib/findssl.sh for help identifying header/library mismatches.])
2406 fi
2407 ],
2408 [
2409 AC_MSG_WARN([cross compiling: not checking])
2410 ]
2411 )
2412
2413 AC_MSG_CHECKING([if programs using OpenSSL functions will link])
2414 AC_LINK_IFELSE(
2415 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2416 [[ SSLeay_add_all_algorithms(); ]])],
2417 [
2418 AC_MSG_RESULT([yes])
2419 ],
2420 [
2421 AC_MSG_RESULT([no])
2422 saved_LIBS="$LIBS"
2423 LIBS="$LIBS -ldl"
2424 AC_MSG_CHECKING([if programs using OpenSSL need -ldl])
2425 AC_LINK_IFELSE(
2426 [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]],
2427 [[ SSLeay_add_all_algorithms(); ]])],
2428 [
2429 AC_MSG_RESULT([yes])
2430 ],
2431 [
2432 AC_MSG_RESULT([no])
2433 LIBS="$saved_LIBS"
2434 ]
2435 )
2436 ]
2437 )
2438
2439 AC_CHECK_FUNCS([ \
2440 BN_is_prime_ex \
2441 DSA_generate_parameters_ex \
2442 EVP_DigestInit_ex \
2443 EVP_DigestFinal_ex \
2444 EVP_MD_CTX_init \
2445 EVP_MD_CTX_cleanup \
2446 EVP_MD_CTX_copy_ex \
2447 HMAC_CTX_init \
2448 RSA_generate_key_ex \
2449 RSA_get_default_method \
2450 ])
2451
2452 if test "x$openssl_engine" = "xyes" ; then
2416 AC_MSG_CHECKING([for OpenSSL ENGINE support]) 2453 AC_MSG_CHECKING([for OpenSSL ENGINE support])
2417 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ 2454 AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
2418#include <openssl/engine.h> 2455 #include <openssl/engine.h>
2419 ]], [[ 2456 ]], [[
2420 ENGINE_load_builtin_engines(); 2457 ENGINE_load_builtin_engines();
2421 ENGINE_register_all_complete(); 2458 ENGINE_register_all_complete();
2422 ]])], 2459 ]])],
2423 [ AC_MSG_RESULT([yes]) 2460 [ AC_MSG_RESULT([yes])
2424 AC_DEFINE([USE_OPENSSL_ENGINE], [1], 2461 AC_DEFINE([USE_OPENSSL_ENGINE], [1],
2425 [Enable OpenSSL engine support]) 2462 [Enable OpenSSL engine support])
2426 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) 2463 ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found])
2427 ]) 2464 ])
2428 fi ] 2465 fi
2429)
2430 2466
2431# Check for OpenSSL without EVP_aes_{192,256}_cbc 2467 # Check for OpenSSL without EVP_aes_{192,256}_cbc
2432AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) 2468 AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
2433AC_LINK_IFELSE( 2469 AC_LINK_IFELSE(
2434 [AC_LANG_PROGRAM([[ 2470 [AC_LANG_PROGRAM([[
2435#include <string.h> 2471 #include <string.h>
2436#include <openssl/evp.h> 2472 #include <openssl/evp.h>
2437 ]], [[ 2473 ]], [[
2438 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); 2474 exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL);
2439 ]])], 2475 ]])],
2440 [ 2476 [
2441 AC_MSG_RESULT([no]) 2477 AC_MSG_RESULT([no])
2442 ], 2478 ],
2443 [ 2479 [
2444 AC_MSG_RESULT([yes]) 2480 AC_MSG_RESULT([yes])
2445 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], 2481 AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1],
2446 [libcrypto is missing AES 192 and 256 bit functions]) 2482 [libcrypto is missing AES 192 and 256 bit functions])
2447 ] 2483 ]
2448) 2484 )
2449 2485
2450# Check for OpenSSL with EVP_aes_*ctr 2486 # Check for OpenSSL with EVP_aes_*ctr
2451AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) 2487 AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
2452AC_LINK_IFELSE( 2488 AC_LINK_IFELSE(
2453 [AC_LANG_PROGRAM([[ 2489 [AC_LANG_PROGRAM([[
2454#include <string.h> 2490 #include <string.h>
2455#include <openssl/evp.h> 2491 #include <openssl/evp.h>
2456 ]], [[ 2492 ]], [[
2457 exit(EVP_aes_128_ctr() == NULL || 2493 exit(EVP_aes_128_ctr() == NULL ||
2458 EVP_aes_192_cbc() == NULL || 2494 EVP_aes_192_cbc() == NULL ||
2459 EVP_aes_256_cbc() == NULL); 2495 EVP_aes_256_cbc() == NULL);
2460 ]])], 2496 ]])],
2461 [ 2497 [
2462 AC_MSG_RESULT([yes]) 2498 AC_MSG_RESULT([yes])
2463 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], 2499 AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
2464 [libcrypto has EVP AES CTR]) 2500 [libcrypto has EVP AES CTR])
2465 ], 2501 ],
2466 [ 2502 [
2467 AC_MSG_RESULT([no]) 2503 AC_MSG_RESULT([no])
2468 ] 2504 ]
2469) 2505 )
2470 2506
2471# Check for OpenSSL with EVP_aes_*gcm 2507 # Check for OpenSSL with EVP_aes_*gcm
2472AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) 2508 AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
2473AC_LINK_IFELSE( 2509 AC_LINK_IFELSE(
2474 [AC_LANG_PROGRAM([[ 2510 [AC_LANG_PROGRAM([[
2475#include <string.h> 2511 #include <string.h>
2476#include <openssl/evp.h> 2512 #include <openssl/evp.h>
2477 ]], [[ 2513 ]], [[
2478 exit(EVP_aes_128_gcm() == NULL || 2514 exit(EVP_aes_128_gcm() == NULL ||
2479 EVP_aes_256_gcm() == NULL || 2515 EVP_aes_256_gcm() == NULL ||
2480 EVP_CTRL_GCM_SET_IV_FIXED == 0 || 2516 EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
2481 EVP_CTRL_GCM_IV_GEN == 0 || 2517 EVP_CTRL_GCM_IV_GEN == 0 ||
2482 EVP_CTRL_GCM_SET_TAG == 0 || 2518 EVP_CTRL_GCM_SET_TAG == 0 ||
2483 EVP_CTRL_GCM_GET_TAG == 0 || 2519 EVP_CTRL_GCM_GET_TAG == 0 ||
2484 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); 2520 EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
2485 ]])], 2521 ]])],
2486 [ 2522 [
2487 AC_MSG_RESULT([yes]) 2523 AC_MSG_RESULT([yes])
2488 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], 2524 AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
2489 [libcrypto has EVP AES GCM]) 2525 [libcrypto has EVP AES GCM])
2490 ], 2526 ],
2491 [ 2527 [
2492 AC_MSG_RESULT([no]) 2528 AC_MSG_RESULT([no])
2493 unsupported_algorithms="$unsupported_cipers \ 2529 unsupported_algorithms="$unsupported_cipers \
2494 aes128-gcm@openssh.com aes256-gcm@openssh.com" 2530 aes128-gcm@openssh.com aes256-gcm@openssh.com"
2495 ] 2531 ]
2496) 2532 )
2497 2533
2498AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], 2534 AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto],
2499 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], 2535 [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1],
2500 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) 2536 [Define if libcrypto has EVP_CIPHER_CTX_ctrl])])
2501 2537
2502AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) 2538 AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
2503AC_LINK_IFELSE( 2539 AC_LINK_IFELSE(
2504 [AC_LANG_PROGRAM([[ 2540 [AC_LANG_PROGRAM([[
2505#include <string.h> 2541 #include <string.h>
2506#include <openssl/evp.h> 2542 #include <openssl/evp.h>
2507 ]], [[ 2543 ]], [[
2508 if(EVP_DigestUpdate(NULL, NULL,0)) 2544 if(EVP_DigestUpdate(NULL, NULL,0))
2509 exit(0); 2545 exit(0);
2510 ]])], 2546 ]])],
2511 [ 2547 [
2512 AC_MSG_RESULT([yes]) 2548 AC_MSG_RESULT([yes])
2513 ], 2549 ],
2514 [ 2550 [
2515 AC_MSG_RESULT([no]) 2551 AC_MSG_RESULT([no])
2516 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], 2552 AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1],
2517 [Define if EVP_DigestUpdate returns void]) 2553 [Define if EVP_DigestUpdate returns void])
2518 ] 2554 ]
2519) 2555 )
2520 2556
2521# Some systems want crypt() from libcrypt, *not* the version in OpenSSL, 2557 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
2522# because the system crypt() is more featureful. 2558 # because the system crypt() is more featureful.
2523if test "x$check_for_libcrypt_before" = "x1"; then 2559 if test "x$check_for_libcrypt_before" = "x1"; then
2524 AC_CHECK_LIB([crypt], [crypt]) 2560 AC_CHECK_LIB([crypt], [crypt])
2525fi 2561 fi
2526 2562
2527# Some Linux systems (Slackware) need crypt() from libcrypt, *not* the 2563 # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the
2528# version in OpenSSL. 2564 # version in OpenSSL.
2529if test "x$check_for_libcrypt_later" = "x1"; then 2565 if test "x$check_for_libcrypt_later" = "x1"; then
2530 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) 2566 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2531fi 2567 fi
2532AC_CHECK_FUNCS([crypt DES_crypt])
2533
2534# Search for SHA256 support in libc and/or OpenSSL
2535AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2536 [unsupported_algorithms="$unsupported_algorithms \
2537 hmac-sha2-256 hmac-sha2-512 \
2538 diffie-hellman-group-exchange-sha256 \
2539 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2540 ]
2541)
2542# Search for RIPE-MD support in OpenSSL
2543AC_CHECK_FUNCS([EVP_ripemd160], ,
2544 [unsupported_algorithms="$unsupported_algorithms \
2545 hmac-ripemd160
2546 hmac-ripemd160@openssh.com
2547 hmac-ripemd160-etm@openssh.com"
2548 ]
2549)
2550 2568
2551# Check complete ECC support in OpenSSL 2569 # Search for SHA256 support in libc and/or OpenSSL
2552AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) 2570 AC_CHECK_FUNCS([SHA256_Update EVP_sha256], ,
2553AC_LINK_IFELSE( 2571 [unsupported_algorithms="$unsupported_algorithms \
2554 [AC_LANG_PROGRAM([[ 2572 hmac-sha2-256 hmac-sha2-512 \
2555#include <openssl/ec.h> 2573 diffie-hellman-group-exchange-sha256 \
2556#include <openssl/ecdh.h> 2574 hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com"
2557#include <openssl/ecdsa.h> 2575 ]
2558#include <openssl/evp.h> 2576 )
2559#include <openssl/objects.h> 2577 # Search for RIPE-MD support in OpenSSL
2560#include <openssl/opensslv.h> 2578 AC_CHECK_FUNCS([EVP_ripemd160], ,
2561#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2579 [unsupported_algorithms="$unsupported_algorithms \
2562# error "OpenSSL < 0.9.8g has unreliable ECC code" 2580 hmac-ripemd160
2563#endif 2581 hmac-ripemd160@openssh.com
2564 ]], [[ 2582 hmac-ripemd160-etm@openssh.com"
2565 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 2583 ]
2566 const EVP_MD *m = EVP_sha256(); /* We need this too */ 2584 )
2567 ]])],
2568 [ AC_MSG_RESULT([yes])
2569 enable_nistp256=1 ],
2570 [ AC_MSG_RESULT([no]) ]
2571)
2572 2585
2573AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) 2586 # Check complete ECC support in OpenSSL
2574AC_LINK_IFELSE( 2587 AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
2575 [AC_LANG_PROGRAM([[ 2588 AC_LINK_IFELSE(
2576#include <openssl/ec.h> 2589 [AC_LANG_PROGRAM([[
2577#include <openssl/ecdh.h> 2590 #include <openssl/ec.h>
2578#include <openssl/ecdsa.h> 2591 #include <openssl/ecdh.h>
2579#include <openssl/evp.h> 2592 #include <openssl/ecdsa.h>
2580#include <openssl/objects.h> 2593 #include <openssl/evp.h>
2581#include <openssl/opensslv.h> 2594 #include <openssl/objects.h>
2582#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2595 #include <openssl/opensslv.h>
2583# error "OpenSSL < 0.9.8g has unreliable ECC code" 2596 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2584#endif 2597 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2585 ]], [[ 2598 #endif
2586 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); 2599 ]], [[
2587 const EVP_MD *m = EVP_sha384(); /* We need this too */ 2600 EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
2588 ]])], 2601 const EVP_MD *m = EVP_sha256(); /* We need this too */
2589 [ AC_MSG_RESULT([yes]) 2602 ]])],
2590 enable_nistp384=1 ], 2603 [ AC_MSG_RESULT([yes])
2591 [ AC_MSG_RESULT([no]) ] 2604 enable_nistp256=1 ],
2592) 2605 [ AC_MSG_RESULT([no]) ]
2606 )
2593 2607
2594AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) 2608 AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1])
2595AC_LINK_IFELSE( 2609 AC_LINK_IFELSE(
2596 [AC_LANG_PROGRAM([[ 2610 [AC_LANG_PROGRAM([[
2597#include <openssl/ec.h> 2611 #include <openssl/ec.h>
2598#include <openssl/ecdh.h> 2612 #include <openssl/ecdh.h>
2599#include <openssl/ecdsa.h> 2613 #include <openssl/ecdsa.h>
2600#include <openssl/evp.h> 2614 #include <openssl/evp.h>
2601#include <openssl/objects.h> 2615 #include <openssl/objects.h>
2602#include <openssl/opensslv.h> 2616 #include <openssl/opensslv.h>
2603#if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ 2617 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2604# error "OpenSSL < 0.9.8g has unreliable ECC code" 2618 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2605#endif 2619 #endif
2606 ]], [[ 2620 ]], [[
2607 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2621 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1);
2608 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2622 const EVP_MD *m = EVP_sha384(); /* We need this too */
2609 ]])], 2623 ]])],
2610 [ AC_MSG_RESULT([yes]) 2624 [ AC_MSG_RESULT([yes])
2611 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) 2625 enable_nistp384=1 ],
2612 AC_RUN_IFELSE( 2626 [ AC_MSG_RESULT([no]) ]
2627 )
2628
2629 AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1])
2630 AC_LINK_IFELSE(
2613 [AC_LANG_PROGRAM([[ 2631 [AC_LANG_PROGRAM([[
2614#include <openssl/ec.h> 2632 #include <openssl/ec.h>
2615#include <openssl/ecdh.h> 2633 #include <openssl/ecdh.h>
2616#include <openssl/ecdsa.h> 2634 #include <openssl/ecdsa.h>
2617#include <openssl/evp.h> 2635 #include <openssl/evp.h>
2618#include <openssl/objects.h> 2636 #include <openssl/objects.h>
2619#include <openssl/opensslv.h> 2637 #include <openssl/opensslv.h>
2620 ]],[[ 2638 #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */
2639 # error "OpenSSL < 0.9.8g has unreliable ECC code"
2640 #endif
2641 ]], [[
2621 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); 2642 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2622 const EVP_MD *m = EVP_sha512(); /* We need this too */ 2643 const EVP_MD *m = EVP_sha512(); /* We need this too */
2623 exit(e == NULL || m == NULL);
2624 ]])], 2644 ]])],
2625 [ AC_MSG_RESULT([yes]) 2645 [ AC_MSG_RESULT([yes])
2626 enable_nistp521=1 ], 2646 AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional])
2627 [ AC_MSG_RESULT([no]) ], 2647 AC_RUN_IFELSE(
2628 [ AC_MSG_WARN([cross-compiling: assuming yes]) 2648 [AC_LANG_PROGRAM([[
2629 enable_nistp521=1 ] 2649 #include <openssl/ec.h>
2630 )], 2650 #include <openssl/ecdh.h>
2631 AC_MSG_RESULT([no]) 2651 #include <openssl/ecdsa.h>
2632) 2652 #include <openssl/evp.h>
2653 #include <openssl/objects.h>
2654 #include <openssl/opensslv.h>
2655 ]],[[
2656 EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1);
2657 const EVP_MD *m = EVP_sha512(); /* We need this too */
2658 exit(e == NULL || m == NULL);
2659 ]])],
2660 [ AC_MSG_RESULT([yes])
2661 enable_nistp521=1 ],
2662 [ AC_MSG_RESULT([no]) ],
2663 [ AC_MSG_WARN([cross-compiling: assuming yes])
2664 enable_nistp521=1 ]
2665 )],
2666 AC_MSG_RESULT([no])
2667 )
2633 2668
2634COMMENT_OUT_ECC="#no ecc#" 2669 COMMENT_OUT_ECC="#no ecc#"
2635TEST_SSH_ECC=no 2670 TEST_SSH_ECC=no
2636 2671
2637if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ 2672 if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \
2638 test x$enable_nistp521 = x1; then 2673 test x$enable_nistp521 = x1; then
2639 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) 2674 AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC])
2640fi 2675 fi
2641if test x$enable_nistp256 = x1; then 2676 if test x$enable_nistp256 = x1; then
2642 AC_DEFINE([OPENSSL_HAS_NISTP256], [1], 2677 AC_DEFINE([OPENSSL_HAS_NISTP256], [1],
2643 [libcrypto has NID_X9_62_prime256v1]) 2678 [libcrypto has NID_X9_62_prime256v1])
2644 TEST_SSH_ECC=yes 2679 TEST_SSH_ECC=yes
2645 COMMENT_OUT_ECC="" 2680 COMMENT_OUT_ECC=""
2646else 2681 else
2647 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ 2682 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \
2648 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" 2683 ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com"
2649fi 2684 fi
2650if test x$enable_nistp384 = x1; then 2685 if test x$enable_nistp384 = x1; then
2651 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) 2686 AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1])
2652 TEST_SSH_ECC=yes 2687 TEST_SSH_ECC=yes
2653 COMMENT_OUT_ECC="" 2688 COMMENT_OUT_ECC=""
2654else 2689 else
2655 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ 2690 unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \
2656 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" 2691 ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com"
2657fi 2692 fi
2658if test x$enable_nistp521 = x1; then 2693 if test x$enable_nistp521 = x1; then
2659 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) 2694 AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1])
2660 TEST_SSH_ECC=yes 2695 TEST_SSH_ECC=yes
2661 COMMENT_OUT_ECC="" 2696 COMMENT_OUT_ECC=""
2697 else
2698 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \
2699 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com"
2700 fi
2701
2702 AC_SUBST([TEST_SSH_ECC])
2703 AC_SUBST([COMMENT_OUT_ECC])
2662else 2704else
2663 unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ 2705 AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"])
2664 ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" 2706 AC_CHECK_FUNCS([crypt DES_crypt])
2665fi 2707fi
2666 2708
2667AC_SUBST([TEST_SSH_ECC])
2668AC_SUBST([COMMENT_OUT_ECC])
2669
2670AC_CHECK_FUNCS([ \ 2709AC_CHECK_FUNCS([ \
2671 arc4random \ 2710 arc4random \
2672 arc4random_buf \ 2711 arc4random_buf \
@@ -2687,28 +2726,30 @@ LIBS="$saved_LIBS"
2687### Configure cryptographic random number support 2726### Configure cryptographic random number support
2688 2727
2689# Check wheter OpenSSL seeds itself 2728# Check wheter OpenSSL seeds itself
2690AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) 2729if test "x$openssl" = "xyes" ; then
2691AC_RUN_IFELSE( 2730 AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded])
2692 [AC_LANG_PROGRAM([[ 2731 AC_RUN_IFELSE(
2693#include <string.h> 2732 [AC_LANG_PROGRAM([[
2694#include <openssl/rand.h> 2733 #include <string.h>
2695 ]], [[ 2734 #include <openssl/rand.h>
2696 exit(RAND_status() == 1 ? 0 : 1); 2735 ]], [[
2697 ]])], 2736 exit(RAND_status() == 1 ? 0 : 1);
2698 [ 2737 ]])],
2699 OPENSSL_SEEDS_ITSELF=yes 2738 [
2700 AC_MSG_RESULT([yes]) 2739 OPENSSL_SEEDS_ITSELF=yes
2701 ], 2740 AC_MSG_RESULT([yes])
2702 [ 2741 ],
2703 AC_MSG_RESULT([no]) 2742 [
2704 ], 2743 AC_MSG_RESULT([no])
2705 [ 2744 ],
2706 AC_MSG_WARN([cross compiling: assuming yes]) 2745 [
2707 # This is safe, since we will fatal() at runtime if 2746 AC_MSG_WARN([cross compiling: assuming yes])
2708 # OpenSSL is not seeded correctly. 2747 # This is safe, since we will fatal() at runtime if
2709 OPENSSL_SEEDS_ITSELF=yes 2748 # OpenSSL is not seeded correctly.
2710 ] 2749 OPENSSL_SEEDS_ITSELF=yes
2711) 2750 ]
2751 )
2752fi
2712 2753
2713# PRNGD TCP socket 2754# PRNGD TCP socket
2714AC_ARG_WITH([prngd-port], 2755AC_ARG_WITH([prngd-port],
@@ -2790,8 +2831,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then
2790 RAND_MSG="PRNGd socket $PRNGD_SOCKET" 2831 RAND_MSG="PRNGd socket $PRNGD_SOCKET"
2791elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then 2832elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then
2792 AC_DEFINE([OPENSSL_PRNG_ONLY], [1], 2833 AC_DEFINE([OPENSSL_PRNG_ONLY], [1],
2793 [Define if you want OpenSSL's internally seeded PRNG only]) 2834 [Define if you want the OpenSSL internally seeded PRNG only])
2794 RAND_MSG="OpenSSL internal ONLY" 2835 RAND_MSG="OpenSSL internal ONLY"
2836elif test "x$openssl" = "xno" ; then
2837 AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible])
2795else 2838else
2796 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) 2839 AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options])
2797fi 2840fi
@@ -2853,7 +2896,7 @@ if test "x$PAM_MSG" = "xyes" ; then
2853 which takes only one argument to pam_strerror]) 2896 which takes only one argument to pam_strerror])
2854 AC_MSG_RESULT([yes]) 2897 AC_MSG_RESULT([yes])
2855 PAM_MSG="yes (old library)" 2898 PAM_MSG="yes (old library)"
2856 2899
2857 ]) 2900 ])
2858fi 2901fi
2859 2902
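--- a/digest-libc.c
+++ b/digest-libc.c
@@ -18,15 +18,19 @@
 
 #include "includes.h"
 
+#ifndef WITH_OPENSSL
+
 #include <sys/types.h>
 #include <limits.h>
 #include <stdlib.h>
 #include <string.h>
 
+#if 0
 #include <md5.h>
 #include <rmd160.h>
 #include <sha1.h>
 #include <sha2.h>
+#endif
 
 #include "ssherr.h"
 #include "sshbuf.h"
@@ -89,30 +93,30 @@ const struct ssh_digest digests[SSH_DIGEST_MAX] = {
  "SHA256",
  SHA256_BLOCK_LENGTH,
  SHA256_DIGEST_LENGTH,
- sizeof(SHA2_CTX),
- (md_init_fn *) SHA256Init,
- (md_update_fn *) SHA256Update,
- (md_final_fn *) SHA256Final
+ sizeof(SHA256_CTX),
+ (md_init_fn *) SHA256_Init,
+ (md_update_fn *) SHA256_Update,
+ (md_final_fn *) SHA256_Final
  },
  {
  SSH_DIGEST_SHA384,
  "SHA384",
  SHA384_BLOCK_LENGTH,
  SHA384_DIGEST_LENGTH,
- sizeof(SHA2_CTX),
- (md_init_fn *) SHA384Init,
- (md_update_fn *) SHA384Update,
- (md_final_fn *) SHA384Final
+ sizeof(SHA384_CTX),
+ (md_init_fn *) SHA384_Init,
+ (md_update_fn *) SHA384_Update,
+ (md_final_fn *) SHA384_Final
  },
  {
  SSH_DIGEST_SHA512,
  "SHA512",
  SHA512_BLOCK_LENGTH,
  SHA512_DIGEST_LENGTH,
- sizeof(SHA2_CTX),
- (md_init_fn *) SHA512Init,
- (md_update_fn *) SHA512Update,
- (md_final_fn *) SHA512Final
+ sizeof(SHA512_CTX),
+ (md_init_fn *) SHA512_Init,
+ (md_update_fn *) SHA512_Update,
+ (md_final_fn *) SHA512_Final
  }
 };
 
@@ -257,3 +261,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
 {
  return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
 }
+#endif /* !WITH_OPENSSL */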
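Review bot: The `#if 0` added around `<md5.h>`, `<rmd160.h>`, `<sha1.h>` and `<sha2.h>` in the first hunk leaves four dead includes with no explanation of why they are disabled or where the digest declarations now come from. Either delete the includes or put a comment on the guard, e.g. `#if 0 /* libc headers disabled; digests come from the openbsd-compat copies */` (the source of the declarations is inferred from this commit's openbsd-compat.h change and should be confirmed). In the second hunk the table still casts `SHA256_Final`, `SHA384_Final` and `SHA512_Final` to `md_final_fn *`; the cast silences any prototype mismatch between the old libc names and the new compat names, so a short comment next to the table stating the argument order the typedefs expect would make that assumption checkable (the typedefs are outside this hunk).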
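--- a/digest-openssl.c
+++ b/digest-openssl.c
@@ -17,6 +17,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 #include <limits.h>
 #include <stdlib.h>
@@ -200,3 +202,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
 {
  return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
 }
+#endif /* WITH_OPENSSL */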
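--- a/entropy.c
+++ b/entropy.c
@@ -24,6 +24,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 #include <sys/socket.h>
 #ifdef HAVE_SYS_UN_H
@@ -230,3 +232,13 @@ seed_rng(void)
  if (RAND_status() != 1)
  fatal("PRNG is not seeded");
 }
+
+#else /* WITH_OPENSSL */
+
+/* Handled in arc4random() */
+void
+seed_rng(void)
+{
+}
+
+#endif /* WITH_OPENSSL */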
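Review bot: The no-OpenSSL `seed_rng()` added in the second hunk has an empty body, so the startup check that the OpenSSL branch performs (`fatal("PRNG is not seeded")`) has no counterpart and an unreadable random device is only noticed at the first `arc4random()` call. If that first call happens after a chroot or privilege drop (not visible from this section), the process fails mid-session instead of at startup. Drawing once here keeps the fail-early behaviour: make the body `(void)arc4random();` and change the comment to `/* Seeding happens in arc4random(); call it once so failure is reported at startup */`.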
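--- a/includes.h
+++ b/includes.h
@@ -167,7 +167,9 @@
 # endif
 #endif
 
+#ifdef WITH_OPENSSL
 #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
+#endif
 
 #include "defines.h"
 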
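--- a/kex.c
+++ b/kex.c
@@ -90,9 +90,9 @@ static const struct kexalg kexalgs[] = {
 # endif /* OPENSSL_HAS_NISTP521 */
 #endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
-#ifdef HAVE_EVP_SHA256
+#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
  { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
-#endif /* HAVE_EVP_SHA256 */
+#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
  { NULL, -1, -1, -1},
 };
 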
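--- a/kexdh.c
+++ b/kexdh.c
@@ -25,6 +25,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <signal.h>
@@ -85,3 +87,4 @@ kex_dh_hash(
  *hash = digest;
  *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
 }
+#endif /* WITH_OPENSSL */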
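--- a/kexdhc.c
+++ b/kexdhc.c
@@ -25,6 +25,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <openssl/dh.h>
@@ -159,3 +161,4 @@ kexdh_client(Kex *kex)
  BN_clear_free(shared_secret);
  kex_finish(kex);
 }
+#endif /* WITH_OPENSSL */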
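--- a/kexdhs.c
+++ b/kexdhs.c
@@ -25,6 +25,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <stdarg.h>
@@ -158,3 +160,4 @@ kexdh_server(Kex *kex)
  BN_clear_free(shared_secret);
  kex_finish(kex);
 }
+#endif /* WITH_OPENSSL */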
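--- a/kexecdh.c
+++ b/kexecdh.c
@@ -26,7 +26,7 @@
 
 #include "includes.h"
 
-#ifdef OPENSSL_HAS_ECC
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
 
 #include <sys/types.h>
 
@@ -94,4 +94,4 @@ kex_ecdh_hash(
  *hash = digest;
  *hashlen = ssh_digest_bytes(hash_alg);
 }
-#endif /* OPENSSL_HAS_ECC */
+#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */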
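--- a/kexecdhc.c
+++ b/kexecdhc.c
@@ -26,6 +26,8 @@
 
 #include "includes.h"
 
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+
 #include <sys/types.h>
 
 #include <stdio.h>
@@ -42,8 +44,6 @@
 #include "dh.h"
 #include "ssh2.h"
 
-#ifdef OPENSSL_HAS_ECC
-
 #include <openssl/ecdh.h>
 
 void
@@ -156,10 +156,4 @@ kexecdh_client(Kex *kex)
  BN_clear_free(shared_secret);
  kex_finish(kex);
 }
-#else /* OPENSSL_HAS_ECC */
-void
-kexecdh_client(Kex *kex)
-{
- fatal("ECC support is not enabled");
-}
-#endif /* OPENSSL_HAS_ECC */
+#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */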
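Review bot: Removing the `#else` stub in the last hunk means `kexecdh_client` is not defined at all when `WITH_OPENSSL` or `OPENSSL_HAS_ECC` is missing, so every reference to it has to sit under the same `#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)`; those references are outside this section and cannot be checked from here. The same holds for `kexecdh_server` in kexecdhs.c, which loses its stub in the same way. A one-line comment above the guard, e.g. `/* No stub without ECC: callers must use the same guard */`, would record the contract that replaces the old runtime `fatal()`.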
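--- a/kexecdhs.c
+++ b/kexecdhs.c
@@ -26,6 +26,8 @@
 
 #include "includes.h"
 
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
+
 #include <sys/types.h>
 #include <string.h>
 #include <signal.h>
@@ -39,8 +41,6 @@
 #include "packet.h"
 #include "ssh2.h"
 
-#ifdef OPENSSL_HAS_ECC
-
 #include <openssl/ecdh.h>
 
 void
@@ -152,10 +152,4 @@ kexecdh_server(Kex *kex)
  BN_clear_free(shared_secret);
  kex_finish(kex);
 }
-#else /* OPENSSL_HAS_ECC */
-void
-kexecdh_server(Kex *kex)
-{
- fatal("ECC support is not enabled");
-}
-#endif /* OPENSSL_HAS_ECC */
+#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */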
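--- a/kexgex.c
+++ b/kexgex.c
@@ -26,6 +26,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <openssl/evp.h>
@@ -96,3 +98,4 @@ kexgex_hash(
  *hash = digest;
  *hashlen = ssh_digest_bytes(hash_alg);
 }
+#endif /* WITH_OPENSSL */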
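--- a/kexgexc.c
+++ b/kexgexc.c
@@ -26,6 +26,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <openssl/dh.h>
@@ -205,3 +207,4 @@ kexgex_client(Kex *kex)
 
  kex_finish(kex);
 }
+#endif /* WITH_OPENSSL */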
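--- a/kexgexs.c
+++ b/kexgexs.c
@@ -26,6 +26,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/param.h>
 
 #include <stdarg.h>
@@ -206,3 +208,4 @@ kexgex_server(Kex *kex)
 
  kex_finish(kex);
 }
+#endif /* WITH_OPENSSL */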
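--- a/krl.c
+++ b/krl.c
@@ -18,6 +18,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */
+
 #include <sys/types.h>
 #include <sys/param.h>
 #include <openbsd-compat/sys-tree.h>
@@ -1282,3 +1284,4 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
  errno = oerrno;
  return r;
 }
+#endif /* WITH_OPENSSL */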
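Review bot: Wrapping the whole file in `#ifdef WITH_OPENSSL` removes `ssh_krl_file_contains_key` from no-OpenSSL builds, and nothing in this section says what a revocation check should do in that configuration. Any caller that consults a revoked-keys file has to fail closed (reject the key or refuse to start) rather than treat missing KRL support as "not revoked"; those callers are outside these hunks, so this needs confirming against the rest of the tree. The `XXX` comment on the guard would be more useful if it recorded that, e.g. `/* XXX KRLs need bignums; without OpenSSL callers must reject, not skip, revocation checks */`.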
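--- a/moduli.c
+++ b/moduli.c
@@ -39,6 +39,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/param.h>
 #include <sys/types.h>
 
@@ -802,3 +804,5 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
 
  return (res);
 }
+
+#endif /* WITH_OPENSSL */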
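--- a/monitor_wrap.c
+++ b/monitor_wrap.c
@@ -151,8 +151,10 @@ mm_request_receive(int sock, Buffer *m)
  debug3("%s entering", __func__);
 
  if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
- if (errno == EPIPE)
+ if (errno == EPIPE) {
+ error("%s: socket closed", __func__);
  cleanup_exit(255);
+ }
  fatal("%s: read: %s", __func__, strerror(errno));
  }
  msg_len = get_u32(buf);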
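--- a/openbsd-compat/Makefile.in
+++ b/openbsd-compat/Makefile.in
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@
 INSTALL=@INSTALL@
 LDFLAGS=-L. @LDFLAGS@
 
-OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
+OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
 
 COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
 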
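--- a/openbsd-compat/arc4random.c
+++ b/openbsd-compat/arc4random.c
@@ -26,15 +26,19 @@
 
 #include "includes.h"
 
+#include <sys/types.h>
+
+#include <fcntl.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
-#include <sys/types.h>
 
 #ifndef HAVE_ARC4RANDOM
 
+#ifdef WITH_OPENSSL
 #include <openssl/rand.h>
 #include <openssl/err.h>
+#endif
 
 #include "log.h"
 
@@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n)
  chacha_ivsetup(&rs, buf + KEYSZ);
 }
 
+#ifndef WITH_OPENSSL
+#define SSH_RANDOM_DEV "/dev/urandom"
+/* XXX use getrandom() if supported on Linux */
+static void
+getrnd(u_char *s, size_t len)
+{
+ int fd;
+ ssize_t r;
+ size_t o = 0;
+
+ if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1)
+ fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno));
+ while (o < len) {
+ r = read(fd, s + o, len - o);
+ if (r < 0) {
+ if (errno == EAGAIN || errno == EINTR ||
+ errno == EWOULDBLOCK)
+ continue;
+ fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno));
+ }
+ o += r;
+ }
+ close(fd);
+}
+#endif
+
 static void
 _rs_stir(void)
 {
  u_char rnd[KEYSZ + IVSZ];
 
+#ifdef WITH_OPENSSL
  if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
  fatal("Couldn't obtain random bytes (error %ld)",
  ERR_get_error());
+#else
+ getrnd(rnd, sizeof(rnd));
+#endif
 
  if (!rs_initialized) {
  rs_initialized = 1;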
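Review bot: In the new `getrnd()` a `read()` that returns 0 is not handled: `o += r` adds nothing and `while (o < len)` never terminates, so an unexpected end-of-file on the random device hangs the process instead of stopping it. Treat that case as fatal like the other error path, with `if (r == 0) fatal("read %s: unexpected EOF", SSH_RANDOM_DEV);` placed before `o += r;`. The function also reads `errno`, yet the first hunk adds `<fcntl.h>` and no `<errno.h>`; unless includes.h or log.h already provides it (not visible here), `#include <errno.h>` belongs in that include block. `_rs_stir()` continues past the end of the hunk.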
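--- a/openbsd-compat/bcrypt_pbkdf.c
+++ b/openbsd-compat/bcrypt_pbkdf.c
@@ -32,6 +32,9 @@
 #endif
 
 #include "crypto_api.h"
+#ifdef SHA512_DIGEST_LENGTH
+# undef SHA512_DIGEST_LENGTH
+#endif
 #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES
 
 /*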
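--- a/openbsd-compat/openbsd-compat.h
+++ b/openbsd-compat/openbsd-compat.h
@@ -43,7 +43,10 @@
 #include "readpassphrase.h"
 #include "vis.h"
 #include "getrrsetbyname.h"
+#include "sha1.h"
 #include "sha2.h"
+#include "rmd160.h"
+#include "md5.h"
 #include "blf.h"
 
 #ifndef HAVE_BASENAME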
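--- a/openbsd-compat/openssl-compat.c
+++ b/openbsd-compat/openssl-compat.c
@@ -19,6 +19,8 @@
 #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <stdarg.h>
 #include <string.h>
 
@@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void)
  OPENSSL_config(NULL);
 }
 #endif
+
+#endif /* WITH_OPENSSL */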
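--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -20,6 +20,8 @@
 #define _OPENSSL_COMPAT_H
 
 #include "includes.h"
+#ifdef WITH_OPENSSL
+
 #include <openssl/opensslv.h>
 #include <openssl/evp.h>
 #include <openssl/rsa.h>
@@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void);
 
 #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
 
+#endif /* WITH_OPENSSL */
 #endif /* _OPENSSL_COMPAT_H */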
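--- a/openbsd-compat/sha2.c
+++ b/openbsd-compat/sha2.c
@@ -38,13 +38,18 @@
 
 #include "includes.h"
 
-#include <openssl/opensslv.h>
+#ifdef WITH_OPENSSL
+# include <openssl/opensslv.h>
+# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+# define _NEED_SHA2 1
+# endif
+#else
+# define _NEED_SHA2 1
+#endif
+
+#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
 
-#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
- (OPENSSL_VERSION_NUMBER >= 0x00907000L)
-#include <sys/types.h>
 #include <string.h>
-#include "sha2.h"
 
 /*
  * UNROLLED TRANSFORM LOOP NOTE:
@@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
 }
 
 
-#if 0
 /*** SHA-384: *********************************************************/
 void
 SHA384_Init(SHA384_CTX *context)
@@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context)
  context->bitcount[0] = context->bitcount[1] = 0;
 }
 
+#if 0
 __weak_alias(SHA384_Transform, SHA512_Transform);
 __weak_alias(SHA384_Update, SHA512_Update);
 __weak_alias(SHA384_Pad, SHA512_Pad);
+#endif
+
+void
+SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
+{
+ return SHA512_Transform(state, data);
+}
+
+void
+SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
+{
+ SHA512_Update(context, data, len);
+}
+
+void
+SHA384_Pad(SHA512_CTX *context)
+{
+ SHA512_Pad(context);
+}
 
 void
 SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
@@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
  /* Zero out state data */
  memset(context, 0, sizeof(*context));
 }
-#endif
 
-#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
- (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
+#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */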
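Review bot: `SHA384_Transform()` in the third hunk is declared `void` but its body is `return SHA512_Transform(state, data);`, and returning an expression from a void function is a constraint violation in C that compilers accept only as an extension. Write it like the two wrappers that follow it: `SHA512_Transform(state, data);`. Now that the SHA-384 code is compiled in, the `memset(context, 0, sizeof(*context));` under `/* Zero out state data */` in `SHA384_Final()` is live as well; a plain `memset` used for scrubbing can be removed by the optimiser, and since explicit_bzero.o is already in the openbsd-compat object list, `explicit_bzero(context, sizeof(*context));` would be the more dependable call there. The rest of `SHA384_Final()` lies outside the hunk.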
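--- a/openbsd-compat/sha2.h
+++ b/openbsd-compat/sha2.h
@@ -41,10 +41,16 @@
 
 #include "includes.h"
 
-#include <openssl/opensslv.h>
+#ifdef WITH_OPENSSL
+# include <openssl/opensslv.h>
+# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+# define _NEED_SHA2 1
+# endif
+#else
+# define _NEED_SHA2 1
+#endif
 
-#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
- (OPENSSL_VERSION_NUMBER >= 0x00907000L)
+#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
 
 /*** SHA-256/384/512 Various Length Definitions ***********************/
 #define SHA256_BLOCK_LENGTH 64
@@ -70,9 +76,7 @@ typedef struct _SHA512_CTX {
  u_int8_t buffer[SHA512_BLOCK_LENGTH];
 } SHA512_CTX;
 
-#if 0
 typedef SHA512_CTX SHA384_CTX;
-#endif
 
 void SHA256_Init(SHA256_CTX *);
 void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
@@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *)
  __attribute__((__bounded__(__string__,1,2)))
  __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
 
-#if 0
 void SHA384_Init(SHA384_CTX *);
 void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
 void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
@@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t)
 char *SHA384_Data(const u_int8_t *, size_t, char *)
  __attribute__((__bounded__(__string__,1,2)))
  __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
-#endif /* 0 */
 
 void SHA512_Init(SHA512_CTX *);
 void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
@@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *)
  __attribute__((__bounded__(__string__,1,2)))
  __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
 
-#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
- (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
+#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */
 
 #endif /* _SSHSHA2_H */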
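Review bot: `_NEED_SHA2` in the first hunk starts with an underscore followed by an uppercase letter, a form C reserves for the implementation, and the block that computes it is repeated line for line in sha2.c. Renaming it to something like `SSH_NEED_SHA2` and defining it only in this header would remove both the reserved name and the risk of the two copies drifting apart. That relies on sha2.c still seeing this header through includes.h after this commit drops its direct `#include "sha2.h"`; the include chain is not visible here and should be confirmed.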
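--- a/openbsd-compat/xcrypt.c
+++ b/openbsd-compat/xcrypt.c
@@ -57,7 +57,7 @@
 # include "md5crypt.h"
 # endif
 
-# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
+# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
 # include <openssl/des.h>
 # define crypt DES_crypt
 # endif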
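--- a/packet.c
+++ b/packet.c
@@ -1612,6 +1612,7 @@ packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point)
  buffer_get_ecpoint(&active_state->incoming_packet, curve, point);
 }
 #endif
+#endif
 
 void *
 packet_get_raw(u_int *length_ptr)
@@ -1622,7 +1623,6 @@ packet_get_raw(u_int *length_ptr)
  *length_ptr = bytes;
  return buffer_ptr(&active_state->incoming_packet);
 }
-#endif
 
 int
 packet_remaining(void)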
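Review bot: The `#endif` moved up in the first hunk now sits directly under another bare `#endif`, and neither says which condition it closes, which is how `packet_get_raw()` ended up inside the wrong guard before this fix. Labelling both would make the nesting checkable at a glance, e.g. `#endif /* OPENSSL_HAS_ECC */` followed by `#endif /* WITH_OPENSSL */`. The opening directives are outside the hunk, so those two names are a guess from the surrounding function and must be matched against the file.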
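--- a/ssh-add.c
+++ b/ssh-add.c
@@ -70,11 +70,13 @@ extern char *__progname;
 
 /* Default files to add */
 static char *default_files[] = {
+#ifdef WITH_OPENSSL
  _PATH_SSH_CLIENT_ID_RSA,
  _PATH_SSH_CLIENT_ID_DSA,
 #ifdef OPENSSL_HAS_ECC
  _PATH_SSH_CLIENT_ID_ECDSA,
 #endif
+#endif /* WITH_OPENSSL */
  _PATH_SSH_CLIENT_ID_ED25519,
  _PATH_SSH_CLIENT_IDENTITY,
  NULL
@@ -440,7 +442,9 @@ main(int argc, char **argv)
  __progname = ssh_get_progname(argv[0]);
  seed_rng();
 
+#ifdef WITH_OPENSSL
  OpenSSL_add_all_algorithms();
+#endif
 
  setvbuf(stdout, NULL, _IOLBF, 0);
 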
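--- a/ssh-dss.c
+++ b/ssh-dss.c
@@ -25,6 +25,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <openssl/bn.h>
@@ -217,3 +219,4 @@ ssh_dss_verify(const struct sshkey *key,
  }
  return ret;
 }
+#endif /* WITH_OPENSSL */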
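--- a/ssh-ecdsa.c
+++ b/ssh-ecdsa.c
@@ -26,7 +26,7 @@
 
 #include "includes.h"
 
-#ifdef OPENSSL_HAS_ECC
+#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
 
 #include <sys/types.h>
 
@@ -189,4 +189,4 @@ ssh_ecdsa_verify(const struct sshkey *key,
  return ret;
 }
 
-#endif /* OPENSSL_HAS_ECC */
+#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */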
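diff --git a/ssh-keygen.c b/ssh-keygen.c
index 8daea7f76..75f8e2e09 100644
--- a/ssh-keygen.c
+++ b/ssh-keygen.c
@@ -19,9 +19,11 @@
 #include <sys/stat.h>
 #include <sys/param.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/evp.h>
 #include <openssl/pem.h>
 #include "openbsd-compat/openssl-compat.h"
+#endif
 
 #include <errno.h>
 #include <fcntl.h>
@@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,
 static void
 type_bits_valid(int type, u_int32_t *bitsp)
 {
+#ifdef WITH_OPENSSL
  u_int maxbits;
+#endif
 
  if (type == KEY_UNSPEC) {
  fprintf(stderr, "unknown key type %s\n", key_type_name);
@@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp)
  else
  *bitsp = DEFAULT_BITS;
  }
+#ifdef WITH_OPENSSL
  maxbits = (type == KEY_DSA) ?
  OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
  if (*bitsp > maxbits) {
  fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
  exit(1);
  }
-#ifdef WITH_OPENSSL
  if (type == KEY_DSA && *bitsp != 1024)
  fatal("DSA keys must be 1024 bits");
  else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
  fclose(krl_spec);
  free(path);
 }
+#endif /* WITH_OPENSSL */
 
 static void
 do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
 {
+#ifdef WITH_OPENSSL
  struct ssh_krl *krl;
  struct stat sb;
  Key *ca = NULL;
@@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
  ssh_krl_free(krl);
  if (ca != NULL)
  key_free(ca);
+#else /* WITH_OPENSSL */
+ fatal("KRLs not supported without OpenSSL");
+#endif /* WITH_OPENSSL */
 }
 
 static void
 do_check_krl(struct passwd *pw, int argc, char **argv)
 {
+#ifdef WITH_OPENSSL
  int i, r, ret = 0;
  char *comment;
  struct ssh_krl *krl;
@@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
  }
  ssh_krl_free(krl);
  exit(ret);
+#else /* WITH_OPENSSL */
+ fatal("KRLs not supported without OpenSSL");
+#endif /* WITH_OPENSSL */
 }
-#endif
 
 static void
 usage(void)
@@ -2249,7 +2261,9 @@ main(int argc, char **argv)
 
  __progname = ssh_get_progname(argv[0]);
 
+#ifdef WITH_OPENSSL
  OpenSSL_add_all_algorithms();
+#endif
  log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
 
  seed_rng();
@@ -2427,6 +2441,7 @@ main(int argc, char **argv)
  fatal("Invalid number: %s (%s)",
  optarg, errstr);
  break;
+#ifdef WITH_OPENSSL
  case 'M':
  memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
  if (errstr)
@@ -2454,6 +2469,7 @@ main(int argc, char **argv)
  if (BN_hex2bn(&start, optarg) == 0)
  fatal("Invalid start point.");
  break;
+#endif /* WITH_OPENSSL */
  case 'V':
  parse_cert_times(optarg);
  break;
@@ -2493,7 +2509,6 @@ main(int argc, char **argv)
  printf("Cannot use -l with -H or -R.\n");
  usage();
  }
-#ifdef WITH_OPENSSL
  if (gen_krl) {
  do_gen_krl(pw, update_krl, argc, argv);
  return (0);
@@ -2502,7 +2517,6 @@ main(int argc, char **argv)
  do_check_krl(pw, argc, argv);
  return (0);
  }
-#endif
  if (ca_key_path != NULL) {
  if (cert_key_id == NULL)
  fatal("Must specify key id (-I) when certifying");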
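Review bot: In main()'s option switch, the cases from `case 'M':` through the one that calls `BN_hex2bn(&start, optarg)` are now compiled out without WITH_OPENSSL, so those options reach whatever the switch's default branch does. The KRL entry points do_gen_krl() and do_check_krl(), by contrast, stop with an explicit `fatal("KRLs not supported without OpenSSL")`. The getopt option string and the default branch are outside these hunks, so this is inferred from the visible guards only. If they are unchanged, an `#else` arm that keeps the same case labels and calls `fatal()` with a "not supported without OpenSSL" message would make an unavailable feature fail the same way on both paths. A short comment above the stubbed do_check_krl() body should also record that a build without OpenSSL cannot answer a revocation query and ends in `fatal()` rather than `exit(ret)`.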
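diff --git a/ssh-keysign.c b/ssh-keysign.c
index d59f115fc..821939997 100644
--- a/ssh-keysign.c
+++ b/ssh-keysign.c
@@ -35,9 +35,11 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/evp.h>
 #include <openssl/rand.h>
 #include <openssl/rsa.h>
+#endif
 
 #include "xmalloc.h"
 #include "log.h"
@@ -161,7 +163,9 @@ main(int argc, char **argv)
  u_char *signature, *data;
  char *host, *fp;
  u_int slen, dlen;
+#ifdef WITH_OPENSSL
  u_int32_t rnd[256];
+#endif
 
  /* Ensure that stdin and stdout are connected */
  if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@@ -204,9 +208,11 @@ main(int argc, char **argv)
  if (found == 0)
  fatal("could not open any host key");
 
+#ifdef WITH_OPENSSL
  OpenSSL_add_all_algorithms();
  arc4random_buf(rnd, sizeof(rnd));
  RAND_seed(rnd, sizeof(rnd));
+#endif
 
  found = 0;
  for (i = 0; i < NUM_KEYTYPES; i++) {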
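Review bot: The seed buffer `rnd` in main() is not wiped after `RAND_seed(rnd, sizeof(rnd))` inside the newly guarded block, so the bytes that seeded the OpenSSL PRNG stay on the stack of a process that goes on to handle host keys. The sshd.c hunks in this same commit follow each `RAND_seed(rnd, sizeof(rnd))` with `explicit_bzero(rnd, sizeof(rnd));`. Adding that line just before the `#endif` here would bring the two files into agreement. main() continues past the end of this hunk, so a later wipe cannot be ruled out from this view.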
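diff --git a/ssh-rsa.c b/ssh-rsa.c
index fec1953b4..aef798da6 100644
--- a/ssh-rsa.c
+++ b/ssh-rsa.c
@@ -17,6 +17,8 @@
 
 #include "includes.h"
 
+#ifdef WITH_OPENSSL
+
 #include <sys/types.h>
 
 #include <openssl/evp.h>
@@ -263,3 +265,4 @@ done:
  }
  return ret;
 }
+#endif /* WITH_OPENSSL */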
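diff --git a/sshd.c b/sshd.c
index d59e2555b..202e1706f 100644
--- a/sshd.c
+++ b/sshd.c
@@ -623,7 +623,9 @@ privsep_preauth_child(void)
 
  arc4random_stir();
  arc4random_buf(rnd, sizeof(rnd));
+#ifdef WITH_OPENSSL
  RAND_seed(rnd, sizeof(rnd));
+#endif
  explicit_bzero(rnd, sizeof(rnd));
 
  /* Demote the private keys to public keys. */
@@ -758,7 +760,9 @@ privsep_postauth(Authctxt *authctxt)
 
  arc4random_stir();
  arc4random_buf(rnd, sizeof(rnd));
+#ifdef WITH_OPENSSL
  RAND_seed(rnd, sizeof(rnd));
+#endif
  explicit_bzero(rnd, sizeof(rnd));
 
  /* Drop privileges */
@@ -988,7 +992,7 @@ send_rexec_state(int fd, Buffer *conf)
 #endif
  buffer_put_int(&m, 0);
 
-#ifndef OPENSSL_PRNG_ONLY
+#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
  rexec_send_rng_seed(&m);
 #endif
 
@@ -1041,7 +1045,7 @@ recv_rexec_state(int fd, Buffer *conf)
 #endif
  }
 
-#ifndef OPENSSL_PRNG_ONLY
+#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
  rexec_recv_rng_seed(&m);
 #endif
 
@@ -1372,7 +1376,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
  */
  arc4random_stir();
  arc4random_buf(rnd, sizeof(rnd));
+#ifdef WITH_OPENSSL
  RAND_seed(rnd, sizeof(rnd));
+#endif
  explicit_bzero(rnd, sizeof(rnd));
  }
 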
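Review bot: Without WITH_OPENSSL, `arc4random_buf(rnd, sizeof(rnd))` followed by `explicit_bzero(rnd, sizeof(rnd))` in privsep_preauth_child(), privsep_postauth() and server_accept_loop() fills and wipes a buffer that nothing reads, because only the `RAND_seed()` line is guarded. A reader could mistake the leftover pair for the reseed step. Either widen each guard to cover the fill and the wipe (the declaration of `rnd` is outside these hunks and would need the same guard), or add a comment such as `/* without OpenSSL, arc4random_stir() above is the only reseed here */`. Separately, the `#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)` condition in send_rexec_state() and recv_rexec_state() must stay identical on both sides, since, going by their names, one call appends the seed to the message and the other consumes it. A single named macro for that condition would keep the pair in step.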