diff options
40 files changed, 689 insertions, 491 deletions
diff --git a/Makefile.in b/Makefile.in index ebd48c303..d7ba813a9 100644 --- a/Makefile.in +++ b/Makefile.in | |||
@@ -76,7 +76,7 @@ LIBOPENSSH_OBJS=\ | |||
76 | 76 | ||
77 | LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | 77 | LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ |
78 | authfd.o authfile.o bufaux.o bufbn.o buffer.o \ | 78 | authfd.o authfile.o bufaux.o bufbn.o buffer.o \ |
79 | canohost.o channels.o cipher.o cipher-aes.o \ | 79 | canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \ |
80 | cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ | 80 | cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \ |
81 | compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ | 81 | compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \ |
82 | log.o match.o md-sha256.o moduli.o nchan.o packet.o \ | 82 | log.o match.o md-sha256.o moduli.o nchan.o packet.o \ |
@@ -87,7 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ | |||
87 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ | 87 | msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ |
88 | ssh-pkcs11.o smult_curve25519_ref.o \ | 88 | ssh-pkcs11.o smult_curve25519_ref.o \ |
89 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ | 89 | kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \ |
90 | ssh-ed25519.o digest-openssl.o hmac.o \ | 90 | ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \ |
91 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o | 91 | sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o |
92 | 92 | ||
93 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ | 93 | SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \ |
@@ -20,12 +20,15 @@ | |||
20 | 20 | ||
21 | #include "includes.h" | 21 | #include "includes.h" |
22 | 22 | ||
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <sys/types.h> | 25 | #include <sys/types.h> |
24 | 26 | ||
25 | #include "buffer.h" | 27 | #include "buffer.h" |
26 | #include "log.h" | 28 | #include "log.h" |
27 | #include "ssherr.h" | 29 | #include "ssherr.h" |
28 | 30 | ||
31 | #ifdef WITH_SSH1 | ||
29 | int | 32 | int |
30 | buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) | 33 | buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value) |
31 | { | 34 | { |
@@ -63,6 +66,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value) | |||
63 | if (buffer_get_bignum_ret(buffer, value) == -1) | 66 | if (buffer_get_bignum_ret(buffer, value) == -1) |
64 | fatal("%s: buffer error", __func__); | 67 | fatal("%s: buffer error", __func__); |
65 | } | 68 | } |
69 | #endif /* WITH_SSH1 */ | ||
66 | 70 | ||
67 | int | 71 | int |
68 | buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) | 72 | buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value) |
@@ -101,3 +105,5 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value) | |||
101 | if (buffer_get_bignum2_ret(buffer, value) == -1) | 105 | if (buffer_get_bignum2_ret(buffer, value) == -1) |
102 | fatal("%s: buffer error", __func__); | 106 | fatal("%s: buffer error", __func__); |
103 | } | 107 | } |
108 | |||
109 | #endif /* WITH_OPENSSL */ | ||
diff --git a/cipher-aesctr.c b/cipher-aesctr.c index e13615195..850bbf7db 100644 --- a/cipher-aesctr.c +++ b/cipher-aesctr.c | |||
@@ -18,6 +18,8 @@ | |||
18 | #include <sys/types.h> | 18 | #include <sys/types.h> |
19 | #include <string.h> | 19 | #include <string.h> |
20 | 20 | ||
21 | #ifndef WITH_OPENSSL | ||
22 | |||
21 | #include "cipher-aesctr.h" | 23 | #include "cipher-aesctr.h" |
22 | 24 | ||
23 | /* | 25 | /* |
@@ -76,3 +78,4 @@ aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes) | |||
76 | n = (n + 1) % AES_BLOCK_SIZE; | 78 | n = (n + 1) % AES_BLOCK_SIZE; |
77 | } | 79 | } |
78 | } | 80 | } |
81 | #endif /* !WITH_OPENSSL */ | ||
diff --git a/cipher-bf1.c b/cipher-bf1.c index 64c74bc6f..ee72ac085 100644 --- a/cipher-bf1.c +++ b/cipher-bf1.c | |||
@@ -20,6 +20,8 @@ | |||
20 | 20 | ||
21 | #include "includes.h" | 21 | #include "includes.h" |
22 | 22 | ||
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <sys/types.h> | 25 | #include <sys/types.h> |
24 | 26 | ||
25 | #include <stdarg.h> | 27 | #include <stdarg.h> |
@@ -98,3 +100,4 @@ evp_ssh1_bf(void) | |||
98 | ssh1_bf.key_len = 32; | 100 | ssh1_bf.key_len = 32; |
99 | return (&ssh1_bf); | 101 | return (&ssh1_bf); |
100 | } | 102 | } |
103 | #endif /* WITH_OPENSSL */ | ||
diff --git a/cipher-ctr.c b/cipher-ctr.c index ea0f9b3b7..32771f287 100644 --- a/cipher-ctr.c +++ b/cipher-ctr.c | |||
@@ -16,7 +16,7 @@ | |||
16 | */ | 16 | */ |
17 | #include "includes.h" | 17 | #include "includes.h" |
18 | 18 | ||
19 | #ifndef OPENSSL_HAVE_EVPCTR | 19 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) |
20 | #include <sys/types.h> | 20 | #include <sys/types.h> |
21 | 21 | ||
22 | #include <stdarg.h> | 22 | #include <stdarg.h> |
@@ -143,4 +143,4 @@ evp_aes_128_ctr(void) | |||
143 | return (&aes_ctr); | 143 | return (&aes_ctr); |
144 | } | 144 | } |
145 | 145 | ||
146 | #endif /* OPENSSL_HAVE_EVPCTR */ | 146 | #endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */ |
diff --git a/configure.ac b/configure.ac index 13e25e98f..cb66f54b1 100644 --- a/configure.ac +++ b/configure.ac | |||
@@ -121,14 +121,34 @@ AC_CHECK_DECL([PR_SET_NO_NEW_PRIVS], [have_linux_no_new_privs=1], , [ | |||
121 | #include <linux/prctl.h> | 121 | #include <linux/prctl.h> |
122 | ]) | 122 | ]) |
123 | 123 | ||
124 | openssl=yes | ||
124 | ssh1=yes | 125 | ssh1=yes |
125 | AC_ARG_WITH([ssh1], | 126 | AC_ARG_WITH([openssl], |
126 | [ --without-ssh1 Disable support for SSH protocol 1], | 127 | [ --without-openssl Disable use of OpenSSL; use only limited internal crypto **EXPERIMENTAL** ], |
127 | [ if test "x$withval" = "xno" ; then | 128 | [ if test "x$withval" = "xno" ; then |
129 | openssl=no | ||
128 | ssh1=no | 130 | ssh1=no |
129 | fi | 131 | fi |
130 | ] | 132 | ] |
131 | ) | 133 | ) |
134 | AC_MSG_CHECKING([whether OpenSSL will be used for cryptography]) | ||
135 | if test "x$openssl" = "xyes" ; then | ||
136 | AC_MSG_RESULT([yes]) | ||
137 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | ||
138 | else | ||
139 | AC_MSG_RESULT([no]) | ||
140 | fi | ||
141 | |||
142 | AC_ARG_WITH([ssh1], | ||
143 | [ --without-ssh1 Disable support for SSH protocol 1], | ||
144 | [ | ||
145 | if test "x$withval" = "xno" ; then | ||
146 | ssh1=no | ||
147 | elif test "x$openssl" = "xno" ; then | ||
148 | AC_MSG_ERROR([Cannot enable SSH protocol 1 with OpenSSL disabled]) | ||
149 | fi | ||
150 | ] | ||
151 | ) | ||
132 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) | 152 | AC_MSG_CHECKING([whether SSH protocol 1 support is enabled]) |
133 | if test "x$ssh1" = "xyes" ; then | 153 | if test "x$ssh1" = "xyes" ; then |
134 | AC_MSG_RESULT([yes]) | 154 | AC_MSG_RESULT([yes]) |
@@ -1312,7 +1332,7 @@ g.gl_statv = NULL; | |||
1312 | AC_MSG_RESULT([yes]) | 1332 | AC_MSG_RESULT([yes]) |
1313 | ], [ | 1333 | ], [ |
1314 | AC_MSG_RESULT([no]) | 1334 | AC_MSG_RESULT([no]) |
1315 | 1335 | ||
1316 | ]) | 1336 | ]) |
1317 | 1337 | ||
1318 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) | 1338 | AC_CHECK_DECLS([GLOB_NOMATCH], , , [#include <glob.h>]) |
@@ -1705,10 +1725,13 @@ AC_LINK_IFELSE( | |||
1705 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) | 1725 | [AC_DEFINE([HAVE_ISBLANK], [1], [Define if you have isblank(3C).]) |
1706 | ]) | 1726 | ]) |
1707 | 1727 | ||
1708 | # PKCS#11 support requires dlopen() and co | 1728 | # PKCS11 depends on OpenSSL. |
1709 | AC_SEARCH_LIBS([dlopen], [dl], | 1729 | if test "x$openssl" = "xyes" ; then |
1710 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | 1730 | # PKCS#11 support requires dlopen() and co |
1711 | ) | 1731 | AC_SEARCH_LIBS([dlopen], [dl], |
1732 | [AC_DEFINE([ENABLE_PKCS11], [], [Enable for PKCS#11 support])] | ||
1733 | ) | ||
1734 | fi | ||
1712 | 1735 | ||
1713 | # IRIX has a const char return value for gai_strerror() | 1736 | # IRIX has a const char return value for gai_strerror() |
1714 | AC_CHECK_FUNCS([gai_strerror], [ | 1737 | AC_CHECK_FUNCS([gai_strerror], [ |
@@ -2197,6 +2220,9 @@ saved_LDFLAGS="$LDFLAGS" | |||
2197 | AC_ARG_WITH([ssl-dir], | 2220 | AC_ARG_WITH([ssl-dir], |
2198 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], | 2221 | [ --with-ssl-dir=PATH Specify path to OpenSSL installation ], |
2199 | [ | 2222 | [ |
2223 | if test "x$openssl" = "xno" ; then | ||
2224 | AC_MSG_ERROR([cannot use --with-ssl-dir when OpenSSL disabled]) | ||
2225 | fi | ||
2200 | if test "x$withval" != "xno" ; then | 2226 | if test "x$withval" != "xno" ; then |
2201 | case "$withval" in | 2227 | case "$withval" in |
2202 | # Relative paths | 2228 | # Relative paths |
@@ -2229,444 +2255,457 @@ AC_ARG_WITH([ssl-dir], | |||
2229 | fi | 2255 | fi |
2230 | ] | 2256 | ] |
2231 | ) | 2257 | ) |
2232 | LIBS="-lcrypto $LIBS" | 2258 | |
2233 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], | 2259 | AC_ARG_WITH([openssl-header-check], |
2234 | [Define if your ssl headers are included | 2260 | [ --without-openssl-header-check Disable OpenSSL version consistency check], |
2235 | with #include <openssl/header.h>])], | ||
2236 | [ | 2261 | [ |
2237 | dnl Check default openssl install dir | 2262 | if test "x$withval" = "xno" ; then |
2238 | if test -n "${need_dash_r}"; then | 2263 | openssl_check_nonfatal=1 |
2239 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2240 | else | ||
2241 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" | ||
2242 | fi | 2264 | fi |
2243 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2244 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2245 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2246 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2247 | [ | ||
2248 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2249 | ] | ||
2250 | ) | ||
2251 | ] | 2265 | ] |
2252 | ) | 2266 | ) |
2253 | 2267 | ||
2254 | # Determine OpenSSL header version | 2268 | openssl_engine=no |
2255 | AC_MSG_CHECKING([OpenSSL header version]) | 2269 | AC_ARG_WITH([ssl-engine], |
2256 | AC_RUN_IFELSE( | 2270 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], |
2257 | [AC_LANG_PROGRAM([[ | ||
2258 | #include <stdio.h> | ||
2259 | #include <string.h> | ||
2260 | #include <openssl/opensslv.h> | ||
2261 | #define DATA "conftest.sslincver" | ||
2262 | ]], [[ | ||
2263 | FILE *fd; | ||
2264 | int rc; | ||
2265 | |||
2266 | fd = fopen(DATA,"w"); | ||
2267 | if(fd == NULL) | ||
2268 | exit(1); | ||
2269 | |||
2270 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) | ||
2271 | exit(1); | ||
2272 | |||
2273 | exit(0); | ||
2274 | ]])], | ||
2275 | [ | ||
2276 | ssl_header_ver=`cat conftest.sslincver` | ||
2277 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2278 | ], | ||
2279 | [ | ||
2280 | AC_MSG_RESULT([not found]) | ||
2281 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2282 | ], | ||
2283 | [ | 2271 | [ |
2284 | AC_MSG_WARN([cross compiling: not checking]) | 2272 | if test "x$openssl" = "xno" ; then |
2273 | AC_MSG_ERROR([cannot use --with-ssl-engine when OpenSSL disabled]) | ||
2274 | fi | ||
2275 | if test "x$withval" != "xno" ; then | ||
2276 | openssl_engine=yes | ||
2277 | fi | ||
2285 | ] | 2278 | ] |
2286 | ) | 2279 | ) |
2287 | 2280 | ||
2288 | # Determine OpenSSL library version | 2281 | if test "x$openssl" = "xyes" ; then |
2289 | AC_MSG_CHECKING([OpenSSL library version]) | 2282 | LIBS="-lcrypto $LIBS" |
2290 | AC_RUN_IFELSE( | 2283 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL], [1], |
2291 | [AC_LANG_PROGRAM([[ | 2284 | [Define if your ssl headers are included |
2292 | #include <stdio.h> | 2285 | with #include <openssl/header.h>])], |
2293 | #include <string.h> | 2286 | [ |
2294 | #include <openssl/opensslv.h> | 2287 | dnl Check default openssl install dir |
2295 | #include <openssl/crypto.h> | 2288 | if test -n "${need_dash_r}"; then |
2296 | #define DATA "conftest.ssllibver" | 2289 | LDFLAGS="-L/usr/local/ssl/lib -R/usr/local/ssl/lib ${saved_LDFLAGS}" |
2297 | ]], [[ | 2290 | else |
2298 | FILE *fd; | 2291 | LDFLAGS="-L/usr/local/ssl/lib ${saved_LDFLAGS}" |
2299 | int rc; | 2292 | fi |
2293 | CPPFLAGS="-I/usr/local/ssl/include ${saved_CPPFLAGS}" | ||
2294 | AC_CHECK_HEADER([openssl/opensslv.h], , | ||
2295 | [AC_MSG_ERROR([*** OpenSSL headers missing - please install first or check config.log ***])]) | ||
2296 | AC_TRY_LINK_FUNC([RAND_add], [AC_DEFINE([HAVE_OPENSSL])], | ||
2297 | [ | ||
2298 | AC_MSG_ERROR([*** Can't find recent OpenSSL libcrypto (see config.log for details) ***]) | ||
2299 | ] | ||
2300 | ) | ||
2301 | ] | ||
2302 | ) | ||
2300 | 2303 | ||
2301 | fd = fopen(DATA,"w"); | 2304 | # Determine OpenSSL header version |
2302 | if(fd == NULL) | 2305 | AC_MSG_CHECKING([OpenSSL header version]) |
2303 | exit(1); | 2306 | AC_RUN_IFELSE( |
2307 | [AC_LANG_PROGRAM([[ | ||
2308 | #include <stdio.h> | ||
2309 | #include <string.h> | ||
2310 | #include <openssl/opensslv.h> | ||
2311 | #define DATA "conftest.sslincver" | ||
2312 | ]], [[ | ||
2313 | FILE *fd; | ||
2314 | int rc; | ||
2304 | 2315 | ||
2305 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), | 2316 | fd = fopen(DATA,"w"); |
2306 | SSLeay_version(SSLEAY_VERSION))) <0) | 2317 | if(fd == NULL) |
2307 | exit(1); | 2318 | exit(1); |
2308 | 2319 | ||
2309 | exit(0); | 2320 | if ((rc = fprintf(fd ,"%08x (%s)\n", OPENSSL_VERSION_NUMBER, OPENSSL_VERSION_TEXT)) <0) |
2310 | ]])], | 2321 | exit(1); |
2311 | [ | ||
2312 | ssl_library_ver=`cat conftest.ssllibver` | ||
2313 | # Check version is supported. | ||
2314 | case "$ssl_library_ver" in | ||
2315 | 0090[[0-7]]*|009080[[0-5]]*) | ||
2316 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) | ||
2317 | ;; | ||
2318 | *) ;; | ||
2319 | esac | ||
2320 | AC_MSG_RESULT([$ssl_library_ver]) | ||
2321 | ], | ||
2322 | [ | ||
2323 | AC_MSG_RESULT([not found]) | ||
2324 | AC_MSG_ERROR([OpenSSL library not found.]) | ||
2325 | ], | ||
2326 | [ | ||
2327 | AC_MSG_WARN([cross compiling: not checking]) | ||
2328 | ] | ||
2329 | ) | ||
2330 | 2322 | ||
2331 | # XXX make --without-openssl work | 2323 | exit(0); |
2332 | AC_DEFINE_UNQUOTED([WITH_OPENSSL], [1], [use libcrypto for cryptography]) | 2324 | ]])], |
2325 | [ | ||
2326 | ssl_header_ver=`cat conftest.sslincver` | ||
2327 | AC_MSG_RESULT([$ssl_header_ver]) | ||
2328 | ], | ||
2329 | [ | ||
2330 | AC_MSG_RESULT([not found]) | ||
2331 | AC_MSG_ERROR([OpenSSL version header not found.]) | ||
2332 | ], | ||
2333 | [ | ||
2334 | AC_MSG_WARN([cross compiling: not checking]) | ||
2335 | ] | ||
2336 | ) | ||
2333 | 2337 | ||
2334 | AC_ARG_WITH([openssl-header-check], | 2338 | # Determine OpenSSL library version |
2335 | [ --without-openssl-header-check Disable OpenSSL version consistency check], | 2339 | AC_MSG_CHECKING([OpenSSL library version]) |
2336 | [ if test "x$withval" = "xno" ; then | 2340 | AC_RUN_IFELSE( |
2337 | openssl_check_nonfatal=1 | 2341 | [AC_LANG_PROGRAM([[ |
2338 | fi | 2342 | #include <stdio.h> |
2339 | ] | 2343 | #include <string.h> |
2340 | ) | 2344 | #include <openssl/opensslv.h> |
2345 | #include <openssl/crypto.h> | ||
2346 | #define DATA "conftest.ssllibver" | ||
2347 | ]], [[ | ||
2348 | FILE *fd; | ||
2349 | int rc; | ||
2341 | 2350 | ||
2342 | # Sanity check OpenSSL headers | 2351 | fd = fopen(DATA,"w"); |
2343 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) | 2352 | if(fd == NULL) |
2344 | AC_RUN_IFELSE( | 2353 | exit(1); |
2345 | [AC_LANG_PROGRAM([[ | ||
2346 | #include <string.h> | ||
2347 | #include <openssl/opensslv.h> | ||
2348 | ]], [[ | ||
2349 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2350 | ]])], | ||
2351 | [ | ||
2352 | AC_MSG_RESULT([yes]) | ||
2353 | ], | ||
2354 | [ | ||
2355 | AC_MSG_RESULT([no]) | ||
2356 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2357 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2358 | library. Check config.log for details. | ||
2359 | If you are sure your installation is consistent, you can disable the check | ||
2360 | by running "./configure --without-openssl-header-check". | ||
2361 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2362 | ]) | ||
2363 | else | ||
2364 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2365 | library. Check config.log for details. | ||
2366 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2367 | fi | ||
2368 | ], | ||
2369 | [ | ||
2370 | AC_MSG_WARN([cross compiling: not checking]) | ||
2371 | ] | ||
2372 | ) | ||
2373 | 2354 | ||
2374 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | 2355 | if ((rc = fprintf(fd ,"%08x (%s)\n", SSLeay(), |
2375 | AC_LINK_IFELSE( | 2356 | SSLeay_version(SSLEAY_VERSION))) <0) |
2376 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | 2357 | exit(1); |
2377 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2378 | [ | ||
2379 | AC_MSG_RESULT([yes]) | ||
2380 | ], | ||
2381 | [ | ||
2382 | AC_MSG_RESULT([no]) | ||
2383 | saved_LIBS="$LIBS" | ||
2384 | LIBS="$LIBS -ldl" | ||
2385 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2386 | AC_LINK_IFELSE( | ||
2387 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2388 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2389 | [ | ||
2390 | AC_MSG_RESULT([yes]) | ||
2391 | ], | ||
2392 | [ | ||
2393 | AC_MSG_RESULT([no]) | ||
2394 | LIBS="$saved_LIBS" | ||
2395 | ] | ||
2396 | ) | ||
2397 | ] | ||
2398 | ) | ||
2399 | 2358 | ||
2400 | AC_CHECK_FUNCS([ \ | 2359 | exit(0); |
2401 | BN_is_prime_ex \ | 2360 | ]])], |
2402 | DSA_generate_parameters_ex \ | 2361 | [ |
2403 | EVP_DigestInit_ex \ | 2362 | ssl_library_ver=`cat conftest.ssllibver` |
2404 | EVP_DigestFinal_ex \ | 2363 | # Check version is supported. |
2405 | EVP_MD_CTX_init \ | 2364 | case "$ssl_library_ver" in |
2406 | EVP_MD_CTX_cleanup \ | 2365 | 0090[[0-7]]*|009080[[0-5]]*) |
2407 | EVP_MD_CTX_copy_ex \ | 2366 | AC_MSG_ERROR([OpenSSL >= 0.9.8f required (have "$ssl_library_ver")]) |
2408 | HMAC_CTX_init \ | 2367 | ;; |
2409 | RSA_generate_key_ex \ | 2368 | *) ;; |
2410 | RSA_get_default_method \ | 2369 | esac |
2411 | ]) | 2370 | AC_MSG_RESULT([$ssl_library_ver]) |
2371 | ], | ||
2372 | [ | ||
2373 | AC_MSG_RESULT([not found]) | ||
2374 | AC_MSG_ERROR([OpenSSL library not found.]) | ||
2375 | ], | ||
2376 | [ | ||
2377 | AC_MSG_WARN([cross compiling: not checking]) | ||
2378 | ] | ||
2379 | ) | ||
2412 | 2380 | ||
2413 | AC_ARG_WITH([ssl-engine], | 2381 | # Sanity check OpenSSL headers |
2414 | [ --with-ssl-engine Enable OpenSSL (hardware) ENGINE support ], | 2382 | AC_MSG_CHECKING([whether OpenSSL's headers match the library]) |
2415 | [ if test "x$withval" != "xno" ; then | 2383 | AC_RUN_IFELSE( |
2384 | [AC_LANG_PROGRAM([[ | ||
2385 | #include <string.h> | ||
2386 | #include <openssl/opensslv.h> | ||
2387 | ]], [[ | ||
2388 | exit(SSLeay() == OPENSSL_VERSION_NUMBER ? 0 : 1); | ||
2389 | ]])], | ||
2390 | [ | ||
2391 | AC_MSG_RESULT([yes]) | ||
2392 | ], | ||
2393 | [ | ||
2394 | AC_MSG_RESULT([no]) | ||
2395 | if test "x$openssl_check_nonfatal" = "x"; then | ||
2396 | AC_MSG_ERROR([Your OpenSSL headers do not match your | ||
2397 | library. Check config.log for details. | ||
2398 | If you are sure your installation is consistent, you can disable the check | ||
2399 | by running "./configure --without-openssl-header-check". | ||
2400 | Also see contrib/findssl.sh for help identifying header/library mismatches. | ||
2401 | ]) | ||
2402 | else | ||
2403 | AC_MSG_WARN([Your OpenSSL headers do not match your | ||
2404 | library. Check config.log for details. | ||
2405 | Also see contrib/findssl.sh for help identifying header/library mismatches.]) | ||
2406 | fi | ||
2407 | ], | ||
2408 | [ | ||
2409 | AC_MSG_WARN([cross compiling: not checking]) | ||
2410 | ] | ||
2411 | ) | ||
2412 | |||
2413 | AC_MSG_CHECKING([if programs using OpenSSL functions will link]) | ||
2414 | AC_LINK_IFELSE( | ||
2415 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2416 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2417 | [ | ||
2418 | AC_MSG_RESULT([yes]) | ||
2419 | ], | ||
2420 | [ | ||
2421 | AC_MSG_RESULT([no]) | ||
2422 | saved_LIBS="$LIBS" | ||
2423 | LIBS="$LIBS -ldl" | ||
2424 | AC_MSG_CHECKING([if programs using OpenSSL need -ldl]) | ||
2425 | AC_LINK_IFELSE( | ||
2426 | [AC_LANG_PROGRAM([[ #include <openssl/evp.h> ]], | ||
2427 | [[ SSLeay_add_all_algorithms(); ]])], | ||
2428 | [ | ||
2429 | AC_MSG_RESULT([yes]) | ||
2430 | ], | ||
2431 | [ | ||
2432 | AC_MSG_RESULT([no]) | ||
2433 | LIBS="$saved_LIBS" | ||
2434 | ] | ||
2435 | ) | ||
2436 | ] | ||
2437 | ) | ||
2438 | |||
2439 | AC_CHECK_FUNCS([ \ | ||
2440 | BN_is_prime_ex \ | ||
2441 | DSA_generate_parameters_ex \ | ||
2442 | EVP_DigestInit_ex \ | ||
2443 | EVP_DigestFinal_ex \ | ||
2444 | EVP_MD_CTX_init \ | ||
2445 | EVP_MD_CTX_cleanup \ | ||
2446 | EVP_MD_CTX_copy_ex \ | ||
2447 | HMAC_CTX_init \ | ||
2448 | RSA_generate_key_ex \ | ||
2449 | RSA_get_default_method \ | ||
2450 | ]) | ||
2451 | |||
2452 | if test "x$openssl_engine" = "xyes" ; then | ||
2416 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) | 2453 | AC_MSG_CHECKING([for OpenSSL ENGINE support]) |
2417 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ | 2454 | AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ |
2418 | #include <openssl/engine.h> | 2455 | #include <openssl/engine.h> |
2419 | ]], [[ | 2456 | ]], [[ |
2420 | ENGINE_load_builtin_engines(); | 2457 | ENGINE_load_builtin_engines(); |
2421 | ENGINE_register_all_complete(); | 2458 | ENGINE_register_all_complete(); |
2422 | ]])], | 2459 | ]])], |
2423 | [ AC_MSG_RESULT([yes]) | 2460 | [ AC_MSG_RESULT([yes]) |
2424 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], | 2461 | AC_DEFINE([USE_OPENSSL_ENGINE], [1], |
2425 | [Enable OpenSSL engine support]) | 2462 | [Enable OpenSSL engine support]) |
2426 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) | 2463 | ], [ AC_MSG_ERROR([OpenSSL ENGINE support not found]) |
2427 | ]) | 2464 | ]) |
2428 | fi ] | 2465 | fi |
2429 | ) | ||
2430 | 2466 | ||
2431 | # Check for OpenSSL without EVP_aes_{192,256}_cbc | 2467 | # Check for OpenSSL without EVP_aes_{192,256}_cbc |
2432 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) | 2468 | AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) |
2433 | AC_LINK_IFELSE( | 2469 | AC_LINK_IFELSE( |
2434 | [AC_LANG_PROGRAM([[ | 2470 | [AC_LANG_PROGRAM([[ |
2435 | #include <string.h> | 2471 | #include <string.h> |
2436 | #include <openssl/evp.h> | 2472 | #include <openssl/evp.h> |
2437 | ]], [[ | 2473 | ]], [[ |
2438 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); | 2474 | exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); |
2439 | ]])], | 2475 | ]])], |
2440 | [ | 2476 | [ |
2441 | AC_MSG_RESULT([no]) | 2477 | AC_MSG_RESULT([no]) |
2442 | ], | 2478 | ], |
2443 | [ | 2479 | [ |
2444 | AC_MSG_RESULT([yes]) | 2480 | AC_MSG_RESULT([yes]) |
2445 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], | 2481 | AC_DEFINE([OPENSSL_LOBOTOMISED_AES], [1], |
2446 | [libcrypto is missing AES 192 and 256 bit functions]) | 2482 | [libcrypto is missing AES 192 and 256 bit functions]) |
2447 | ] | 2483 | ] |
2448 | ) | 2484 | ) |
2449 | 2485 | ||
2450 | # Check for OpenSSL with EVP_aes_*ctr | 2486 | # Check for OpenSSL with EVP_aes_*ctr |
2451 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) | 2487 | AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP]) |
2452 | AC_LINK_IFELSE( | 2488 | AC_LINK_IFELSE( |
2453 | [AC_LANG_PROGRAM([[ | 2489 | [AC_LANG_PROGRAM([[ |
2454 | #include <string.h> | 2490 | #include <string.h> |
2455 | #include <openssl/evp.h> | 2491 | #include <openssl/evp.h> |
2456 | ]], [[ | 2492 | ]], [[ |
2457 | exit(EVP_aes_128_ctr() == NULL || | 2493 | exit(EVP_aes_128_ctr() == NULL || |
2458 | EVP_aes_192_cbc() == NULL || | 2494 | EVP_aes_192_cbc() == NULL || |
2459 | EVP_aes_256_cbc() == NULL); | 2495 | EVP_aes_256_cbc() == NULL); |
2460 | ]])], | 2496 | ]])], |
2461 | [ | 2497 | [ |
2462 | AC_MSG_RESULT([yes]) | 2498 | AC_MSG_RESULT([yes]) |
2463 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], | 2499 | AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1], |
2464 | [libcrypto has EVP AES CTR]) | 2500 | [libcrypto has EVP AES CTR]) |
2465 | ], | 2501 | ], |
2466 | [ | 2502 | [ |
2467 | AC_MSG_RESULT([no]) | 2503 | AC_MSG_RESULT([no]) |
2468 | ] | 2504 | ] |
2469 | ) | 2505 | ) |
2470 | 2506 | ||
2471 | # Check for OpenSSL with EVP_aes_*gcm | 2507 | # Check for OpenSSL with EVP_aes_*gcm |
2472 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) | 2508 | AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP]) |
2473 | AC_LINK_IFELSE( | 2509 | AC_LINK_IFELSE( |
2474 | [AC_LANG_PROGRAM([[ | 2510 | [AC_LANG_PROGRAM([[ |
2475 | #include <string.h> | 2511 | #include <string.h> |
2476 | #include <openssl/evp.h> | 2512 | #include <openssl/evp.h> |
2477 | ]], [[ | 2513 | ]], [[ |
2478 | exit(EVP_aes_128_gcm() == NULL || | 2514 | exit(EVP_aes_128_gcm() == NULL || |
2479 | EVP_aes_256_gcm() == NULL || | 2515 | EVP_aes_256_gcm() == NULL || |
2480 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || | 2516 | EVP_CTRL_GCM_SET_IV_FIXED == 0 || |
2481 | EVP_CTRL_GCM_IV_GEN == 0 || | 2517 | EVP_CTRL_GCM_IV_GEN == 0 || |
2482 | EVP_CTRL_GCM_SET_TAG == 0 || | 2518 | EVP_CTRL_GCM_SET_TAG == 0 || |
2483 | EVP_CTRL_GCM_GET_TAG == 0 || | 2519 | EVP_CTRL_GCM_GET_TAG == 0 || |
2484 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); | 2520 | EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0); |
2485 | ]])], | 2521 | ]])], |
2486 | [ | 2522 | [ |
2487 | AC_MSG_RESULT([yes]) | 2523 | AC_MSG_RESULT([yes]) |
2488 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], | 2524 | AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1], |
2489 | [libcrypto has EVP AES GCM]) | 2525 | [libcrypto has EVP AES GCM]) |
2490 | ], | 2526 | ], |
2491 | [ | 2527 | [ |
2492 | AC_MSG_RESULT([no]) | 2528 | AC_MSG_RESULT([no]) |
2493 | unsupported_algorithms="$unsupported_cipers \ | 2529 | unsupported_algorithms="$unsupported_cipers \ |
2494 | aes128-gcm@openssh.com aes256-gcm@openssh.com" | 2530 | aes128-gcm@openssh.com aes256-gcm@openssh.com" |
2495 | ] | 2531 | ] |
2496 | ) | 2532 | ) |
2497 | 2533 | ||
2498 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], | 2534 | AC_SEARCH_LIBS([EVP_CIPHER_CTX_ctrl], [crypto], |
2499 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], | 2535 | [AC_DEFINE([HAVE_EVP_CIPHER_CTX_CTRL], [1], |
2500 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) | 2536 | [Define if libcrypto has EVP_CIPHER_CTX_ctrl])]) |
2501 | 2537 | ||
2502 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) | 2538 | AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) |
2503 | AC_LINK_IFELSE( | 2539 | AC_LINK_IFELSE( |
2504 | [AC_LANG_PROGRAM([[ | 2540 | [AC_LANG_PROGRAM([[ |
2505 | #include <string.h> | 2541 | #include <string.h> |
2506 | #include <openssl/evp.h> | 2542 | #include <openssl/evp.h> |
2507 | ]], [[ | 2543 | ]], [[ |
2508 | if(EVP_DigestUpdate(NULL, NULL,0)) | 2544 | if(EVP_DigestUpdate(NULL, NULL,0)) |
2509 | exit(0); | 2545 | exit(0); |
2510 | ]])], | 2546 | ]])], |
2511 | [ | 2547 | [ |
2512 | AC_MSG_RESULT([yes]) | 2548 | AC_MSG_RESULT([yes]) |
2513 | ], | 2549 | ], |
2514 | [ | 2550 | [ |
2515 | AC_MSG_RESULT([no]) | 2551 | AC_MSG_RESULT([no]) |
2516 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], | 2552 | AC_DEFINE([OPENSSL_EVP_DIGESTUPDATE_VOID], [1], |
2517 | [Define if EVP_DigestUpdate returns void]) | 2553 | [Define if EVP_DigestUpdate returns void]) |
2518 | ] | 2554 | ] |
2519 | ) | 2555 | ) |
2520 | 2556 | ||
2521 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, | 2557 | # Some systems want crypt() from libcrypt, *not* the version in OpenSSL, |
2522 | # because the system crypt() is more featureful. | 2558 | # because the system crypt() is more featureful. |
2523 | if test "x$check_for_libcrypt_before" = "x1"; then | 2559 | if test "x$check_for_libcrypt_before" = "x1"; then |
2524 | AC_CHECK_LIB([crypt], [crypt]) | 2560 | AC_CHECK_LIB([crypt], [crypt]) |
2525 | fi | 2561 | fi |
2526 | 2562 | ||
2527 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the | 2563 | # Some Linux systems (Slackware) need crypt() from libcrypt, *not* the |
2528 | # version in OpenSSL. | 2564 | # version in OpenSSL. |
2529 | if test "x$check_for_libcrypt_later" = "x1"; then | 2565 | if test "x$check_for_libcrypt_later" = "x1"; then |
2530 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) | 2566 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2531 | fi | 2567 | fi |
2532 | AC_CHECK_FUNCS([crypt DES_crypt]) | ||
2533 | |||
2534 | # Search for SHA256 support in libc and/or OpenSSL | ||
2535 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , | ||
2536 | [unsupported_algorithms="$unsupported_algorithms \ | ||
2537 | hmac-sha2-256 hmac-sha2-512 \ | ||
2538 | diffie-hellman-group-exchange-sha256 \ | ||
2539 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" | ||
2540 | ] | ||
2541 | ) | ||
2542 | # Search for RIPE-MD support in OpenSSL | ||
2543 | AC_CHECK_FUNCS([EVP_ripemd160], , | ||
2544 | [unsupported_algorithms="$unsupported_algorithms \ | ||
2545 | hmac-ripemd160 | ||
2546 | hmac-ripemd160@openssh.com | ||
2547 | hmac-ripemd160-etm@openssh.com" | ||
2548 | ] | ||
2549 | ) | ||
2550 | 2568 | ||
2551 | # Check complete ECC support in OpenSSL | 2569 | # Search for SHA256 support in libc and/or OpenSSL |
2552 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) | 2570 | AC_CHECK_FUNCS([SHA256_Update EVP_sha256], , |
2553 | AC_LINK_IFELSE( | 2571 | [unsupported_algorithms="$unsupported_algorithms \ |
2554 | [AC_LANG_PROGRAM([[ | 2572 | hmac-sha2-256 hmac-sha2-512 \ |
2555 | #include <openssl/ec.h> | 2573 | diffie-hellman-group-exchange-sha256 \ |
2556 | #include <openssl/ecdh.h> | 2574 | hmac-sha2-256-etm@openssh.com hmac-sha2-512-etm@openssh.com" |
2557 | #include <openssl/ecdsa.h> | 2575 | ] |
2558 | #include <openssl/evp.h> | 2576 | ) |
2559 | #include <openssl/objects.h> | 2577 | # Search for RIPE-MD support in OpenSSL |
2560 | #include <openssl/opensslv.h> | 2578 | AC_CHECK_FUNCS([EVP_ripemd160], , |
2561 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2579 | [unsupported_algorithms="$unsupported_algorithms \ |
2562 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2580 | hmac-ripemd160 |
2563 | #endif | 2581 | hmac-ripemd160@openssh.com |
2564 | ]], [[ | 2582 | hmac-ripemd160-etm@openssh.com" |
2565 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | 2583 | ] |
2566 | const EVP_MD *m = EVP_sha256(); /* We need this too */ | 2584 | ) |
2567 | ]])], | ||
2568 | [ AC_MSG_RESULT([yes]) | ||
2569 | enable_nistp256=1 ], | ||
2570 | [ AC_MSG_RESULT([no]) ] | ||
2571 | ) | ||
2572 | 2585 | ||
2573 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) | 2586 | # Check complete ECC support in OpenSSL |
2574 | AC_LINK_IFELSE( | 2587 | AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) |
2575 | [AC_LANG_PROGRAM([[ | 2588 | AC_LINK_IFELSE( |
2576 | #include <openssl/ec.h> | 2589 | [AC_LANG_PROGRAM([[ |
2577 | #include <openssl/ecdh.h> | 2590 | #include <openssl/ec.h> |
2578 | #include <openssl/ecdsa.h> | 2591 | #include <openssl/ecdh.h> |
2579 | #include <openssl/evp.h> | 2592 | #include <openssl/ecdsa.h> |
2580 | #include <openssl/objects.h> | 2593 | #include <openssl/evp.h> |
2581 | #include <openssl/opensslv.h> | 2594 | #include <openssl/objects.h> |
2582 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2595 | #include <openssl/opensslv.h> |
2583 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2596 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2584 | #endif | 2597 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2585 | ]], [[ | 2598 | #endif |
2586 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); | 2599 | ]], [[ |
2587 | const EVP_MD *m = EVP_sha384(); /* We need this too */ | 2600 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
2588 | ]])], | 2601 | const EVP_MD *m = EVP_sha256(); /* We need this too */ |
2589 | [ AC_MSG_RESULT([yes]) | 2602 | ]])], |
2590 | enable_nistp384=1 ], | 2603 | [ AC_MSG_RESULT([yes]) |
2591 | [ AC_MSG_RESULT([no]) ] | 2604 | enable_nistp256=1 ], |
2592 | ) | 2605 | [ AC_MSG_RESULT([no]) ] |
2606 | ) | ||
2593 | 2607 | ||
2594 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | 2608 | AC_MSG_CHECKING([whether OpenSSL has NID_secp384r1]) |
2595 | AC_LINK_IFELSE( | 2609 | AC_LINK_IFELSE( |
2596 | [AC_LANG_PROGRAM([[ | 2610 | [AC_LANG_PROGRAM([[ |
2597 | #include <openssl/ec.h> | 2611 | #include <openssl/ec.h> |
2598 | #include <openssl/ecdh.h> | 2612 | #include <openssl/ecdh.h> |
2599 | #include <openssl/ecdsa.h> | 2613 | #include <openssl/ecdsa.h> |
2600 | #include <openssl/evp.h> | 2614 | #include <openssl/evp.h> |
2601 | #include <openssl/objects.h> | 2615 | #include <openssl/objects.h> |
2602 | #include <openssl/opensslv.h> | 2616 | #include <openssl/opensslv.h> |
2603 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ | 2617 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2604 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | 2618 | # error "OpenSSL < 0.9.8g has unreliable ECC code" |
2605 | #endif | 2619 | #endif |
2606 | ]], [[ | 2620 | ]], [[ |
2607 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2621 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp384r1); |
2608 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2622 | const EVP_MD *m = EVP_sha384(); /* We need this too */ |
2609 | ]])], | 2623 | ]])], |
2610 | [ AC_MSG_RESULT([yes]) | 2624 | [ AC_MSG_RESULT([yes]) |
2611 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) | 2625 | enable_nistp384=1 ], |
2612 | AC_RUN_IFELSE( | 2626 | [ AC_MSG_RESULT([no]) ] |
2627 | ) | ||
2628 | |||
2629 | AC_MSG_CHECKING([whether OpenSSL has NID_secp521r1]) | ||
2630 | AC_LINK_IFELSE( | ||
2613 | [AC_LANG_PROGRAM([[ | 2631 | [AC_LANG_PROGRAM([[ |
2614 | #include <openssl/ec.h> | 2632 | #include <openssl/ec.h> |
2615 | #include <openssl/ecdh.h> | 2633 | #include <openssl/ecdh.h> |
2616 | #include <openssl/ecdsa.h> | 2634 | #include <openssl/ecdsa.h> |
2617 | #include <openssl/evp.h> | 2635 | #include <openssl/evp.h> |
2618 | #include <openssl/objects.h> | 2636 | #include <openssl/objects.h> |
2619 | #include <openssl/opensslv.h> | 2637 | #include <openssl/opensslv.h> |
2620 | ]],[[ | 2638 | #if OPENSSL_VERSION_NUMBER < 0x0090807f /* 0.9.8g */ |
2639 | # error "OpenSSL < 0.9.8g has unreliable ECC code" | ||
2640 | #endif | ||
2641 | ]], [[ | ||
2621 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | 2642 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); |
2622 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | 2643 | const EVP_MD *m = EVP_sha512(); /* We need this too */ |
2623 | exit(e == NULL || m == NULL); | ||
2624 | ]])], | 2644 | ]])], |
2625 | [ AC_MSG_RESULT([yes]) | 2645 | [ AC_MSG_RESULT([yes]) |
2626 | enable_nistp521=1 ], | 2646 | AC_MSG_CHECKING([if OpenSSL's NID_secp521r1 is functional]) |
2627 | [ AC_MSG_RESULT([no]) ], | 2647 | AC_RUN_IFELSE( |
2628 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | 2648 | [AC_LANG_PROGRAM([[ |
2629 | enable_nistp521=1 ] | 2649 | #include <openssl/ec.h> |
2630 | )], | 2650 | #include <openssl/ecdh.h> |
2631 | AC_MSG_RESULT([no]) | 2651 | #include <openssl/ecdsa.h> |
2632 | ) | 2652 | #include <openssl/evp.h> |
2653 | #include <openssl/objects.h> | ||
2654 | #include <openssl/opensslv.h> | ||
2655 | ]],[[ | ||
2656 | EC_KEY *e = EC_KEY_new_by_curve_name(NID_secp521r1); | ||
2657 | const EVP_MD *m = EVP_sha512(); /* We need this too */ | ||
2658 | exit(e == NULL || m == NULL); | ||
2659 | ]])], | ||
2660 | [ AC_MSG_RESULT([yes]) | ||
2661 | enable_nistp521=1 ], | ||
2662 | [ AC_MSG_RESULT([no]) ], | ||
2663 | [ AC_MSG_WARN([cross-compiling: assuming yes]) | ||
2664 | enable_nistp521=1 ] | ||
2665 | )], | ||
2666 | AC_MSG_RESULT([no]) | ||
2667 | ) | ||
2633 | 2668 | ||
2634 | COMMENT_OUT_ECC="#no ecc#" | 2669 | COMMENT_OUT_ECC="#no ecc#" |
2635 | TEST_SSH_ECC=no | 2670 | TEST_SSH_ECC=no |
2636 | 2671 | ||
2637 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ | 2672 | if test x$enable_nistp256 = x1 || test x$enable_nistp384 = x1 || \ |
2638 | test x$enable_nistp521 = x1; then | 2673 | test x$enable_nistp521 = x1; then |
2639 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) | 2674 | AC_DEFINE(OPENSSL_HAS_ECC, [1], [OpenSSL has ECC]) |
2640 | fi | 2675 | fi |
2641 | if test x$enable_nistp256 = x1; then | 2676 | if test x$enable_nistp256 = x1; then |
2642 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], | 2677 | AC_DEFINE([OPENSSL_HAS_NISTP256], [1], |
2643 | [libcrypto has NID_X9_62_prime256v1]) | 2678 | [libcrypto has NID_X9_62_prime256v1]) |
2644 | TEST_SSH_ECC=yes | 2679 | TEST_SSH_ECC=yes |
2645 | COMMENT_OUT_ECC="" | 2680 | COMMENT_OUT_ECC="" |
2646 | else | 2681 | else |
2647 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ | 2682 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp256 \ |
2648 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" | 2683 | ecdh-sha2-nistp256 ecdsa-sha2-nistp256-cert-v01@openssh.com" |
2649 | fi | 2684 | fi |
2650 | if test x$enable_nistp384 = x1; then | 2685 | if test x$enable_nistp384 = x1; then |
2651 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) | 2686 | AC_DEFINE([OPENSSL_HAS_NISTP384], [1], [libcrypto has NID_secp384r1]) |
2652 | TEST_SSH_ECC=yes | 2687 | TEST_SSH_ECC=yes |
2653 | COMMENT_OUT_ECC="" | 2688 | COMMENT_OUT_ECC="" |
2654 | else | 2689 | else |
2655 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ | 2690 | unsupported_algorithms="$unsupported_algorithms ecdsa-sha2-nistp384 \ |
2656 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" | 2691 | ecdh-sha2-nistp384 ecdsa-sha2-nistp384-cert-v01@openssh.com" |
2657 | fi | 2692 | fi |
2658 | if test x$enable_nistp521 = x1; then | 2693 | if test x$enable_nistp521 = x1; then |
2659 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) | 2694 | AC_DEFINE([OPENSSL_HAS_NISTP521], [1], [libcrypto has NID_secp521r1]) |
2660 | TEST_SSH_ECC=yes | 2695 | TEST_SSH_ECC=yes |
2661 | COMMENT_OUT_ECC="" | 2696 | COMMENT_OUT_ECC="" |
2697 | else | ||
2698 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | ||
2699 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | ||
2700 | fi | ||
2701 | |||
2702 | AC_SUBST([TEST_SSH_ECC]) | ||
2703 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2662 | else | 2704 | else |
2663 | unsupported_algorithms="$unsupported_algorithms ecdh-sha2-nistp521 \ | 2705 | AC_CHECK_LIB([crypt], [crypt], [LIBS="$LIBS -lcrypt"]) |
2664 | ecdsa-sha2-nistp521 ecdsa-sha2-nistp521-cert-v01@openssh.com" | 2706 | AC_CHECK_FUNCS([crypt DES_crypt]) |
2665 | fi | 2707 | fi |
2666 | 2708 | ||
2667 | AC_SUBST([TEST_SSH_ECC]) | ||
2668 | AC_SUBST([COMMENT_OUT_ECC]) | ||
2669 | |||
2670 | AC_CHECK_FUNCS([ \ | 2709 | AC_CHECK_FUNCS([ \ |
2671 | arc4random \ | 2710 | arc4random \ |
2672 | arc4random_buf \ | 2711 | arc4random_buf \ |
@@ -2687,28 +2726,30 @@ LIBS="$saved_LIBS" | |||
2687 | ### Configure cryptographic random number support | 2726 | ### Configure cryptographic random number support |
2688 | 2727 | ||
2689 | # Check wheter OpenSSL seeds itself | 2728 | # Check wheter OpenSSL seeds itself |
2690 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) | 2729 | if test "x$openssl" = "xyes" ; then |
2691 | AC_RUN_IFELSE( | 2730 | AC_MSG_CHECKING([whether OpenSSL's PRNG is internally seeded]) |
2692 | [AC_LANG_PROGRAM([[ | 2731 | AC_RUN_IFELSE( |
2693 | #include <string.h> | 2732 | [AC_LANG_PROGRAM([[ |
2694 | #include <openssl/rand.h> | 2733 | #include <string.h> |
2695 | ]], [[ | 2734 | #include <openssl/rand.h> |
2696 | exit(RAND_status() == 1 ? 0 : 1); | 2735 | ]], [[ |
2697 | ]])], | 2736 | exit(RAND_status() == 1 ? 0 : 1); |
2698 | [ | 2737 | ]])], |
2699 | OPENSSL_SEEDS_ITSELF=yes | 2738 | [ |
2700 | AC_MSG_RESULT([yes]) | 2739 | OPENSSL_SEEDS_ITSELF=yes |
2701 | ], | 2740 | AC_MSG_RESULT([yes]) |
2702 | [ | 2741 | ], |
2703 | AC_MSG_RESULT([no]) | 2742 | [ |
2704 | ], | 2743 | AC_MSG_RESULT([no]) |
2705 | [ | 2744 | ], |
2706 | AC_MSG_WARN([cross compiling: assuming yes]) | 2745 | [ |
2707 | # This is safe, since we will fatal() at runtime if | 2746 | AC_MSG_WARN([cross compiling: assuming yes]) |
2708 | # OpenSSL is not seeded correctly. | 2747 | # This is safe, since we will fatal() at runtime if |
2709 | OPENSSL_SEEDS_ITSELF=yes | 2748 | # OpenSSL is not seeded correctly. |
2710 | ] | 2749 | OPENSSL_SEEDS_ITSELF=yes |
2711 | ) | 2750 | ] |
2751 | ) | ||
2752 | fi | ||
2712 | 2753 | ||
2713 | # PRNGD TCP socket | 2754 | # PRNGD TCP socket |
2714 | AC_ARG_WITH([prngd-port], | 2755 | AC_ARG_WITH([prngd-port], |
@@ -2790,8 +2831,10 @@ elif test ! -z "$PRNGD_SOCKET" ; then | |||
2790 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" | 2831 | RAND_MSG="PRNGd socket $PRNGD_SOCKET" |
2791 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then | 2832 | elif test ! -z "$OPENSSL_SEEDS_ITSELF" ; then |
2792 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], | 2833 | AC_DEFINE([OPENSSL_PRNG_ONLY], [1], |
2793 | [Define if you want OpenSSL's internally seeded PRNG only]) | 2834 | [Define if you want the OpenSSL internally seeded PRNG only]) |
2794 | RAND_MSG="OpenSSL internal ONLY" | 2835 | RAND_MSG="OpenSSL internal ONLY" |
2836 | elif test "x$openssl" = "xno" ; then | ||
2837 | AC_MSG_WARN([OpenSSH will use /dev/urandom as a source of random numbers. It will fail if this device is not supported or accessible]) | ||
2795 | else | 2838 | else |
2796 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) | 2839 | AC_MSG_ERROR([OpenSSH has no source of random numbers. Please configure OpenSSL with an entropy source or re-run configure using one of the --with-prngd-port or --with-prngd-socket options]) |
2797 | fi | 2840 | fi |
@@ -2853,7 +2896,7 @@ if test "x$PAM_MSG" = "xyes" ; then | |||
2853 | which takes only one argument to pam_strerror]) | 2896 | which takes only one argument to pam_strerror]) |
2854 | AC_MSG_RESULT([yes]) | 2897 | AC_MSG_RESULT([yes]) |
2855 | PAM_MSG="yes (old library)" | 2898 | PAM_MSG="yes (old library)" |
2856 | 2899 | ||
2857 | ]) | 2900 | ]) |
2858 | fi | 2901 | fi |
2859 | 2902 | ||
diff --git a/digest-libc.c b/digest-libc.c index 169ded075..a216e784e 100644 --- a/digest-libc.c +++ b/digest-libc.c | |||
@@ -18,15 +18,19 @@ | |||
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | 20 | ||
21 | #ifndef WITH_OPENSSL | ||
22 | |||
21 | #include <sys/types.h> | 23 | #include <sys/types.h> |
22 | #include <limits.h> | 24 | #include <limits.h> |
23 | #include <stdlib.h> | 25 | #include <stdlib.h> |
24 | #include <string.h> | 26 | #include <string.h> |
25 | 27 | ||
28 | #if 0 | ||
26 | #include <md5.h> | 29 | #include <md5.h> |
27 | #include <rmd160.h> | 30 | #include <rmd160.h> |
28 | #include <sha1.h> | 31 | #include <sha1.h> |
29 | #include <sha2.h> | 32 | #include <sha2.h> |
33 | #endif | ||
30 | 34 | ||
31 | #include "ssherr.h" | 35 | #include "ssherr.h" |
32 | #include "sshbuf.h" | 36 | #include "sshbuf.h" |
@@ -89,30 +93,30 @@ const struct ssh_digest digests[SSH_DIGEST_MAX] = { | |||
89 | "SHA256", | 93 | "SHA256", |
90 | SHA256_BLOCK_LENGTH, | 94 | SHA256_BLOCK_LENGTH, |
91 | SHA256_DIGEST_LENGTH, | 95 | SHA256_DIGEST_LENGTH, |
92 | sizeof(SHA2_CTX), | 96 | sizeof(SHA256_CTX), |
93 | (md_init_fn *) SHA256Init, | 97 | (md_init_fn *) SHA256_Init, |
94 | (md_update_fn *) SHA256Update, | 98 | (md_update_fn *) SHA256_Update, |
95 | (md_final_fn *) SHA256Final | 99 | (md_final_fn *) SHA256_Final |
96 | }, | 100 | }, |
97 | { | 101 | { |
98 | SSH_DIGEST_SHA384, | 102 | SSH_DIGEST_SHA384, |
99 | "SHA384", | 103 | "SHA384", |
100 | SHA384_BLOCK_LENGTH, | 104 | SHA384_BLOCK_LENGTH, |
101 | SHA384_DIGEST_LENGTH, | 105 | SHA384_DIGEST_LENGTH, |
102 | sizeof(SHA2_CTX), | 106 | sizeof(SHA384_CTX), |
103 | (md_init_fn *) SHA384Init, | 107 | (md_init_fn *) SHA384_Init, |
104 | (md_update_fn *) SHA384Update, | 108 | (md_update_fn *) SHA384_Update, |
105 | (md_final_fn *) SHA384Final | 109 | (md_final_fn *) SHA384_Final |
106 | }, | 110 | }, |
107 | { | 111 | { |
108 | SSH_DIGEST_SHA512, | 112 | SSH_DIGEST_SHA512, |
109 | "SHA512", | 113 | "SHA512", |
110 | SHA512_BLOCK_LENGTH, | 114 | SHA512_BLOCK_LENGTH, |
111 | SHA512_DIGEST_LENGTH, | 115 | SHA512_DIGEST_LENGTH, |
112 | sizeof(SHA2_CTX), | 116 | sizeof(SHA512_CTX), |
113 | (md_init_fn *) SHA512Init, | 117 | (md_init_fn *) SHA512_Init, |
114 | (md_update_fn *) SHA512Update, | 118 | (md_update_fn *) SHA512_Update, |
115 | (md_final_fn *) SHA512Final | 119 | (md_final_fn *) SHA512_Final |
116 | } | 120 | } |
117 | }; | 121 | }; |
118 | 122 | ||
@@ -257,3 +261,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen) | |||
257 | { | 261 | { |
258 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); | 262 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); |
259 | } | 263 | } |
264 | #endif /* !WITH_OPENSSL */ | ||
diff --git a/digest-openssl.c b/digest-openssl.c index bb58ff226..13b63c2f0 100644 --- a/digest-openssl.c +++ b/digest-openssl.c | |||
@@ -17,6 +17,8 @@ | |||
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | 19 | ||
20 | #ifdef WITH_OPENSSL | ||
21 | |||
20 | #include <sys/types.h> | 22 | #include <sys/types.h> |
21 | #include <limits.h> | 23 | #include <limits.h> |
22 | #include <stdlib.h> | 24 | #include <stdlib.h> |
@@ -200,3 +202,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen) | |||
200 | { | 202 | { |
201 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); | 203 | return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen); |
202 | } | 204 | } |
205 | #endif /* WITH_OPENSSL */ | ||
@@ -24,6 +24,8 @@ | |||
24 | 24 | ||
25 | #include "includes.h" | 25 | #include "includes.h" |
26 | 26 | ||
27 | #ifdef WITH_OPENSSL | ||
28 | |||
27 | #include <sys/types.h> | 29 | #include <sys/types.h> |
28 | #include <sys/socket.h> | 30 | #include <sys/socket.h> |
29 | #ifdef HAVE_SYS_UN_H | 31 | #ifdef HAVE_SYS_UN_H |
@@ -230,3 +232,13 @@ seed_rng(void) | |||
230 | if (RAND_status() != 1) | 232 | if (RAND_status() != 1) |
231 | fatal("PRNG is not seeded"); | 233 | fatal("PRNG is not seeded"); |
232 | } | 234 | } |
235 | |||
236 | #else /* WITH_OPENSSL */ | ||
237 | |||
238 | /* Handled in arc4random() */ | ||
239 | void | ||
240 | seed_rng(void) | ||
241 | { | ||
242 | } | ||
243 | |||
244 | #endif /* WITH_OPENSSL */ | ||
diff --git a/includes.h b/includes.h index 095161c28..c3034e37d 100644 --- a/includes.h +++ b/includes.h | |||
@@ -167,7 +167,9 @@ | |||
167 | # endif | 167 | # endif |
168 | #endif | 168 | #endif |
169 | 169 | ||
170 | #ifdef WITH_OPENSSL | ||
170 | #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */ | 171 | #include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */ |
172 | #endif | ||
171 | 173 | ||
172 | #include "defines.h" | 174 | #include "defines.h" |
173 | 175 | ||
@@ -90,9 +90,9 @@ static const struct kexalg kexalgs[] = { | |||
90 | # endif /* OPENSSL_HAS_NISTP521 */ | 90 | # endif /* OPENSSL_HAS_NISTP521 */ |
91 | #endif /* OPENSSL_HAS_ECC */ | 91 | #endif /* OPENSSL_HAS_ECC */ |
92 | #endif /* WITH_OPENSSL */ | 92 | #endif /* WITH_OPENSSL */ |
93 | #ifdef HAVE_EVP_SHA256 | 93 | #if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL) |
94 | { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, | 94 | { KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 }, |
95 | #endif /* HAVE_EVP_SHA256 */ | 95 | #endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */ |
96 | { NULL, -1, -1, -1}, | 96 | { NULL, -1, -1, -1}, |
97 | }; | 97 | }; |
98 | 98 | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <signal.h> | 32 | #include <signal.h> |
@@ -85,3 +87,4 @@ kex_dh_hash( | |||
85 | *hash = digest; | 87 | *hash = digest; |
86 | *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); | 88 | *hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1); |
87 | } | 89 | } |
90 | #endif /* WITH_OPENSSL */ | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <openssl/dh.h> | 32 | #include <openssl/dh.h> |
@@ -159,3 +161,4 @@ kexdh_client(Kex *kex) | |||
159 | BN_clear_free(shared_secret); | 161 | BN_clear_free(shared_secret); |
160 | kex_finish(kex); | 162 | kex_finish(kex); |
161 | } | 163 | } |
164 | #endif /* WITH_OPENSSL */ | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <stdarg.h> | 32 | #include <stdarg.h> |
@@ -158,3 +160,4 @@ kexdh_server(Kex *kex) | |||
158 | BN_clear_free(shared_secret); | 160 | BN_clear_free(shared_secret); |
159 | kex_finish(kex); | 161 | kex_finish(kex); |
160 | } | 162 | } |
163 | #endif /* WITH_OPENSSL */ | ||
@@ -26,7 +26,7 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef OPENSSL_HAS_ECC | 29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
30 | 30 | ||
31 | #include <sys/types.h> | 31 | #include <sys/types.h> |
32 | 32 | ||
@@ -94,4 +94,4 @@ kex_ecdh_hash( | |||
94 | *hash = digest; | 94 | *hash = digest; |
95 | *hashlen = ssh_digest_bytes(hash_alg); | 95 | *hashlen = ssh_digest_bytes(hash_alg); |
96 | } | 96 | } |
97 | #endif /* OPENSSL_HAS_ECC */ | 97 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
diff --git a/kexecdhc.c b/kexecdhc.c index 2f7629cca..2019940e5 100644 --- a/kexecdhc.c +++ b/kexecdhc.c | |||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | 32 | ||
31 | #include <stdio.h> | 33 | #include <stdio.h> |
@@ -42,8 +44,6 @@ | |||
42 | #include "dh.h" | 44 | #include "dh.h" |
43 | #include "ssh2.h" | 45 | #include "ssh2.h" |
44 | 46 | ||
45 | #ifdef OPENSSL_HAS_ECC | ||
46 | |||
47 | #include <openssl/ecdh.h> | 47 | #include <openssl/ecdh.h> |
48 | 48 | ||
49 | void | 49 | void |
@@ -156,10 +156,4 @@ kexecdh_client(Kex *kex) | |||
156 | BN_clear_free(shared_secret); | 156 | BN_clear_free(shared_secret); |
157 | kex_finish(kex); | 157 | kex_finish(kex); |
158 | } | 158 | } |
159 | #else /* OPENSSL_HAS_ECC */ | 159 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
160 | void | ||
161 | kexecdh_client(Kex *kex) | ||
162 | { | ||
163 | fatal("ECC support is not enabled"); | ||
164 | } | ||
165 | #endif /* OPENSSL_HAS_ECC */ | ||
diff --git a/kexecdhs.c b/kexecdhs.c index 2700b7219..48bc56dc6 100644 --- a/kexecdhs.c +++ b/kexecdhs.c | |||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | #include <string.h> | 32 | #include <string.h> |
31 | #include <signal.h> | 33 | #include <signal.h> |
@@ -39,8 +41,6 @@ | |||
39 | #include "packet.h" | 41 | #include "packet.h" |
40 | #include "ssh2.h" | 42 | #include "ssh2.h" |
41 | 43 | ||
42 | #ifdef OPENSSL_HAS_ECC | ||
43 | |||
44 | #include <openssl/ecdh.h> | 44 | #include <openssl/ecdh.h> |
45 | 45 | ||
46 | void | 46 | void |
@@ -152,10 +152,4 @@ kexecdh_server(Kex *kex) | |||
152 | BN_clear_free(shared_secret); | 152 | BN_clear_free(shared_secret); |
153 | kex_finish(kex); | 153 | kex_finish(kex); |
154 | } | 154 | } |
155 | #else /* OPENSSL_HAS_ECC */ | 155 | #endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */ |
156 | void | ||
157 | kexecdh_server(Kex *kex) | ||
158 | { | ||
159 | fatal("ECC support is not enabled"); | ||
160 | } | ||
161 | #endif /* OPENSSL_HAS_ECC */ | ||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef WITH_OPENSSL | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | 32 | ||
31 | #include <openssl/evp.h> | 33 | #include <openssl/evp.h> |
@@ -96,3 +98,4 @@ kexgex_hash( | |||
96 | *hash = digest; | 98 | *hash = digest; |
97 | *hashlen = ssh_digest_bytes(hash_alg); | 99 | *hashlen = ssh_digest_bytes(hash_alg); |
98 | } | 100 | } |
101 | #endif /* WITH_OPENSSL */ | ||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef WITH_OPENSSL | ||
30 | |||
29 | #include <sys/types.h> | 31 | #include <sys/types.h> |
30 | 32 | ||
31 | #include <openssl/dh.h> | 33 | #include <openssl/dh.h> |
@@ -205,3 +207,4 @@ kexgex_client(Kex *kex) | |||
205 | 207 | ||
206 | kex_finish(kex); | 208 | kex_finish(kex); |
207 | } | 209 | } |
210 | #endif /* WITH_OPENSSL */ | ||
@@ -26,6 +26,8 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef WITH_OPENSSL | ||
30 | |||
29 | #include <sys/param.h> | 31 | #include <sys/param.h> |
30 | 32 | ||
31 | #include <stdarg.h> | 33 | #include <stdarg.h> |
@@ -206,3 +208,4 @@ kexgex_server(Kex *kex) | |||
206 | 208 | ||
207 | kex_finish(kex); | 209 | kex_finish(kex); |
208 | } | 210 | } |
211 | #endif /* WITH_OPENSSL */ | ||
@@ -18,6 +18,8 @@ | |||
18 | 18 | ||
19 | #include "includes.h" | 19 | #include "includes.h" |
20 | 20 | ||
21 | #ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */ | ||
22 | |||
21 | #include <sys/types.h> | 23 | #include <sys/types.h> |
22 | #include <sys/param.h> | 24 | #include <sys/param.h> |
23 | #include <openbsd-compat/sys-tree.h> | 25 | #include <openbsd-compat/sys-tree.h> |
@@ -1282,3 +1284,4 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key) | |||
1282 | errno = oerrno; | 1284 | errno = oerrno; |
1283 | return r; | 1285 | return r; |
1284 | } | 1286 | } |
1287 | #endif /* WITH_OPENSSL */ | ||
@@ -39,6 +39,8 @@ | |||
39 | 39 | ||
40 | #include "includes.h" | 40 | #include "includes.h" |
41 | 41 | ||
42 | #ifdef WITH_OPENSSL | ||
43 | |||
42 | #include <sys/param.h> | 44 | #include <sys/param.h> |
43 | #include <sys/types.h> | 45 | #include <sys/types.h> |
44 | 46 | ||
@@ -802,3 +804,5 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted, | |||
802 | 804 | ||
803 | return (res); | 805 | return (res); |
804 | } | 806 | } |
807 | |||
808 | #endif /* WITH_OPENSSL */ | ||
diff --git a/monitor_wrap.c b/monitor_wrap.c index f4e11c966..b0dbb3f70 100644 --- a/monitor_wrap.c +++ b/monitor_wrap.c | |||
@@ -151,8 +151,10 @@ mm_request_receive(int sock, Buffer *m) | |||
151 | debug3("%s entering", __func__); | 151 | debug3("%s entering", __func__); |
152 | 152 | ||
153 | if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { | 153 | if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) { |
154 | if (errno == EPIPE) | 154 | if (errno == EPIPE) { |
155 | error("%s: socket closed", __func__); | ||
155 | cleanup_exit(255); | 156 | cleanup_exit(255); |
157 | } | ||
156 | fatal("%s: read: %s", __func__, strerror(errno)); | 158 | fatal("%s: read: %s", __func__, strerror(errno)); |
157 | } | 159 | } |
158 | msg_len = get_u32(buf); | 160 | msg_len = get_u32(buf); |
diff --git a/openbsd-compat/Makefile.in b/openbsd-compat/Makefile.in index 7be3f72aa..3c5e3b7f7 100644 --- a/openbsd-compat/Makefile.in +++ b/openbsd-compat/Makefile.in | |||
@@ -16,7 +16,7 @@ RANLIB=@RANLIB@ | |||
16 | INSTALL=@INSTALL@ | 16 | INSTALL=@INSTALL@ |
17 | LDFLAGS=-L. @LDFLAGS@ | 17 | LDFLAGS=-L. @LDFLAGS@ |
18 | 18 | ||
19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o | 19 | OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o |
20 | 20 | ||
21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o | 21 | COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o |
22 | 22 | ||
diff --git a/openbsd-compat/arc4random.c b/openbsd-compat/arc4random.c index 09dbfda16..046f57e61 100644 --- a/openbsd-compat/arc4random.c +++ b/openbsd-compat/arc4random.c | |||
@@ -26,15 +26,19 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #include <sys/types.h> | ||
30 | |||
31 | #include <fcntl.h> | ||
29 | #include <stdlib.h> | 32 | #include <stdlib.h> |
30 | #include <string.h> | 33 | #include <string.h> |
31 | #include <unistd.h> | 34 | #include <unistd.h> |
32 | #include <sys/types.h> | ||
33 | 35 | ||
34 | #ifndef HAVE_ARC4RANDOM | 36 | #ifndef HAVE_ARC4RANDOM |
35 | 37 | ||
38 | #ifdef WITH_OPENSSL | ||
36 | #include <openssl/rand.h> | 39 | #include <openssl/rand.h> |
37 | #include <openssl/err.h> | 40 | #include <openssl/err.h> |
41 | #endif | ||
38 | 42 | ||
39 | #include "log.h" | 43 | #include "log.h" |
40 | 44 | ||
@@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n) | |||
73 | chacha_ivsetup(&rs, buf + KEYSZ); | 77 | chacha_ivsetup(&rs, buf + KEYSZ); |
74 | } | 78 | } |
75 | 79 | ||
80 | #ifndef WITH_OPENSSL | ||
81 | #define SSH_RANDOM_DEV "/dev/urandom" | ||
82 | /* XXX use getrandom() if supported on Linux */ | ||
83 | static void | ||
84 | getrnd(u_char *s, size_t len) | ||
85 | { | ||
86 | int fd; | ||
87 | ssize_t r; | ||
88 | size_t o = 0; | ||
89 | |||
90 | if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1) | ||
91 | fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno)); | ||
92 | while (o < len) { | ||
93 | r = read(fd, s + o, len - o); | ||
94 | if (r < 0) { | ||
95 | if (errno == EAGAIN || errno == EINTR || | ||
96 | errno == EWOULDBLOCK) | ||
97 | continue; | ||
98 | fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno)); | ||
99 | } | ||
100 | o += r; | ||
101 | } | ||
102 | close(fd); | ||
103 | } | ||
104 | #endif | ||
105 | |||
76 | static void | 106 | static void |
77 | _rs_stir(void) | 107 | _rs_stir(void) |
78 | { | 108 | { |
79 | u_char rnd[KEYSZ + IVSZ]; | 109 | u_char rnd[KEYSZ + IVSZ]; |
80 | 110 | ||
111 | #ifdef WITH_OPENSSL | ||
81 | if (RAND_bytes(rnd, sizeof(rnd)) <= 0) | 112 | if (RAND_bytes(rnd, sizeof(rnd)) <= 0) |
82 | fatal("Couldn't obtain random bytes (error %ld)", | 113 | fatal("Couldn't obtain random bytes (error %ld)", |
83 | ERR_get_error()); | 114 | ERR_get_error()); |
115 | #else | ||
116 | getrnd(rnd, sizeof(rnd)); | ||
117 | #endif | ||
84 | 118 | ||
85 | if (!rs_initialized) { | 119 | if (!rs_initialized) { |
86 | rs_initialized = 1; | 120 | rs_initialized = 1; |
diff --git a/openbsd-compat/bcrypt_pbkdf.c b/openbsd-compat/bcrypt_pbkdf.c index 5ed1cc531..16912575a 100644 --- a/openbsd-compat/bcrypt_pbkdf.c +++ b/openbsd-compat/bcrypt_pbkdf.c | |||
@@ -32,6 +32,9 @@ | |||
32 | #endif | 32 | #endif |
33 | 33 | ||
34 | #include "crypto_api.h" | 34 | #include "crypto_api.h" |
35 | #ifdef SHA512_DIGEST_LENGTH | ||
36 | # undef SHA512_DIGEST_LENGTH | ||
37 | #endif | ||
35 | #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES | 38 | #define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES |
36 | 39 | ||
37 | /* | 40 | /* |
diff --git a/openbsd-compat/openbsd-compat.h b/openbsd-compat/openbsd-compat.h index 94718babd..1cffefe06 100644 --- a/openbsd-compat/openbsd-compat.h +++ b/openbsd-compat/openbsd-compat.h | |||
@@ -43,7 +43,10 @@ | |||
43 | #include "readpassphrase.h" | 43 | #include "readpassphrase.h" |
44 | #include "vis.h" | 44 | #include "vis.h" |
45 | #include "getrrsetbyname.h" | 45 | #include "getrrsetbyname.h" |
46 | #include "sha1.h" | ||
46 | #include "sha2.h" | 47 | #include "sha2.h" |
48 | #include "rmd160.h" | ||
49 | #include "md5.h" | ||
47 | #include "blf.h" | 50 | #include "blf.h" |
48 | 51 | ||
49 | #ifndef HAVE_BASENAME | 52 | #ifndef HAVE_BASENAME |
diff --git a/openbsd-compat/openssl-compat.c b/openbsd-compat/openssl-compat.c index 36570e4ad..63a660c7a 100644 --- a/openbsd-compat/openssl-compat.c +++ b/openbsd-compat/openssl-compat.c | |||
@@ -19,6 +19,8 @@ | |||
19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS | 19 | #define SSH_DONT_OVERLOAD_OPENSSL_FUNCS |
20 | #include "includes.h" | 20 | #include "includes.h" |
21 | 21 | ||
22 | #ifdef WITH_OPENSSL | ||
23 | |||
22 | #include <stdarg.h> | 24 | #include <stdarg.h> |
23 | #include <string.h> | 25 | #include <string.h> |
24 | 26 | ||
@@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void) | |||
78 | OPENSSL_config(NULL); | 80 | OPENSSL_config(NULL); |
79 | } | 81 | } |
80 | #endif | 82 | #endif |
83 | |||
84 | #endif /* WITH_OPENSSL */ | ||
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 3695d412b..8917551d3 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h | |||
@@ -20,6 +20,8 @@ | |||
20 | #define _OPENSSL_COMPAT_H | 20 | #define _OPENSSL_COMPAT_H |
21 | 21 | ||
22 | #include "includes.h" | 22 | #include "includes.h" |
23 | #ifdef WITH_OPENSSL | ||
24 | |||
23 | #include <openssl/opensslv.h> | 25 | #include <openssl/opensslv.h> |
24 | #include <openssl/evp.h> | 26 | #include <openssl/evp.h> |
25 | #include <openssl/rsa.h> | 27 | #include <openssl/rsa.h> |
@@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void); | |||
90 | 92 | ||
91 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ | 93 | #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ |
92 | 94 | ||
95 | #endif /* WITH_OPENSSL */ | ||
93 | #endif /* _OPENSSL_COMPAT_H */ | 96 | #endif /* _OPENSSL_COMPAT_H */ |
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c index f5bf74d1f..737935d46 100644 --- a/openbsd-compat/sha2.c +++ b/openbsd-compat/sha2.c | |||
@@ -38,13 +38,18 @@ | |||
38 | 38 | ||
39 | #include "includes.h" | 39 | #include "includes.h" |
40 | 40 | ||
41 | #include <openssl/opensslv.h> | 41 | #ifdef WITH_OPENSSL |
42 | # include <openssl/opensslv.h> | ||
43 | # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
44 | # define _NEED_SHA2 1 | ||
45 | # endif | ||
46 | #else | ||
47 | # define _NEED_SHA2 1 | ||
48 | #endif | ||
49 | |||
50 | #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) | ||
42 | 51 | ||
43 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | ||
44 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
45 | #include <sys/types.h> | ||
46 | #include <string.h> | 52 | #include <string.h> |
47 | #include "sha2.h" | ||
48 | 53 | ||
49 | /* | 54 | /* |
50 | * UNROLLED TRANSFORM LOOP NOTE: | 55 | * UNROLLED TRANSFORM LOOP NOTE: |
@@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context) | |||
838 | } | 843 | } |
839 | 844 | ||
840 | 845 | ||
841 | #if 0 | ||
842 | /*** SHA-384: *********************************************************/ | 846 | /*** SHA-384: *********************************************************/ |
843 | void | 847 | void |
844 | SHA384_Init(SHA384_CTX *context) | 848 | SHA384_Init(SHA384_CTX *context) |
@@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context) | |||
851 | context->bitcount[0] = context->bitcount[1] = 0; | 855 | context->bitcount[0] = context->bitcount[1] = 0; |
852 | } | 856 | } |
853 | 857 | ||
858 | #if 0 | ||
854 | __weak_alias(SHA384_Transform, SHA512_Transform); | 859 | __weak_alias(SHA384_Transform, SHA512_Transform); |
855 | __weak_alias(SHA384_Update, SHA512_Update); | 860 | __weak_alias(SHA384_Update, SHA512_Update); |
856 | __weak_alias(SHA384_Pad, SHA512_Pad); | 861 | __weak_alias(SHA384_Pad, SHA512_Pad); |
862 | #endif | ||
863 | |||
864 | void | ||
865 | SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH]) | ||
866 | { | ||
867 | return SHA512_Transform(state, data); | ||
868 | } | ||
869 | |||
870 | void | ||
871 | SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len) | ||
872 | { | ||
873 | SHA512_Update(context, data, len); | ||
874 | } | ||
875 | |||
876 | void | ||
877 | SHA384_Pad(SHA512_CTX *context) | ||
878 | { | ||
879 | SHA512_Pad(context); | ||
880 | } | ||
857 | 881 | ||
858 | void | 882 | void |
859 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | 883 | SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) |
@@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) | |||
876 | /* Zero out state data */ | 900 | /* Zero out state data */ |
877 | memset(context, 0, sizeof(*context)); | 901 | memset(context, 0, sizeof(*context)); |
878 | } | 902 | } |
879 | #endif | ||
880 | 903 | ||
881 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 904 | #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ |
882 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h index 73e94f150..c8bfc3cd1 100644 --- a/openbsd-compat/sha2.h +++ b/openbsd-compat/sha2.h | |||
@@ -41,10 +41,16 @@ | |||
41 | 41 | ||
42 | #include "includes.h" | 42 | #include "includes.h" |
43 | 43 | ||
44 | #include <openssl/opensslv.h> | 44 | #ifdef WITH_OPENSSL |
45 | # include <openssl/opensslv.h> | ||
46 | # if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
47 | # define _NEED_SHA2 1 | ||
48 | # endif | ||
49 | #else | ||
50 | # define _NEED_SHA2 1 | ||
51 | #endif | ||
45 | 52 | ||
46 | #if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 53 | #if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) |
47 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) | ||
48 | 54 | ||
49 | /*** SHA-256/384/512 Various Length Definitions ***********************/ | 55 | /*** SHA-256/384/512 Various Length Definitions ***********************/ |
50 | #define SHA256_BLOCK_LENGTH 64 | 56 | #define SHA256_BLOCK_LENGTH 64 |
@@ -70,9 +76,7 @@ typedef struct _SHA512_CTX { | |||
70 | u_int8_t buffer[SHA512_BLOCK_LENGTH]; | 76 | u_int8_t buffer[SHA512_BLOCK_LENGTH]; |
71 | } SHA512_CTX; | 77 | } SHA512_CTX; |
72 | 78 | ||
73 | #if 0 | ||
74 | typedef SHA512_CTX SHA384_CTX; | 79 | typedef SHA512_CTX SHA384_CTX; |
75 | #endif | ||
76 | 80 | ||
77 | void SHA256_Init(SHA256_CTX *); | 81 | void SHA256_Init(SHA256_CTX *); |
78 | void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]); | 82 | void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]); |
@@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *) | |||
91 | __attribute__((__bounded__(__string__,1,2))) | 95 | __attribute__((__bounded__(__string__,1,2))) |
92 | __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH))); | 96 | __attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH))); |
93 | 97 | ||
94 | #if 0 | ||
95 | void SHA384_Init(SHA384_CTX *); | 98 | void SHA384_Init(SHA384_CTX *); |
96 | void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]); | 99 | void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]); |
97 | void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t) | 100 | void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t) |
@@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t) | |||
108 | char *SHA384_Data(const u_int8_t *, size_t, char *) | 111 | char *SHA384_Data(const u_int8_t *, size_t, char *) |
109 | __attribute__((__bounded__(__string__,1,2))) | 112 | __attribute__((__bounded__(__string__,1,2))) |
110 | __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH))); | 113 | __attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH))); |
111 | #endif /* 0 */ | ||
112 | 114 | ||
113 | void SHA512_Init(SHA512_CTX *); | 115 | void SHA512_Init(SHA512_CTX *); |
114 | void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]); | 116 | void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]); |
@@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *) | |||
127 | __attribute__((__bounded__(__string__,1,2))) | 129 | __attribute__((__bounded__(__string__,1,2))) |
128 | __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); | 130 | __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); |
129 | 131 | ||
130 | #endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ | 132 | #endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */ |
131 | (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ | ||
132 | 133 | ||
133 | #endif /* _SSHSHA2_H */ | 134 | #endif /* _SSHSHA2_H */ |
diff --git a/openbsd-compat/xcrypt.c b/openbsd-compat/xcrypt.c index c8aea461d..8577cbd8a 100644 --- a/openbsd-compat/xcrypt.c +++ b/openbsd-compat/xcrypt.c | |||
@@ -57,7 +57,7 @@ | |||
57 | # include "md5crypt.h" | 57 | # include "md5crypt.h" |
58 | # endif | 58 | # endif |
59 | 59 | ||
60 | # if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) | 60 | # if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT) |
61 | # include <openssl/des.h> | 61 | # include <openssl/des.h> |
62 | # define crypt DES_crypt | 62 | # define crypt DES_crypt |
63 | # endif | 63 | # endif |
@@ -1612,6 +1612,7 @@ packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point) | |||
1612 | buffer_get_ecpoint(&active_state->incoming_packet, curve, point); | 1612 | buffer_get_ecpoint(&active_state->incoming_packet, curve, point); |
1613 | } | 1613 | } |
1614 | #endif | 1614 | #endif |
1615 | #endif | ||
1615 | 1616 | ||
1616 | void * | 1617 | void * |
1617 | packet_get_raw(u_int *length_ptr) | 1618 | packet_get_raw(u_int *length_ptr) |
@@ -1622,7 +1623,6 @@ packet_get_raw(u_int *length_ptr) | |||
1622 | *length_ptr = bytes; | 1623 | *length_ptr = bytes; |
1623 | return buffer_ptr(&active_state->incoming_packet); | 1624 | return buffer_ptr(&active_state->incoming_packet); |
1624 | } | 1625 | } |
1625 | #endif | ||
1626 | 1626 | ||
1627 | int | 1627 | int |
1628 | packet_remaining(void) | 1628 | packet_remaining(void) |
@@ -70,11 +70,13 @@ extern char *__progname; | |||
70 | 70 | ||
71 | /* Default files to add */ | 71 | /* Default files to add */ |
72 | static char *default_files[] = { | 72 | static char *default_files[] = { |
73 | #ifdef WITH_OPENSSL | ||
73 | _PATH_SSH_CLIENT_ID_RSA, | 74 | _PATH_SSH_CLIENT_ID_RSA, |
74 | _PATH_SSH_CLIENT_ID_DSA, | 75 | _PATH_SSH_CLIENT_ID_DSA, |
75 | #ifdef OPENSSL_HAS_ECC | 76 | #ifdef OPENSSL_HAS_ECC |
76 | _PATH_SSH_CLIENT_ID_ECDSA, | 77 | _PATH_SSH_CLIENT_ID_ECDSA, |
77 | #endif | 78 | #endif |
79 | #endif /* WITH_OPENSSL */ | ||
78 | _PATH_SSH_CLIENT_ID_ED25519, | 80 | _PATH_SSH_CLIENT_ID_ED25519, |
79 | _PATH_SSH_CLIENT_IDENTITY, | 81 | _PATH_SSH_CLIENT_IDENTITY, |
80 | NULL | 82 | NULL |
@@ -440,7 +442,9 @@ main(int argc, char **argv) | |||
440 | __progname = ssh_get_progname(argv[0]); | 442 | __progname = ssh_get_progname(argv[0]); |
441 | seed_rng(); | 443 | seed_rng(); |
442 | 444 | ||
445 | #ifdef WITH_OPENSSL | ||
443 | OpenSSL_add_all_algorithms(); | 446 | OpenSSL_add_all_algorithms(); |
447 | #endif | ||
444 | 448 | ||
445 | setvbuf(stdout, NULL, _IOLBF, 0); | 449 | setvbuf(stdout, NULL, _IOLBF, 0); |
446 | 450 | ||
@@ -25,6 +25,8 @@ | |||
25 | 25 | ||
26 | #include "includes.h" | 26 | #include "includes.h" |
27 | 27 | ||
28 | #ifdef WITH_OPENSSL | ||
29 | |||
28 | #include <sys/types.h> | 30 | #include <sys/types.h> |
29 | 31 | ||
30 | #include <openssl/bn.h> | 32 | #include <openssl/bn.h> |
@@ -217,3 +219,4 @@ ssh_dss_verify(const struct sshkey *key, | |||
217 | } | 219 | } |
218 | return ret; | 220 | return ret; |
219 | } | 221 | } |
222 | #endif /* WITH_OPENSSL */ | ||
diff --git a/ssh-ecdsa.c b/ssh-ecdsa.c index 1119db045..2c76f8b43 100644 --- a/ssh-ecdsa.c +++ b/ssh-ecdsa.c | |||
@@ -26,7 +26,7 @@ | |||
26 | 26 | ||
27 | #include "includes.h" | 27 | #include "includes.h" |
28 | 28 | ||
29 | #ifdef OPENSSL_HAS_ECC | 29 | #if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) |
30 | 30 | ||
31 | #include <sys/types.h> | 31 | #include <sys/types.h> |
32 | 32 | ||
@@ -189,4 +189,4 @@ ssh_ecdsa_verify(const struct sshkey *key, | |||
189 | return ret; | 189 | return ret; |
190 | } | 190 | } |
191 | 191 | ||
192 | #endif /* OPENSSL_HAS_ECC */ | 192 | #endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */ |
diff --git a/ssh-keygen.c b/ssh-keygen.c index 8daea7f76..75f8e2e09 100644 --- a/ssh-keygen.c +++ b/ssh-keygen.c | |||
@@ -19,9 +19,11 @@ | |||
19 | #include <sys/stat.h> | 19 | #include <sys/stat.h> |
20 | #include <sys/param.h> | 20 | #include <sys/param.h> |
21 | 21 | ||
22 | #ifdef WITH_OPENSSL | ||
22 | #include <openssl/evp.h> | 23 | #include <openssl/evp.h> |
23 | #include <openssl/pem.h> | 24 | #include <openssl/pem.h> |
24 | #include "openbsd-compat/openssl-compat.h" | 25 | #include "openbsd-compat/openssl-compat.h" |
26 | #endif | ||
25 | 27 | ||
26 | #include <errno.h> | 28 | #include <errno.h> |
27 | #include <fcntl.h> | 29 | #include <fcntl.h> |
@@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long, | |||
179 | static void | 181 | static void |
180 | type_bits_valid(int type, u_int32_t *bitsp) | 182 | type_bits_valid(int type, u_int32_t *bitsp) |
181 | { | 183 | { |
184 | #ifdef WITH_OPENSSL | ||
182 | u_int maxbits; | 185 | u_int maxbits; |
186 | #endif | ||
183 | 187 | ||
184 | if (type == KEY_UNSPEC) { | 188 | if (type == KEY_UNSPEC) { |
185 | fprintf(stderr, "unknown key type %s\n", key_type_name); | 189 | fprintf(stderr, "unknown key type %s\n", key_type_name); |
@@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp) | |||
193 | else | 197 | else |
194 | *bitsp = DEFAULT_BITS; | 198 | *bitsp = DEFAULT_BITS; |
195 | } | 199 | } |
200 | #ifdef WITH_OPENSSL | ||
196 | maxbits = (type == KEY_DSA) ? | 201 | maxbits = (type == KEY_DSA) ? |
197 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; | 202 | OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS; |
198 | if (*bitsp > maxbits) { | 203 | if (*bitsp > maxbits) { |
199 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); | 204 | fprintf(stderr, "key bits exceeds maximum %d\n", maxbits); |
200 | exit(1); | 205 | exit(1); |
201 | } | 206 | } |
202 | #ifdef WITH_OPENSSL | ||
203 | if (type == KEY_DSA && *bitsp != 1024) | 207 | if (type == KEY_DSA && *bitsp != 1024) |
204 | fatal("DSA keys must be 1024 bits"); | 208 | fatal("DSA keys must be 1024 bits"); |
205 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) | 209 | else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768) |
@@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca, | |||
2102 | fclose(krl_spec); | 2106 | fclose(krl_spec); |
2103 | free(path); | 2107 | free(path); |
2104 | } | 2108 | } |
2109 | #endif /* WITH_OPENSSL */ | ||
2105 | 2110 | ||
2106 | static void | 2111 | static void |
2107 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | 2112 | do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) |
2108 | { | 2113 | { |
2114 | #ifdef WITH_OPENSSL | ||
2109 | struct ssh_krl *krl; | 2115 | struct ssh_krl *krl; |
2110 | struct stat sb; | 2116 | struct stat sb; |
2111 | Key *ca = NULL; | 2117 | Key *ca = NULL; |
@@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv) | |||
2155 | ssh_krl_free(krl); | 2161 | ssh_krl_free(krl); |
2156 | if (ca != NULL) | 2162 | if (ca != NULL) |
2157 | key_free(ca); | 2163 | key_free(ca); |
2164 | #else /* WITH_OPENSSL */ | ||
2165 | fatal("KRLs not supported without OpenSSL"); | ||
2166 | #endif /* WITH_OPENSSL */ | ||
2158 | } | 2167 | } |
2159 | 2168 | ||
2160 | static void | 2169 | static void |
2161 | do_check_krl(struct passwd *pw, int argc, char **argv) | 2170 | do_check_krl(struct passwd *pw, int argc, char **argv) |
2162 | { | 2171 | { |
2172 | #ifdef WITH_OPENSSL | ||
2163 | int i, r, ret = 0; | 2173 | int i, r, ret = 0; |
2164 | char *comment; | 2174 | char *comment; |
2165 | struct ssh_krl *krl; | 2175 | struct ssh_krl *krl; |
@@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv) | |||
2182 | } | 2192 | } |
2183 | ssh_krl_free(krl); | 2193 | ssh_krl_free(krl); |
2184 | exit(ret); | 2194 | exit(ret); |
2195 | #else /* WITH_OPENSSL */ | ||
2196 | fatal("KRLs not supported without OpenSSL"); | ||
2197 | #endif /* WITH_OPENSSL */ | ||
2185 | } | 2198 | } |
2186 | #endif | ||
2187 | 2199 | ||
2188 | static void | 2200 | static void |
2189 | usage(void) | 2201 | usage(void) |
@@ -2249,7 +2261,9 @@ main(int argc, char **argv) | |||
2249 | 2261 | ||
2250 | __progname = ssh_get_progname(argv[0]); | 2262 | __progname = ssh_get_progname(argv[0]); |
2251 | 2263 | ||
2264 | #ifdef WITH_OPENSSL | ||
2252 | OpenSSL_add_all_algorithms(); | 2265 | OpenSSL_add_all_algorithms(); |
2266 | #endif | ||
2253 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); | 2267 | log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1); |
2254 | 2268 | ||
2255 | seed_rng(); | 2269 | seed_rng(); |
@@ -2427,6 +2441,7 @@ main(int argc, char **argv) | |||
2427 | fatal("Invalid number: %s (%s)", | 2441 | fatal("Invalid number: %s (%s)", |
2428 | optarg, errstr); | 2442 | optarg, errstr); |
2429 | break; | 2443 | break; |
2444 | #ifdef WITH_OPENSSL | ||
2430 | case 'M': | 2445 | case 'M': |
2431 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); | 2446 | memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr); |
2432 | if (errstr) | 2447 | if (errstr) |
@@ -2454,6 +2469,7 @@ main(int argc, char **argv) | |||
2454 | if (BN_hex2bn(&start, optarg) == 0) | 2469 | if (BN_hex2bn(&start, optarg) == 0) |
2455 | fatal("Invalid start point."); | 2470 | fatal("Invalid start point."); |
2456 | break; | 2471 | break; |
2472 | #endif /* WITH_OPENSSL */ | ||
2457 | case 'V': | 2473 | case 'V': |
2458 | parse_cert_times(optarg); | 2474 | parse_cert_times(optarg); |
2459 | break; | 2475 | break; |
@@ -2493,7 +2509,6 @@ main(int argc, char **argv) | |||
2493 | printf("Cannot use -l with -H or -R.\n"); | 2509 | printf("Cannot use -l with -H or -R.\n"); |
2494 | usage(); | 2510 | usage(); |
2495 | } | 2511 | } |
2496 | #ifdef WITH_OPENSSL | ||
2497 | if (gen_krl) { | 2512 | if (gen_krl) { |
2498 | do_gen_krl(pw, update_krl, argc, argv); | 2513 | do_gen_krl(pw, update_krl, argc, argv); |
2499 | return (0); | 2514 | return (0); |
@@ -2502,7 +2517,6 @@ main(int argc, char **argv) | |||
2502 | do_check_krl(pw, argc, argv); | 2517 | do_check_krl(pw, argc, argv); |
2503 | return (0); | 2518 | return (0); |
2504 | } | 2519 | } |
2505 | #endif | ||
2506 | if (ca_key_path != NULL) { | 2520 | if (ca_key_path != NULL) { |
2507 | if (cert_key_id == NULL) | 2521 | if (cert_key_id == NULL) |
2508 | fatal("Must specify key id (-I) when certifying"); | 2522 | fatal("Must specify key id (-I) when certifying"); |
diff --git a/ssh-keysign.c b/ssh-keysign.c index d59f115fc..821939997 100644 --- a/ssh-keysign.c +++ b/ssh-keysign.c | |||
@@ -35,9 +35,11 @@ | |||
35 | #include <string.h> | 35 | #include <string.h> |
36 | #include <unistd.h> | 36 | #include <unistd.h> |
37 | 37 | ||
38 | #ifdef WITH_OPENSSL | ||
38 | #include <openssl/evp.h> | 39 | #include <openssl/evp.h> |
39 | #include <openssl/rand.h> | 40 | #include <openssl/rand.h> |
40 | #include <openssl/rsa.h> | 41 | #include <openssl/rsa.h> |
42 | #endif | ||
41 | 43 | ||
42 | #include "xmalloc.h" | 44 | #include "xmalloc.h" |
43 | #include "log.h" | 45 | #include "log.h" |
@@ -161,7 +163,9 @@ main(int argc, char **argv) | |||
161 | u_char *signature, *data; | 163 | u_char *signature, *data; |
162 | char *host, *fp; | 164 | char *host, *fp; |
163 | u_int slen, dlen; | 165 | u_int slen, dlen; |
166 | #ifdef WITH_OPENSSL | ||
164 | u_int32_t rnd[256]; | 167 | u_int32_t rnd[256]; |
168 | #endif | ||
165 | 169 | ||
166 | /* Ensure that stdin and stdout are connected */ | 170 | /* Ensure that stdin and stdout are connected */ |
167 | if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) | 171 | if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2) |
@@ -204,9 +208,11 @@ main(int argc, char **argv) | |||
204 | if (found == 0) | 208 | if (found == 0) |
205 | fatal("could not open any host key"); | 209 | fatal("could not open any host key"); |
206 | 210 | ||
211 | #ifdef WITH_OPENSSL | ||
207 | OpenSSL_add_all_algorithms(); | 212 | OpenSSL_add_all_algorithms(); |
208 | arc4random_buf(rnd, sizeof(rnd)); | 213 | arc4random_buf(rnd, sizeof(rnd)); |
209 | RAND_seed(rnd, sizeof(rnd)); | 214 | RAND_seed(rnd, sizeof(rnd)); |
215 | #endif | ||
210 | 216 | ||
211 | found = 0; | 217 | found = 0; |
212 | for (i = 0; i < NUM_KEYTYPES; i++) { | 218 | for (i = 0; i < NUM_KEYTYPES; i++) { |
@@ -17,6 +17,8 @@ | |||
17 | 17 | ||
18 | #include "includes.h" | 18 | #include "includes.h" |
19 | 19 | ||
20 | #ifdef WITH_OPENSSL | ||
21 | |||
20 | #include <sys/types.h> | 22 | #include <sys/types.h> |
21 | 23 | ||
22 | #include <openssl/evp.h> | 24 | #include <openssl/evp.h> |
@@ -263,3 +265,4 @@ done: | |||
263 | } | 265 | } |
264 | return ret; | 266 | return ret; |
265 | } | 267 | } |
268 | #endif /* WITH_OPENSSL */ | ||
@@ -623,7 +623,9 @@ privsep_preauth_child(void) | |||
623 | 623 | ||
624 | arc4random_stir(); | 624 | arc4random_stir(); |
625 | arc4random_buf(rnd, sizeof(rnd)); | 625 | arc4random_buf(rnd, sizeof(rnd)); |
626 | #ifdef WITH_OPENSSL | ||
626 | RAND_seed(rnd, sizeof(rnd)); | 627 | RAND_seed(rnd, sizeof(rnd)); |
628 | #endif | ||
627 | explicit_bzero(rnd, sizeof(rnd)); | 629 | explicit_bzero(rnd, sizeof(rnd)); |
628 | 630 | ||
629 | /* Demote the private keys to public keys. */ | 631 | /* Demote the private keys to public keys. */ |
@@ -758,7 +760,9 @@ privsep_postauth(Authctxt *authctxt) | |||
758 | 760 | ||
759 | arc4random_stir(); | 761 | arc4random_stir(); |
760 | arc4random_buf(rnd, sizeof(rnd)); | 762 | arc4random_buf(rnd, sizeof(rnd)); |
763 | #ifdef WITH_OPENSSL | ||
761 | RAND_seed(rnd, sizeof(rnd)); | 764 | RAND_seed(rnd, sizeof(rnd)); |
765 | #endif | ||
762 | explicit_bzero(rnd, sizeof(rnd)); | 766 | explicit_bzero(rnd, sizeof(rnd)); |
763 | 767 | ||
764 | /* Drop privileges */ | 768 | /* Drop privileges */ |
@@ -988,7 +992,7 @@ send_rexec_state(int fd, Buffer *conf) | |||
988 | #endif | 992 | #endif |
989 | buffer_put_int(&m, 0); | 993 | buffer_put_int(&m, 0); |
990 | 994 | ||
991 | #ifndef OPENSSL_PRNG_ONLY | 995 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) |
992 | rexec_send_rng_seed(&m); | 996 | rexec_send_rng_seed(&m); |
993 | #endif | 997 | #endif |
994 | 998 | ||
@@ -1041,7 +1045,7 @@ recv_rexec_state(int fd, Buffer *conf) | |||
1041 | #endif | 1045 | #endif |
1042 | } | 1046 | } |
1043 | 1047 | ||
1044 | #ifndef OPENSSL_PRNG_ONLY | 1048 | #if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY) |
1045 | rexec_recv_rng_seed(&m); | 1049 | rexec_recv_rng_seed(&m); |
1046 | #endif | 1050 | #endif |
1047 | 1051 | ||
@@ -1372,7 +1376,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s) | |||
1372 | */ | 1376 | */ |
1373 | arc4random_stir(); | 1377 | arc4random_stir(); |
1374 | arc4random_buf(rnd, sizeof(rnd)); | 1378 | arc4random_buf(rnd, sizeof(rnd)); |
1379 | #ifdef WITH_OPENSSL | ||
1375 | RAND_seed(rnd, sizeof(rnd)); | 1380 | RAND_seed(rnd, sizeof(rnd)); |
1381 | #endif | ||
1376 | explicit_bzero(rnd, sizeof(rnd)); | 1382 | explicit_bzero(rnd, sizeof(rnd)); |
1377 | } | 1383 | } |
1378 | 1384 | ||