6 files changed, 36 insertions, 11 deletions
diff --git a/ChangeLog b/ChangeLog
index 1c4fdef89..aa2918414 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,8 @@
 - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
 - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
   /usr/include/crypto.  Hint from djm@.
+ - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
+   Disable sha256 when openssl < 0.9.7. Patch from djm@.
 20060315
 - (djm) OpenBSD CVS Sync:
@@ -4178,4 +4180,4 @@
   - (djm) Trim deprecated options from INSTALL. Mention UsePAM
   - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
-$Id: ChangeLog,v 1.4226 2006/03/15 21:14:34 dtucker Exp $
+$Id: ChangeLog,v 1.4227 2006/03/16 04:17:05 tim Exp $
diff --git a/kex.c b/kex.c
index 70c2c9709..8610a7dab 100644
--- a/kex.c
+++ b/kex.c
@@ -44,11 +44,13 @@ RCSID("$OpenBSD: kex.c,v 1.66 2006/03/07 09:07:40 djm Exp $");
 #define KEX_COOKIE_LEN  16
-#ifdef HAVE_EVP_SHA256
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define evp_ssh_sha256() NULL
+#elif defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-#else /* HAVE_EVP_SHA256 */
+#else
 extern const EVP_MD *evp_ssh_sha256(void);
-#endif /* HAVE_EVP_SHA256 */
+#endif
 /* prototype */
 static void kex_kexinit_finish(Kex *);
diff --git a/md-sha256.c b/md-sha256.c
index 0b1ed5828..064228a4a 100644
--- a/md-sha256.c
+++ b/md-sha256.c
@@ -17,8 +17,9 @@
 /* EVP wrapper for SHA256 */
 #include "includes.h"
+#include <openssl/opensslv.h>
-#ifndef HAVE_EVP_SHA256
+#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 #include <string.h>
 #include <openssl/evp.h>
@@ -80,5 +81,5 @@ evp_ssh_sha256(void)
        return (&ssh_sha256);
 }
-#endif /* HAVE_EVP_SHA256 */
+#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
diff --git a/myproposal.h b/myproposal.h
index cc94a8ed2..43c540209 100644
--- a/myproposal.h
+++ b/myproposal.h
@@ -23,11 +23,23 @@
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */
-#define KEX_DEFAULT_KEX         \
+#include <openssl/opensslv.h>
+/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define KEX_DEFAULT_KEX                \
+        "diffie-hellman-group-exchange-sha1," \
+        "diffie-hellman-group14-sha1," \
+        "diffie-hellman-group1-sha1"
+#else
+# define KEX_DEFAULT_KEX                \
        "diffie-hellman-group-exchange-sha256," \
        "diffie-hellman-group-exchange-sha1," \
        "diffie-hellman-group14-sha1," \
        "diffie-hellman-group1-sha1"
+#endif
 #define KEX_DEFAULT_PK_ALG      "ssh-rsa,ssh-dss"
 #define KEX_DEFAULT_ENCRYPT \
        "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c
index 36ab60e62..cf8e0ad66 100644
--- a/openbsd-compat/sha2.c
+++ b/openbsd-compat/sha2.c
@@ -38,7 +38,10 @@
 #include "includes.h"
-#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)
+#include <openssl/opensslv.h>
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 #include <sys/types.h>
 #include <string.h>
 #include "sha2.h"
@@ -875,4 +878,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
 }
 #endif
-#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h
index 1d6aa61e9..821f2dd6c 100644
--- a/openbsd-compat/sha2.h
+++ b/openbsd-compat/sha2.h
@@ -41,7 +41,10 @@
 #include "includes.h"
-#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)
+#include <openssl/opensslv.h>
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 /*** SHA-256/384/512 Various Length Definitions ***********************/
 #define SHA256_BLOCK_LENGTH             64
@@ -124,6 +127,7 @@ char *SHA512_Data(const u_int8_t *, size_t, char *)
        __attribute__((__bounded__(__string__,1,2)))
        __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
-#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
 #endif /* _SSHSHA2_H */

diff --git a/ChangeLog b/ChangeLog index 1c4fdef89..aa2918414 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -2,6 +2,8 @@
2	- (dtucker) [entropy.c] Add headers for WIFEXITED and friends.	2	- (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
3	- (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in	3	- (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
4	/usr/include/crypto. Hint from djm@.	4	/usr/include/crypto. Hint from djm@.
		5	- (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
		6	Disable sha256 when openssl < 0.9.7. Patch from djm@.
5		7
6	20060315	8	20060315
7	- (djm) OpenBSD CVS Sync:	9	- (djm) OpenBSD CVS Sync:
@@ -4178,4 +4180,4 @@
4178	- (djm) Trim deprecated options from INSTALL. Mention UsePAM	4180	- (djm) Trim deprecated options from INSTALL. Mention UsePAM
4179	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu	4181	- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
4180		4182
4181	$Id: ChangeLog,v 1.4226 2006/03/15 21:14:34 dtucker Exp $	4183	$Id: ChangeLog,v 1.4227 2006/03/16 04:17:05 tim Exp $


diff --git a/kex.c b/kex.c index 70c2c9709..8610a7dab 100644 --- a/kex.c +++ b/kex.c
@@ -44,11 +44,13 @@ RCSID("$OpenBSD: kex.c,v 1.66 2006/03/07 09:07:40 djm Exp $");
44		44
45	#define KEX_COOKIE_LEN 16	45	#define KEX_COOKIE_LEN 16
46		46
47	#ifdef HAVE_EVP_SHA256	47	#if OPENSSL_VERSION_NUMBER < 0x00907000L
		48	# define evp_ssh_sha256() NULL
		49	#elif defined(HAVE_EVP_SHA256)
48	# define evp_ssh_sha256 EVP_sha256	50	# define evp_ssh_sha256 EVP_sha256
49	#else /* HAVE_EVP_SHA256 */	51	#else
50	extern const EVP_MD *evp_ssh_sha256(void);	52	extern const EVP_MD *evp_ssh_sha256(void);
51	#endif /* HAVE_EVP_SHA256 */	53	#endif
52		54
53	/* prototype */	55	/* prototype */
54	static void kex_kexinit_finish(Kex *);	56	static void kex_kexinit_finish(Kex *);


diff --git a/md-sha256.c b/md-sha256.c index 0b1ed5828..064228a4a 100644 --- a/md-sha256.c +++ b/md-sha256.c
@@ -17,8 +17,9 @@
17	/* EVP wrapper for SHA256 */	17	/* EVP wrapper for SHA256 */
18		18
19	#include "includes.h"	19	#include "includes.h"
		20	#include <openssl/opensslv.h>
20		21
21	#ifndef HAVE_EVP_SHA256	22	#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
22		23
23	#include <string.h>	24	#include <string.h>
24	#include <openssl/evp.h>	25	#include <openssl/evp.h>
@@ -80,5 +81,5 @@ evp_ssh_sha256(void)
80	return (&ssh_sha256);	81	return (&ssh_sha256);
81	}	82	}
82		83
83	#endif /* HAVE_EVP_SHA256 */	84	#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
84		85


diff --git a/myproposal.h b/myproposal.h index cc94a8ed2..43c540209 100644 --- a/myproposal.h +++ b/myproposal.h
@@ -23,11 +23,23 @@
23	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	23	* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	24	* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
25	*/	25	*/
26	#define KEX_DEFAULT_KEX \	26
		27	#include <openssl/opensslv.h>
		28
		29	/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
		30	#if OPENSSL_VERSION_NUMBER < 0x00907000L
		31	# define KEX_DEFAULT_KEX \
		32	"diffie-hellman-group-exchange-sha1," \
		33	"diffie-hellman-group14-sha1," \
		34	"diffie-hellman-group1-sha1"
		35	#else
		36	# define KEX_DEFAULT_KEX \
27	"diffie-hellman-group-exchange-sha256," \	37	"diffie-hellman-group-exchange-sha256," \
28	"diffie-hellman-group-exchange-sha1," \	38	"diffie-hellman-group-exchange-sha1," \
29	"diffie-hellman-group14-sha1," \	39	"diffie-hellman-group14-sha1," \
30	"diffie-hellman-group1-sha1"	40	"diffie-hellman-group1-sha1"
		41	#endif
		42
31	#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"	43	#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
32	#define KEX_DEFAULT_ENCRYPT \	44	#define KEX_DEFAULT_ENCRYPT \
33	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \	45	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \


diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c index 36ab60e62..cf8e0ad66 100644 --- a/openbsd-compat/sha2.c +++ b/openbsd-compat/sha2.c
@@ -38,7 +38,10 @@
38		38
39	#include "includes.h"	39	#include "includes.h"
40		40
41	#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)	41	#include <openssl/opensslv.h>
		42
		43	#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
		44	(OPENSSL_VERSION_NUMBER >= 0x00907000L)
42	#include <sys/types.h>	45	#include <sys/types.h>
43	#include <string.h>	46	#include <string.h>
44	#include "sha2.h"	47	#include "sha2.h"
@@ -875,4 +878,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
875	}	878	}
876	#endif	879	#endif
877		880
878	#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */	881	#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
		882	(OPENSSL_VERSION_NUMBER >= 0x00907000L) */


diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h index 1d6aa61e9..821f2dd6c 100644 --- a/openbsd-compat/sha2.h +++ b/openbsd-compat/sha2.h
@@ -41,7 +41,10 @@
41		41
42	#include "includes.h"	42	#include "includes.h"
43		43
44	#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)	44	#include <openssl/opensslv.h>
		45
		46	#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
		47	(OPENSSL_VERSION_NUMBER >= 0x00907000L)
45		48
46	/* SHA-256/384/512 Various Length Definitions *********************/	49	/* SHA-256/384/512 Various Length Definitions *********************/
47	#define SHA256_BLOCK_LENGTH 64	50	#define SHA256_BLOCK_LENGTH 64
@@ -124,6 +127,7 @@ char SHA512_Data(const u_int8_t , size_t, char *)
124	__attribute__((__bounded__(__string__,1,2)))	127	__attribute__((__bounded__(__string__,1,2)))
125	__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));	128	__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
126		129
127	#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */	130	#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
		131	(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
128		132
129	#endif /* _SSHSHA2_H */	133	#endif /* _SSHSHA2_H */