- (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
   openbsd-compat/openssl-compat.h] Check for and work around broken AES
   ciphers >128bit on (some) Solaris 10 systems.  ok djm@
diff --git a/ChangeLog b/ChangeLog
index d28bdf5..a8074f0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+20051219
+ - (dtucker) [cipher-aes.c cipher-ctr.c cipher.c configure.ac
+   openbsd-compat/openssl-compat.h] Check for and work around broken AES
+   ciphers >128bit on (some) Solaris 10 systems.  ok djm@
+
 20051217
  - (dtucker) [defines.h] HP-UX system headers define "YES" and "NO" which
    scp.c also uses, so undef them here.
@@ -3466,4 +3471,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4030 2005/12/17 11:32:03 dtucker Exp $
+$Id: ChangeLog,v 1.4031 2005/12/19 06:40:40 dtucker Exp $
diff --git a/cipher-aes.c b/cipher-aes.c
index 22d500d..228ddb1 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -23,7 +23,11 @@
  */
 
 #include "includes.h"
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
+
+#ifdef USE_BUILTIN_RIJNDAEL
 RCSID("$OpenBSD: cipher-aes.c,v 1.2 2003/11/26 21:44:29 djm Exp $");
 
 #include <openssl/evp.h>
@@ -31,10 +35,6 @@
 #include "xmalloc.h"
 #include "log.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
-
 #define RIJNDAEL_BLOCKSIZE 16
 struct ssh_rijndael_ctx
 {
@@ -157,4 +157,4 @@
 #endif
 	return (&rijndal_cbc);
 }
-#endif /* OPENSSL_VERSION_NUMBER */
+#endif /* USE_BUILTIN_RIJNDAEL */
diff --git a/cipher-ctr.c b/cipher-ctr.c
index 8561773..8a98f3c 100644
--- a/cipher-ctr.c
+++ b/cipher-ctr.c
@@ -21,11 +21,10 @@
 #include "log.h"
 #include "xmalloc.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00906000L
-#define SSH_OLD_EVP
-#endif
+/* compatibility with old or broken OpenSSL versions */
+#include "openbsd-compat/openssl-compat.h"
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
 #include "rijndael.h"
 #define AES_KEY rijndael_ctx
 #define AES_BLOCK_SIZE 16
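Review bot: Removing the local `SSH_OLD_EVP` definition here (and in the second cipher-aes.c hunk) leaves both files dependent on openbsd-compat/openssl-compat.h to define it for OpenSSL older than 0.9.6, and that definition is not visible anywhere in this diff. If the header does not provide it, any code in these files conditional on `SSH_OLD_EVP` would silently compile the newer-EVP path against an old library instead of failing the build. Confirm the header defines it, and consider saying so in the new comment, e.g. `/* SSH_OLD_EVP and USE_BUILTIN_RIJNDAEL are set by openssl-compat.h */`. The rest of cipher-ctr.c lies outside the hunk.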
diff --git a/cipher.c b/cipher.c
index 0dddf27..1434d55 100644
--- a/cipher.c
+++ b/cipher.c
@@ -334,7 +334,7 @@
 		if ((u_int)evplen != len)
 			fatal("%s: wrong iv length %d != %d", __func__,
 			    evplen, len);
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
 		if (c->evptype == evp_rijndael)
 			ssh_rijndael_iv(&cc->evp, 0, iv, len);
 		else
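Review bot: Replacing `#if OPENSSL_VERSION_NUMBER < 0x00907000L` with `#ifdef USE_BUILTIN_RIJNDAEL` changes the failure mode: if cipher.c does not include openbsd-compat/openssl-compat.h, the macro is simply undefined and the `ssh_rijndael_iv()` branch drops out with no diagnostic. Unlike cipher-aes.c and cipher-ctr.c, this commit adds no include to cipher.c, and the file's include list is outside both hunks, so this presumably relies on an existing `#include "openbsd-compat/openssl-compat.h"`; confirm that. The same applies to the hunk at line 365. The enclosing functions start and end outside the hunks, but if the branch were missing, IV save and restore for the built-in cipher would apparently fall through to the generic path after `else`.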
@@ -365,7 +365,7 @@
 		evplen = EVP_CIPHER_CTX_iv_length(&cc->evp);
 		if (evplen == 0)
 			return;
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#ifdef USE_BUILTIN_RIJNDAEL
 		if (c->evptype == evp_rijndael)
 			ssh_rijndael_iv(&cc->evp, 1, iv, evplen);
 		else
diff --git a/configure.ac b/configure.ac
index df85e31..9325c43 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,4 +1,4 @@
-# $Id: configure.ac,v 1.315 2005/12/17 11:32:03 dtucker Exp $
+# $Id: configure.ac,v 1.316 2005/12/19 06:40:40 dtucker Exp $
 #
 # Copyright (c) 1999-2004 Damien Miller
 #
@@ -1803,6 +1803,24 @@
 	]
 )
 
+# Check for OpenSSL without EVP_aes_{192,256}_cbc
+AC_MSG_CHECKING([whether OpenSSL has crippled AES support])
+AC_COMPILE_IFELSE(
+	[AC_LANG_SOURCE([[
+#include <string.h>
+#include <openssl/evp.h>
+int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)}
+	]])],
+	[
+		AC_MSG_RESULT(no)
+	],
+	[
+		AC_MSG_RESULT(yes)
+		AC_DEFINE(OPENSSL_LOBOTOMISED_AES, 1,
+		    [libcrypto is missing AES 192 and 256 bit functions])
+	]
+)
+
 # Some systems want crypt() from libcrypt, *not* the version in OpenSSL,
 # because the system crypt() is more featureful.
 if test "x$check_for_libcrypt_before" = "x1"; then
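Review bot: The test program on the `int main(void)` line has no semicolon after the `exit(...)` call, so it can never compile. AC_COMPILE_IFELSE therefore always takes the failure branch, and `OPENSSL_LOBOTOMISED_AES` is defined on every platform, silently moving all builds onto the built-in rijndael code. The line should read `int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL); }`, with `#include <stdlib.h>` added for `exit`. Because the define is described as libcrypto missing the functions, the check probably also needs `AC_LINK_IFELSE(` in place of `AC_COMPILE_IFELSE(`, since a compile-only test cannot see a symbol that the header declares but the library lacks.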
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 4988485..8a015ec 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -1,4 +1,4 @@
-/* $Id: openssl-compat.h,v 1.2 2005/11/20 03:10:00 dtucker Exp $ */
+/* $Id: openssl-compat.h,v 1.3 2005/12/19 06:40:40 dtucker Exp $ */
 
 /*
  * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au>
@@ -24,7 +24,11 @@
 # define EVP_CIPHER_CTX_get_app_data(e)		((e)->app_data)
 #endif
 
-#if OPENSSL_VERSION_NUMBER < 0x00907000L
+#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES)
+# define USE_BUILTIN_RIJNDAEL
+#endif
+
+#ifdef USE_BUILTIN_RIJNDAEL
 # define EVP_aes_128_cbc evp_rijndael
 # define EVP_aes_192_cbc evp_rijndael
 # define EVP_aes_256_cbc evp_rijndael
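Review bot: `USE_BUILTIN_RIJNDAEL` now decides which AES implementation cipher.c, cipher-aes.c and cipher-ctr.c compile, but the `#if` that sets it treats an undefined `OPENSSL_VERSION_NUMBER` as 0 and would then select the built-in code silently. The top of this header is outside the hunk, so it is unclear whether it includes `<openssl/opensslv.h>` itself. If it relies on the includer, an `#ifndef OPENSSL_VERSION_NUMBER` / `#error` guard ahead of this test would make the dependency explicit. A short comment would also help: `/* Use the bundled rijndael for all AES-CBC key sizes, including 128-bit, when OpenSSL is < 0.9.7 or lacks AES-192/256 */`. The `#ifdef USE_BUILTIN_RIJNDAEL` block continues past the end of the hunk.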