- (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h] Disable

sha256 when openssl < 0.9.7. Patch from djm@. Corrections/testing by me.

ChangeLog

@@ -2,6 +2,8 @@
  - (dtucker) [entropy.c] Add headers for WIFEXITED and friends.
  - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in
    /usr/include/crypto.  Hint from djm@.
+ - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h]
+   Disable sha256 when openssl < 0.9.7. Patch from djm@.
 
 20060315
  - (djm) OpenBSD CVS Sync:
@@ -4178,4 +4180,4 @@
    - (djm) Trim deprecated options from INSTALL. Mention UsePAM
    - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
 
-$Id: ChangeLog,v 1.4226 2006/03/15 21:14:34 dtucker Exp $
+$Id: ChangeLog,v 1.4227 2006/03/16 04:17:05 tim Exp $

kex.c

@@ -44,11 +44,13 @@ RCSID("$OpenBSD: kex.c,v 1.66 2006/03/07 09:07:40 djm Exp $");
 
 #define KEX_COOKIE_LEN	16
 
-#ifdef HAVE_EVP_SHA256
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define evp_ssh_sha256() NULL
+#elif defined(HAVE_EVP_SHA256)
 # define evp_ssh_sha256 EVP_sha256
-#else /* HAVE_EVP_SHA256 */
+#else
 extern const EVP_MD *evp_ssh_sha256(void);
-#endif /* HAVE_EVP_SHA256 */
+#endif
 
 /* prototype */
 static void kex_kexinit_finish(Kex *);

md-sha256.c

@@ -17,8 +17,9 @@
 /* EVP wrapper for SHA256 */
 
 #include "includes.h"
+#include <openssl/opensslv.h>
 
-#ifndef HAVE_EVP_SHA256
+#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 
 #include <string.h>
 #include <openssl/evp.h>
@@ -80,5 +81,5 @@ evp_ssh_sha256(void)
 	return (&ssh_sha256);
 }
 
-#endif /* HAVE_EVP_SHA256 */
+#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
 

myproposal.h

@@ -23,11 +23,23 @@
  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
  */
-#define KEX_DEFAULT_KEX		\
+
+#include <openssl/opensslv.h>
+
+/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
+#if OPENSSL_VERSION_NUMBER < 0x00907000L
+# define KEX_DEFAULT_KEX		\
+	"diffie-hellman-group-exchange-sha1," \
+ 	"diffie-hellman-group14-sha1," \
+ 	"diffie-hellman-group1-sha1"
+#else
+# define KEX_DEFAULT_KEX		\
 	"diffie-hellman-group-exchange-sha256," \
 	"diffie-hellman-group-exchange-sha1," \
  	"diffie-hellman-group14-sha1," \
  	"diffie-hellman-group1-sha1"
+#endif
+
 #define	KEX_DEFAULT_PK_ALG	"ssh-rsa,ssh-dss"
 #define	KEX_DEFAULT_ENCRYPT \
 	"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \

openbsd-compat/sha2.c

@@ -38,7 +38,10 @@
 
 #include "includes.h"
 
-#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 #include <sys/types.h>
 #include <string.h>
 #include "sha2.h"
@@ -875,4 +878,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
 }
 #endif
 
-#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */

openbsd-compat/sha2.h

@@ -41,7 +41,10 @@
 
 #include "includes.h"
 
-#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256)
+#include <openssl/opensslv.h>
+
+#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L)
 
 /*** SHA-256/384/512 Various Length Definitions ***********************/
 #define SHA256_BLOCK_LENGTH		64
@@ -124,6 +127,7 @@ char *SHA512_Data(const u_int8_t *, size_t, char *)
 	__attribute__((__bounded__(__string__,1,2)))
 	__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
 
-#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */
+#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
+    (OPENSSL_VERSION_NUMBER >= 0x00907000L) */
 
 #endif /* _SSHSHA2_H */