diff --git a/ChangeLog b/ChangeLog index 1c4fdef89..aa2918414 100644 --- a/ChangeLog +++ b/ChangeLog @@ -2,6 +2,8 @@ - (dtucker) [entropy.c] Add headers for WIFEXITED and friends. - (dtucker) [configure.ac md-sha256.c] NetBSD has sha2.h in /usr/include/crypto. Hint from djm@. + - (tim) [kex.c myproposal.h md-sha256.c openbsd-compat/sha2.c,h] + Disable sha256 when openssl < 0.9.7. Patch from djm@. 20060315 - (djm) OpenBSD CVS Sync: @@ -4178,4 +4180,4 @@ - (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu -$Id: ChangeLog,v 1.4226 2006/03/15 21:14:34 dtucker Exp $ +$Id: ChangeLog,v 1.4227 2006/03/16 04:17:05 tim Exp $ diff --git a/kex.c b/kex.c index 70c2c9709..8610a7dab 100644 --- a/kex.c +++ b/kex.c @@ -44,11 +44,13 @@ RCSID("$OpenBSD: kex.c,v 1.66 2006/03/07 09:07:40 djm Exp $"); #define KEX_COOKIE_LEN 16 -#ifdef HAVE_EVP_SHA256 +#if OPENSSL_VERSION_NUMBER < 0x00907000L +# define evp_ssh_sha256() NULL +#elif defined(HAVE_EVP_SHA256) # define evp_ssh_sha256 EVP_sha256 -#else /* HAVE_EVP_SHA256 */ +#else extern const EVP_MD *evp_ssh_sha256(void); -#endif /* HAVE_EVP_SHA256 */ +#endif /* prototype */ static void kex_kexinit_finish(Kex *); diff --git a/md-sha256.c b/md-sha256.c index 0b1ed5828..064228a4a 100644 --- a/md-sha256.c +++ b/md-sha256.c @@ -17,8 +17,9 @@ /* EVP wrapper for SHA256 */ #include "includes.h" +#include -#ifndef HAVE_EVP_SHA256 +#if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) #include #include @@ -80,5 +81,5 @@ evp_ssh_sha256(void) return (&ssh_sha256); } -#endif /* HAVE_EVP_SHA256 */ +#endif /* !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ diff --git a/myproposal.h b/myproposal.h index cc94a8ed2..43c540209 100644 --- a/myproposal.h +++ b/myproposal.h @@ -23,11 +23,23 @@ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -#define KEX_DEFAULT_KEX \ + +#include + +/* Old OpenSSL doesn't support what we need for DHGEX-sha256 */ +#if OPENSSL_VERSION_NUMBER < 0x00907000L +# define KEX_DEFAULT_KEX \ + "diffie-hellman-group-exchange-sha1," \ + "diffie-hellman-group14-sha1," \ + "diffie-hellman-group1-sha1" +#else +# define KEX_DEFAULT_KEX \ "diffie-hellman-group-exchange-sha256," \ "diffie-hellman-group-exchange-sha1," \ "diffie-hellman-group14-sha1," \ "diffie-hellman-group1-sha1" +#endif + #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_ENCRYPT \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \ diff --git a/openbsd-compat/sha2.c b/openbsd-compat/sha2.c index 36ab60e62..cf8e0ad66 100644 --- a/openbsd-compat/sha2.c +++ b/openbsd-compat/sha2.c @@ -38,7 +38,10 @@ #include "includes.h" -#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) +#include + +#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ + (OPENSSL_VERSION_NUMBER >= 0x00907000L) #include #include #include "sha2.h" @@ -875,4 +878,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context) } #endif -#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */ +#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ + (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ diff --git a/openbsd-compat/sha2.h b/openbsd-compat/sha2.h index 1d6aa61e9..821f2dd6c 100644 --- a/openbsd-compat/sha2.h +++ b/openbsd-compat/sha2.h @@ -41,7 +41,10 @@ #include "includes.h" -#if !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) +#include + +#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ + (OPENSSL_VERSION_NUMBER >= 0x00907000L) /*** SHA-256/384/512 Various Length Definitions ***********************/ #define SHA256_BLOCK_LENGTH 64 @@ -124,6 +127,7 @@ char *SHA512_Data(const u_int8_t *, size_t, char *) __attribute__((__bounded__(__string__,1,2))) __attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH))); -#endif /* !defined(HAVE_SHA256_UPDATE) && !defined(HAVE_EVP_SHA256) */ +#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \ + (OPENSSL_VERSION_NUMBER >= 0x00907000L) */ #endif /* _SSHSHA2_H */