support --without-openssl at configure time
Disables and removes the dependency on OpenSSL. Many features don't work and the set of crypto options is greatly restricted. This will only work on systems with a native arc4random or /dev/urandom. Considered highly experimental for now.
This commit is contained in:
parent
4f38c61c68
commit
72ef7c148c
@ -76,7 +76,7 @@ LIBOPENSSH_OBJS=\
|
||||
|
||||
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
authfd.o authfile.o bufaux.o bufbn.o buffer.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o \
|
||||
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
|
||||
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
|
||||
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
|
||||
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
|
||||
@ -87,7 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
|
||||
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
|
||||
ssh-pkcs11.o smult_curve25519_ref.o \
|
||||
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
|
||||
ssh-ed25519.o digest-openssl.o hmac.o \
|
||||
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
|
||||
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
|
||||
|
||||
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \
|
||||
|
6
bufbn.c
6
bufbn.c
@ -20,12 +20,15 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include "buffer.h"
|
||||
#include "log.h"
|
||||
#include "ssherr.h"
|
||||
|
||||
#ifdef WITH_SSH1
|
||||
int
|
||||
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
|
||||
{
|
||||
@ -63,6 +66,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
|
||||
if (buffer_get_bignum_ret(buffer, value) == -1)
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
#endif /* WITH_SSH1 */
|
||||
|
||||
int
|
||||
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
|
||||
@ -101,3 +105,5 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
|
||||
if (buffer_get_bignum2_ret(buffer, value) == -1)
|
||||
fatal("%s: buffer error", __func__);
|
||||
}
|
||||
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -18,6 +18,8 @@
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
|
||||
#ifndef WITH_OPENSSL
|
||||
|
||||
#include "cipher-aesctr.h"
|
||||
|
||||
/*
|
||||
@ -76,3 +78,4 @@ aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
|
||||
n = (n + 1) % AES_BLOCK_SIZE;
|
||||
}
|
||||
}
|
||||
#endif /* !WITH_OPENSSL */
|
||||
|
@ -20,6 +20,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -98,3 +100,4 @@ evp_ssh1_bf(void)
|
||||
ssh1_bf.key_len = 32;
|
||||
return (&ssh1_bf);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -16,7 +16,7 @@
|
||||
*/
|
||||
#include "includes.h"
|
||||
|
||||
#ifndef OPENSSL_HAVE_EVPCTR
|
||||
#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -143,4 +143,4 @@ evp_aes_128_ctr(void)
|
||||
return (&aes_ctr);
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_HAVE_EVPCTR */
|
||||
#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */
|
||||
|
927
configure.ac
927
configure.ac
@ -18,15 +18,19 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifndef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
|
||||
#if 0
|
||||
#include <md5.h>
|
||||
#include <rmd160.h>
|
||||
#include <sha1.h>
|
||||
#include <sha2.h>
|
||||
#endif
|
||||
|
||||
#include "ssherr.h"
|
||||
#include "sshbuf.h"
|
||||
@ -89,30 +93,30 @@ const struct ssh_digest digests[SSH_DIGEST_MAX] = {
|
||||
"SHA256",
|
||||
SHA256_BLOCK_LENGTH,
|
||||
SHA256_DIGEST_LENGTH,
|
||||
sizeof(SHA2_CTX),
|
||||
(md_init_fn *) SHA256Init,
|
||||
(md_update_fn *) SHA256Update,
|
||||
(md_final_fn *) SHA256Final
|
||||
sizeof(SHA256_CTX),
|
||||
(md_init_fn *) SHA256_Init,
|
||||
(md_update_fn *) SHA256_Update,
|
||||
(md_final_fn *) SHA256_Final
|
||||
},
|
||||
{
|
||||
SSH_DIGEST_SHA384,
|
||||
"SHA384",
|
||||
SHA384_BLOCK_LENGTH,
|
||||
SHA384_DIGEST_LENGTH,
|
||||
sizeof(SHA2_CTX),
|
||||
(md_init_fn *) SHA384Init,
|
||||
(md_update_fn *) SHA384Update,
|
||||
(md_final_fn *) SHA384Final
|
||||
sizeof(SHA384_CTX),
|
||||
(md_init_fn *) SHA384_Init,
|
||||
(md_update_fn *) SHA384_Update,
|
||||
(md_final_fn *) SHA384_Final
|
||||
},
|
||||
{
|
||||
SSH_DIGEST_SHA512,
|
||||
"SHA512",
|
||||
SHA512_BLOCK_LENGTH,
|
||||
SHA512_DIGEST_LENGTH,
|
||||
sizeof(SHA2_CTX),
|
||||
(md_init_fn *) SHA512Init,
|
||||
(md_update_fn *) SHA512Update,
|
||||
(md_final_fn *) SHA512Final
|
||||
sizeof(SHA512_CTX),
|
||||
(md_init_fn *) SHA512_Init,
|
||||
(md_update_fn *) SHA512_Update,
|
||||
(md_final_fn *) SHA512_Final
|
||||
}
|
||||
};
|
||||
|
||||
@ -257,3 +261,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
|
||||
{
|
||||
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
|
||||
}
|
||||
#endif /* !WITH_OPENSSL */
|
||||
|
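Review bot: The `#if 0` block around `<md5.h>`, `<rmd160.h>`, `<sha1.h>` and `<sha2.h>` is dead code that leaves the reader guessing where `SHA256_CTX`/`SHA256_Init` now come from; the table below compiles only because `includes.h` (through openbsd-compat.h, also changed in this commit) pulls the compat headers in transitively. Either delete the block or replace it with the explicit compat includes so the file documents its own dependencies. The rewritten table entries also keep the `(md_init_fn *) SHA256_Init` style casts; the pattern predates this commit, but since the entries are being rewritten a comment such as `/* prototypes must match md_init_fn/md_update_fn/md_final_fn exactly: calling through a mismatched function-pointer type is undefined behaviour */` would record the assumption the casts rely on.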
@ -17,6 +17,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <limits.h>
|
||||
#include <stdlib.h>
|
||||
@ -200,3 +202,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
|
||||
{
|
||||
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
12
entropy.c
12
entropy.c
@ -24,6 +24,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/socket.h>
|
||||
#ifdef HAVE_SYS_UN_H
|
||||
@ -230,3 +232,13 @@ seed_rng(void)
|
||||
if (RAND_status() != 1)
|
||||
fatal("PRNG is not seeded");
|
||||
}
|
||||
|
||||
#else /* WITH_OPENSSL */
|
||||
|
||||
/* Handled in arc4random() */
|
||||
void
|
||||
seed_rng(void)
|
||||
{
|
||||
}
|
||||
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
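Review bot: The empty `seed_rng()` stub at the end of the hunk drops the startup check that the OpenSSL build performs with `fatal("PRNG is not seeded")`; in the non-OpenSSL build an unusable random source is only discovered lazily, at the first `arc4random()` call (the compat `getrnd()` added in this commit calls `fatal()` when it cannot open or read the device). That is acceptable, but it should be stated so nobody later assumes the stub validated anything. Suggested replacement for the one-line comment: `/* No-op without OpenSSL: the arc4random() compat code seeds itself from the random device on first use and fatal()s on failure. */`.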
@ -167,7 +167,9 @@
|
||||
# endif
|
||||
#endif
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
|
||||
#endif
|
||||
|
||||
#include "defines.h"
|
||||
|
||||
|
4
kex.c
4
kex.c
@ -90,9 +90,9 @@ static const struct kexalg kexalgs[] = {
|
||||
# endif /* OPENSSL_HAS_NISTP521 */
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* WITH_OPENSSL */
|
||||
#ifdef HAVE_EVP_SHA256
|
||||
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
|
||||
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
|
||||
#endif /* HAVE_EVP_SHA256 */
|
||||
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
|
||||
{ NULL, -1, -1, -1},
|
||||
};
|
||||
|
||||
|
3
kexdh.c
3
kexdh.c
@ -25,6 +25,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <signal.h>
|
||||
@ -85,3 +87,4 @@ kex_dh_hash(
|
||||
*hash = digest;
|
||||
*hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
3
kexdhc.c
3
kexdhc.c
@ -25,6 +25,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@ -159,3 +161,4 @@ kexdh_client(Kex *kex)
|
||||
BN_clear_free(shared_secret);
|
||||
kex_finish(kex);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
3
kexdhs.c
3
kexdhs.c
@ -25,6 +25,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -158,3 +160,4 @@ kexdh_server(Kex *kex)
|
||||
BN_clear_free(shared_secret);
|
||||
kex_finish(kex);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -26,7 +26,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -94,4 +94,4 @@ kex_ecdh_hash(
|
||||
*hash = digest;
|
||||
*hashlen = ssh_digest_bytes(hash_alg);
|
||||
}
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
|
||||
|
12
kexecdhc.c
12
kexecdhc.c
@ -26,6 +26,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <stdio.h>
|
||||
@ -42,8 +44,6 @@
|
||||
#include "dh.h"
|
||||
#include "ssh2.h"
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
|
||||
#include <openssl/ecdh.h>
|
||||
|
||||
void
|
||||
@ -156,10 +156,4 @@ kexecdh_client(Kex *kex)
|
||||
BN_clear_free(shared_secret);
|
||||
kex_finish(kex);
|
||||
}
|
||||
#else /* OPENSSL_HAS_ECC */
|
||||
void
|
||||
kexecdh_client(Kex *kex)
|
||||
{
|
||||
fatal("ECC support is not enabled");
|
||||
}
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
|
||||
|
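Review bot: Removing the `#else` fallback that defined `kexecdh_client()` as `fatal("ECC support is not enabled")` means the symbol no longer exists at all when `OPENSSL_HAS_ECC` or `WITH_OPENSSL` is unset; any reference left outside such a guard (the kex dispatch in kex.c is not in this hunk) becomes a link error rather than a runtime error. A link error is the safer failure, but the callers' guard should be confirmed to be `defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)` rather than plain `OPENSSL_HAS_ECC`, since the visible kex.c hunk still closes an `#endif /* OPENSSL_HAS_ECC */` nested inside `WITH_OPENSSL`. The same applies to the identical change to `kexecdh_server()` in kexecdhs.c.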
12
kexecdhs.c
12
kexecdhs.c
@ -26,6 +26,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
#include <signal.h>
|
||||
@ -39,8 +41,6 @@
|
||||
#include "packet.h"
|
||||
#include "ssh2.h"
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
|
||||
#include <openssl/ecdh.h>
|
||||
|
||||
void
|
||||
@ -152,10 +152,4 @@ kexecdh_server(Kex *kex)
|
||||
BN_clear_free(shared_secret);
|
||||
kex_finish(kex);
|
||||
}
|
||||
#else /* OPENSSL_HAS_ECC */
|
||||
void
|
||||
kexecdh_server(Kex *kex)
|
||||
{
|
||||
fatal("ECC support is not enabled");
|
||||
}
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */
|
||||
|
3
kexgex.c
3
kexgex.c
@ -26,6 +26,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -96,3 +98,4 @@ kexgex_hash(
|
||||
*hash = digest;
|
||||
*hashlen = ssh_digest_bytes(hash_alg);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -26,6 +26,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/dh.h>
|
||||
@ -205,3 +207,4 @@ kexgex_client(Kex *kex)
|
||||
|
||||
kex_finish(kex);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -26,6 +26,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/param.h>
|
||||
|
||||
#include <stdarg.h>
|
||||
@ -206,3 +208,4 @@ kexgex_server(Kex *kex)
|
||||
|
||||
kex_finish(kex);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
3
krl.c
3
krl.c
@ -18,6 +18,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */
|
||||
|
||||
#include <sys/types.h>
|
||||
#include <sys/param.h>
|
||||
#include <openbsd-compat/sys-tree.h>
|
||||
@ -1282,3 +1284,4 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
|
||||
errno = oerrno;
|
||||
return r;
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
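Review bot: Gating all of krl.c behind `WITH_OPENSSL` removes `ssh_krl_file_contains_key()` and the rest of the KRL API from the non-OpenSSL build without providing stubs, so every caller must be guarded the same way; ssh-keygen's `-k`/`-Q` paths are handled in this commit, but the sshd/auth RevokedKeys callers are not in this diff and should be checked. The functional consequence deserves a sentence next to the `XXX` note, e.g. `/* KRL parsing uses BIGNUM for serial ranges; without OpenSSL there is no KRL support at all. */`, with the RevokedKeys impact added once confirmed against those callers.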
4
moduli.c
4
moduli.c
@ -39,6 +39,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/param.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -802,3 +804,5 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
|
||||
|
||||
return (res);
|
||||
}
|
||||
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -151,8 +151,10 @@ mm_request_receive(int sock, Buffer *m)
|
||||
debug3("%s entering", __func__);
|
||||
|
||||
if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
|
||||
if (errno == EPIPE)
|
||||
if (errno == EPIPE) {
|
||||
error("%s: socket closed", __func__);
|
||||
cleanup_exit(255);
|
||||
}
|
||||
fatal("%s: read: %s", __func__, strerror(errno));
|
||||
}
|
||||
msg_len = get_u32(buf);
|
||||
|
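Review bot: This hunk changes error handling in `mm_request_receive()` that is unrelated to `--without-openssl`: the EPIPE path now exits through `cleanup_exit(255)` after `error()` instead of falling through to `fatal("%s: read: %s", ...)`, so the failure is reported once at error level rather than a second time at fatal level. The change is reasonable but belongs in its own commit, or at least a mention in this commit message. `mm_request_receive()` starts and ends outside the hunk.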
@ -16,7 +16,7 @@ RANLIB=@RANLIB@
|
||||
INSTALL=@INSTALL@
|
||||
LDFLAGS=-L. @LDFLAGS@
|
||||
|
||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
|
||||
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
|
||||
|
||||
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o
|
||||
|
||||
|
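Review bot: The rewritten `OPENBSD=` line still lists `blowfish.o` and `bcrypt_pbkdf.o` twice (once near the start, once at the end); since the line is being edited to add `sha1.o`, `rmd160.o` and `md5.o`, this is the moment to drop the duplicates. The three new digest objects are compiled unconditionally, so presumably each source guards itself the way sha2.c does in this commit (`_NEED_SHA2`) and compiles to nothing when OpenSSL supplies the algorithm; a one-line comment above the list saying so would save the next reader a trip through those files, and the assumption should be confirmed for sha1.c, rmd160.c and md5.c, which are not in this diff.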
@ -26,15 +26,19 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <fcntl.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/types.h>
|
||||
|
||||
#ifndef HAVE_ARC4RANDOM
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/err.h>
|
||||
#endif
|
||||
|
||||
#include "log.h"
|
||||
|
||||
@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n)
|
||||
chacha_ivsetup(&rs, buf + KEYSZ);
|
||||
}
|
||||
|
||||
#ifndef WITH_OPENSSL
|
||||
#define SSH_RANDOM_DEV "/dev/urandom"
|
||||
/* XXX use getrandom() if supported on Linux */
|
||||
static void
|
||||
getrnd(u_char *s, size_t len)
|
||||
{
|
||||
int fd;
|
||||
ssize_t r;
|
||||
size_t o = 0;
|
||||
|
||||
if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1)
|
||||
fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno));
|
||||
while (o < len) {
|
||||
r = read(fd, s + o, len - o);
|
||||
if (r < 0) {
|
||||
if (errno == EAGAIN || errno == EINTR ||
|
||||
errno == EWOULDBLOCK)
|
||||
continue;
|
||||
fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno));
|
||||
}
|
||||
o += r;
|
||||
}
|
||||
close(fd);
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
_rs_stir(void)
|
||||
{
|
||||
u_char rnd[KEYSZ + IVSZ];
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
|
||||
fatal("Couldn't obtain random bytes (error %ld)",
|
||||
ERR_get_error());
|
||||
#else
|
||||
getrnd(rnd, sizeof(rnd));
|
||||
#endif
|
||||
|
||||
if (!rs_initialized) {
|
||||
rs_initialized = 1;
|
||||
|
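Review bot: `getrnd()` loops forever if `read()` returns 0: `o += r` adds nothing and the `while (o < len)` condition never changes, so an empty or truncated file at `/dev/urandom` (possible inside a chroot or a mis-populated `/dev`) hangs the process instead of failing closed. Treat EOF as fatal, e.g. `if (r == 0) fatal("read %s: EOF", SSH_RANDOM_DEV);` before `o += r;`. It is also worth rejecting anything that is not a character device after `open()` (an `fstat()`/`S_ISCHR` check) so that a regular file placed at that path cannot silently supply the seed. The `EAGAIN`/`EWOULDBLOCK` `continue` retries spin without a wait, which is tolerable only because the device is not expected to return them; a short comment saying so would help.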
@ -32,6 +32,9 @@
|
||||
#endif
|
||||
|
||||
#include "crypto_api.h"
|
||||
#ifdef SHA512_DIGEST_LENGTH
|
||||
# undef SHA512_DIGEST_LENGTH
|
||||
#endif
|
||||
#define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES
|
||||
|
||||
/*
|
||||
|
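Review bot: The `#undef`/`#define` of `SHA512_DIGEST_LENGTH` to `crypto_hash_sha512_BYTES` silently changes the meaning of a macro that sha2.h (and OpenSSL's headers) also define, for the rest of this translation unit. If both values are 64 it is harmless, but it is fragile: any later code in the file that uses the compat `SHA512_CTX` API will read a size that did not come from that API. Prefer `crypto_hash_sha512_BYTES` at the use sites, or, if both macros expand to integer constants, add `#if SHA512_DIGEST_LENGTH != crypto_hash_sha512_BYTES` / `#error` before the redefinition so a mismatch is caught at compile time rather than hidden.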
@ -43,7 +43,10 @@
|
||||
#include "readpassphrase.h"
|
||||
#include "vis.h"
|
||||
#include "getrrsetbyname.h"
|
||||
#include "sha1.h"
|
||||
#include "sha2.h"
|
||||
#include "rmd160.h"
|
||||
#include "md5.h"
|
||||
#include "blf.h"
|
||||
|
||||
#ifndef HAVE_BASENAME
|
||||
|
@ -19,6 +19,8 @@
|
||||
#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <stdarg.h>
|
||||
#include <string.h>
|
||||
|
||||
@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void)
|
||||
OPENSSL_config(NULL);
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -20,6 +20,8 @@
|
||||
#define _OPENSSL_COMPAT_H
|
||||
|
||||
#include "includes.h"
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rsa.h>
|
||||
@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void);
|
||||
|
||||
#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
|
||||
|
||||
#endif /* WITH_OPENSSL */
|
||||
#endif /* _OPENSSL_COMPAT_H */
|
||||
|
@ -38,13 +38,18 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
#ifdef WITH_OPENSSL
|
||||
# include <openssl/opensslv.h>
|
||||
# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
# define _NEED_SHA2 1
|
||||
# endif
|
||||
#else
|
||||
# define _NEED_SHA2 1
|
||||
#endif
|
||||
|
||||
#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
|
||||
|
||||
#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
|
||||
(OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
#include <sys/types.h>
|
||||
#include <string.h>
|
||||
#include "sha2.h"
|
||||
|
||||
/*
|
||||
* UNROLLED TRANSFORM LOOP NOTE:
|
||||
@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
|
||||
}
|
||||
|
||||
|
||||
#if 0
|
||||
/*** SHA-384: *********************************************************/
|
||||
void
|
||||
SHA384_Init(SHA384_CTX *context)
|
||||
@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context)
|
||||
context->bitcount[0] = context->bitcount[1] = 0;
|
||||
}
|
||||
|
||||
#if 0
|
||||
__weak_alias(SHA384_Transform, SHA512_Transform);
|
||||
__weak_alias(SHA384_Update, SHA512_Update);
|
||||
__weak_alias(SHA384_Pad, SHA512_Pad);
|
||||
#endif
|
||||
|
||||
void
|
||||
SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
|
||||
{
|
||||
return SHA512_Transform(state, data);
|
||||
}
|
||||
|
||||
void
|
||||
SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
|
||||
{
|
||||
SHA512_Update(context, data, len);
|
||||
}
|
||||
|
||||
void
|
||||
SHA384_Pad(SHA512_CTX *context)
|
||||
{
|
||||
SHA512_Pad(context);
|
||||
}
|
||||
|
||||
void
|
||||
SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
|
||||
@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
|
||||
/* Zero out state data */
|
||||
memset(context, 0, sizeof(*context));
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
|
||||
(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
|
||||
#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */
|
||||
|
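Review bot: `SHA384_Transform()` is declared `void` but its body is `return SHA512_Transform(state, data);`; a `return` with an expression in a void function is a constraint violation in ISO C (GCC only warns under `-pedantic`), and the sibling wrappers `SHA384_Update()` and `SHA384_Pad()` correctly omit it. Change the line to `SHA512_Transform(state, data);`. Two smaller points: `_NEED_SHA2` is a reserved identifier (leading underscore followed by an uppercase letter), so a project-prefixed name such as `SSH_NEED_SHA2` would be safer, and the `#if 0`'d `__weak_alias` block is now dead code that the explicit wrappers replace and can be deleted.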
@ -41,10 +41,16 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#include <openssl/opensslv.h>
|
||||
#ifdef WITH_OPENSSL
|
||||
# include <openssl/opensslv.h>
|
||||
# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
# define _NEED_SHA2 1
|
||||
# endif
|
||||
#else
|
||||
# define _NEED_SHA2 1
|
||||
#endif
|
||||
|
||||
#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
|
||||
(OPENSSL_VERSION_NUMBER >= 0x00907000L)
|
||||
#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
|
||||
|
||||
/*** SHA-256/384/512 Various Length Definitions ***********************/
|
||||
#define SHA256_BLOCK_LENGTH 64
|
||||
@ -70,9 +76,7 @@ typedef struct _SHA512_CTX {
|
||||
u_int8_t buffer[SHA512_BLOCK_LENGTH];
|
||||
} SHA512_CTX;
|
||||
|
||||
#if 0
|
||||
typedef SHA512_CTX SHA384_CTX;
|
||||
#endif
|
||||
|
||||
void SHA256_Init(SHA256_CTX *);
|
||||
void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
|
||||
@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *)
|
||||
__attribute__((__bounded__(__string__,1,2)))
|
||||
__attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
|
||||
|
||||
#if 0
|
||||
void SHA384_Init(SHA384_CTX *);
|
||||
void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
|
||||
void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
|
||||
@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t)
|
||||
char *SHA384_Data(const u_int8_t *, size_t, char *)
|
||||
__attribute__((__bounded__(__string__,1,2)))
|
||||
__attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
|
||||
#endif /* 0 */
|
||||
|
||||
void SHA512_Init(SHA512_CTX *);
|
||||
void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
|
||||
@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *)
|
||||
__attribute__((__bounded__(__string__,1,2)))
|
||||
__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
|
||||
|
||||
#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
|
||||
(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
|
||||
#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */
|
||||
|
||||
#endif /* _SSHSHA2_H */
|
||||
|
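Review bot: The `_NEED_SHA2` computation here duplicates, line for line, the one added to sha2.c, which includes this header only after doing its own copy; the two stay consistent today only because the replacement lists are identical (a differing `#define` would be a redefinition error). Computing it once in this header and letting sha2.c rely on the include would remove the duplication. As in sha2.c, the leading-underscore name is reserved for the implementation; a project-prefixed name avoids that.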
@ -57,7 +57,7 @@
|
||||
# include "md5crypt.h"
|
||||
# endif
|
||||
|
||||
# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
|
||||
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
|
||||
# include <openssl/des.h>
|
||||
# define crypt DES_crypt
|
||||
# endif
|
||||
|
2
packet.c
2
packet.c
@ -1612,6 +1612,7 @@ packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point)
|
||||
buffer_get_ecpoint(&active_state->incoming_packet, curve, point);
|
||||
}
|
||||
#endif
|
||||
#endif
|
||||
|
||||
void *
|
||||
packet_get_raw(u_int *length_ptr)
|
||||
@ -1622,7 +1623,6 @@ packet_get_raw(u_int *length_ptr)
|
||||
*length_ptr = bytes;
|
||||
return buffer_ptr(&active_state->incoming_packet);
|
||||
}
|
||||
#endif
|
||||
|
||||
int
|
||||
packet_remaining(void)
|
||||
|
@ -70,11 +70,13 @@ extern char *__progname;
|
||||
|
||||
/* Default files to add */
|
||||
static char *default_files[] = {
|
||||
#ifdef WITH_OPENSSL
|
||||
_PATH_SSH_CLIENT_ID_RSA,
|
||||
_PATH_SSH_CLIENT_ID_DSA,
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
_PATH_SSH_CLIENT_ID_ECDSA,
|
||||
#endif
|
||||
#endif /* WITH_OPENSSL */
|
||||
_PATH_SSH_CLIENT_ID_ED25519,
|
||||
_PATH_SSH_CLIENT_IDENTITY,
|
||||
NULL
|
||||
@ -440,7 +442,9 @@ main(int argc, char **argv)
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
seed_rng();
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
|
||||
setvbuf(stdout, NULL, _IOLBF, 0);
|
||||
|
||||
|
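Review bot: In the non-OpenSSL build the `default_files` list still ends with `_PATH_SSH_CLIENT_IDENTITY`, the protocol-1 RSA identity, even though RSA and protocol 1 need OpenSSL; only the protocol-2 RSA/DSA/ECDSA paths were moved under `#ifdef WITH_OPENSSL`. If loading it fails gracefully this is merely wasted work, but for consistency it should sit under the same guard (or under `WITH_SSH1`, which is not visible in this hunk). Keeping `seed_rng()` outside the guard in `main()` is correct given the entropy.c stub.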
@ -25,6 +25,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/bn.h>
|
||||
@ -217,3 +219,4 @@ ssh_dss_verify(const struct sshkey *key,
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
@ -26,7 +26,7 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef OPENSSL_HAS_ECC
|
||||
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
@ -189,4 +189,4 @@ ssh_ecdsa_verify(const struct sshkey *key,
|
||||
return ret;
|
||||
}
|
||||
|
||||
#endif /* OPENSSL_HAS_ECC */
|
||||
#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */
|
||||
|
22
ssh-keygen.c
22
ssh-keygen.c
@ -19,9 +19,11 @@
|
||||
#include <sys/stat.h>
|
||||
#include <sys/param.h>
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/pem.h>
|
||||
#include "openbsd-compat/openssl-compat.h"
|
||||
#endif
|
||||
|
||||
#include <errno.h>
|
||||
#include <fcntl.h>
|
||||
@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,
|
||||
static void
|
||||
type_bits_valid(int type, u_int32_t *bitsp)
|
||||
{
|
||||
#ifdef WITH_OPENSSL
|
||||
u_int maxbits;
|
||||
#endif
|
||||
|
||||
if (type == KEY_UNSPEC) {
|
||||
fprintf(stderr, "unknown key type %s\n", key_type_name);
|
||||
@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp)
|
||||
else
|
||||
*bitsp = DEFAULT_BITS;
|
||||
}
|
||||
#ifdef WITH_OPENSSL
|
||||
maxbits = (type == KEY_DSA) ?
|
||||
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
|
||||
if (*bitsp > maxbits) {
|
||||
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
|
||||
exit(1);
|
||||
}
|
||||
#ifdef WITH_OPENSSL
|
||||
if (type == KEY_DSA && *bitsp != 1024)
|
||||
fatal("DSA keys must be 1024 bits");
|
||||
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
|
||||
@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
|
||||
fclose(krl_spec);
|
||||
free(path);
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
||||
static void
|
||||
do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
|
||||
{
|
||||
#ifdef WITH_OPENSSL
|
||||
struct ssh_krl *krl;
|
||||
struct stat sb;
|
||||
Key *ca = NULL;
|
||||
@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
|
||||
ssh_krl_free(krl);
|
||||
if (ca != NULL)
|
||||
key_free(ca);
|
||||
#else /* WITH_OPENSSL */
|
||||
fatal("KRLs not supported without OpenSSL");
|
||||
#endif /* WITH_OPENSSL */
|
||||
}
|
||||
|
||||
static void
|
||||
do_check_krl(struct passwd *pw, int argc, char **argv)
|
||||
{
|
||||
#ifdef WITH_OPENSSL
|
||||
int i, r, ret = 0;
|
||||
char *comment;
|
||||
struct ssh_krl *krl;
|
||||
@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
|
||||
}
|
||||
ssh_krl_free(krl);
|
||||
exit(ret);
|
||||
#else /* WITH_OPENSSL */
|
||||
fatal("KRLs not supported without OpenSSL");
|
||||
#endif /* WITH_OPENSSL */
|
||||
}
|
||||
#endif
|
||||
|
||||
static void
|
||||
usage(void)
|
||||
@ -2249,7 +2261,9 @@ main(int argc, char **argv)
|
||||
|
||||
__progname = ssh_get_progname(argv[0]);
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
OpenSSL_add_all_algorithms();
|
||||
#endif
|
||||
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
|
||||
|
||||
seed_rng();
|
||||
@ -2427,6 +2441,7 @@ main(int argc, char **argv)
|
||||
fatal("Invalid number: %s (%s)",
|
||||
optarg, errstr);
|
||||
break;
|
||||
#ifdef WITH_OPENSSL
|
||||
case 'M':
|
||||
memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
|
||||
if (errstr)
|
||||
@ -2454,6 +2469,7 @@ main(int argc, char **argv)
|
||||
if (BN_hex2bn(&start, optarg) == 0)
|
||||
fatal("Invalid start point.");
|
||||
break;
|
||||
#endif /* WITH_OPENSSL */
|
||||
case 'V':
|
||||
parse_cert_times(optarg);
|
||||
break;
|
||||
@ -2493,7 +2509,6 @@ main(int argc, char **argv)
|
||||
printf("Cannot use -l with -H or -R.\n");
|
||||
usage();
|
||||
}
|
||||
#ifdef WITH_OPENSSL
|
||||
if (gen_krl) {
|
||||
do_gen_krl(pw, update_krl, argc, argv);
|
||||
return (0);
|
||||
@ -2502,7 +2517,6 @@ main(int argc, char **argv)
|
||||
do_check_krl(pw, argc, argv);
|
||||
return (0);
|
||||
}
|
||||
#endif
|
||||
if (ca_key_path != NULL) {
|
||||
if (cert_key_id == NULL)
|
||||
fatal("Must specify key id (-I) when certifying");
|
||||
|
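Review bot: The new `#else` branches of `do_gen_krl()` and `do_check_krl()` leave every parameter unused in the non-OpenSSL build (`pw`, `updating`, `argc`, `argv`), which `-Wunused-parameter` will flag; either cast them to `(void)` in the `#else` branch or keep the whole definition guarded and provide stubs, as the removed `#ifdef WITH_OPENSSL` around the `-k`/`-Q` dispatch in `main()` effectively did. With the moduli-generation cases (from `case 'M':` through the `BN_hex2bn(&start, ...)` start-point parsing) now under `#ifdef WITH_OPENSSL`, those option letters fall to the switch's default, so `usage()` and the manual page should say that moduli and KRL options require OpenSSL; `usage()` is not in this hunk.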
@ -35,9 +35,11 @@
|
||||
#include <string.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/rand.h>
|
||||
#include <openssl/rsa.h>
|
||||
#endif
|
||||
|
||||
#include "xmalloc.h"
|
||||
#include "log.h"
|
||||
@ -161,7 +163,9 @@ main(int argc, char **argv)
|
||||
u_char *signature, *data;
|
||||
char *host, *fp;
|
||||
u_int slen, dlen;
|
||||
#ifdef WITH_OPENSSL
|
||||
u_int32_t rnd[256];
|
||||
#endif
|
||||
|
||||
/* Ensure that stdin and stdout are connected */
|
||||
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
|
||||
@ -204,9 +208,11 @@ main(int argc, char **argv)
|
||||
if (found == 0)
|
||||
fatal("could not open any host key");
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
OpenSSL_add_all_algorithms();
|
||||
arc4random_buf(rnd, sizeof(rnd));
|
||||
RAND_seed(rnd, sizeof(rnd));
|
||||
#endif
|
||||
|
||||
found = 0;
|
||||
for (i = 0; i < NUM_KEYTYPES; i++) {
|
||||
|
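Review bot: Under `#ifdef WITH_OPENSSL`, `rnd` is passed to `RAND_seed()` and then left in place on the stack, whereas the equivalent sequences in sshd.c in this same commit (`privsep_preauth_child()`, `privsep_postauth()`, `server_accept_loop()`) follow `RAND_seed()` with `explicit_bzero(rnd, sizeof(rnd))`. Add `explicit_bzero(rnd, sizeof(rnd));` after `RAND_seed(rnd, sizeof(rnd));` here for consistency, so seed material does not outlive its use. `main()` continues outside the hunk.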
@ -17,6 +17,8 @@
|
||||
|
||||
#include "includes.h"
|
||||
|
||||
#ifdef WITH_OPENSSL
|
||||
|
||||
#include <sys/types.h>
|
||||
|
||||
#include <openssl/evp.h>
|
||||
@ -263,3 +265,4 @@ done:
|
||||
}
|
||||
return ret;
|
||||
}
|
||||
#endif /* WITH_OPENSSL */
|
||||
|
10
sshd.c
10
sshd.c
@ -623,7 +623,9 @@ privsep_preauth_child(void)
|
||||
|
||||
arc4random_stir();
|
||||
arc4random_buf(rnd, sizeof(rnd));
|
||||
#ifdef WITH_OPENSSL
|
||||
RAND_seed(rnd, sizeof(rnd));
|
||||
#endif
|
||||
explicit_bzero(rnd, sizeof(rnd));
|
||||
|
||||
/* Demote the private keys to public keys. */
|
||||
@ -758,7 +760,9 @@ privsep_postauth(Authctxt *authctxt)
|
||||
|
||||
arc4random_stir();
|
||||
arc4random_buf(rnd, sizeof(rnd));
|
||||
#ifdef WITH_OPENSSL
|
||||
RAND_seed(rnd, sizeof(rnd));
|
||||
#endif
|
||||
explicit_bzero(rnd, sizeof(rnd));
|
||||
|
||||
/* Drop privileges */
|
||||
@ -988,7 +992,7 @@ send_rexec_state(int fd, Buffer *conf)
|
||||
#endif
|
||||
buffer_put_int(&m, 0);
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
|
||||
rexec_send_rng_seed(&m);
|
||||
#endif
|
||||
|
||||
@ -1041,7 +1045,7 @@ recv_rexec_state(int fd, Buffer *conf)
|
||||
#endif
|
||||
}
|
||||
|
||||
#ifndef OPENSSL_PRNG_ONLY
|
||||
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
|
||||
rexec_recv_rng_seed(&m);
|
||||
#endif
|
||||
|
||||
@ -1372,7 +1376,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
|
||||
*/
|
||||
arc4random_stir();
|
||||
arc4random_buf(rnd, sizeof(rnd));
|
||||
#ifdef WITH_OPENSSL
|
||||
RAND_seed(rnd, sizeof(rnd));
|
||||
#endif
|
||||
explicit_bzero(rnd, sizeof(rnd));
|
||||
}
|
||||
|
||||
|
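Review bot: In the three hunks for `privsep_preauth_child()`, `privsep_postauth()` and `server_accept_loop()`, only `RAND_seed()` is guarded, so a non-OpenSSL build still calls `arc4random_buf(rnd, sizeof(rnd))` and `explicit_bzero(rnd, sizeof(rnd))` on a buffer nothing reads; `arc4random_stir()` is the call that matters after `fork()` and is correctly left unconditional. Moving `arc4random_buf()` and `explicit_bzero()` inside the same `#ifdef WITH_OPENSSL` (or guarding `rnd`'s declaration, which is outside the hunks) avoids the dead work and a likely set-but-unused warning. The `rexec_send_rng_seed()`/`rexec_recv_rng_seed()` guards in the two middle hunks are symmetric, which is what matters for the rexec state format.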