support --without-openssl at configure time

Disables and removes dependency on OpenSSL. Many features don't
work and the set of crypto options is greatly restricted. This
will only work on system with native arc4random or /dev/urandom.

Considered highly experimental for now.
This commit is contained in:
Damien Miller 2015-01-15 02:21:31 +11:00
parent 4f38c61c68
commit 72ef7c148c
40 changed files with 709 additions and 511 deletions

View File

@ -76,7 +76,7 @@ LIBOPENSSH_OBJS=\
LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
authfd.o authfile.o bufaux.o bufbn.o buffer.o \
canohost.o channels.o cipher.o cipher-aes.o \
canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
cipher-bf1.o cipher-ctr.o cipher-3des1.o cleanup.o \
compat.o compress.o crc32.o deattack.o fatal.o hostfile.o \
log.o match.o md-sha256.o moduli.o nchan.o packet.o \
@ -87,7 +87,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \
ssh-pkcs11.o smult_curve25519_ref.o \
kexc25519.o kexc25519c.o poly1305.o chacha.o cipher-chachapoly.o \
ssh-ed25519.o digest-openssl.o hmac.o \
ssh-ed25519.o digest-openssl.o digest-libc.o hmac.o \
sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o blocks.o
SSHOBJS= ssh.o readconf.o clientloop.o sshtty.o \

View File

@ -20,12 +20,15 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include "buffer.h"
#include "log.h"
#include "ssherr.h"
#ifdef WITH_SSH1
int
buffer_put_bignum_ret(Buffer *buffer, const BIGNUM *value)
{
@ -63,6 +66,7 @@ buffer_get_bignum(Buffer *buffer, BIGNUM *value)
if (buffer_get_bignum_ret(buffer, value) == -1)
fatal("%s: buffer error", __func__);
}
#endif /* WITH_SSH1 */
int
buffer_put_bignum2_ret(Buffer *buffer, const BIGNUM *value)
@ -101,3 +105,5 @@ buffer_get_bignum2(Buffer *buffer, BIGNUM *value)
if (buffer_get_bignum2_ret(buffer, value) == -1)
fatal("%s: buffer error", __func__);
}
#endif /* WITH_OPENSSL */

View File

@ -18,6 +18,8 @@
#include <sys/types.h>
#include <string.h>
#ifndef WITH_OPENSSL
#include "cipher-aesctr.h"
/*
@ -76,3 +78,4 @@ aesctr_encrypt_bytes(aesctr_ctx *x,const u8 *m,u8 *c,u32 bytes)
n = (n + 1) % AES_BLOCK_SIZE;
}
}
#endif /* !WITH_OPENSSL */

View File

@ -20,6 +20,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <stdarg.h>
@ -98,3 +100,4 @@ evp_ssh1_bf(void)
ssh1_bf.key_len = 32;
return (&ssh1_bf);
}
#endif /* WITH_OPENSSL */

View File

@ -16,7 +16,7 @@
*/
#include "includes.h"
#ifndef OPENSSL_HAVE_EVPCTR
#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
#include <sys/types.h>
#include <stdarg.h>
@ -143,4 +143,4 @@ evp_aes_128_ctr(void)
return (&aes_ctr);
}
#endif /* OPENSSL_HAVE_EVPCTR */
#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */

File diff suppressed because it is too large Load Diff

View File

@ -18,15 +18,19 @@
#include "includes.h"
#ifndef WITH_OPENSSL
#include <sys/types.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>
#if 0
#include <md5.h>
#include <rmd160.h>
#include <sha1.h>
#include <sha2.h>
#endif
#include "ssherr.h"
#include "sshbuf.h"
@ -89,30 +93,30 @@ const struct ssh_digest digests[SSH_DIGEST_MAX] = {
"SHA256",
SHA256_BLOCK_LENGTH,
SHA256_DIGEST_LENGTH,
sizeof(SHA2_CTX),
(md_init_fn *) SHA256Init,
(md_update_fn *) SHA256Update,
(md_final_fn *) SHA256Final
sizeof(SHA256_CTX),
(md_init_fn *) SHA256_Init,
(md_update_fn *) SHA256_Update,
(md_final_fn *) SHA256_Final
},
{
SSH_DIGEST_SHA384,
"SHA384",
SHA384_BLOCK_LENGTH,
SHA384_DIGEST_LENGTH,
sizeof(SHA2_CTX),
(md_init_fn *) SHA384Init,
(md_update_fn *) SHA384Update,
(md_final_fn *) SHA384Final
sizeof(SHA384_CTX),
(md_init_fn *) SHA384_Init,
(md_update_fn *) SHA384_Update,
(md_final_fn *) SHA384_Final
},
{
SSH_DIGEST_SHA512,
"SHA512",
SHA512_BLOCK_LENGTH,
SHA512_DIGEST_LENGTH,
sizeof(SHA2_CTX),
(md_init_fn *) SHA512Init,
(md_update_fn *) SHA512Update,
(md_final_fn *) SHA512Final
sizeof(SHA512_CTX),
(md_init_fn *) SHA512_Init,
(md_update_fn *) SHA512_Update,
(md_final_fn *) SHA512_Final
}
};
@ -257,3 +261,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
{
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
}
#endif /* !WITH_OPENSSL */

View File

@ -17,6 +17,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <limits.h>
#include <stdlib.h>
@ -200,3 +202,4 @@ ssh_digest_buffer(int alg, const struct sshbuf *b, u_char *d, size_t dlen)
{
return ssh_digest_memory(alg, sshbuf_ptr(b), sshbuf_len(b), d, dlen);
}
#endif /* WITH_OPENSSL */

View File

@ -24,6 +24,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <sys/socket.h>
#ifdef HAVE_SYS_UN_H
@ -230,3 +232,13 @@ seed_rng(void)
if (RAND_status() != 1)
fatal("PRNG is not seeded");
}
#else /* WITH_OPENSSL */
/* Handled in arc4random() */
void
seed_rng(void)
{
}
#endif /* WITH_OPENSSL */

View File

@ -167,7 +167,9 @@
# endif
#endif
#ifdef WITH_OPENSSL
#include <openssl/opensslv.h> /* For OPENSSL_VERSION_NUMBER */
#endif
#include "defines.h"

4
kex.c
View File

@ -90,9 +90,9 @@ static const struct kexalg kexalgs[] = {
# endif /* OPENSSL_HAS_NISTP521 */
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL */
#ifdef HAVE_EVP_SHA256
#if defined(HAVE_EVP_SHA256) || !defined(WITH_OPENSSL)
{ KEX_CURVE25519_SHA256, KEX_C25519_SHA256, 0, SSH_DIGEST_SHA256 },
#endif /* HAVE_EVP_SHA256 */
#endif /* HAVE_EVP_SHA256 || !WITH_OPENSSL */
{ NULL, -1, -1, -1},
};

View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <signal.h>
@ -85,3 +87,4 @@ kex_dh_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(SSH_DIGEST_SHA1);
}
#endif /* WITH_OPENSSL */

View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/dh.h>
@ -159,3 +161,4 @@ kexdh_client(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <stdarg.h>
@ -158,3 +160,4 @@ kexdh_server(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

View File

@ -26,7 +26,7 @@
#include "includes.h"
#ifdef OPENSSL_HAS_ECC
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
@ -94,4 +94,4 @@ kex_ecdh_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
#endif /* OPENSSL_HAS_ECC */
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

View File

@ -26,6 +26,8 @@
#include "includes.h"
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
#include <stdio.h>
@ -42,8 +44,6 @@
#include "dh.h"
#include "ssh2.h"
#ifdef OPENSSL_HAS_ECC
#include <openssl/ecdh.h>
void
@ -156,10 +156,4 @@ kexecdh_client(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#else /* OPENSSL_HAS_ECC */
void
kexecdh_client(Kex *kex)
{
fatal("ECC support is not enabled");
}
#endif /* OPENSSL_HAS_ECC */
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

View File

@ -26,6 +26,8 @@
#include "includes.h"
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
#include <string.h>
#include <signal.h>
@ -39,8 +41,6 @@
#include "packet.h"
#include "ssh2.h"
#ifdef OPENSSL_HAS_ECC
#include <openssl/ecdh.h>
void
@ -152,10 +152,4 @@ kexecdh_server(Kex *kex)
BN_clear_free(shared_secret);
kex_finish(kex);
}
#else /* OPENSSL_HAS_ECC */
void
kexecdh_server(Kex *kex)
{
fatal("ECC support is not enabled");
}
#endif /* OPENSSL_HAS_ECC */
#endif /* defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC) */

View File

@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/evp.h>
@ -96,3 +98,4 @@ kexgex_hash(
*hash = digest;
*hashlen = ssh_digest_bytes(hash_alg);
}
#endif /* WITH_OPENSSL */

View File

@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/dh.h>
@ -205,3 +207,4 @@ kexgex_client(Kex *kex)
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

View File

@ -26,6 +26,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/param.h>
#include <stdarg.h>
@ -206,3 +208,4 @@ kexgex_server(Kex *kex)
kex_finish(kex);
}
#endif /* WITH_OPENSSL */

3
krl.c
View File

@ -18,6 +18,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL /* XXX just fix bignums and this is good */
#include <sys/types.h>
#include <sys/param.h>
#include <openbsd-compat/sys-tree.h>
@ -1282,3 +1284,4 @@ ssh_krl_file_contains_key(const char *path, const struct sshkey *key)
errno = oerrno;
return r;
}
#endif /* WITH_OPENSSL */

View File

@ -39,6 +39,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/param.h>
#include <sys/types.h>
@ -802,3 +804,5 @@ prime_test(FILE *in, FILE *out, u_int32_t trials, u_int32_t generator_wanted,
return (res);
}
#endif /* WITH_OPENSSL */

View File

@ -151,8 +151,10 @@ mm_request_receive(int sock, Buffer *m)
debug3("%s entering", __func__);
if (atomicio(read, sock, buf, sizeof(buf)) != sizeof(buf)) {
if (errno == EPIPE)
if (errno == EPIPE) {
error("%s: socket closed", __func__);
cleanup_exit(255);
}
fatal("%s: read: %s", __func__, strerror(errno));
}
msg_len = get_u32(buf);

View File

@ -16,7 +16,7 @@ RANLIB=@RANLIB@
INSTALL=@INSTALL@
LDFLAGS=-L. @LDFLAGS@
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o reallocarray.o realpath.o rresvport.o setenv.o setproctitle.o sha1.o sha2.o rmd160.o md5.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o
COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o

View File

@ -26,15 +26,19 @@
#include "includes.h"
#include <sys/types.h>
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifndef HAVE_ARC4RANDOM
#ifdef WITH_OPENSSL
#include <openssl/rand.h>
#include <openssl/err.h>
#endif
#include "log.h"
@ -73,14 +77,44 @@ _rs_init(u_char *buf, size_t n)
chacha_ivsetup(&rs, buf + KEYSZ);
}
#ifndef WITH_OPENSSL
#define SSH_RANDOM_DEV "/dev/urandom"
/* XXX use getrandom() if supported on Linux */
static void
getrnd(u_char *s, size_t len)
{
int fd;
ssize_t r;
size_t o = 0;
if ((fd = open(SSH_RANDOM_DEV, O_RDONLY)) == -1)
fatal("Couldn't open %s: %s", SSH_RANDOM_DEV, strerror(errno));
while (o < len) {
r = read(fd, s + o, len - o);
if (r < 0) {
if (errno == EAGAIN || errno == EINTR ||
errno == EWOULDBLOCK)
continue;
fatal("read %s: %s", SSH_RANDOM_DEV, strerror(errno));
}
o += r;
}
close(fd);
}
#endif
static void
_rs_stir(void)
{
u_char rnd[KEYSZ + IVSZ];
#ifdef WITH_OPENSSL
if (RAND_bytes(rnd, sizeof(rnd)) <= 0)
fatal("Couldn't obtain random bytes (error %ld)",
ERR_get_error());
#else
getrnd(rnd, sizeof(rnd));
#endif
if (!rs_initialized) {
rs_initialized = 1;

View File

@ -32,6 +32,9 @@
#endif
#include "crypto_api.h"
#ifdef SHA512_DIGEST_LENGTH
# undef SHA512_DIGEST_LENGTH
#endif
#define SHA512_DIGEST_LENGTH crypto_hash_sha512_BYTES
/*

View File

@ -43,7 +43,10 @@
#include "readpassphrase.h"
#include "vis.h"
#include "getrrsetbyname.h"
#include "sha1.h"
#include "sha2.h"
#include "rmd160.h"
#include "md5.h"
#include "blf.h"
#ifndef HAVE_BASENAME

View File

@ -19,6 +19,8 @@
#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS
#include "includes.h"
#ifdef WITH_OPENSSL
#include <stdarg.h>
#include <string.h>
@ -78,3 +80,5 @@ ssh_OpenSSL_add_all_algorithms(void)
OPENSSL_config(NULL);
}
#endif
#endif /* WITH_OPENSSL */

View File

@ -20,6 +20,8 @@
#define _OPENSSL_COMPAT_H
#include "includes.h"
#ifdef WITH_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/rsa.h>
@ -90,4 +92,5 @@ void ssh_OpenSSL_add_all_algorithms(void);
#endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */
#endif /* WITH_OPENSSL */
#endif /* _OPENSSL_COMPAT_H */

View File

@ -38,13 +38,18 @@
#include "includes.h"
#include <openssl/opensslv.h>
#ifdef WITH_OPENSSL
# include <openssl/opensslv.h>
# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
# define _NEED_SHA2 1
# endif
#else
# define _NEED_SHA2 1
#endif
#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L)
#include <sys/types.h>
#include <string.h>
#include "sha2.h"
/*
* UNROLLED TRANSFORM LOOP NOTE:
@ -838,7 +843,6 @@ SHA512_Final(u_int8_t digest[SHA512_DIGEST_LENGTH], SHA512_CTX *context)
}
#if 0
/*** SHA-384: *********************************************************/
void
SHA384_Init(SHA384_CTX *context)
@ -851,9 +855,29 @@ SHA384_Init(SHA384_CTX *context)
context->bitcount[0] = context->bitcount[1] = 0;
}
#if 0
__weak_alias(SHA384_Transform, SHA512_Transform);
__weak_alias(SHA384_Update, SHA512_Update);
__weak_alias(SHA384_Pad, SHA512_Pad);
#endif
void
SHA384_Transform(u_int64_t state[8], const u_int8_t data[SHA512_BLOCK_LENGTH])
{
return SHA512_Transform(state, data);
}
void
SHA384_Update(SHA512_CTX *context, const u_int8_t *data, size_t len)
{
SHA512_Update(context, data, len);
}
void
SHA384_Pad(SHA512_CTX *context)
{
SHA512_Pad(context);
}
void
SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
@ -876,7 +900,5 @@ SHA384_Final(u_int8_t digest[SHA384_DIGEST_LENGTH], SHA384_CTX *context)
/* Zero out state data */
memset(context, 0, sizeof(*context));
}
#endif
#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */

View File

@ -41,10 +41,16 @@
#include "includes.h"
#include <openssl/opensslv.h>
#ifdef WITH_OPENSSL
# include <openssl/opensslv.h>
# if !defined(HAVE_EVP_SHA256) && (OPENSSL_VERSION_NUMBER >= 0x00907000L)
# define _NEED_SHA2 1
# endif
#else
# define _NEED_SHA2 1
#endif
#if !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L)
#if defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE)
/*** SHA-256/384/512 Various Length Definitions ***********************/
#define SHA256_BLOCK_LENGTH 64
@ -70,9 +76,7 @@ typedef struct _SHA512_CTX {
u_int8_t buffer[SHA512_BLOCK_LENGTH];
} SHA512_CTX;
#if 0
typedef SHA512_CTX SHA384_CTX;
#endif
void SHA256_Init(SHA256_CTX *);
void SHA256_Transform(u_int32_t state[8], const u_int8_t [SHA256_BLOCK_LENGTH]);
@ -91,7 +95,6 @@ char *SHA256_Data(const u_int8_t *, size_t, char *)
__attribute__((__bounded__(__string__,1,2)))
__attribute__((__bounded__(__minbytes__,3,SHA256_DIGEST_STRING_LENGTH)));
#if 0
void SHA384_Init(SHA384_CTX *);
void SHA384_Transform(u_int64_t state[8], const u_int8_t [SHA384_BLOCK_LENGTH]);
void SHA384_Update(SHA384_CTX *, const u_int8_t *, size_t)
@ -108,7 +111,6 @@ char *SHA384_FileChunk(const char *, char *, off_t, off_t)
char *SHA384_Data(const u_int8_t *, size_t, char *)
__attribute__((__bounded__(__string__,1,2)))
__attribute__((__bounded__(__minbytes__,3,SHA384_DIGEST_STRING_LENGTH)));
#endif /* 0 */
void SHA512_Init(SHA512_CTX *);
void SHA512_Transform(u_int64_t state[8], const u_int8_t [SHA512_BLOCK_LENGTH]);
@ -127,7 +129,6 @@ char *SHA512_Data(const u_int8_t *, size_t, char *)
__attribute__((__bounded__(__string__,1,2)))
__attribute__((__bounded__(__minbytes__,3,SHA512_DIGEST_STRING_LENGTH)));
#endif /* !defined(HAVE_EVP_SHA256) && !defined(HAVE_SHA256_UPDATE) && \
(OPENSSL_VERSION_NUMBER >= 0x00907000L) */
#endif /* defined(_NEED_SHA2) && !defined(HAVE_SHA256_UPDATE) */
#endif /* _SSHSHA2_H */

View File

@ -57,7 +57,7 @@
# include "md5crypt.h"
# endif
# if !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# if defined(WITH_OPENSSL) && !defined(HAVE_CRYPT) && defined(HAVE_DES_CRYPT)
# include <openssl/des.h>
# define crypt DES_crypt
# endif

View File

@ -1612,6 +1612,7 @@ packet_get_ecpoint(const EC_GROUP *curve, EC_POINT *point)
buffer_get_ecpoint(&active_state->incoming_packet, curve, point);
}
#endif
#endif
void *
packet_get_raw(u_int *length_ptr)
@ -1622,7 +1623,6 @@ packet_get_raw(u_int *length_ptr)
*length_ptr = bytes;
return buffer_ptr(&active_state->incoming_packet);
}
#endif
int
packet_remaining(void)

View File

@ -70,11 +70,13 @@ extern char *__progname;
/* Default files to add */
static char *default_files[] = {
#ifdef WITH_OPENSSL
_PATH_SSH_CLIENT_ID_RSA,
_PATH_SSH_CLIENT_ID_DSA,
#ifdef OPENSSL_HAS_ECC
_PATH_SSH_CLIENT_ID_ECDSA,
#endif
#endif /* WITH_OPENSSL */
_PATH_SSH_CLIENT_ID_ED25519,
_PATH_SSH_CLIENT_IDENTITY,
NULL
@ -440,7 +442,9 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
seed_rng();
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
setvbuf(stdout, NULL, _IOLBF, 0);

View File

@ -25,6 +25,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/bn.h>
@ -217,3 +219,4 @@ ssh_dss_verify(const struct sshkey *key,
}
return ret;
}
#endif /* WITH_OPENSSL */

View File

@ -26,7 +26,7 @@
#include "includes.h"
#ifdef OPENSSL_HAS_ECC
#if defined(WITH_OPENSSL) && defined(OPENSSL_HAS_ECC)
#include <sys/types.h>
@ -189,4 +189,4 @@ ssh_ecdsa_verify(const struct sshkey *key,
return ret;
}
#endif /* OPENSSL_HAS_ECC */
#endif /* WITH_OPENSSL && OPENSSL_HAS_ECC */

View File

@ -19,9 +19,11 @@
#include <sys/stat.h>
#include <sys/param.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#include <openssl/pem.h>
#include "openbsd-compat/openssl-compat.h"
#endif
#include <errno.h>
#include <fcntl.h>
@ -179,7 +181,9 @@ int prime_test(FILE *, FILE *, u_int32_t, u_int32_t, char *, unsigned long,
static void
type_bits_valid(int type, u_int32_t *bitsp)
{
#ifdef WITH_OPENSSL
u_int maxbits;
#endif
if (type == KEY_UNSPEC) {
fprintf(stderr, "unknown key type %s\n", key_type_name);
@ -193,13 +197,13 @@ type_bits_valid(int type, u_int32_t *bitsp)
else
*bitsp = DEFAULT_BITS;
}
#ifdef WITH_OPENSSL
maxbits = (type == KEY_DSA) ?
OPENSSL_DSA_MAX_MODULUS_BITS : OPENSSL_RSA_MAX_MODULUS_BITS;
if (*bitsp > maxbits) {
fprintf(stderr, "key bits exceeds maximum %d\n", maxbits);
exit(1);
}
#ifdef WITH_OPENSSL
if (type == KEY_DSA && *bitsp != 1024)
fatal("DSA keys must be 1024 bits");
else if (type != KEY_ECDSA && type != KEY_ED25519 && *bitsp < 768)
@ -2102,10 +2106,12 @@ update_krl_from_file(struct passwd *pw, const char *file, const Key *ca,
fclose(krl_spec);
free(path);
}
#endif /* WITH_OPENSSL */
static void
do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
{
#ifdef WITH_OPENSSL
struct ssh_krl *krl;
struct stat sb;
Key *ca = NULL;
@ -2155,11 +2161,15 @@ do_gen_krl(struct passwd *pw, int updating, int argc, char **argv)
ssh_krl_free(krl);
if (ca != NULL)
key_free(ca);
#else /* WITH_OPENSSL */
fatal("KRLs not supported without OpenSSL");
#endif /* WITH_OPENSSL */
}
static void
do_check_krl(struct passwd *pw, int argc, char **argv)
{
#ifdef WITH_OPENSSL
int i, r, ret = 0;
char *comment;
struct ssh_krl *krl;
@ -2182,8 +2192,10 @@ do_check_krl(struct passwd *pw, int argc, char **argv)
}
ssh_krl_free(krl);
exit(ret);
#else /* WITH_OPENSSL */
fatal("KRLs not supported without OpenSSL");
#endif /* WITH_OPENSSL */
}
#endif
static void
usage(void)
@ -2249,7 +2261,9 @@ main(int argc, char **argv)
__progname = ssh_get_progname(argv[0]);
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
#endif
log_init(argv[0], SYSLOG_LEVEL_INFO, SYSLOG_FACILITY_USER, 1);
seed_rng();
@ -2427,6 +2441,7 @@ main(int argc, char **argv)
fatal("Invalid number: %s (%s)",
optarg, errstr);
break;
#ifdef WITH_OPENSSL
case 'M':
memory = (u_int32_t)strtonum(optarg, 1, UINT_MAX, &errstr);
if (errstr)
@ -2454,6 +2469,7 @@ main(int argc, char **argv)
if (BN_hex2bn(&start, optarg) == 0)
fatal("Invalid start point.");
break;
#endif /* WITH_OPENSSL */
case 'V':
parse_cert_times(optarg);
break;
@ -2493,7 +2509,6 @@ main(int argc, char **argv)
printf("Cannot use -l with -H or -R.\n");
usage();
}
#ifdef WITH_OPENSSL
if (gen_krl) {
do_gen_krl(pw, update_krl, argc, argv);
return (0);
@ -2502,7 +2517,6 @@ main(int argc, char **argv)
do_check_krl(pw, argc, argv);
return (0);
}
#endif
if (ca_key_path != NULL) {
if (cert_key_id == NULL)
fatal("Must specify key id (-I) when certifying");

View File

@ -35,9 +35,11 @@
#include <string.h>
#include <unistd.h>
#ifdef WITH_OPENSSL
#include <openssl/evp.h>
#include <openssl/rand.h>
#include <openssl/rsa.h>
#endif
#include "xmalloc.h"
#include "log.h"
@ -161,7 +163,9 @@ main(int argc, char **argv)
u_char *signature, *data;
char *host, *fp;
u_int slen, dlen;
#ifdef WITH_OPENSSL
u_int32_t rnd[256];
#endif
/* Ensure that stdin and stdout are connected */
if ((fd = open(_PATH_DEVNULL, O_RDWR)) < 2)
@ -204,9 +208,11 @@ main(int argc, char **argv)
if (found == 0)
fatal("could not open any host key");
#ifdef WITH_OPENSSL
OpenSSL_add_all_algorithms();
arc4random_buf(rnd, sizeof(rnd));
RAND_seed(rnd, sizeof(rnd));
#endif
found = 0;
for (i = 0; i < NUM_KEYTYPES; i++) {

View File

@ -17,6 +17,8 @@
#include "includes.h"
#ifdef WITH_OPENSSL
#include <sys/types.h>
#include <openssl/evp.h>
@ -263,3 +265,4 @@ done:
}
return ret;
}
#endif /* WITH_OPENSSL */

10
sshd.c
View File

@ -623,7 +623,9 @@ privsep_preauth_child(void)
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
#ifdef WITH_OPENSSL
RAND_seed(rnd, sizeof(rnd));
#endif
explicit_bzero(rnd, sizeof(rnd));
/* Demote the private keys to public keys. */
@ -758,7 +760,9 @@ privsep_postauth(Authctxt *authctxt)
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
#ifdef WITH_OPENSSL
RAND_seed(rnd, sizeof(rnd));
#endif
explicit_bzero(rnd, sizeof(rnd));
/* Drop privileges */
@ -988,7 +992,7 @@ send_rexec_state(int fd, Buffer *conf)
#endif
buffer_put_int(&m, 0);
#ifndef OPENSSL_PRNG_ONLY
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
rexec_send_rng_seed(&m);
#endif
@ -1041,7 +1045,7 @@ recv_rexec_state(int fd, Buffer *conf)
#endif
}
#ifndef OPENSSL_PRNG_ONLY
#if defined(WITH_OPENSSL) && !defined(OPENSSL_PRNG_ONLY)
rexec_recv_rng_seed(&m);
#endif
@ -1372,7 +1376,9 @@ server_accept_loop(int *sock_in, int *sock_out, int *newsock, int *config_s)
*/
arc4random_stir();
arc4random_buf(rnd, sizeof(rnd));
#ifdef WITH_OPENSSL
RAND_seed(rnd, sizeof(rnd));
#endif
explicit_bzero(rnd, sizeof(rnd));
}