Remove workarounds for OpenSSL missing AES-GCM.

We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES GCM mode.  Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have GCM, so this is no longer needed.  ok djm@
This commit is contained in:
Darren Tucker 2022-07-25 21:43:00 +10:00
parent 5a4a9f7a96
commit b7c56b65c1
3 changed files with 0 additions and 49 deletions

View File

@ -94,12 +94,10 @@ static const struct sshcipher ciphers[] = {
{ "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr }, { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
{ "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr }, { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
{ "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr }, { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
# ifdef OPENSSL_HAVE_EVPGCM
{ "aes128-gcm@openssh.com", { "aes128-gcm@openssh.com",
16, 16, 12, 16, 0, EVP_aes_128_gcm }, 16, 16, 12, 16, 0, EVP_aes_128_gcm },
{ "aes256-gcm@openssh.com", { "aes256-gcm@openssh.com",
16, 32, 12, 16, 0, EVP_aes_256_gcm }, 16, 32, 12, 16, 0, EVP_aes_256_gcm },
# endif /* OPENSSL_HAVE_EVPGCM */
#else #else
{ "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL }, { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
{ "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL }, { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },

View File

@ -2892,7 +2892,6 @@ if test "x$openssl" = "xyes" ; then
BN_is_prime_ex \ BN_is_prime_ex \
DES_crypt \ DES_crypt \
DSA_generate_parameters_ex \ DSA_generate_parameters_ex \
EVP_CIPHER_CTX_ctrl \
EVP_DigestFinal_ex \ EVP_DigestFinal_ex \
EVP_DigestInit_ex \ EVP_DigestInit_ex \
EVP_MD_CTX_cleanup \ EVP_MD_CTX_cleanup \
@ -3009,35 +3008,6 @@ if test "x$openssl" = "xyes" ; then
] ]
) )
# Check for OpenSSL with EVP_aes_*gcm
AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[
#include <stdlib.h>
#include <string.h>
#include <openssl/evp.h>
]], [[
exit(EVP_aes_128_gcm() == NULL ||
EVP_aes_256_gcm() == NULL ||
EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
EVP_CTRL_GCM_IV_GEN == 0 ||
EVP_CTRL_GCM_SET_TAG == 0 ||
EVP_CTRL_GCM_GET_TAG == 0 ||
EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
]])],
[
AC_MSG_RESULT([yes])
AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
[libcrypto has EVP AES GCM])
],
[
AC_MSG_RESULT([no])
unsupported_algorithms="$unsupported_cipers \
aes128-gcm@openssh.com \
aes256-gcm@openssh.com"
]
)
AC_MSG_CHECKING([if EVP_DigestUpdate returns an int]) AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
AC_LINK_IFELSE( AC_LINK_IFELSE(
[AC_LANG_PROGRAM([[ [AC_LANG_PROGRAM([[

View File

@ -76,23 +76,6 @@ const EVP_CIPHER *evp_aes_128_ctr(void);
void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
#endif #endif
/* Avoid some #ifdef. Code that uses these is unreachable without GCM */
#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED)
# define EVP_CTRL_GCM_SET_IV_FIXED -1
# define EVP_CTRL_GCM_IV_GEN -1
# define EVP_CTRL_GCM_SET_TAG -1
# define EVP_CTRL_GCM_GET_TAG -1
#endif
/* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */
#ifndef HAVE_EVP_CIPHER_CTX_CTRL
# ifdef OPENSSL_HAVE_EVPGCM
# error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */
# else
# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)
# endif
#endif
/* LibreSSL/OpenSSL 1.1x API compat */ /* LibreSSL/OpenSSL 1.1x API compat */
#ifndef HAVE_DSA_GET0_PQG #ifndef HAVE_DSA_GET0_PQG
void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,