From 7280401bdd77ca54be6867a154cc01e0d72612e0 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 24 Mar 2023 13:56:25 +1100 Subject: [PATCH] remove support for old libcrypto OpenSSH now requires LibreSSL 3.1.0 or greater or OpenSSL 1.1.1 or greater with/ok dtucker@ --- .github/workflows/c-cpp.yml | 7 - INSTALL | 8 +- cipher-aes.c | 2 +- configure.ac | 96 ++--- openbsd-compat/libressl-api-compat.c | 556 +-------------------------- openbsd-compat/openssl-compat.h | 151 +------- 6 files changed, 40 insertions(+), 780 deletions(-) diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml index 3d9aa22db..d299a3246 100644 --- a/.github/workflows/c-cpp.yml +++ b/.github/workflows/c-cpp.yml @@ -47,9 +47,6 @@ jobs: - { target: ubuntu-20.04, config: tcmalloc } - { target: ubuntu-20.04, config: musl } - { target: ubuntu-latest, config: libressl-master } - - { target: ubuntu-latest, config: libressl-2.2.9 } - - { target: ubuntu-latest, config: libressl-2.8.3 } - - { target: ubuntu-latest, config: libressl-3.0.2 } - { target: ubuntu-latest, config: libressl-3.2.6 } - { target: ubuntu-latest, config: libressl-3.3.6 } - { target: ubuntu-latest, config: libressl-3.4.3 } @@ -58,10 +55,6 @@ jobs: - { target: ubuntu-latest, config: libressl-3.7.1 } - { target: ubuntu-latest, config: openssl-master } - { target: ubuntu-latest, config: openssl-noec } - - { target: ubuntu-latest, config: openssl-1.0.1 } - - { target: ubuntu-latest, config: openssl-1.0.1u } - - { target: ubuntu-latest, config: openssl-1.0.2u } - - { target: ubuntu-latest, config: openssl-1.1.0h } - { target: ubuntu-latest, config: openssl-1.1.1 } - { target: ubuntu-latest, config: openssl-1.1.1k } - { target: ubuntu-latest, config: openssl-1.1.1n } diff --git a/INSTALL b/INSTALL index 68b15e131..f99d1e2a8 100644 --- a/INSTALL +++ b/INSTALL @@ -21,12 +21,8 @@ https://zlib.net/ libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto is supported but severely restricts the available ciphers and algorithms. - - LibreSSL (https://www.libressl.org/) - - OpenSSL (https://www.openssl.org) with any of the following versions: - - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1 - -Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to -1.1.0g can't be used. + - LibreSSL (https://www.libressl.org/) 3.1.0 or greater + - OpenSSL (https://www.openssl.org) 1.1.1 or greater LibreSSL/OpenSSL should be compiled as a position-independent library (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC" diff --git a/cipher-aes.c b/cipher-aes.c index 8b1017272..87c763353 100644 --- a/cipher-aes.c +++ b/cipher-aes.c @@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv, static int ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src, - LIBCRYPTO_EVP_INL_TYPE len) + size_t len) { struct ssh_rijndael_ctx *c; u_char buf[RIJNDAEL_BLOCKSIZE]; diff --git a/configure.ac b/configure.ac index 22fee70f6..1c0ccdf19 100644 --- a/configure.ac +++ b/configure.ac @@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then #include #define DATA "conftest.ssllibver" ]], [[ - FILE *fd; - int rc; + FILE *f; - fd = fopen(DATA,"w"); - if(fd == NULL) + if ((f = fopen(DATA, "w")) == NULL) exit(1); -#ifndef OPENSSL_VERSION -# define OPENSSL_VERSION SSLEAY_VERSION -#endif -#ifndef HAVE_OPENSSL_VERSION -# define OpenSSL_version SSLeay_version -#endif -#ifndef HAVE_OPENSSL_VERSION_NUM -# define OpenSSL_version_num SSLeay -#endif - if ((rc = fprintf(fd, "%08lx (%s)\n", + if (fprintf(f, "%08lx (%s)", (unsigned long)OpenSSL_version_num(), - OpenSSL_version(OPENSSL_VERSION))) < 0) + OpenSSL_version(OPENSSL_VERSION)) < 0) + exit(1); +#ifdef LIBRESSL_VERSION_NUMBER + if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0) + exit(1); +#endif + if (fputc('\n', f) == EOF || fclose(f) == EOF) exit(1); - exit(0); ]])], [ - ssl_library_ver=`cat conftest.ssllibver` + sslver=`cat conftest.ssllibver` + ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'` # Check version is supported. - case "$ssl_library_ver" in - 10000*|0*) - AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")]) - ;; - 100*) ;; # 1.0.x - 101000[[0123456]]*) - # https://github.com/openssl/openssl/pull/4613 - AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")]) + case "$sslver" in + 100*|10100*) # 1.0.x, 1.1.0x + AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")]) ;; 101*) ;; # 1.1.x - 200*) ;; # LibreSSL + 200*) # LibreSSL + lver=`echo "$sslver" | sed 's/.*libressl-//'` + case "$lver" in + 2*|300*) # 2.x, 3.0.0 + AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")]) + ;; + *) ;; # Assume all other versions are good. + esac + ;; 300*) # OpenSSL 3; we use the 1.1x API CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" @@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L" ;; *) - AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")]) + AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")]) ;; esac - AC_MSG_RESULT([$ssl_library_ver]) + AC_MSG_RESULT([$ssl_showver]) ], [ AC_MSG_RESULT([not found]) @@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then case "$host" in x86_64-*) - case "$ssl_library_ver" in + case "$sslver" in 3000004*) AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)]) ;; @@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then #include #include ]], [[ -#ifndef HAVE_OPENSSL_VERSION_NUM -# define OpenSSL_version_num SSLeay -#endif exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1); ]])], [ @@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then ) ) - # LibreSSL/OpenSSL 1.1x API + # LibreSSL/OpenSSL API differences AC_CHECK_FUNCS([ \ - OPENSSL_init_crypto \ - DH_get0_key \ - DH_get0_pqg \ - DH_set0_key \ - DH_set_length \ - DH_set0_pqg \ - DSA_get0_key \ - DSA_get0_pqg \ - DSA_set0_key \ - DSA_set0_pqg \ - DSA_SIG_get0 \ - DSA_SIG_set0 \ - ECDSA_SIG_get0 \ - ECDSA_SIG_set0 \ EVP_CIPHER_CTX_iv \ EVP_CIPHER_CTX_iv_noconst \ EVP_CIPHER_CTX_get_iv \ EVP_CIPHER_CTX_get_updated_iv \ EVP_CIPHER_CTX_set_iv \ - RSA_get0_crt_params \ - RSA_get0_factors \ - RSA_get0_key \ - RSA_set0_crt_params \ - RSA_set0_factors \ - RSA_set0_key \ - RSA_meth_free \ - RSA_meth_dup \ - RSA_meth_set1_name \ - RSA_meth_get_finish \ - RSA_meth_set_priv_enc \ - RSA_meth_set_priv_dec \ - RSA_meth_set_finish \ - EVP_PKEY_get0_RSA \ - EVP_MD_CTX_new \ - EVP_MD_CTX_free \ - EVP_chacha20 \ ]) if test "x$openssl_engine" = "xyes" ; then @@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then ] ) - # Check for SHA256, SHA384 and SHA512 support in OpenSSL - AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512]) + # Check for various EVP support in OpenSSL + AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20]) # Check complete ECC support in OpenSSL AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1]) diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c index 498180dc8..59be17397 100644 --- a/openbsd-compat/libressl-api-compat.c +++ b/openbsd-compat/libressl-api-compat.c @@ -1,129 +1,5 @@ -/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */ -/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */ -/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */ -/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */ -/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */ -/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ - -/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */ -/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */ -/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */ -/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL - * project 2000. - */ -/* ==================================================================== - * Copyright (c) 2000-2005 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * licensing@OpenSSL.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). - * - */ - -/* $OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $ */ /* - * Copyright (c) 2018 Theo Buehler + * Copyright (c) 2018 Damien Miller * * Permission to use, copy, modify, and distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -147,192 +23,7 @@ #include #include -#include -#include -#include -#include #include -#ifdef OPENSSL_HAS_ECC -#include -#endif -#include - -#ifndef HAVE_DSA_GET0_PQG -void -DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -{ - if (p != NULL) - *p = d->p; - if (q != NULL) - *q = d->q; - if (g != NULL) - *g = d->g; -} -#endif /* HAVE_DSA_GET0_PQG */ - -#ifndef HAVE_DSA_SET0_PQG -int -DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g) -{ - if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) || - (d->g == NULL && g == NULL)) - return 0; - - if (p != NULL) { - BN_free(d->p); - d->p = p; - } - if (q != NULL) { - BN_free(d->q); - d->q = q; - } - if (g != NULL) { - BN_free(d->g); - d->g = g; - } - - return 1; -} -#endif /* HAVE_DSA_SET0_PQG */ - -#ifndef HAVE_DSA_GET0_KEY -void -DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key) -{ - if (pub_key != NULL) - *pub_key = d->pub_key; - if (priv_key != NULL) - *priv_key = d->priv_key; -} -#endif /* HAVE_DSA_GET0_KEY */ - -#ifndef HAVE_DSA_SET0_KEY -int -DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key) -{ - if (d->pub_key == NULL && pub_key == NULL) - return 0; - - if (pub_key != NULL) { - BN_free(d->pub_key); - d->pub_key = pub_key; - } - if (priv_key != NULL) { - BN_free(d->priv_key); - d->priv_key = priv_key; - } - - return 1; -} -#endif /* HAVE_DSA_SET0_KEY */ - -#ifndef HAVE_RSA_GET0_KEY -void -RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d) -{ - if (n != NULL) - *n = r->n; - if (e != NULL) - *e = r->e; - if (d != NULL) - *d = r->d; -} -#endif /* HAVE_RSA_GET0_KEY */ - -#ifndef HAVE_RSA_SET0_KEY -int -RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d) -{ - if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL)) - return 0; - - if (n != NULL) { - BN_free(r->n); - r->n = n; - } - if (e != NULL) { - BN_free(r->e); - r->e = e; - } - if (d != NULL) { - BN_free(r->d); - r->d = d; - } - - return 1; -} -#endif /* HAVE_RSA_SET0_KEY */ - -#ifndef HAVE_RSA_GET0_CRT_PARAMS -void -RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp) -{ - if (dmp1 != NULL) - *dmp1 = r->dmp1; - if (dmq1 != NULL) - *dmq1 = r->dmq1; - if (iqmp != NULL) - *iqmp = r->iqmp; -} -#endif /* HAVE_RSA_GET0_CRT_PARAMS */ - -#ifndef HAVE_RSA_SET0_CRT_PARAMS -int -RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp) -{ - if ((r->dmp1 == NULL && dmp1 == NULL) || - (r->dmq1 == NULL && dmq1 == NULL) || - (r->iqmp == NULL && iqmp == NULL)) - return 0; - - if (dmp1 != NULL) { - BN_free(r->dmp1); - r->dmp1 = dmp1; - } - if (dmq1 != NULL) { - BN_free(r->dmq1); - r->dmq1 = dmq1; - } - if (iqmp != NULL) { - BN_free(r->iqmp); - r->iqmp = iqmp; - } - - return 1; -} -#endif /* HAVE_RSA_SET0_CRT_PARAMS */ - -#ifndef HAVE_RSA_GET0_FACTORS -void -RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q) -{ - if (p != NULL) - *p = r->p; - if (q != NULL) - *q = r->q; -} -#endif /* HAVE_RSA_GET0_FACTORS */ - -#ifndef HAVE_RSA_SET0_FACTORS -int -RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q) -{ - if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL)) - return 0; - - if (p != NULL) { - BN_free(r->p); - r->p = p; - } - if (q != NULL) { - BN_free(r->q); - r->q = q; - } - - return 1; -} -#endif /* HAVE_RSA_SET0_FACTORS */ #ifndef HAVE_EVP_CIPHER_CTX_GET_IV int @@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len) } #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ -#ifndef HAVE_DSA_SIG_GET0 -void -DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) -{ - if (pr != NULL) - *pr = sig->r; - if (ps != NULL) - *ps = sig->s; -} -#endif /* HAVE_DSA_SIG_GET0 */ - -#ifndef HAVE_DSA_SIG_SET0 -int -DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s) -{ - if (r == NULL || s == NULL) - return 0; - - BN_clear_free(sig->r); - sig->r = r; - BN_clear_free(sig->s); - sig->s = s; - - return 1; -} -#endif /* HAVE_DSA_SIG_SET0 */ - -#ifdef OPENSSL_HAS_ECC -#ifndef HAVE_ECDSA_SIG_GET0 -void -ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) -{ - if (pr != NULL) - *pr = sig->r; - if (ps != NULL) - *ps = sig->s; -} -#endif /* HAVE_ECDSA_SIG_GET0 */ - -#ifndef HAVE_ECDSA_SIG_SET0 -int -ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s) -{ - if (r == NULL || s == NULL) - return 0; - - BN_clear_free(sig->r); - BN_clear_free(sig->s); - sig->r = r; - sig->s = s; - return 1; -} -#endif /* HAVE_ECDSA_SIG_SET0 */ -#endif /* OPENSSL_HAS_ECC */ - -#ifndef HAVE_DH_GET0_PQG -void -DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g) -{ - if (p != NULL) - *p = dh->p; - if (q != NULL) - *q = dh->q; - if (g != NULL) - *g = dh->g; -} -#endif /* HAVE_DH_GET0_PQG */ - -#ifndef HAVE_DH_SET0_PQG -int -DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g) -{ - if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL)) - return 0; - - if (p != NULL) { - BN_free(dh->p); - dh->p = p; - } - if (q != NULL) { - BN_free(dh->q); - dh->q = q; - } - if (g != NULL) { - BN_free(dh->g); - dh->g = g; - } - - return 1; -} -#endif /* HAVE_DH_SET0_PQG */ - -#ifndef HAVE_DH_GET0_KEY -void -DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key) -{ - if (pub_key != NULL) - *pub_key = dh->pub_key; - if (priv_key != NULL) - *priv_key = dh->priv_key; -} -#endif /* HAVE_DH_GET0_KEY */ - -#ifndef HAVE_DH_SET0_KEY -int -DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key) -{ - if (pub_key != NULL) { - BN_free(dh->pub_key); - dh->pub_key = pub_key; - } - if (priv_key != NULL) { - BN_free(dh->priv_key); - dh->priv_key = priv_key; - } - - return 1; -} -#endif /* HAVE_DH_SET0_KEY */ - -#ifndef HAVE_DH_SET_LENGTH -int -DH_set_length(DH *dh, long length) -{ - if (length < 0 || length > INT_MAX) - return 0; - - dh->length = length; - return 1; -} -#endif /* HAVE_DH_SET_LENGTH */ - -#ifndef HAVE_RSA_METH_FREE -void -RSA_meth_free(RSA_METHOD *meth) -{ - if (meth != NULL) { - free((char *)meth->name); - free(meth); - } -} -#endif /* HAVE_RSA_METH_FREE */ - -#ifndef HAVE_RSA_METH_DUP -RSA_METHOD * -RSA_meth_dup(const RSA_METHOD *meth) -{ - RSA_METHOD *copy; - - if ((copy = calloc(1, sizeof(*copy))) == NULL) - return NULL; - memcpy(copy, meth, sizeof(*copy)); - if ((copy->name = strdup(meth->name)) == NULL) { - free(copy); - return NULL; - } - - return copy; -} -#endif /* HAVE_RSA_METH_DUP */ - -#ifndef HAVE_RSA_METH_SET1_NAME -int -RSA_meth_set1_name(RSA_METHOD *meth, const char *name) -{ - char *copy; - - if ((copy = strdup(name)) == NULL) - return 0; - free((char *)meth->name); - meth->name = copy; - return 1; -} -#endif /* HAVE_RSA_METH_SET1_NAME */ - -#ifndef HAVE_RSA_METH_GET_FINISH -int -(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa) -{ - return meth->finish; -} -#endif /* HAVE_RSA_METH_GET_FINISH */ - -#ifndef HAVE_RSA_METH_SET_PRIV_ENC -int -RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, - const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) -{ - meth->rsa_priv_enc = priv_enc; - return 1; -} -#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ - -#ifndef HAVE_RSA_METH_SET_PRIV_DEC -int -RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, - const unsigned char *from, unsigned char *to, RSA *rsa, int padding)) -{ - meth->rsa_priv_dec = priv_dec; - return 1; -} -#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ - -#ifndef HAVE_RSA_METH_SET_FINISH -int -RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)) -{ - meth->finish = finish; - return 1; -} -#endif /* HAVE_RSA_METH_SET_FINISH */ - -#ifndef HAVE_EVP_PKEY_GET0_RSA -RSA * -EVP_PKEY_get0_RSA(EVP_PKEY *pkey) -{ - if (pkey->type != EVP_PKEY_RSA) { - /* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */ - return NULL; - } - return pkey->pkey.rsa; -} -#endif /* HAVE_EVP_PKEY_GET0_RSA */ - -#ifndef HAVE_EVP_MD_CTX_NEW -EVP_MD_CTX * -EVP_MD_CTX_new(void) -{ - return calloc(1, sizeof(EVP_MD_CTX)); -} -#endif /* HAVE_EVP_MD_CTX_NEW */ - -#ifndef HAVE_EVP_MD_CTX_FREE -void -EVP_MD_CTX_free(EVP_MD_CTX *ctx) -{ - if (ctx == NULL) - return; - - EVP_MD_CTX_cleanup(ctx); - - free(ctx); -} -#endif /* HAVE_EVP_MD_CTX_FREE */ - #endif /* WITH_OPENSSL */ diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index 61a69dd56..d0dd2c345 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -33,26 +33,13 @@ int ssh_compatible_openssl(long, long); void ssh_libcrypto_init(void); -#if (OPENSSL_VERSION_NUMBER < 0x1000100fL) -# error OpenSSL 1.0.1 or greater is required +#if (OPENSSL_VERSION_NUMBER < 0x10100000L) +# error OpenSSL 1.1.0 or greater is required #endif - -#ifndef OPENSSL_VERSION -# define OPENSSL_VERSION SSLEAY_VERSION -#endif - -#ifndef HAVE_OPENSSL_VERSION -# define OpenSSL_version(x) SSLeay_version(x) -#endif - -#ifndef HAVE_OPENSSL_VERSION_NUM -# define OpenSSL_version_num SSLeay -#endif - -#if OPENSSL_VERSION_NUMBER < 0x10000001L -# define LIBCRYPTO_EVP_INL_TYPE unsigned int -#else -# define LIBCRYPTO_EVP_INL_TYPE size_t +#ifdef LIBRESSL_VERSION_NUMBER +# if LIBRESSL_VERSION_NUMBER < 0x3010000fL +# error LibreSSL 3.1.0 or greater is required +# endif #endif #ifndef OPENSSL_RSA_MAX_MODULUS_BITS @@ -68,25 +55,6 @@ void ssh_libcrypto_init(void); # endif #endif -/* LibreSSL/OpenSSL 1.1x API compat */ -#ifndef HAVE_DSA_GET0_PQG -void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, - const BIGNUM **g); -#endif /* HAVE_DSA_GET0_PQG */ - -#ifndef HAVE_DSA_SET0_PQG -int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g); -#endif /* HAVE_DSA_SET0_PQG */ - -#ifndef HAVE_DSA_GET0_KEY -void DSA_get0_key(const DSA *d, const BIGNUM **pub_key, - const BIGNUM **priv_key); -#endif /* HAVE_DSA_GET0_KEY */ - -#ifndef HAVE_DSA_SET0_KEY -int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key); -#endif /* HAVE_DSA_SET0_KEY */ - #ifndef HAVE_EVP_CIPHER_CTX_GET_IV # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV # define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv @@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len); #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */ -#ifndef HAVE_RSA_GET0_KEY -void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, - const BIGNUM **d); -#endif /* HAVE_RSA_GET0_KEY */ - -#ifndef HAVE_RSA_SET0_KEY -int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d); -#endif /* HAVE_RSA_SET0_KEY */ - -#ifndef HAVE_RSA_GET0_CRT_PARAMS -void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1, - const BIGNUM **iqmp); -#endif /* HAVE_RSA_GET0_CRT_PARAMS */ - -#ifndef HAVE_RSA_SET0_CRT_PARAMS -int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp); -#endif /* HAVE_RSA_SET0_CRT_PARAMS */ - -#ifndef HAVE_RSA_GET0_FACTORS -void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q); -#endif /* HAVE_RSA_GET0_FACTORS */ - -#ifndef HAVE_RSA_SET0_FACTORS -int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q); -#endif /* HAVE_RSA_SET0_FACTORS */ - -#ifndef DSA_SIG_GET0 -void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); -#endif /* DSA_SIG_GET0 */ - -#ifndef DSA_SIG_SET0 -int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s); -#endif /* DSA_SIG_SET0 */ - -#ifdef OPENSSL_HAS_ECC -#ifndef HAVE_ECDSA_SIG_GET0 -void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps); -#endif /* HAVE_ECDSA_SIG_GET0 */ - -#ifndef HAVE_ECDSA_SIG_SET0 -int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s); -#endif /* HAVE_ECDSA_SIG_SET0 */ -#endif /* OPENSSL_HAS_ECC */ - -#ifndef HAVE_DH_GET0_PQG -void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, - const BIGNUM **g); -#endif /* HAVE_DH_GET0_PQG */ - -#ifndef HAVE_DH_SET0_PQG -int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g); -#endif /* HAVE_DH_SET0_PQG */ - -#ifndef HAVE_DH_GET0_KEY -void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key); -#endif /* HAVE_DH_GET0_KEY */ - -#ifndef HAVE_DH_SET0_KEY -int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key); -#endif /* HAVE_DH_SET0_KEY */ - -#ifndef HAVE_DH_SET_LENGTH -int DH_set_length(DH *dh, long length); -#endif /* HAVE_DH_SET_LENGTH */ - -#ifndef HAVE_RSA_METH_FREE -void RSA_meth_free(RSA_METHOD *meth); -#endif /* HAVE_RSA_METH_FREE */ - -#ifndef HAVE_RSA_METH_DUP -RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth); -#endif /* HAVE_RSA_METH_DUP */ - -#ifndef HAVE_RSA_METH_SET1_NAME -int RSA_meth_set1_name(RSA_METHOD *meth, const char *name); -#endif /* HAVE_RSA_METH_SET1_NAME */ - -#ifndef HAVE_RSA_METH_GET_FINISH -int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa); -#endif /* HAVE_RSA_METH_GET_FINISH */ - -#ifndef HAVE_RSA_METH_SET_PRIV_ENC -int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen, - const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); -#endif /* HAVE_RSA_METH_SET_PRIV_ENC */ - -#ifndef HAVE_RSA_METH_SET_PRIV_DEC -int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen, - const unsigned char *from, unsigned char *to, RSA *rsa, int padding)); -#endif /* HAVE_RSA_METH_SET_PRIV_DEC */ - -#ifndef HAVE_RSA_METH_SET_FINISH -int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa)); -#endif /* HAVE_RSA_METH_SET_FINISH */ - -#ifndef HAVE_EVP_PKEY_GET0_RSA -RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey); -#endif /* HAVE_EVP_PKEY_GET0_RSA */ - -#ifndef HAVE_EVP_MD_CTX_new -EVP_MD_CTX *EVP_MD_CTX_new(void); -#endif /* HAVE_EVP_MD_CTX_new */ - -#ifndef HAVE_EVP_MD_CTX_free -void EVP_MD_CTX_free(EVP_MD_CTX *ctx); -#endif /* HAVE_EVP_MD_CTX_free */ - #endif /* WITH_OPENSSL */ #endif /* _OPENSSL_COMPAT_H */