From abe2b245b3ac6c4801e99bc0f13289cd28211e22 Mon Sep 17 00:00:00 2001 From: Damien Miller Date: Fri, 3 Apr 2020 17:25:46 +1100 Subject: [PATCH] prefer libcrypto chacha20-poly1305 where possible --- Makefile.in | 2 +- cipher-chachapoly-libcrypto.c | 3 +++ cipher-chachapoly.c | 4 ++++ configure.ac | 1 + openbsd-compat/openssl-compat.h | 6 ++++++ 5 files changed, 15 insertions(+), 1 deletion(-) diff --git a/Makefile.in b/Makefile.in index e7549470c..efbc62a4a 100644 --- a/Makefile.in +++ b/Makefile.in @@ -103,7 +103,7 @@ LIBSSH_OBJS=${LIBOPENSSH_OBJS} \ ssh-ed25519-sk.o ssh-rsa.o dh.o \ msg.o progressmeter.o dns.o entropy.o gss-genr.o umac.o umac128.o \ ssh-pkcs11.o smult_curve25519_ref.o \ - poly1305.o chacha.o cipher-chachapoly.o \ + poly1305.o chacha.o cipher-chachapoly.o cipher-chachapoly-libcrypto.o \ ssh-ed25519.o digest-openssl.o digest-libc.o \ hmac.o sc25519.o ge25519.o fe25519.o ed25519.o verify.o hash.o \ kex.o kexdh.o kexgex.o kexecdh.o kexc25519.o \ diff --git a/cipher-chachapoly-libcrypto.c b/cipher-chachapoly-libcrypto.c index 960ac14cf..2c0f80f28 100644 --- a/cipher-chachapoly-libcrypto.c +++ b/cipher-chachapoly-libcrypto.c @@ -18,6 +18,8 @@ #include "includes.h" +#if defined(HAVE_EVP_CHACHA20) || !defined(HAVE_BROKEN_CHACHA20) + #include #include /* needed for log.h */ #include @@ -158,3 +160,4 @@ chachapoly_get_length(struct chachapoly_ctx *ctx, *plenp = PEEK_U32(buf); return 0; } +#endif /* defined(HAVE_EVP_CHACHA20) && !defined(HAVE_BROKEN_CHACHA20) */ diff --git a/cipher-chachapoly.c b/cipher-chachapoly.c index 42e8d40b7..132cdeec9 100644 --- a/cipher-chachapoly.c +++ b/cipher-chachapoly.c @@ -18,6 +18,8 @@ #include "includes.h" +#if !defined(HAVE_EVP_CHACHA20) || defined(HAVE_BROKEN_CHACHA20) + #include #include /* needed for log.h */ #include @@ -130,3 +132,5 @@ chachapoly_get_length(struct chachapoly_ctx *ctx, *plenp = PEEK_U32(buf); return 0; } + +#endif /* !defined(HAVE_EVP_CHACHA20) || defined(HAVE_BROKEN_CHACHA20) */ diff --git a/configure.ac b/configure.ac index de6ad127c..9cba9542a 100644 --- a/configure.ac +++ b/configure.ac @@ -2804,6 +2804,7 @@ if test "x$openssl" = "xyes" ; then EVP_PKEY_get0_RSA \ EVP_MD_CTX_new \ EVP_MD_CTX_free \ + EVP_chacha20 \ ]) if test "x$openssl_engine" = "xyes" ; then diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h index abdcb8763..bcefd8f28 100644 --- a/openbsd-compat/openssl-compat.h +++ b/openbsd-compat/openssl-compat.h @@ -62,6 +62,12 @@ void ssh_libcrypto_init(void); # define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif +#ifdef LIBRESSL_VERSION_NUMBER +# if LIBRESSL_VERSION_NUMBER >= 0x3010000fL +# define HAVE_BROKEN_CHACHA20 +# endif +#endif + #ifndef OPENSSL_HAVE_EVPCTR # define EVP_aes_128_ctr evp_aes_128_ctr # define EVP_aes_192_ctr evp_aes_128_ctr