diff options
author | des <des@FreeBSD.org> | 2016-01-19 16:18:26 +0000 |
---|---|---|
committer | des <des@FreeBSD.org> | 2016-01-19 16:18:26 +0000 |
commit | 14172c52f89fa504003826ed2e4e2c0ac246505d (patch) | |
tree | bc48bd740145eea64393ed391fc1d972c83f991c /crypto/openssh/openbsd-compat/openssl-compat.c | |
parent | 456370e53073cd38d0ddc4001283f1c131d1428e (diff) | |
parent | 64c731d52472fb486558425128009691392e0bef (diff) | |
download | FreeBSD-src-14172c52f89fa504003826ed2e4e2c0ac246505d.zip FreeBSD-src-14172c52f89fa504003826ed2e4e2c0ac246505d.tar.gz |
Upgrade to OpenSSH 6.7p1, retaining libwrap support (which has been removed
upstream) and a number of security fixes which we had already backported.
MFC after: 1 week
Diffstat (limited to 'crypto/openssh/openbsd-compat/openssl-compat.c')
-rw-r--r-- | crypto/openssh/openbsd-compat/openssl-compat.c | 166 |
1 files changed, 32 insertions, 134 deletions
diff --git a/crypto/openssh/openbsd-compat/openssl-compat.c b/crypto/openssh/openbsd-compat/openssl-compat.c index 885c121..36570e4 100644 --- a/crypto/openssh/openbsd-compat/openssl-compat.c +++ b/crypto/openssh/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> @@ -16,6 +16,7 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS #include "includes.h" #include <stdarg.h> @@ -26,147 +27,44 @@ # include <openssl/conf.h> #endif -#ifndef HAVE_RSA_GET_DEFAULT_METHOD -# include <openssl/rsa.h> -#endif - #include "log.h" -#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS #include "openssl-compat.h" -#ifdef SSH_OLD_EVP -int -ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv, int enc) -{ - EVP_CipherInit(evp, type, key, iv, enc); - return 1; -} - -int -ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len) -{ - EVP_Cipher(evp, dst, src, len); - return 1; -} - -int -ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) -{ - EVP_CIPHER_CTX_cleanup(evp); - return 1; -} -#endif - -#ifndef HAVE_EVP_DIGESTINIT_EX -int -EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine) -{ - if (engine != NULL) - fatal("%s: ENGINE is not supported", __func__); -# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID - EVP_DigestInit(ctx, md); - return 1; -# else - return EVP_DigestInit(ctx, md); -# endif -} -#endif - -#ifndef HAVE_EVP_DIGESTFINAL_EX -int -EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) -{ -# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID - EVP_DigestFinal(ctx, md, s); - return 1; -# else - return EVP_DigestFinal(ctx, md, s); -# endif -} -#endif - -#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID -int -ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) -{ - EVP_DigestUpdate(ctx, d, cnt); - return 1; -} -#endif - -#ifndef HAVE_EVP_MD_CTX_COPY_EX -int -EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) -{ - return EVP_MD_CTX_copy(out, in); -} -#endif - -#ifndef HAVE_BN_IS_PRIME_EX -int -BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb) -{ - if (cb != NULL) - fatal("%s: callback args not supported", __func__); - return BN_is_prime(p, nchecks, NULL, ctx, NULL); -} -#endif - -#ifndef HAVE_RSA_GENERATE_KEY_EX -int -RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb) -{ - RSA *new_rsa, tmp_rsa; - unsigned long e; - - if (cb != NULL) - fatal("%s: callback args not supported", __func__); - e = BN_get_word(bn_e); - if (e == 0xffffffffL) - fatal("%s: value of e too large", __func__); - new_rsa = RSA_generate_key(bits, e, NULL, NULL); - if (new_rsa == NULL) - return 0; - /* swap rsa/new_rsa then free new_rsa */ - tmp_rsa = *rsa; - *rsa = *new_rsa; - *new_rsa = tmp_rsa; - RSA_free(new_rsa); - return 1; -} -#endif +/* + * OpenSSL version numbers: MNNFFPPS: major minor fix patch status + * We match major, minor, fix and status (not patch) for <1.0.0. + * After that, we acceptable compatible fix versions (so we + * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed + * within a patch series. + */ -#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX int -DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed, - int seed_len, int *counter_ret, unsigned long *h_ret, void *cb) +ssh_compatible_openssl(long headerver, long libver) { - DSA *new_dsa, tmp_dsa; - - if (cb != NULL) - fatal("%s: callback args not supported", __func__); - new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len, - counter_ret, h_ret, NULL, NULL); - if (new_dsa == NULL) - return 0; - /* swap dsa/new_dsa then free new_dsa */ - tmp_dsa = *dsa; - *dsa = *new_dsa; - *new_dsa = tmp_dsa; - DSA_free(new_dsa); - return 1; -} -#endif - -#ifndef HAVE_RSA_GET_DEFAULT_METHOD -RSA_METHOD * -RSA_get_default_method(void) -{ - return RSA_PKCS1_SSLeay(); + long mask, hfix, lfix; + + /* exact match is always OK */ + if (headerver == libver) + return 1; + + /* for versions < 1.0.0, major,minor,fix,status must match */ + if (headerver < 0x1000000f) { + mask = 0xfffff00fL; /* major,minor,fix,status */ + return (headerver & mask) == (libver & mask); + } + + /* + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ + mask = 0xfff0000fL; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) + return 1; + return 0; } -#endif #ifdef USE_OPENSSL_ENGINE void |