diff options
Diffstat (limited to 'crypto/openssh/openbsd-compat')
-rw-r--r-- | crypto/openssh/openbsd-compat/Makefile.in | 4 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/arc4random.c | 4 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/bsd-cygwin_util.c | 16 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/bsd-cygwin_util.h | 6 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/bsd-snprintf.c | 4 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/explicit_bzero.c | 26 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/kludge-fd_set.c | 28 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/openbsd-compat.h | 18 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/openssl-compat.c | 166 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/openssl-compat.h | 121 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/port-uw.c | 1 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/regress/Makefile.in | 6 | ||||
-rw-r--r-- | crypto/openssh/openbsd-compat/regress/opensslvertest.c | 69 |
13 files changed, 216 insertions, 253 deletions
diff --git a/crypto/openssh/openbsd-compat/Makefile.in b/crypto/openssh/openbsd-compat/Makefile.in index 6ecfb93..ab1a3e3 100644 --- a/crypto/openssh/openbsd-compat/Makefile.in +++ b/crypto/openssh/openbsd-compat/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.55 2014/02/04 00:37:50 djm Exp $ +# $Id: Makefile.in,v 1.56 2014/09/30 23:43:08 djm Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -18,7 +18,7 @@ LDFLAGS=-L. @LDFLAGS@ OPENBSD=base64.o basename.o bcrypt_pbkdf.o bindresvport.o blowfish.o daemon.o dirname.o fmt_scaled.o getcwd.o getgrouplist.o getopt_long.o getrrsetbyname.o glob.o inet_aton.o inet_ntoa.o inet_ntop.o mktemp.o pwcache.o readpassphrase.o realpath.o rresvport.o setenv.o setproctitle.o sha2.o sigact.o strlcat.o strlcpy.o strmode.o strnlen.o strptime.o strsep.o strtonum.o strtoll.o strtoul.o strtoull.o timingsafe_bcmp.o vis.o blowfish.o bcrypt_pbkdf.o explicit_bzero.o -COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o +COMPAT=arc4random.o bsd-asprintf.o bsd-closefrom.o bsd-cray.o bsd-cygwin_util.o bsd-getpeereid.o getrrsetbyname-ldns.o bsd-misc.o bsd-nextstep.o bsd-openpty.o bsd-poll.o bsd-setres_id.o bsd-snprintf.o bsd-statvfs.o bsd-waitpid.o fake-rfc2553.o openssl-compat.o xmmap.o xcrypt.o kludge-fd_set.o PORTS=port-aix.o port-irix.o port-linux.o port-solaris.o port-tun.o port-uw.o diff --git a/crypto/openssh/openbsd-compat/arc4random.c b/crypto/openssh/openbsd-compat/arc4random.c index eac073c..09dbfda 100644 --- a/crypto/openssh/openbsd-compat/arc4random.c +++ b/crypto/openssh/openbsd-compat/arc4random.c @@ -87,7 +87,7 @@ _rs_stir(void) _rs_init(rnd, sizeof(rnd)); } else _rs_rekey(rnd, sizeof(rnd)); - memset(rnd, 0, sizeof(rnd)); + explicit_bzero(rnd, sizeof(rnd)); /* invalidate rs_buf */ rs_have = 0; @@ -229,7 +229,7 @@ arc4random_buf(void *_buf, size_t n) buf[i] = r & 0xff; r >>= 8; } - i = r = 0; + explicit_bzero(&r, sizeof(r)); } #endif /* !defined(HAVE_ARC4RANDOM_BUF) && defined(HAVE_ARC4RANDOM) */ diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c index 267e77a..a2d8212 100644 --- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.c +++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.c @@ -57,6 +57,22 @@ check_ntsec(const char *filename) return (pathconf(filename, _PC_POSIX_PERMISSIONS)); } +const char * +cygwin_ssh_privsep_user() +{ + static char cyg_privsep_user[DNLEN + UNLEN + 2]; + + if (!cyg_privsep_user[0]) + { +#ifdef CW_CYGNAME_FROM_WINNAME + if (cygwin_internal (CW_CYGNAME_FROM_WINNAME, "sshd", cyg_privsep_user, + sizeof cyg_privsep_user) != 0) +#endif + strcpy (cyg_privsep_user, "sshd"); + } + return cyg_privsep_user; +} + #define NL(x) x, (sizeof (x) - 1) #define WENV_SIZ (sizeof (wenv_arr) / sizeof (wenv_arr[0])) diff --git a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h index 1177366..79cb2a1 100644 --- a/crypto/openssh/openbsd-compat/bsd-cygwin_util.h +++ b/crypto/openssh/openbsd-compat/bsd-cygwin_util.h @@ -1,4 +1,4 @@ -/* $Id: bsd-cygwin_util.h,v 1.17 2014/01/18 10:04:00 dtucker Exp $ */ +/* $Id: bsd-cygwin_util.h,v 1.18 2014/05/27 04:34:43 djm Exp $ */ /* * Copyright (c) 2000, 2001, 2011, 2013 Corinna Vinschen <vinschen@redhat.com> @@ -39,6 +39,8 @@ /* Avoid including windows headers. */ typedef void *HANDLE; #define INVALID_HANDLE_VALUE ((HANDLE) -1) +#define DNLEN 16 +#define UNLEN 256 /* Cygwin functions for which declarations are only available when including windows headers, so we have to define them here explicitely. */ @@ -48,6 +50,8 @@ extern void cygwin_set_impersonation_token (const HANDLE); #include <sys/cygwin.h> #include <io.h> +#define CYGWIN_SSH_PRIVSEP_USER (cygwin_ssh_privsep_user()) +const char *cygwin_ssh_privsep_user(); int binary_open(const char *, int , ...); int check_ntsec(const char *); diff --git a/crypto/openssh/openbsd-compat/bsd-snprintf.c b/crypto/openssh/openbsd-compat/bsd-snprintf.c index 975991e..23a6359 100644 --- a/crypto/openssh/openbsd-compat/bsd-snprintf.c +++ b/crypto/openssh/openbsd-compat/bsd-snprintf.c @@ -538,7 +538,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, } while (*value && (cnt < max)) { DOPR_OUTCH(buffer, *currlen, maxlen, *value); - *value++; + value++; ++cnt; } while ((padlen < 0) && (cnt < max)) { @@ -553,7 +553,7 @@ fmtstr(char *buffer, size_t *currlen, size_t maxlen, static int fmtint(char *buffer, size_t *currlen, size_t maxlen, - LLONG value, int base, int min, int max, int flags) + intmax_t value, int base, int min, int max, int flags) { int signvalue = 0; unsigned LLONG uvalue; diff --git a/crypto/openssh/openbsd-compat/explicit_bzero.c b/crypto/openssh/openbsd-compat/explicit_bzero.c index b106741..3c85a48 100644 --- a/crypto/openssh/openbsd-compat/explicit_bzero.c +++ b/crypto/openssh/openbsd-compat/explicit_bzero.c @@ -7,14 +7,34 @@ #include "includes.h" +/* + * explicit_bzero - don't let the compiler optimize away bzero + */ + #ifndef HAVE_EXPLICIT_BZERO +#ifdef HAVE_MEMSET_S + +void +explicit_bzero(void *p, size_t n) +{ + (void)memset_s(p, n, 0, n); +} + +#else /* HAVE_MEMSET_S */ + /* - * explicit_bzero - don't let the compiler optimize away bzero + * Indirect bzero through a volatile pointer to hopefully avoid + * dead-store optimisation eliminating the call. */ +static void (* volatile ssh_bzero)(void *, size_t) = bzero; + void explicit_bzero(void *p, size_t n) { - bzero(p, n); + ssh_bzero(p, n); } -#endif + +#endif /* HAVE_MEMSET_S */ + +#endif /* HAVE_EXPLICIT_BZERO */ diff --git a/crypto/openssh/openbsd-compat/kludge-fd_set.c b/crypto/openssh/openbsd-compat/kludge-fd_set.c new file mode 100644 index 0000000..6c2ffb6 --- /dev/null +++ b/crypto/openssh/openbsd-compat/kludge-fd_set.c @@ -0,0 +1,28 @@ +/* Placed in the public domain. */ + +/* + * _FORTIFY_SOURCE includes a misguided check for FD_SET(n)/FD_ISSET(b) + * where n > FD_SETSIZE. This breaks OpenSSH and other programs that + * explicitly allocate fd_sets. To avoid this, we wrap FD_SET in a + * function compiled without _FORTIFY_SOURCE. + */ + +#include "config.h" + +#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE) +# include <features.h> +# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ) +# if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) +# undef _FORTIFY_SOURCE +# undef __USE_FORTIFY_LEVEL +# include <sys/socket.h> +void kludge_FD_SET(int n, fd_set *set) { + FD_SET(n, set); +} +int kludge_FD_ISSET(int n, fd_set *set) { + return FD_ISSET(n, set); +} +# endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */ +# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */ +#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */ + diff --git a/crypto/openssh/openbsd-compat/openbsd-compat.h b/crypto/openssh/openbsd-compat/openbsd-compat.h index bc9888e..ce6abae 100644 --- a/crypto/openssh/openbsd-compat/openbsd-compat.h +++ b/crypto/openssh/openbsd-compat/openbsd-compat.h @@ -1,4 +1,4 @@ -/* $Id: openbsd-compat.h,v 1.61 2014/02/04 00:18:23 djm Exp $ */ +/* $Id: openbsd-compat.h,v 1.62 2014/09/30 23:43:08 djm Exp $ */ /* * Copyright (c) 1999-2003 Damien Miller. All rights reserved. @@ -268,4 +268,20 @@ char *shadow_pw(struct passwd *pw); #include "port-tun.h" #include "port-uw.h" +/* _FORTIFY_SOURCE breaks FD_ISSET(n)/FD_SET(n) for n > FD_SETSIZE. Avoid. */ +#if defined(HAVE_FEATURES_H) && defined(_FORTIFY_SOURCE) +# include <features.h> +# if defined(__GNU_LIBRARY__) && defined(__GLIBC_PREREQ) +# if __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) +# include <sys/socket.h> /* Ensure include guard is defined */ +# undef FD_SET +# undef FD_ISSET +# define FD_SET(n, set) kludge_FD_SET(n, set) +# define FD_ISSET(n, set) kludge_FD_ISSET(n, set) +void kludge_FD_SET(int, fd_set *); +int kludge_FD_ISSET(int, fd_set *); +# endif /* __GLIBC_PREREQ(2, 15) && (_FORTIFY_SOURCE > 0) */ +# endif /* __GNU_LIBRARY__ && __GLIBC_PREREQ */ +#endif /* HAVE_FEATURES_H && _FORTIFY_SOURCE */ + #endif /* _OPENBSD_COMPAT_H */ diff --git a/crypto/openssh/openbsd-compat/openssl-compat.c b/crypto/openssh/openbsd-compat/openssl-compat.c index 885c121..36570e4 100644 --- a/crypto/openssh/openbsd-compat/openssl-compat.c +++ b/crypto/openssh/openbsd-compat/openssl-compat.c @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.c,v 1.17 2014/02/13 05:38:33 dtucker Exp $ */ +/* $Id: openssl-compat.c,v 1.19 2014/07/02 05:28:07 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> @@ -16,6 +16,7 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS #include "includes.h" #include <stdarg.h> @@ -26,147 +27,44 @@ # include <openssl/conf.h> #endif -#ifndef HAVE_RSA_GET_DEFAULT_METHOD -# include <openssl/rsa.h> -#endif - #include "log.h" -#define SSH_DONT_OVERLOAD_OPENSSL_FUNCS #include "openssl-compat.h" -#ifdef SSH_OLD_EVP -int -ssh_EVP_CipherInit(EVP_CIPHER_CTX *evp, const EVP_CIPHER *type, - unsigned char *key, unsigned char *iv, int enc) -{ - EVP_CipherInit(evp, type, key, iv, enc); - return 1; -} - -int -ssh_EVP_Cipher(EVP_CIPHER_CTX *evp, char *dst, char *src, int len) -{ - EVP_Cipher(evp, dst, src, len); - return 1; -} - -int -ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *evp) -{ - EVP_CIPHER_CTX_cleanup(evp); - return 1; -} -#endif - -#ifndef HAVE_EVP_DIGESTINIT_EX -int -EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *md, void *engine) -{ - if (engine != NULL) - fatal("%s: ENGINE is not supported", __func__); -# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID - EVP_DigestInit(ctx, md); - return 1; -# else - return EVP_DigestInit(ctx, md); -# endif -} -#endif - -#ifndef HAVE_EVP_DIGESTFINAL_EX -int -EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s) -{ -# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID - EVP_DigestFinal(ctx, md, s); - return 1; -# else - return EVP_DigestFinal(ctx, md, s); -# endif -} -#endif - -#ifdef OPENSSL_EVP_DIGESTUPDATE_VOID -int -ssh_EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, unsigned int cnt) -{ - EVP_DigestUpdate(ctx, d, cnt); - return 1; -} -#endif - -#ifndef HAVE_EVP_MD_CTX_COPY_EX -int -EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in) -{ - return EVP_MD_CTX_copy(out, in); -} -#endif - -#ifndef HAVE_BN_IS_PRIME_EX -int -BN_is_prime_ex(const BIGNUM *p, int nchecks, BN_CTX *ctx, void *cb) -{ - if (cb != NULL) - fatal("%s: callback args not supported", __func__); - return BN_is_prime(p, nchecks, NULL, ctx, NULL); -} -#endif - -#ifndef HAVE_RSA_GENERATE_KEY_EX -int -RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *bn_e, void *cb) -{ - RSA *new_rsa, tmp_rsa; - unsigned long e; - - if (cb != NULL) - fatal("%s: callback args not supported", __func__); - e = BN_get_word(bn_e); - if (e == 0xffffffffL) - fatal("%s: value of e too large", __func__); - new_rsa = RSA_generate_key(bits, e, NULL, NULL); - if (new_rsa == NULL) - return 0; - /* swap rsa/new_rsa then free new_rsa */ - tmp_rsa = *rsa; - *rsa = *new_rsa; - *new_rsa = tmp_rsa; - RSA_free(new_rsa); - return 1; -} -#endif +/* + * OpenSSL version numbers: MNNFFPPS: major minor fix patch status + * We match major, minor, fix and status (not patch) for <1.0.0. + * After that, we acceptable compatible fix versions (so we + * allow 1.0.1 to work with 1.0.0). Going backwards is only allowed + * within a patch series. + */ -#ifndef HAVE_DSA_GENERATE_PARAMETERS_EX int -DSA_generate_parameters_ex(DSA *dsa, int bits, const unsigned char *seed, - int seed_len, int *counter_ret, unsigned long *h_ret, void *cb) +ssh_compatible_openssl(long headerver, long libver) { - DSA *new_dsa, tmp_dsa; - - if (cb != NULL) - fatal("%s: callback args not supported", __func__); - new_dsa = DSA_generate_parameters(bits, (unsigned char *)seed, seed_len, - counter_ret, h_ret, NULL, NULL); - if (new_dsa == NULL) - return 0; - /* swap dsa/new_dsa then free new_dsa */ - tmp_dsa = *dsa; - *dsa = *new_dsa; - *new_dsa = tmp_dsa; - DSA_free(new_dsa); - return 1; -} -#endif - -#ifndef HAVE_RSA_GET_DEFAULT_METHOD -RSA_METHOD * -RSA_get_default_method(void) -{ - return RSA_PKCS1_SSLeay(); + long mask, hfix, lfix; + + /* exact match is always OK */ + if (headerver == libver) + return 1; + + /* for versions < 1.0.0, major,minor,fix,status must match */ + if (headerver < 0x1000000f) { + mask = 0xfffff00fL; /* major,minor,fix,status */ + return (headerver & mask) == (libver & mask); + } + + /* + * For versions >= 1.0.0, major,minor,status must match and library + * fix version must be equal to or newer than the header. + */ + mask = 0xfff0000fL; /* major,minor,status */ + hfix = (headerver & 0x000ff000) >> 12; + lfix = (libver & 0x000ff000) >> 12; + if ( (headerver & mask) == (libver & mask) && lfix >= hfix) + return 1; + return 0; } -#endif #ifdef USE_OPENSSL_ENGINE void diff --git a/crypto/openssh/openbsd-compat/openssl-compat.h b/crypto/openssh/openbsd-compat/openssl-compat.h index 276b970..3695d41 100644 --- a/crypto/openssh/openbsd-compat/openssl-compat.h +++ b/crypto/openssh/openbsd-compat/openssl-compat.h @@ -1,4 +1,4 @@ -/* $Id: openssl-compat.h,v 1.26 2014/02/13 05:38:33 dtucker Exp $ */ +/* $Id: openssl-compat.h,v 1.31 2014/08/29 18:18:29 djm Exp $ */ /* * Copyright (c) 2005 Darren Tucker <dtucker@zip.com.au> @@ -16,28 +16,19 @@ * OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#ifndef _OPENSSL_COMPAT_H +#define _OPENSSL_COMPAT_H + #include "includes.h" #include <openssl/opensslv.h> #include <openssl/evp.h> #include <openssl/rsa.h> #include <openssl/dsa.h> -/* Only in 0.9.8 */ -#ifndef OPENSSL_DSA_MAX_MODULUS_BITS -# define OPENSSL_DSA_MAX_MODULUS_BITS 10000 -#endif -#ifndef OPENSSL_RSA_MAX_MODULUS_BITS -# define OPENSSL_RSA_MAX_MODULUS_BITS 16384 -#endif - -/* OPENSSL_free() is Free() in versions before OpenSSL 0.9.6 */ -#if !defined(OPENSSL_VERSION_NUMBER) || (OPENSSL_VERSION_NUMBER < 0x0090600f) -# define OPENSSL_free(x) Free(x) -#endif +int ssh_compatible_openssl(long, long); -#if OPENSSL_VERSION_NUMBER < 0x00906000L -# define SSH_OLD_EVP -# define EVP_CIPHER_CTX_get_app_data(e) ((e)->app_data) +#if (OPENSSL_VERSION_NUMBER <= 0x0090805fL) +# error OpenSSL 0.9.8f or greater is required #endif #if OPENSSL_VERSION_NUMBER < 0x10000001L @@ -46,27 +37,17 @@ # define LIBCRYPTO_EVP_INL_TYPE size_t #endif -#if (OPENSSL_VERSION_NUMBER < 0x00907000L) || defined(OPENSSL_LOBOTOMISED_AES) -# define USE_BUILTIN_RIJNDAEL +#ifndef OPENSSL_RSA_MAX_MODULUS_BITS +# define OPENSSL_RSA_MAX_MODULUS_BITS 16384 #endif - -#ifdef USE_BUILTIN_RIJNDAEL -# include "rijndael.h" -# define AES_KEY rijndael_ctx -# define AES_BLOCK_SIZE 16 -# define AES_encrypt(a, b, c) rijndael_encrypt(c, a, b) -# define AES_set_encrypt_key(a, b, c) rijndael_set_key(c, (char *)a, b, 1) -# define EVP_aes_128_cbc evp_rijndael -# define EVP_aes_192_cbc evp_rijndael -# define EVP_aes_256_cbc evp_rijndael -const EVP_CIPHER *evp_rijndael(void); -void ssh_rijndael_iv(EVP_CIPHER_CTX *, int, u_char *, u_int); +#ifndef OPENSSL_DSA_MAX_MODULUS_BITS +# define OPENSSL_DSA_MAX_MODULUS_BITS 10000 #endif #ifndef OPENSSL_HAVE_EVPCTR -#define EVP_aes_128_ctr evp_aes_128_ctr -#define EVP_aes_192_ctr evp_aes_128_ctr -#define EVP_aes_256_ctr evp_aes_128_ctr +# define EVP_aes_128_ctr evp_aes_128_ctr +# define EVP_aes_192_ctr evp_aes_128_ctr +# define EVP_aes_256_ctr evp_aes_128_ctr const EVP_CIPHER *evp_aes_128_ctr(void); void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); #endif @@ -88,26 +69,9 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t); # endif #endif -#if OPENSSL_VERSION_NUMBER < 0x00907000L -#define EVP_X_STATE(evp) &(evp).c -#define EVP_X_STATE_LEN(evp) sizeof((evp).c) -#else -#define EVP_X_STATE(evp) (evp).cipher_data -#define EVP_X_STATE_LEN(evp) (evp).cipher->ctx_size -#endif - -/* OpenSSL 0.9.8e returns cipher key len not context key len */ -#if (OPENSSL_VERSION_NUMBER == 0x0090805fL) -# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len) -#endif - -#ifndef HAVE_RSA_GET_DEFAULT_METHOD -RSA_METHOD *RSA_get_default_method(void); -#endif - /* * We overload some of the OpenSSL crypto functions with ssh_* equivalents - * which cater for older and/or less featureful OpenSSL version. + * to automatically handle OpenSSL engine initialisation. * * In order for the compat library to call the real functions, it must * define SSH_DONT_OVERLOAD_OPENSSL_FUNCS before including this file and @@ -115,19 +79,6 @@ RSA_METHOD *RSA_get_default_method(void); */ #ifndef SSH_DONT_OVERLOAD_OPENSSL_FUNCS -# ifdef SSH_OLD_EVP -# ifdef EVP_Cipher -# undef EVP_Cipher -# endif -# define EVP_CipherInit(a,b,c,d,e) ssh_EVP_CipherInit((a),(b),(c),(d),(e)) -# define EVP_Cipher(a,b,c,d) ssh_EVP_Cipher((a),(b),(c),(d)) -# define EVP_CIPHER_CTX_cleanup(a) ssh_EVP_CIPHER_CTX_cleanup((a)) -# endif /* SSH_OLD_EVP */ - -# ifdef OPENSSL_EVP_DIGESTUPDATE_VOID -# define EVP_DigestUpdate(a,b,c) ssh_EVP_DigestUpdate((a),(b),(c)) -# endif - # ifdef USE_OPENSSL_ENGINE # ifdef OpenSSL_add_all_algorithms # undef OpenSSL_add_all_algorithms @@ -135,48 +86,8 @@ RSA_METHOD *RSA_get_default_method(void); # define OpenSSL_add_all_algorithms() ssh_OpenSSL_add_all_algorithms() # endif -# ifndef HAVE_BN_IS_PRIME_EX -int BN_is_prime_ex(const BIGNUM *, int, BN_CTX *, void *); -# endif - -# ifndef HAVE_DSA_GENERATE_PARAMETERS_EX -int DSA_generate_parameters_ex(DSA *, int, const unsigned char *, int, int *, - unsigned long *, void *); -# endif - -# ifndef HAVE_RSA_GENERATE_KEY_EX -int RSA_generate_key_ex(RSA *, int, BIGNUM *, void *); -# endif - -# ifndef HAVE_EVP_DIGESTINIT_EX -int EVP_DigestInit_ex(EVP_MD_CTX *, const EVP_MD *, void *); -# endif - -# ifndef HAVE_EVP_DISESTFINAL_EX -int EVP_DigestFinal_ex(EVP_MD_CTX *, unsigned char *, unsigned int *); -# endif - -# ifndef EVP_MD_CTX_COPY_EX -int EVP_MD_CTX_copy_ex(EVP_MD_CTX *, const EVP_MD_CTX *); -# endif - -int ssh_EVP_CipherInit(EVP_CIPHER_CTX *, const EVP_CIPHER *, unsigned char *, - unsigned char *, int); -int ssh_EVP_Cipher(EVP_CIPHER_CTX *, char *, char *, int); -int ssh_EVP_CIPHER_CTX_cleanup(EVP_CIPHER_CTX *); void ssh_OpenSSL_add_all_algorithms(void); -# ifndef HAVE_HMAC_CTX_INIT -# define HMAC_CTX_init(a) -# endif - -# ifndef HAVE_EVP_MD_CTX_INIT -# define EVP_MD_CTX_init(a) -# endif - -# ifndef HAVE_EVP_MD_CTX_CLEANUP -# define EVP_MD_CTX_cleanup(a) -# endif - #endif /* SSH_DONT_OVERLOAD_OPENSSL_FUNCS */ +#endif /* _OPENSSL_COMPAT_H */ diff --git a/crypto/openssh/openbsd-compat/port-uw.c b/crypto/openssh/openbsd-compat/port-uw.c index b1fbfa2..db24dbb 100644 --- a/crypto/openssh/openbsd-compat/port-uw.c +++ b/crypto/openssh/openbsd-compat/port-uw.c @@ -42,6 +42,7 @@ #include "key.h" #include "auth-options.h" #include "log.h" +#include "misc.h" /* servconf.h needs misc.h for struct ForwardOptions */ #include "servconf.h" #include "hostfile.h" #include "auth.h" diff --git a/crypto/openssh/openbsd-compat/regress/Makefile.in b/crypto/openssh/openbsd-compat/regress/Makefile.in index bcf214b..dabdb09 100644 --- a/crypto/openssh/openbsd-compat/regress/Makefile.in +++ b/crypto/openssh/openbsd-compat/regress/Makefile.in @@ -1,4 +1,4 @@ -# $Id: Makefile.in,v 1.4 2006/08/19 09:12:14 dtucker Exp $ +# $Id: Makefile.in,v 1.5 2014/06/17 13:06:08 dtucker Exp $ sysconfdir=@sysconfdir@ piddir=@piddir@ @@ -16,11 +16,11 @@ LIBS=@LIBS@ LDFLAGS=@LDFLAGS@ $(LIBCOMPAT) TESTPROGS=closefromtest$(EXEEXT) snprintftest$(EXEEXT) strduptest$(EXEEXT) \ - strtonumtest$(EXEEXT) + strtonumtest$(EXEEXT) opensslvertest$(EXEEXT) all: t-exec ${OTHERTESTS} -%$(EXEEXT): %.c +%$(EXEEXT): %.c $(LIBCOMPAT) $(CC) $(CFLAGS) $(CPPFLAGS) $(LDFLAGS) -o $@ $< $(LIBCOMPAT) $(LIBS) t-exec: $(TESTPROGS) diff --git a/crypto/openssh/openbsd-compat/regress/opensslvertest.c b/crypto/openssh/openbsd-compat/regress/opensslvertest.c new file mode 100644 index 0000000..5d019b5 --- /dev/null +++ b/crypto/openssh/openbsd-compat/regress/opensslvertest.c @@ -0,0 +1,69 @@ +/* + * Copyright (c) 2014 Darren Tucker + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR + * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN + * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF + * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ + +#include <stdio.h> +#include <stdlib.h> + +int ssh_compatible_openssl(long, long); + +struct version_test { + long headerver; + long libver; + int result; +} version_tests[] = { + /* built with 0.9.8b release headers */ + { 0x0090802fL, 0x0090802fL, 1}, /* exact match */ + { 0x0090802fL, 0x0090804fL, 1}, /* newer library fix version: ok */ + { 0x0090802fL, 0x0090801fL, 1}, /* older library fix version: ok */ + { 0x0090802fL, 0x0090702fL, 0}, /* older library minor version: NO */ + { 0x0090802fL, 0x0090902fL, 0}, /* newer library minor version: NO */ + { 0x0090802fL, 0x0080802fL, 0}, /* older library major version: NO */ + { 0x0090802fL, 0x1000100fL, 0}, /* newer library major version: NO */ + + /* built with 1.0.1b release headers */ + { 0x1000101fL, 0x1000101fL, 1},/* exact match */ + { 0x1000101fL, 0x1000102fL, 1}, /* newer library patch version: ok */ + { 0x1000101fL, 0x1000100fL, 1}, /* older library patch version: ok */ + { 0x1000101fL, 0x1000201fL, 1}, /* newer library fix version: ok */ + { 0x1000101fL, 0x1000001fL, 0}, /* older library fix version: NO */ + { 0x1000101fL, 0x1010101fL, 0}, /* newer library minor version: NO */ + { 0x1000101fL, 0x0000101fL, 0}, /* older library major version: NO */ + { 0x1000101fL, 0x2000101fL, 0}, /* newer library major version: NO */ +}; + +void +fail(long hver, long lver, int result) +{ + fprintf(stderr, "opensslver: header %lx library %lx != %d \n", hver, lver, result); + exit(1); +} + +int +main(void) +{ + unsigned int i; + int res; + long hver, lver; + + for (i = 0; i < sizeof(version_tests) / sizeof(version_tests[0]); i++) { + hver = version_tests[i].headerver; + lver = version_tests[i].libver; + res = version_tests[i].result; + if (ssh_compatible_openssl(hver, lver) != res) + fail(hver, lver, res); + } + exit(0); +} |