Remove workarounds for OpenSSL missing AES-CTR.
authorDarren Tucker <dtucker@dtucker.net>
Mon, 25 Jul 2022 11:49:04 +0000 (21:49 +1000)
committerDarren Tucker <dtucker@dtucker.net>
Mon, 25 Jul 2022 11:49:04 +0000 (21:49 +1000)
We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES CTR mode.  Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have CTR, so this is no longer needed.  ok djm@

.depend
Makefile.in
cipher-ctr.c [deleted file]
cipher.c
configure.ac
openbsd-compat/openssl-compat.h

diff --git a/.depend b/.depend
index cd38d15f8f52d2225a17c35d8c2c87ac2a0eb394..0661aba3dd75994d51b9c004fa3d601fb5e68671 100644 (file)
--- a/.depend
+++ b/.depend
@@ -39,7 +39,6 @@ cipher-aes.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-co
 cipher-aesctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher-aesctr.h rijndael.h
 cipher-chachapoly-libcrypto.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 cipher-chachapoly.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h sshbuf.h cipher-chachapoly.h chacha.h poly1305.h
-cipher-ctr.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h
 cipher.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h misc.h sshbuf.h ssherr.h digest.h openbsd-compat/openssl-compat.h
 cleanup.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h log.h ssherr.h
 clientloop.o: includes.h config.h defines.h platform.h openbsd-compat/openbsd-compat.h openbsd-compat/base64.h openbsd-compat/sigact.h openbsd-compat/readpassphrase.h openbsd-compat/vis.h openbsd-compat/getrrsetbyname.h openbsd-compat/sha1.h openbsd-compat/sha2.h openbsd-compat/md5.h openbsd-compat/blf.h openbsd-compat/fnmatch.h openbsd-compat/getopt.h openbsd-compat/bsd-signal.h openbsd-compat/bsd-misc.h openbsd-compat/bsd-setres_id.h openbsd-compat/bsd-statvfs.h openbsd-compat/bsd-waitpid.h openbsd-compat/bsd-poll.h openbsd-compat/fake-rfc2553.h openbsd-compat/bsd-cygwin_util.h openbsd-compat/port-aix.h openbsd-compat/port-irix.h openbsd-compat/port-linux.h openbsd-compat/port-solaris.h openbsd-compat/port-net.h openbsd-compat/port-uw.h openbsd-compat/bsd-nextstep.h entropy.h openbsd-compat/sys-queue.h xmalloc.h ssh.h ssh2.h packet.h dispatch.h sshbuf.h compat.h channels.h sshkey.h cipher.h cipher-chachapoly.h chacha.h poly1305.h cipher-aesctr.h rijndael.h kex.h mac.h crypto_api.h
index 3c28568293c6397476c8d0475399500ee20a5771..a5c292bda3f4dd90a850dc70bb315620523c7191 100644 (file)
@@ -94,7 +94,7 @@ LIBOPENSSH_OBJS=\
 LIBSSH_OBJS=${LIBOPENSSH_OBJS} \
        authfd.o authfile.o \
        canohost.o channels.o cipher.o cipher-aes.o cipher-aesctr.o \
-       cipher-ctr.o cleanup.o \
+       cleanup.o \
        compat.o fatal.o hostfile.o \
        log.o match.o moduli.o nchan.o packet.o \
        readpass.o ttymodes.o xmalloc.o addr.o addrmatch.o \
diff --git a/cipher-ctr.c b/cipher-ctr.c
deleted file mode 100644 (file)
index 32771f2..0000000
+++ /dev/null
@@ -1,146 +0,0 @@
-/* $OpenBSD: cipher-ctr.c,v 1.11 2010/10/01 23:05:32 djm Exp $ */
-/*
- * Copyright (c) 2003 Markus Friedl <markus@openbsd.org>
- *
- * Permission to use, copy, modify, and distribute this software for any
- * purpose with or without fee is hereby granted, provided that the above
- * copyright notice and this permission notice appear in all copies.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
- * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
- * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
- * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
- * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
- * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
- * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
- */
-#include "includes.h"
-
-#if defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR)
-#include <sys/types.h>
-
-#include <stdarg.h>
-#include <string.h>
-
-#include <openssl/evp.h>
-
-#include "xmalloc.h"
-#include "log.h"
-
-/* compatibility with old or broken OpenSSL versions */
-#include "openbsd-compat/openssl-compat.h"
-
-#ifndef USE_BUILTIN_RIJNDAEL
-#include <openssl/aes.h>
-#endif
-
-struct ssh_aes_ctr_ctx
-{
-       AES_KEY         aes_ctx;
-       u_char          aes_counter[AES_BLOCK_SIZE];
-};
-
-/*
- * increment counter 'ctr',
- * the counter is of size 'len' bytes and stored in network-byte-order.
- * (LSB at ctr[len-1], MSB at ctr[0])
- */
-static void
-ssh_ctr_inc(u_char *ctr, size_t len)
-{
-       int i;
-
-       for (i = len - 1; i >= 0; i--)
-               if (++ctr[i])   /* continue on overflow */
-                       return;
-}
-
-static int
-ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    LIBCRYPTO_EVP_INL_TYPE len)
-{
-       struct ssh_aes_ctr_ctx *c;
-       size_t n = 0;
-       u_char buf[AES_BLOCK_SIZE];
-
-       if (len == 0)
-               return (1);
-       if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
-               return (0);
-
-       while ((len--) > 0) {
-               if (n == 0) {
-                       AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
-                       ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
-               }
-               *(dest++) = *(src++) ^ buf[n];
-               n = (n + 1) % AES_BLOCK_SIZE;
-       }
-       return (1);
-}
-
-static int
-ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
-    int enc)
-{
-       struct ssh_aes_ctr_ctx *c;
-
-       if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL) {
-               c = xmalloc(sizeof(*c));
-               EVP_CIPHER_CTX_set_app_data(ctx, c);
-       }
-       if (key != NULL)
-               AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
-                   &c->aes_ctx);
-       if (iv != NULL)
-               memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
-       return (1);
-}
-
-static int
-ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
-{
-       struct ssh_aes_ctr_ctx *c;
-
-       if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
-               memset(c, 0, sizeof(*c));
-               free(c);
-               EVP_CIPHER_CTX_set_app_data(ctx, NULL);
-       }
-       return (1);
-}
-
-void
-ssh_aes_ctr_iv(EVP_CIPHER_CTX *evp, int doset, u_char * iv, size_t len)
-{
-       struct ssh_aes_ctr_ctx *c;
-
-       if ((c = EVP_CIPHER_CTX_get_app_data(evp)) == NULL)
-               fatal("ssh_aes_ctr_iv: no context");
-       if (doset)
-               memcpy(c->aes_counter, iv, len);
-       else
-               memcpy(iv, c->aes_counter, len);
-}
-
-const EVP_CIPHER *
-evp_aes_128_ctr(void)
-{
-       static EVP_CIPHER aes_ctr;
-
-       memset(&aes_ctr, 0, sizeof(EVP_CIPHER));
-       aes_ctr.nid = NID_undef;
-       aes_ctr.block_size = AES_BLOCK_SIZE;
-       aes_ctr.iv_len = AES_BLOCK_SIZE;
-       aes_ctr.key_len = 16;
-       aes_ctr.init = ssh_aes_ctr_init;
-       aes_ctr.cleanup = ssh_aes_ctr_cleanup;
-       aes_ctr.do_cipher = ssh_aes_ctr;
-#ifndef SSH_OLD_EVP
-       aes_ctr.flags = EVP_CIPH_CBC_MODE | EVP_CIPH_VARIABLE_LENGTH |
-           EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CUSTOM_IV;
-#endif
-       return (&aes_ctr);
-}
-
-#endif /* defined(WITH_OPENSSL) && !defined(OPENSSL_HAVE_EVPCTR) */
index 623f6afcd6d55742bf334214218b8cfc099ae0d0..02aea4089ff91a51ceb11c33e6a0ad907aff5fd1 100644 (file)
--- a/cipher.c
+++ b/cipher.c
@@ -485,11 +485,6 @@ cipher_get_keyiv(struct sshcipher_ctx *cc, u_char *iv, size_t len)
                return SSH_ERR_LIBCRYPTO_ERROR;
        if ((size_t)evplen != len)
                return SSH_ERR_INVALID_ARGUMENT;
-#ifndef OPENSSL_HAVE_EVPCTR
-       if (c->evptype == evp_aes_128_ctr)
-               ssh_aes_ctr_iv(cc->evp, 0, iv, len);
-       else
-#endif
        if (cipher_authlen(c)) {
                if (!EVP_CIPHER_CTX_ctrl(cc->evp, EVP_CTRL_GCM_IV_GEN,
                    len, iv))
@@ -519,12 +514,6 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv, size_t len)
                return SSH_ERR_LIBCRYPTO_ERROR;
        if ((size_t)evplen != len)
                return SSH_ERR_INVALID_ARGUMENT;
-#ifndef OPENSSL_HAVE_EVPCTR
-       /* XXX iv arg is const, but ssh_aes_ctr_iv isn't */
-       if (c->evptype == evp_aes_128_ctr)
-               ssh_aes_ctr_iv(cc->evp, 1, (u_char *)iv, evplen);
-       else
-#endif
        if (cipher_authlen(c)) {
                /* XXX iv arg is const, but EVP_CIPHER_CTX_ctrl isn't */
                if (!EVP_CIPHER_CTX_ctrl(cc->evp,
index f618300ff7458c11b01100393281d6abe3033465..922195e1bf2c5c71f38b14b66086c45bd7851297 100644 (file)
@@ -2986,28 +2986,6 @@ if test "x$openssl" = "xyes" ; then
                ]
        )
 
-       # Check for OpenSSL with EVP_aes_*ctr
-       AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
-       AC_LINK_IFELSE(
-               [AC_LANG_PROGRAM([[
-       #include <stdlib.h>
-       #include <string.h>
-       #include <openssl/evp.h>
-               ]], [[
-               exit(EVP_aes_128_ctr() == NULL ||
-                   EVP_aes_192_cbc() == NULL ||
-                   EVP_aes_256_cbc() == NULL);
-               ]])],
-               [
-                       AC_MSG_RESULT([yes])
-                       AC_DEFINE([OPENSSL_HAVE_EVPCTR], [1],
-                           [libcrypto has EVP AES CTR])
-               ],
-               [
-                       AC_MSG_RESULT([no])
-               ]
-       )
-
        AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
        AC_LINK_IFELSE(
                [AC_LANG_PROGRAM([[
index a60df12577e3094b32cc5b5b8b95522b85bc337e..61a69dd56eb2a4ca893456038a06a59ae1348164 100644 (file)
@@ -68,14 +68,6 @@ void ssh_libcrypto_init(void);
 # endif
 #endif
 
-#ifndef OPENSSL_HAVE_EVPCTR
-# define EVP_aes_128_ctr evp_aes_128_ctr
-# define EVP_aes_192_ctr evp_aes_128_ctr
-# define EVP_aes_256_ctr evp_aes_128_ctr
-const EVP_CIPHER *evp_aes_128_ctr(void);
-void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
-#endif
-
 /* LibreSSL/OpenSSL 1.1x API compat */
 #ifndef HAVE_DSA_GET0_PQG
 void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,