Remove workarounds for OpenSSL missing AES-GCM.

We have some compatibility hacks that were added to support OpenSSL
versions that do not support AES GCM mode.  Since that time, however,
the minimum OpenSSL version that we support has moved to 1.0.1 which
*does* have GCM, so this is no longer needed.  ok djm@

diff --git a/cipher.c b/cipher.c
index 5b3a86d69219df807a5e78c576624d39788d18f8..623f6afcd6d55742bf334214218b8cfc099ae0d0 100644 (file)
--- a/cipher.c
+++ b/cipher.c
@@ -94,12 +94,10 @@ static const struct sshcipher ciphers[] = {
        { "aes128-ctr",         16, 16, 0, 0, 0, EVP_aes_128_ctr },
        { "aes192-ctr",         16, 24, 0, 0, 0, EVP_aes_192_ctr },
        { "aes256-ctr",         16, 32, 0, 0, 0, EVP_aes_256_ctr },
-# ifdef OPENSSL_HAVE_EVPGCM
        { "aes128-gcm@openssh.com",
                                16, 16, 12, 16, 0, EVP_aes_128_gcm },
        { "aes256-gcm@openssh.com",
                                16, 32, 12, 16, 0, EVP_aes_256_gcm },
-# endif /* OPENSSL_HAVE_EVPGCM */
 #else
        { "aes128-ctr",         16, 16, 0, 0, CFLAG_AESCTR, NULL },
        { "aes192-ctr",         16, 24, 0, 0, CFLAG_AESCTR, NULL },

diff --git a/configure.ac b/configure.ac
index 3e9fd7005d28e63d713e4ffcfc352f6507f852c1..f618300ff7458c11b01100393281d6abe3033465 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -2892,7 +2892,6 @@ if test "x$openssl" = "xyes" ; then
                BN_is_prime_ex \
                DES_crypt \
                DSA_generate_parameters_ex \
-               EVP_CIPHER_CTX_ctrl \
                EVP_DigestFinal_ex \
                EVP_DigestInit_ex \
                EVP_MD_CTX_cleanup \
@@ -3009,35 +3008,6 @@ if test "x$openssl" = "xyes" ; then
                ]
        )
 
-       # Check for OpenSSL with EVP_aes_*gcm
-       AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
-       AC_LINK_IFELSE(
-               [AC_LANG_PROGRAM([[
-       #include <stdlib.h>
-       #include <string.h>
-       #include <openssl/evp.h>
-               ]], [[
-               exit(EVP_aes_128_gcm() == NULL ||
-                   EVP_aes_256_gcm() == NULL ||
-                   EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
-                   EVP_CTRL_GCM_IV_GEN == 0 ||
-                   EVP_CTRL_GCM_SET_TAG == 0 ||
-                   EVP_CTRL_GCM_GET_TAG == 0 ||
-                   EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
-               ]])],
-               [
-                       AC_MSG_RESULT([yes])
-                       AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
-                           [libcrypto has EVP AES GCM])
-               ],
-               [
-                       AC_MSG_RESULT([no])
-                       unsupported_algorithms="$unsupported_cipers \
-                          aes128-gcm@openssh.com \
-                          aes256-gcm@openssh.com"
-               ]
-       )
-
        AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
        AC_LINK_IFELSE(
                [AC_LANG_PROGRAM([[

diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 8ca50b5ace630d2f96acf35a37ba39f99cdab449..a60df12577e3094b32cc5b5b8b95522b85bc337e 100644 (file)
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -76,23 +76,6 @@ const EVP_CIPHER *evp_aes_128_ctr(void);
 void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 #endif
 
-/* Avoid some #ifdef. Code that uses these is unreachable without GCM */
-#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED)
-# define EVP_CTRL_GCM_SET_IV_FIXED -1
-# define EVP_CTRL_GCM_IV_GEN -1
-# define EVP_CTRL_GCM_SET_TAG -1
-# define EVP_CTRL_GCM_GET_TAG -1
-#endif
-
-/* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */
-#ifndef HAVE_EVP_CIPHER_CTX_CTRL
-# ifdef OPENSSL_HAVE_EVPGCM
-#  error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */
-# else
-# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)
-# endif
-#endif
-
 /* LibreSSL/OpenSSL 1.1x API compat */
 #ifndef HAVE_DSA_GET0_PQG
 void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,