- (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have

   the required OpenSSL support.  Patch from naddy at freebsd.

diff --git a/ChangeLog b/ChangeLog
index f5e2df0d0277c3e6b0333f2696a8057b6bcd3b32..fd88e094bc686f02e259cc93e299b2c408367df8 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+20130610
+ - (dtucker) [myproposal.h] Do not advertise AES GSM ciphers if we don't have
+   the required OpenSSL support.  Patch from naddy at freebsd.
+
 20130516
  - (djm) [contrib/ssh-copy-id] Fix bug that could cause "rm *" to be
    executed if mktemp failed; bz#2105 ok dtucker@

diff --git a/myproposal.h b/myproposal.h
index 99d0934619951ce0b46a5e3577ac624368a0dbb3..05b17dbb93551830c90743fec01ce2c82dc2e980 100644 (file)
--- a/myproposal.h
+++ b/myproposal.h
@@ -45,6 +45,13 @@
 # define HOSTKEY_ECDSA_METHODS
 #endif
 
+#ifdef OPENSSL_HAVE_EVPGCM
+# define AESGCM_CIPHER_MODES \
+       "aes128-gcm@openssh.com,aes256-gcm@openssh.com,"
+#else
+# define AESGCM_CIPHER_MODES
+#endif
+
 /* Old OpenSSL doesn't support what we need for DHGEX-sha256 */
 #if OPENSSL_VERSION_NUMBER >= 0x00907000L
 # define KEX_SHA256_METHODS \
@@ -73,7 +80,7 @@
 #define        KEX_DEFAULT_ENCRYPT \
        "aes128-ctr,aes192-ctr,aes256-ctr," \
        "arcfour256,arcfour128," \
-       "aes128-gcm@openssh.com,aes256-gcm@openssh.com," \
+       AESGCM_CIPHER_MODES \
        "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
        "aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se"
 #ifdef HAVE_EVP_SHA256