[openssh-commits] [openssh] 01/02: Remove workarounds for OpenSSL missing AES-GCM.

git+noreply at mindrot.org git+noreply at mindrot.org
Mon Jul 25 22:20:23 AEST 2022


This is an automated email from the git hooks/post-receive script.

dtucker pushed a commit to branch master
in repository openssh.

commit b7c56b65c12f51fe0dbae798d19c8f58224a5d95
Author: Darren Tucker <dtucker at dtucker.net>
Date:   Mon Jul 25 21:43:00 2022 +1000

    Remove workarounds for OpenSSL missing AES-GCM.
    
    We have some compatibility hacks that were added to support OpenSSL
    versions that do not support AES GCM mode.  Since that time, however,
    the minimum OpenSSL version that we support has moved to 1.0.1 which
    *does* have GCM, so this is no longer needed.  ok djm@
---
 cipher.c                        |  2 --
 configure.ac                    | 30 ------------------------------
 openbsd-compat/openssl-compat.h | 17 -----------------
 3 files changed, 49 deletions(-)

diff --git a/cipher.c b/cipher.c
index 5b3a86d6..623f6afc 100644
--- a/cipher.c
+++ b/cipher.c
@@ -94,12 +94,10 @@ static const struct sshcipher ciphers[] = {
 	{ "aes128-ctr",		16, 16, 0, 0, 0, EVP_aes_128_ctr },
 	{ "aes192-ctr",		16, 24, 0, 0, 0, EVP_aes_192_ctr },
 	{ "aes256-ctr",		16, 32, 0, 0, 0, EVP_aes_256_ctr },
-# ifdef OPENSSL_HAVE_EVPGCM
 	{ "aes128-gcm at openssh.com",
 				16, 16, 12, 16, 0, EVP_aes_128_gcm },
 	{ "aes256-gcm at openssh.com",
 				16, 32, 12, 16, 0, EVP_aes_256_gcm },
-# endif /* OPENSSL_HAVE_EVPGCM */
 #else
 	{ "aes128-ctr",		16, 16, 0, 0, CFLAG_AESCTR, NULL },
 	{ "aes192-ctr",		16, 24, 0, 0, CFLAG_AESCTR, NULL },
diff --git a/configure.ac b/configure.ac
index 3e9fd700..f618300f 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2892,7 +2892,6 @@ if test "x$openssl" = "xyes" ; then
 		BN_is_prime_ex \
 		DES_crypt \
 		DSA_generate_parameters_ex \
-		EVP_CIPHER_CTX_ctrl \
 		EVP_DigestFinal_ex \
 		EVP_DigestInit_ex \
 		EVP_MD_CTX_cleanup \
@@ -3009,35 +3008,6 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 
-	# Check for OpenSSL with EVP_aes_*gcm
-	AC_MSG_CHECKING([whether OpenSSL has AES GCM via EVP])
-	AC_LINK_IFELSE(
-		[AC_LANG_PROGRAM([[
-	#include <stdlib.h>
-	#include <string.h>
-	#include <openssl/evp.h>
-		]], [[
-		exit(EVP_aes_128_gcm() == NULL ||
-		    EVP_aes_256_gcm() == NULL ||
-		    EVP_CTRL_GCM_SET_IV_FIXED == 0 ||
-		    EVP_CTRL_GCM_IV_GEN == 0 ||
-		    EVP_CTRL_GCM_SET_TAG == 0 ||
-		    EVP_CTRL_GCM_GET_TAG == 0 ||
-		    EVP_CIPHER_CTX_ctrl(NULL, 0, 0, NULL) == 0);
-		]])],
-		[
-			AC_MSG_RESULT([yes])
-			AC_DEFINE([OPENSSL_HAVE_EVPGCM], [1],
-			    [libcrypto has EVP AES GCM])
-		],
-		[
-			AC_MSG_RESULT([no])
-			unsupported_algorithms="$unsupported_cipers \
-			   aes128-gcm at openssh.com \
-			   aes256-gcm at openssh.com"
-		]
-	)
-
 	AC_MSG_CHECKING([if EVP_DigestUpdate returns an int])
 	AC_LINK_IFELSE(
 		[AC_LANG_PROGRAM([[
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 8ca50b5a..a60df125 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -76,23 +76,6 @@ const EVP_CIPHER *evp_aes_128_ctr(void);
 void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, int, u_char *, size_t);
 #endif
 
-/* Avoid some #ifdef. Code that uses these is unreachable without GCM */
-#if !defined(OPENSSL_HAVE_EVPGCM) && !defined(EVP_CTRL_GCM_SET_IV_FIXED)
-# define EVP_CTRL_GCM_SET_IV_FIXED -1
-# define EVP_CTRL_GCM_IV_GEN -1
-# define EVP_CTRL_GCM_SET_TAG -1
-# define EVP_CTRL_GCM_GET_TAG -1
-#endif
-
-/* Replace missing EVP_CIPHER_CTX_ctrl() with something that returns failure */
-#ifndef HAVE_EVP_CIPHER_CTX_CTRL
-# ifdef OPENSSL_HAVE_EVPGCM
-#  error AES-GCM enabled without EVP_CIPHER_CTX_ctrl /* shouldn't happen */
-# else
-# define EVP_CIPHER_CTX_ctrl(a,b,c,d) (0)
-# endif
-#endif
-
 /* LibreSSL/OpenSSL 1.1x API compat */
 #ifndef HAVE_DSA_GET0_PQG
 void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list