[openssh-commits] [openssh] 01/01: remove support for old libcrypto

git+noreply at mindrot.org git+noreply at mindrot.org
Fri Mar 24 13:57:13 AEDT 2023


This is an automated email from the git hooks/post-receive script.

djm pushed a commit to branch master
in repository openssh.

commit 7280401bdd77ca54be6867a154cc01e0d72612e0
Author: Damien Miller <djm at mindrot.org>
Date:   Fri Mar 24 13:56:25 2023 +1100

    remove support for old libcrypto
    
    OpenSSH now requires LibreSSL 3.1.0 or greater or
    OpenSSL 1.1.1 or greater
    
    with/ok dtucker@
---
 .github/workflows/c-cpp.yml          |   7 -
 INSTALL                              |   8 +-
 cipher-aes.c                         |   2 +-
 configure.ac                         |  96 ++----
 openbsd-compat/libressl-api-compat.c | 556 +----------------------------------
 openbsd-compat/openssl-compat.h      | 151 +---------
 6 files changed, 40 insertions(+), 780 deletions(-)

diff --git a/.github/workflows/c-cpp.yml b/.github/workflows/c-cpp.yml
index 3d9aa22d..d299a324 100644
--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -47,9 +47,6 @@ jobs:
           - { target: ubuntu-20.04, config: tcmalloc }
           - { target: ubuntu-20.04, config: musl }
           - { target: ubuntu-latest, config: libressl-master }
-          - { target: ubuntu-latest, config: libressl-2.2.9 }
-          - { target: ubuntu-latest, config: libressl-2.8.3 }
-          - { target: ubuntu-latest, config: libressl-3.0.2 }
           - { target: ubuntu-latest, config: libressl-3.2.6 }
           - { target: ubuntu-latest, config: libressl-3.3.6 }
           - { target: ubuntu-latest, config: libressl-3.4.3 }
@@ -58,10 +55,6 @@ jobs:
           - { target: ubuntu-latest, config: libressl-3.7.1 }
           - { target: ubuntu-latest, config: openssl-master }
           - { target: ubuntu-latest, config: openssl-noec }
-          - { target: ubuntu-latest, config: openssl-1.0.1 }
-          - { target: ubuntu-latest, config: openssl-1.0.1u }
-          - { target: ubuntu-latest, config: openssl-1.0.2u }
-          - { target: ubuntu-latest, config: openssl-1.1.0h }
           - { target: ubuntu-latest, config: openssl-1.1.1 }
           - { target: ubuntu-latest, config: openssl-1.1.1k }
           - { target: ubuntu-latest, config: openssl-1.1.1n }
diff --git a/INSTALL b/INSTALL
index 68b15e13..f99d1e2a 100644
--- a/INSTALL
+++ b/INSTALL
@@ -21,12 +21,8 @@ https://zlib.net/
 
 libcrypto from either of LibreSSL or OpenSSL.  Building without libcrypto
 is supported but severely restricts the available ciphers and algorithms.
- - LibreSSL (https://www.libressl.org/)
- - OpenSSL (https://www.openssl.org) with any of the following versions:
-   - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
-
-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
-1.1.0g can't be used.
+ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
+ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
 
 LibreSSL/OpenSSL should be compiled as a position-independent library
 (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"
diff --git a/cipher-aes.c b/cipher-aes.c
index 8b101727..87c76335 100644
--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
 
 static int
 ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-    LIBCRYPTO_EVP_INL_TYPE len)
+    size_t len)
 {
 	struct ssh_rijndael_ctx *c;
 	u_char buf[RIJNDAEL_BLOCKSIZE];
diff --git a/configure.ac b/configure.ac
index 22fee70f..1c0ccdf1 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then
 	#include <openssl/crypto.h>
 	#define DATA "conftest.ssllibver"
 		]], [[
-		FILE *fd;
-		int rc;
+		FILE *f;
 
-		fd = fopen(DATA,"w");
-		if(fd == NULL)
+		if ((f = fopen(DATA, "w")) == NULL)
 			exit(1);
-#ifndef OPENSSL_VERSION
-# define OPENSSL_VERSION SSLEAY_VERSION
-#endif
-#ifndef HAVE_OPENSSL_VERSION
-# define OpenSSL_version	SSLeay_version
-#endif
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num	SSLeay
-#endif
-		if ((rc = fprintf(fd, "%08lx (%s)\n",
+		if (fprintf(f, "%08lx (%s)",
 		    (unsigned long)OpenSSL_version_num(),
-		    OpenSSL_version(OPENSSL_VERSION))) < 0)
+		    OpenSSL_version(OPENSSL_VERSION)) < 0)
+			exit(1);
+#ifdef LIBRESSL_VERSION_NUMBER
+		if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
+			exit(1);
+#endif
+		if (fputc('\n', f) == EOF || fclose(f) == EOF)
 			exit(1);
-
 		exit(0);
 		]])],
 		[
-			ssl_library_ver=`cat conftest.ssllibver`
+			sslver=`cat conftest.ssllibver`
+			ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
 			# Check version is supported.
-			case "$ssl_library_ver" in
-			10000*|0*)
-				AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
-		                ;;
-			100*)   ;; # 1.0.x
-			101000[[0123456]]*)
-				# https://github.com/openssl/openssl/pull/4613
-				AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
+			case "$sslver" in
+			100*|10100*) # 1.0.x, 1.1.0x
+				AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
 				;;
 			101*)   ;; # 1.1.x
-			200*)   ;; # LibreSSL
+			200*)   # LibreSSL
+				lver=`echo "$sslver" | sed 's/.*libressl-//'`
+				case "$lver" in
+				2*|300*) # 2.x, 3.0.0
+					AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
+					;;
+				*) ;;	# Assume all other versions are good.
+				esac
+				;;
 			300*)
 				# OpenSSL 3; we use the 1.1x API
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then
 				CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
 				;;
 		        *)
-				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
+				AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
 		                ;;
 			esac
-			AC_MSG_RESULT([$ssl_library_ver])
+			AC_MSG_RESULT([$ssl_showver])
 		],
 		[
 			AC_MSG_RESULT([not found])
@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then
 
 	case "$host" in
 	x86_64-*)
-		case "$ssl_library_ver" in
+		case "$sslver" in
 		3000004*)
 			AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
 			;;
@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then
 	#include <openssl/opensslv.h>
 	#include <openssl/crypto.h>
 		]], [[
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num	SSLeay
-#endif
 		exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
 		]])],
 		[
@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then
 	    )
 	)
 
-	# LibreSSL/OpenSSL 1.1x API
+	# LibreSSL/OpenSSL API differences
 	AC_CHECK_FUNCS([ \
-		OPENSSL_init_crypto \
-		DH_get0_key \
-		DH_get0_pqg \
-		DH_set0_key \
-		DH_set_length \
-		DH_set0_pqg \
-		DSA_get0_key \
-		DSA_get0_pqg \
-		DSA_set0_key \
-		DSA_set0_pqg \
-		DSA_SIG_get0 \
-		DSA_SIG_set0 \
-		ECDSA_SIG_get0 \
-		ECDSA_SIG_set0 \
 		EVP_CIPHER_CTX_iv \
 		EVP_CIPHER_CTX_iv_noconst \
 		EVP_CIPHER_CTX_get_iv \
 		EVP_CIPHER_CTX_get_updated_iv \
 		EVP_CIPHER_CTX_set_iv \
-		RSA_get0_crt_params \
-		RSA_get0_factors \
-		RSA_get0_key \
-		RSA_set0_crt_params \
-		RSA_set0_factors \
-		RSA_set0_key \
-		RSA_meth_free \
-		RSA_meth_dup \
-		RSA_meth_set1_name \
-		RSA_meth_get_finish \
-		RSA_meth_set_priv_enc \
-		RSA_meth_set_priv_dec \
-		RSA_meth_set_finish \
-		EVP_PKEY_get0_RSA \
-		EVP_MD_CTX_new \
-		EVP_MD_CTX_free \
-		EVP_chacha20 \
 	])
 
 	if test "x$openssl_engine" = "xyes" ; then
@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 
-	# Check for SHA256, SHA384 and SHA512 support in OpenSSL
-	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
+	# Check for various EVP support in OpenSSL
+	AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
 
 	# Check complete ECC support in OpenSSL
 	AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])
diff --git a/openbsd-compat/libressl-api-compat.c b/openbsd-compat/libressl-api-compat.c
index 498180dc..59be1739 100644
--- a/openbsd-compat/libressl-api-compat.c
+++ b/openbsd-compat/libressl-api-compat.c
@@ -1,129 +1,5 @@
-/* $OpenBSD: dsa_lib.c,v 1.29 2018/04/14 07:09:21 tb Exp $ */
-/* $OpenBSD: rsa_lib.c,v 1.37 2018/04/14 07:09:21 tb Exp $ */
-/* $OpenBSD: evp_lib.c,v 1.17 2018/09/12 06:35:38 djm Exp $ */
-/* $OpenBSD: dh_lib.c,v 1.32 2018/05/02 15:48:38 tb Exp $ */
-/* $OpenBSD: p_lib.c,v 1.24 2018/05/30 15:40:50 tb Exp $ */
-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
-/* Copyright (C) 1995-1998 Eric Young (eay at cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay at cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- *
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh at cryptsoft.com).
- *
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay at cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh at cryptsoft.com)"
- *
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- *
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-/* $OpenBSD: dsa_asn1.c,v 1.22 2018/06/14 17:03:19 jsing Exp $ */
-/* $OpenBSD: ecs_asn1.c,v 1.9 2018/03/17 15:24:44 tb Exp $ */
-/* $OpenBSD: digest.c,v 1.30 2018/04/14 07:09:21 tb Exp $ */
-/* Written by Dr Stephen N Henson (steve at openssl.org) for the OpenSSL
- * project 2000.
- */
-/* ====================================================================
- * Copyright (c) 2000-2005 The OpenSSL Project.  All rights reserved.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- *
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- *
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in
- *    the documentation and/or other materials provided with the
- *    distribution.
- *
- * 3. All advertising materials mentioning features or use of this
- *    software must display the following acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
- *
- * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
- *    endorse or promote products derived from this software without
- *    prior written permission. For written permission, please contact
- *    licensing at OpenSSL.org.
- *
- * 5. Products derived from this software may not be called "OpenSSL"
- *    nor may "OpenSSL" appear in their names without prior written
- *    permission of the OpenSSL Project.
- *
- * 6. Redistributions of any form whatsoever must retain the following
- *    acknowledgment:
- *    "This product includes software developed by the OpenSSL Project
- *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
- *
- * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
- * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
- * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
- * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
- * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
- * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
- * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
- * OF THE POSSIBILITY OF SUCH DAMAGE.
- * ====================================================================
- *
- * This product includes cryptographic software written by Eric Young
- * (eay at cryptsoft.com).  This product includes software written by Tim
- * Hudson (tjh at cryptsoft.com).
- *
- */
-
-/*	$OpenBSD: rsa_meth.c,v 1.2 2018/09/12 06:35:38 djm Exp $	*/
 /*
- * Copyright (c) 2018 Theo Buehler <tb at openbsd.org>
+ * Copyright (c) 2018 Damien Miller <djm at mindrot.org>
  *
  * Permission to use, copy, modify, and distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -147,192 +23,7 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include <openssl/err.h>
-#include <openssl/bn.h>
-#include <openssl/dsa.h>
-#include <openssl/rsa.h>
 #include <openssl/evp.h>
-#ifdef OPENSSL_HAS_ECC
-#include <openssl/ecdsa.h>
-#endif
-#include <openssl/dh.h>
-
-#ifndef HAVE_DSA_GET0_PQG
-void
-DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-{
-	if (p != NULL)
-		*p = d->p;
-	if (q != NULL)
-		*q = d->q;
-	if (g != NULL)
-		*g = d->g;
-}
-#endif /* HAVE_DSA_GET0_PQG */
-
-#ifndef HAVE_DSA_SET0_PQG
-int
-DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
-	if ((d->p == NULL && p == NULL) || (d->q == NULL && q == NULL) ||
-	    (d->g == NULL && g == NULL))
-		return 0;
-
-	if (p != NULL) {
-		BN_free(d->p);
-		d->p = p;
-	}
-	if (q != NULL) {
-		BN_free(d->q);
-		d->q = q;
-	}
-	if (g != NULL) {
-		BN_free(d->g);
-		d->g = g;
-	}
-
-	return 1;
-}
-#endif /* HAVE_DSA_SET0_PQG */
-
-#ifndef HAVE_DSA_GET0_KEY
-void
-DSA_get0_key(const DSA *d, const BIGNUM **pub_key, const BIGNUM **priv_key)
-{
-	if (pub_key != NULL)
-		*pub_key = d->pub_key;
-	if (priv_key != NULL)
-		*priv_key = d->priv_key;
-}
-#endif /* HAVE_DSA_GET0_KEY */
-
-#ifndef HAVE_DSA_SET0_KEY
-int
-DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key)
-{
-	if (d->pub_key == NULL && pub_key == NULL)
-		return 0;
-
-	if (pub_key != NULL) {
-		BN_free(d->pub_key);
-		d->pub_key = pub_key;
-	}
-	if (priv_key != NULL) {
-		BN_free(d->priv_key);
-		d->priv_key = priv_key;
-	}
-
-	return 1;
-}
-#endif /* HAVE_DSA_SET0_KEY */
-
-#ifndef HAVE_RSA_GET0_KEY
-void
-RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
-{
-	if (n != NULL)
-		*n = r->n;
-	if (e != NULL)
-		*e = r->e;
-	if (d != NULL)
-		*d = r->d;
-}
-#endif /* HAVE_RSA_GET0_KEY */
-
-#ifndef HAVE_RSA_SET0_KEY
-int
-RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d)
-{
-	if ((r->n == NULL && n == NULL) || (r->e == NULL && e == NULL))
-		return 0;
-
-	if (n != NULL) {
-		BN_free(r->n);
-		r->n = n;
-	}
-	if (e != NULL) {
-		BN_free(r->e);
-		r->e = e;
-	}
-	if (d != NULL) {
-		BN_free(r->d);
-		r->d = d;
-	}
-
-	return 1;
-}
-#endif /* HAVE_RSA_SET0_KEY */
-
-#ifndef HAVE_RSA_GET0_CRT_PARAMS
-void
-RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-    const BIGNUM **iqmp)
-{
-	if (dmp1 != NULL)
-		*dmp1 = r->dmp1;
-	if (dmq1 != NULL)
-		*dmq1 = r->dmq1;
-	if (iqmp != NULL)
-		*iqmp = r->iqmp;
-}
-#endif /* HAVE_RSA_GET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_SET0_CRT_PARAMS
-int
-RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp)
-{
-	if ((r->dmp1 == NULL && dmp1 == NULL) ||
-	    (r->dmq1 == NULL && dmq1 == NULL) ||
-	    (r->iqmp == NULL && iqmp == NULL))
-		return 0;
-
-	if (dmp1 != NULL) {
-		BN_free(r->dmp1);
-		r->dmp1 = dmp1;
-	}
-	if (dmq1 != NULL) {
-		BN_free(r->dmq1);
-		r->dmq1 = dmq1;
-	}
-	if (iqmp != NULL) {
-		BN_free(r->iqmp);
-		r->iqmp = iqmp;
-	}
-
-	return 1;
-}
-#endif /* HAVE_RSA_SET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_GET0_FACTORS
-void
-RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q)
-{
-	if (p != NULL)
-		*p = r->p;
-	if (q != NULL)
-		*q = r->q;
-}
-#endif /* HAVE_RSA_GET0_FACTORS */
-
-#ifndef HAVE_RSA_SET0_FACTORS
-int
-RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q)
-{
-	if ((r->p == NULL && p == NULL) || (r->q == NULL && q == NULL))
-		return 0;
-
-	if (p != NULL) {
-		BN_free(r->p);
-		r->p = p;
-	}
-	if (q != NULL) {
-		BN_free(r->q);
-		r->q = q;
-	}
-
-	return 1;
-}
-#endif /* HAVE_RSA_SET0_FACTORS */
 
 #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
 int
@@ -392,249 +83,4 @@ EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx, const unsigned char *iv, size_t len)
 }
 #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
 
-#ifndef HAVE_DSA_SIG_GET0
-void
-DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-{
-	if (pr != NULL)
-		*pr = sig->r;
-	if (ps != NULL)
-		*ps = sig->s;
-}
-#endif /* HAVE_DSA_SIG_GET0 */
-
-#ifndef HAVE_DSA_SIG_SET0
-int
-DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-{
-	if (r == NULL || s == NULL)
-		return 0;
-
-	BN_clear_free(sig->r);
-	sig->r = r;
-	BN_clear_free(sig->s);
-	sig->s = s;
-
-	return 1;
-}
-#endif /* HAVE_DSA_SIG_SET0 */
-
-#ifdef OPENSSL_HAS_ECC
-#ifndef HAVE_ECDSA_SIG_GET0
-void
-ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps)
-{
-	if (pr != NULL)
-		*pr = sig->r;
-	if (ps != NULL)
-		*ps = sig->s;
-}
-#endif /* HAVE_ECDSA_SIG_GET0 */
-
-#ifndef HAVE_ECDSA_SIG_SET0
-int
-ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s)
-{
-	if (r == NULL || s == NULL)
-		return 0;
-
-	BN_clear_free(sig->r);
-	BN_clear_free(sig->s);
-	sig->r = r;
-	sig->s = s;
-	return 1;
-}
-#endif /* HAVE_ECDSA_SIG_SET0 */
-#endif /* OPENSSL_HAS_ECC */
-
-#ifndef HAVE_DH_GET0_PQG
-void
-DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g)
-{
-	if (p != NULL)
-		*p = dh->p;
-	if (q != NULL)
-		*q = dh->q;
-	if (g != NULL)
-		*g = dh->g;
-}
-#endif /* HAVE_DH_GET0_PQG */
-
-#ifndef HAVE_DH_SET0_PQG
-int
-DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g)
-{
-	if ((dh->p == NULL && p == NULL) || (dh->g == NULL && g == NULL))
-		return 0;
-
-	if (p != NULL) {
-		BN_free(dh->p);
-		dh->p = p;
-	}
-	if (q != NULL) {
-		BN_free(dh->q);
-		dh->q = q;
-	}
-	if (g != NULL) {
-		BN_free(dh->g);
-		dh->g = g;
-	}
-
-	return 1;
-}
-#endif /* HAVE_DH_SET0_PQG */
-
-#ifndef HAVE_DH_GET0_KEY
-void
-DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key)
-{
-	if (pub_key != NULL)
-		*pub_key = dh->pub_key;
-	if (priv_key != NULL)
-		*priv_key = dh->priv_key;
-}
-#endif /* HAVE_DH_GET0_KEY */
-
-#ifndef HAVE_DH_SET0_KEY
-int
-DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key)
-{
-	if (pub_key != NULL) {
-		BN_free(dh->pub_key);
-		dh->pub_key = pub_key;
-	}
-	if (priv_key != NULL) {
-		BN_free(dh->priv_key);
-		dh->priv_key = priv_key;
-	}
-
-	return 1;
-}
-#endif /* HAVE_DH_SET0_KEY */
-
-#ifndef HAVE_DH_SET_LENGTH
-int
-DH_set_length(DH *dh, long length)
-{
-	if (length < 0 || length > INT_MAX)
-		return 0;
-
-	dh->length = length;
-	return 1;
-}
-#endif /* HAVE_DH_SET_LENGTH */
-
-#ifndef HAVE_RSA_METH_FREE
-void
-RSA_meth_free(RSA_METHOD *meth)
-{
-	if (meth != NULL) {
-		free((char *)meth->name);
-		free(meth);
-	}
-}
-#endif /* HAVE_RSA_METH_FREE */
-
-#ifndef HAVE_RSA_METH_DUP
-RSA_METHOD *
-RSA_meth_dup(const RSA_METHOD *meth)
-{
-	RSA_METHOD *copy;
-
-	if ((copy = calloc(1, sizeof(*copy))) == NULL)
-		return NULL;
-	memcpy(copy, meth, sizeof(*copy));
-	if ((copy->name = strdup(meth->name)) == NULL) {
-		free(copy);
-		return NULL;
-	}
-
-	return copy;
-}
-#endif /* HAVE_RSA_METH_DUP */
-
-#ifndef HAVE_RSA_METH_SET1_NAME
-int
-RSA_meth_set1_name(RSA_METHOD *meth, const char *name)
-{
-	char *copy;
-
-	if ((copy = strdup(name)) == NULL)
-		return 0;
-	free((char *)meth->name);
-	meth->name = copy;
-	return 1;
-}
-#endif /* HAVE_RSA_METH_SET1_NAME */
-
-#ifndef HAVE_RSA_METH_GET_FINISH
-int
-(*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa)
-{
-	return meth->finish;
-}
-#endif /* HAVE_RSA_METH_GET_FINISH */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_ENC
-int
-RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
-    const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
-	meth->rsa_priv_enc = priv_enc;
-	return 1;
-}
-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_DEC
-int
-RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
-    const unsigned char *from, unsigned char *to, RSA *rsa, int padding))
-{
-	meth->rsa_priv_dec = priv_dec;
-	return 1;
-}
-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
-
-#ifndef HAVE_RSA_METH_SET_FINISH
-int
-RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa))
-{
-	meth->finish = finish;
-	return 1;
-}
-#endif /* HAVE_RSA_METH_SET_FINISH */
-
-#ifndef HAVE_EVP_PKEY_GET0_RSA
-RSA *
-EVP_PKEY_get0_RSA(EVP_PKEY *pkey)
-{
-	if (pkey->type != EVP_PKEY_RSA) {
-		/* EVPerror(EVP_R_EXPECTING_AN_RSA_KEY); */
-		return NULL;
-	}
-	return pkey->pkey.rsa;
-}
-#endif /* HAVE_EVP_PKEY_GET0_RSA */
-
-#ifndef HAVE_EVP_MD_CTX_NEW
-EVP_MD_CTX *
-EVP_MD_CTX_new(void)
-{
-	return calloc(1, sizeof(EVP_MD_CTX));
-}
-#endif /* HAVE_EVP_MD_CTX_NEW */
-
-#ifndef HAVE_EVP_MD_CTX_FREE
-void
-EVP_MD_CTX_free(EVP_MD_CTX *ctx)
-{
-	if (ctx == NULL)
-		return;
-
-	EVP_MD_CTX_cleanup(ctx);
-
-	free(ctx);
-}
-#endif /* HAVE_EVP_MD_CTX_FREE */
-
 #endif /* WITH_OPENSSL */
diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 61a69dd5..d0dd2c34 100644
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -33,26 +33,13 @@
 int ssh_compatible_openssl(long, long);
 void ssh_libcrypto_init(void);
 
-#if (OPENSSL_VERSION_NUMBER < 0x1000100fL)
-# error OpenSSL 1.0.1 or greater is required
+#if (OPENSSL_VERSION_NUMBER < 0x10100000L)
+# error OpenSSL 1.1.0 or greater is required
 #endif
-
-#ifndef OPENSSL_VERSION
-# define OPENSSL_VERSION	SSLEAY_VERSION
-#endif
-
-#ifndef HAVE_OPENSSL_VERSION
-# define OpenSSL_version(x)	SSLeay_version(x)
-#endif
-
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num	SSLeay
-#endif
-
-#if OPENSSL_VERSION_NUMBER < 0x10000001L
-# define LIBCRYPTO_EVP_INL_TYPE unsigned int
-#else
-# define LIBCRYPTO_EVP_INL_TYPE size_t
+#ifdef LIBRESSL_VERSION_NUMBER
+# if LIBRESSL_VERSION_NUMBER < 0x3010000fL
+#  error LibreSSL 3.1.0 or greater is required
+# endif
 #endif
 
 #ifndef OPENSSL_RSA_MAX_MODULUS_BITS
@@ -68,25 +55,6 @@ void ssh_libcrypto_init(void);
 # endif
 #endif
 
-/* LibreSSL/OpenSSL 1.1x API compat */
-#ifndef HAVE_DSA_GET0_PQG
-void DSA_get0_pqg(const DSA *d, const BIGNUM **p, const BIGNUM **q,
-    const BIGNUM **g);
-#endif /* HAVE_DSA_GET0_PQG */
-
-#ifndef HAVE_DSA_SET0_PQG
-int DSA_set0_pqg(DSA *d, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* HAVE_DSA_SET0_PQG */
-
-#ifndef HAVE_DSA_GET0_KEY
-void DSA_get0_key(const DSA *d, const BIGNUM **pub_key,
-    const BIGNUM **priv_key);
-#endif /* HAVE_DSA_GET0_KEY */
-
-#ifndef HAVE_DSA_SET0_KEY
-int DSA_set0_key(DSA *d, BIGNUM *pub_key, BIGNUM *priv_key);
-#endif /* HAVE_DSA_SET0_KEY */
-
 #ifndef HAVE_EVP_CIPHER_CTX_GET_IV
 # ifdef HAVE_EVP_CIPHER_CTX_GET_UPDATED_IV
 #  define EVP_CIPHER_CTX_get_iv EVP_CIPHER_CTX_get_updated_iv
@@ -101,112 +69,5 @@ int EVP_CIPHER_CTX_set_iv(EVP_CIPHER_CTX *ctx,
     const unsigned char *iv, size_t len);
 #endif /* HAVE_EVP_CIPHER_CTX_SET_IV */
 
-#ifndef HAVE_RSA_GET0_KEY
-void RSA_get0_key(const RSA *r, const BIGNUM **n, const BIGNUM **e,
-    const BIGNUM **d);
-#endif /* HAVE_RSA_GET0_KEY */
-
-#ifndef HAVE_RSA_SET0_KEY
-int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
-#endif /* HAVE_RSA_SET0_KEY */
-
-#ifndef HAVE_RSA_GET0_CRT_PARAMS
-void RSA_get0_crt_params(const RSA *r, const BIGNUM **dmp1, const BIGNUM **dmq1,
-    const BIGNUM **iqmp);
-#endif /* HAVE_RSA_GET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_SET0_CRT_PARAMS
-int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
-#endif /* HAVE_RSA_SET0_CRT_PARAMS */
-
-#ifndef HAVE_RSA_GET0_FACTORS
-void RSA_get0_factors(const RSA *r, const BIGNUM **p, const BIGNUM **q);
-#endif /* HAVE_RSA_GET0_FACTORS */
-
-#ifndef HAVE_RSA_SET0_FACTORS
-int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
-#endif /* HAVE_RSA_SET0_FACTORS */
-
-#ifndef DSA_SIG_GET0
-void DSA_SIG_get0(const DSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-#endif /* DSA_SIG_GET0 */
-
-#ifndef DSA_SIG_SET0
-int DSA_SIG_set0(DSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-#endif /* DSA_SIG_SET0 */
-
-#ifdef OPENSSL_HAS_ECC
-#ifndef HAVE_ECDSA_SIG_GET0
-void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps);
-#endif /* HAVE_ECDSA_SIG_GET0 */
-
-#ifndef HAVE_ECDSA_SIG_SET0
-int ECDSA_SIG_set0(ECDSA_SIG *sig, BIGNUM *r, BIGNUM *s);
-#endif /* HAVE_ECDSA_SIG_SET0 */
-#endif /* OPENSSL_HAS_ECC */
-
-#ifndef HAVE_DH_GET0_PQG
-void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q,
-    const BIGNUM **g);
-#endif /* HAVE_DH_GET0_PQG */
-
-#ifndef HAVE_DH_SET0_PQG
-int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
-#endif /* HAVE_DH_SET0_PQG */
-
-#ifndef HAVE_DH_GET0_KEY
-void DH_get0_key(const DH *dh, const BIGNUM **pub_key, const BIGNUM **priv_key);
-#endif /* HAVE_DH_GET0_KEY */
-
-#ifndef HAVE_DH_SET0_KEY
-int DH_set0_key(DH *dh, BIGNUM *pub_key, BIGNUM *priv_key);
-#endif /* HAVE_DH_SET0_KEY */
-
-#ifndef HAVE_DH_SET_LENGTH
-int DH_set_length(DH *dh, long length);
-#endif /* HAVE_DH_SET_LENGTH */
-
-#ifndef HAVE_RSA_METH_FREE
-void RSA_meth_free(RSA_METHOD *meth);
-#endif /* HAVE_RSA_METH_FREE */
-
-#ifndef HAVE_RSA_METH_DUP
-RSA_METHOD *RSA_meth_dup(const RSA_METHOD *meth);
-#endif /* HAVE_RSA_METH_DUP */
-
-#ifndef HAVE_RSA_METH_SET1_NAME
-int RSA_meth_set1_name(RSA_METHOD *meth, const char *name);
-#endif /* HAVE_RSA_METH_SET1_NAME */
-
-#ifndef HAVE_RSA_METH_GET_FINISH
-int (*RSA_meth_get_finish(const RSA_METHOD *meth))(RSA *rsa);
-#endif /* HAVE_RSA_METH_GET_FINISH */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_ENC
-int RSA_meth_set_priv_enc(RSA_METHOD *meth, int (*priv_enc)(int flen,
-    const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-#endif /* HAVE_RSA_METH_SET_PRIV_ENC */
-
-#ifndef HAVE_RSA_METH_SET_PRIV_DEC
-int RSA_meth_set_priv_dec(RSA_METHOD *meth, int (*priv_dec)(int flen,
-    const unsigned char *from, unsigned char *to, RSA *rsa, int padding));
-#endif /* HAVE_RSA_METH_SET_PRIV_DEC */
-
-#ifndef HAVE_RSA_METH_SET_FINISH
-int RSA_meth_set_finish(RSA_METHOD *meth, int (*finish)(RSA *rsa));
-#endif /* HAVE_RSA_METH_SET_FINISH */
-
-#ifndef HAVE_EVP_PKEY_GET0_RSA
-RSA *EVP_PKEY_get0_RSA(EVP_PKEY *pkey);
-#endif /* HAVE_EVP_PKEY_GET0_RSA */
-
-#ifndef HAVE_EVP_MD_CTX_new
-EVP_MD_CTX *EVP_MD_CTX_new(void);
-#endif /* HAVE_EVP_MD_CTX_new */
-
-#ifndef HAVE_EVP_MD_CTX_free
-void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
-#endif /* HAVE_EVP_MD_CTX_free */
-
 #endif /* WITH_OPENSSL */
 #endif /* _OPENSSL_COMPAT_H */

-- 
To stop receiving notification emails like this one, please contact
djm at mindrot.org.


More information about the openssh-commits mailing list