- markus@cvs.openbsd.org 2014/04/29 18:01:49

[auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c] [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c] [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c] [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c] make compiling against OpenSSL optional (make OPENSSL=no); reduces algorithms to curve25519, aes-ctr, chacha, ed25519; allows us to explore further options; with and ok djm
IronCoreLabs · May 15, 2014 · 1f0311c · 1f0311c
1 parent c589378
commit 1f0311c
Show file tree

Hide file tree

Showing 27 changed files with 560 additions and 72 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -36,6 +36,14 @@
      bz#1818 - don't send channel success/failre replies on channels that
      have sent a close already; analysis and patch from Simon Tatham;
      ok markus@
+   - markus@cvs.openbsd.org 2014/04/29 18:01:49
+     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
+     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
+     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
+     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
+     make compiling against OpenSSL optional (make OPENSSL=no);
+     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
+     allows us to explore further options; with and ok djm
 
 20140430
  - (dtucker) [defines.h] Define __GNUC_PREREQ__ macro if we don't already

diff --git a/auth.c b/auth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: auth.c,v 1.103 2013/05/19 02:42:42 djm Exp $ */
+/* $OpenBSD: auth.c,v 1.104 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
  *
@@ -659,6 +659,7 @@ getpwnamallow(const char *user)
 int
 auth_key_is_revoked(Key *key)
 {
+#ifdef WITH_OPENSSL
 	char *key_fp;
 
 	if (options.revoked_keys_file == NULL)
@@ -671,6 +672,7 @@ auth_key_is_revoked(Key *key)
 	default:
 		goto revoked;
 	}
+#endif
 	debug3("%s: treating %s as a key list", __func__,
 	    options.revoked_keys_file);
 	switch (key_in_file(key, options.revoked_keys_file, 0)) {
@@ -682,6 +684,7 @@ auth_key_is_revoked(Key *key)
 		error("Revoked keys file is unreadable: refusing public key "
 		    "authentication");
 		return 1;
+#ifdef WITH_OPENSSL
 	case 1:
  revoked:
 		/* Key revoked */
@@ -690,6 +693,7 @@ auth_key_is_revoked(Key *key)
 		    "%s key %s ", key_type(key), key_fp);
 		free(key_fp);
 		return 1;
+#endif
 	}
 	fatal("key_in_file returned junk");
 }

diff --git a/authfd.c b/authfd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfd.c,v 1.92 2014/01/31 16:39:19 tedu Exp $ */
+/* $OpenBSD: authfd.c,v 1.93 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -41,9 +41,6 @@
 #include <sys/un.h>
 #include <sys/socket.h>
 
-#include <openssl/evp.h>
-#include <openssl/crypto.h>
-
 #include <fcntl.h>
 #include <stdlib.h>
 #include <signal.h>
@@ -313,8 +310,10 @@ ssh_get_first_identity(AuthenticationConnection *auth, char **comment, int versi
 Key *
 ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int version)
 {
+#ifdef WITH_SSH1
 	int keybits;
 	u_int bits;
+#endif
 	u_char *blob;
 	u_int blen;
 	Key *key = NULL;
@@ -328,6 +327,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
 	 * error if the packet is too short or contains corrupt data.
 	 */
 	switch (version) {
+#ifdef WITH_SSH1
 	case 1:
 		key = key_new(KEY_RSA1);
 		bits = buffer_get_int(&auth->identities);
@@ -339,6 +339,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
 			logit("Warning: identity keysize mismatch: actual %d, announced %u",
 			    BN_num_bits(key->rsa->n), bits);
 		break;
+#endif
 	case 2:
 		blob = buffer_get_string(&auth->identities, &blen);
 		*comment = buffer_get_string(&auth->identities, NULL);
@@ -361,6 +362,7 @@ ssh_get_next_identity(AuthenticationConnection *auth, char **comment, int versio
  * supported) and 1 corresponding to protocol version 1.1.
  */
 
+#ifdef WITH_SSH1
 int
 ssh_decrypt_challenge(AuthenticationConnection *auth,
     Key* key, BIGNUM *challenge,
@@ -410,6 +412,7 @@ ssh_decrypt_challenge(AuthenticationConnection *auth,
 	buffer_free(&buffer);
 	return success;
 }
+#endif
 
 /* ask agent to sign data, returns -1 on error, 0 on success */
 int
@@ -457,6 +460,7 @@ ssh_agent_sign(AuthenticationConnection *auth,
 
 /* Encode key for a message to the agent. */
 
+#ifdef WITH_SSH1
 static void
 ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 {
@@ -470,6 +474,7 @@ ssh_encode_identity_rsa1(Buffer *b, RSA *key, const char *comment)
 	buffer_put_bignum(b, key->p);	/* ssh key->q, SSL key->p */
 	buffer_put_cstring(b, comment);
 }
+#endif
 
 static void
 ssh_encode_identity_ssh2(Buffer *b, Key *key, const char *comment)
@@ -493,13 +498,16 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
 	buffer_init(&msg);
 
 	switch (key->type) {
+#ifdef WITH_SSH1
 	case KEY_RSA1:
 		type = constrained ?
 		    SSH_AGENTC_ADD_RSA_ID_CONSTRAINED :
 		    SSH_AGENTC_ADD_RSA_IDENTITY;
 		buffer_put_char(&msg, type);
 		ssh_encode_identity_rsa1(&msg, key->rsa, comment);
 		break;
+#endif
+#ifdef WITH_OPENSSL
 	case KEY_RSA:
 	case KEY_RSA_CERT:
 	case KEY_RSA_CERT_V00:
@@ -508,6 +516,7 @@ ssh_add_identity_constrained(AuthenticationConnection *auth, Key *key,
 	case KEY_DSA_CERT_V00:
 	case KEY_ECDSA:
 	case KEY_ECDSA_CERT:
+#endif
 	case KEY_ED25519:
 	case KEY_ED25519_CERT:
 		type = constrained ?
@@ -552,12 +561,15 @@ ssh_remove_identity(AuthenticationConnection *auth, Key *key)
 
 	buffer_init(&msg);
 
+#ifdef WITH_SSH1
 	if (key->type == KEY_RSA1) {
 		buffer_put_char(&msg, SSH_AGENTC_REMOVE_RSA_IDENTITY);
 		buffer_put_int(&msg, BN_num_bits(key->rsa->n));
 		buffer_put_bignum(&msg, key->rsa->e);
 		buffer_put_bignum(&msg, key->rsa->n);
-	} else if (key->type != KEY_UNSPEC) {
+	} else
+#endif
+	if (key->type != KEY_UNSPEC) {
 		key_to_blob(key, &blob, &blen);
 		buffer_put_char(&msg, SSH2_AGENTC_REMOVE_IDENTITY);
 		buffer_put_string(&msg, blob, blen);

diff --git a/authfile.c b/authfile.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: authfile.c,v 1.105 2014/04/28 03:09:18 djm Exp $ */
+/* $OpenBSD: authfile.c,v 1.106 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -43,9 +43,11 @@
 #include <sys/param.h>
 #include <sys/uio.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pem.h>
+#endif
 
 /* compatibility with old or broken OpenSSL versions */
 #include "openbsd-compat/openssl-compat.h"
@@ -419,6 +421,7 @@ key_parse_private2(Buffer *blob, int type, const char *passphrase,
 	return k;
 }
 
+#ifdef WITH_SSH1
 /*
  * Serialises the authentication (private) key to a blob, encrypting it with
  * passphrase.  The identification of the blob (lowest 64 bits of n) will
@@ -508,7 +511,9 @@ key_private_rsa1_to_blob(Key *key, Buffer *blob, const char *passphrase,
 
 	return 1;
 }
+#endif
 
+#ifdef WITH_OPENSSL
 /* convert SSH v2 key in OpenSSL PEM format */
 static int
 key_private_pem_to_blob(Key *key, Buffer *blob, const char *_passphrase,
@@ -558,6 +563,7 @@ key_private_pem_to_blob(Key *key, Buffer *blob, const char *_passphrase,
 	BIO_free(bio);
 	return success;
 }
+#endif
 
 /* Save a key blob to a file */
 static int
@@ -588,8 +594,11 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase,
     int new_format_rounds)
 {
 	switch (key->type) {
+#ifdef WITH_SSH1
 	case KEY_RSA1:
 		return key_private_rsa1_to_blob(key, blob, passphrase, comment);
+#endif
+#ifdef WITH_OPENSSL
 	case KEY_DSA:
 	case KEY_ECDSA:
 	case KEY_RSA:
@@ -598,6 +607,7 @@ key_private_to_blob(Key *key, Buffer *blob, const char *passphrase,
 			    comment, new_format_cipher, new_format_rounds);
 		}
 		return key_private_pem_to_blob(key, blob, passphrase, comment);
+#endif
 	case KEY_ED25519:
 		return key_private_to_blob2(key, blob, passphrase,
 		    comment, new_format_cipher, new_format_rounds);
@@ -627,6 +637,7 @@ key_save_private(Key *key, const char *filename, const char *passphrase,
 	return success;
 }
 
+#ifdef WITH_SSH1
 /*
  * Parse the public, unencrypted portion of a RSA1 key.
  */
@@ -671,6 +682,7 @@ key_parse_public_rsa1(Buffer *blob, char **commentp)
 
 	return pub;
 }
+#endif
 
 /* Load a key from a fd into a buffer */
 int
@@ -727,6 +739,7 @@ key_load_file(int fd, const char *filename, Buffer *blob)
 	return 1;
 }
 
+#ifdef WITH_SSH1
 /*
  * Loads the public part of the ssh v1 key file.  Returns NULL if an error was
  * encountered (the file does not exist or is not readable), and the key
@@ -870,7 +883,9 @@ key_parse_private_rsa1(Buffer *blob, const char *passphrase, char **commentp)
 	key_free(prv);
 	return NULL;
 }
+#endif
 
+#ifdef WITH_OPENSSL
 static Key *
 key_parse_private_pem(Buffer *blob, int type, const char *passphrase,
     char **commentp)
@@ -964,6 +979,7 @@ key_load_private_pem(int fd, int type, const char *passphrase,
 	buffer_free(&buffer);
 	return prv;
 }
+#endif
 
 int
 key_perm_ok(int fd, const char *filename)
@@ -1000,18 +1016,24 @@ key_parse_private_type(Buffer *blob, int type, const char *passphrase,
 	Key *k;
 
 	switch (type) {
+#ifdef WITH_SSH1
 	case KEY_RSA1:
 		return key_parse_private_rsa1(blob, passphrase, commentp);
+#endif
+#ifdef WITH_OPENSSL
 	case KEY_DSA:
 	case KEY_ECDSA:
 	case KEY_RSA:
 		return key_parse_private_pem(blob, type, passphrase, commentp);
+#endif
 	case KEY_ED25519:
 		return key_parse_private2(blob, type, passphrase, commentp);
 	case KEY_UNSPEC:
 		if ((k = key_parse_private2(blob, type, passphrase, commentp)))
 			return k;
+#ifdef WITH_OPENSSL
 		return key_parse_private_pem(blob, type, passphrase, commentp);
+#endif
 	default:
 		error("%s: cannot parse key type %d", __func__, type);
 		break;
@@ -1061,6 +1083,7 @@ Key *
 key_parse_private(Buffer *buffer, const char *filename,
     const char *passphrase, char **commentp)
 {
+#ifdef WITH_SSH1
 	Key *pub, *prv;
 
 	/* it's a SSH v1 key if the public key part is readable */
@@ -1078,6 +1101,10 @@ key_parse_private(Buffer *buffer, const char *filename,
 		    NULL);
 	}
 	return prv;
+#else
+	return key_parse_private_type(buffer, KEY_UNSPEC,
+	    passphrase, commentp);
+#endif
 }
 
 Key *
@@ -1162,6 +1189,7 @@ key_load_public(const char *filename, char **commentp)
 	Key *pub;
 	char file[MAXPATHLEN];
 
+#ifdef WITH_SSH1
 	/* try rsa1 private key */
 	pub = key_load_public_type(KEY_RSA1, filename, commentp);
 	if (pub != NULL)
@@ -1172,6 +1200,7 @@ key_load_public(const char *filename, char **commentp)
 	if (key_try_load_public(pub, filename, commentp) == 1)
 		return pub;
 	key_free(pub);
+#endif
 
 	/* try ssh2 public key */
 	pub = key_new(KEY_UNSPEC);
@@ -1211,9 +1240,11 @@ key_load_private_cert(int type, const char *filename, const char *passphrase,
 	Key *key, *pub;
 
 	switch (type) {
+#ifdef WITH_OPENSSL
 	case KEY_RSA:
 	case KEY_DSA:
 	case KEY_ECDSA:
+#endif
 	case KEY_ED25519:
 		break;
 	default:

diff --git a/bufaux.c b/bufaux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: bufaux.c,v 1.58 2014/04/28 03:09:18 djm Exp $ */
+/* $OpenBSD: bufaux.c,v 1.59 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -41,8 +41,6 @@
 
 #include <sys/types.h>
 
-#include <openssl/bn.h>
-
 #include <string.h>
 #include <stdarg.h>
 #include <stdlib.h>