
Commit 7280401

remove support for old libcrypto
OpenSSH now requires LibreSSL 3.1.0 or greater or OpenSSL 1.1.1 or greater with/ok dtucker@
1 parent abda22f commit 7280401

6 files changed

+40
-780
lines changed

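--- a/.github/workflows/c-cpp.yml
+++ b/.github/workflows/c-cpp.yml
@@ -47,9 +47,6 @@ jobs:
 - { target: ubuntu-20.04, config: tcmalloc }
 - { target: ubuntu-20.04, config: musl }
 - { target: ubuntu-latest, config: libressl-master }
-- { target: ubuntu-latest, config: libressl-2.2.9 }
-- { target: ubuntu-latest, config: libressl-2.8.3 }
-- { target: ubuntu-latest, config: libressl-3.0.2 }
 - { target: ubuntu-latest, config: libressl-3.2.6 }
 - { target: ubuntu-latest, config: libressl-3.3.6 }
 - { target: ubuntu-latest, config: libressl-3.4.3 }
@@ -58,10 +55,6 @@ jobs:
 - { target: ubuntu-latest, config: libressl-3.7.1 }
 - { target: ubuntu-latest, config: openssl-master }
 - { target: ubuntu-latest, config: openssl-noec }
-- { target: ubuntu-latest, config: openssl-1.0.1 }
-- { target: ubuntu-latest, config: openssl-1.0.1u }
-- { target: ubuntu-latest, config: openssl-1.0.2u }
-- { target: ubuntu-latest, config: openssl-1.1.0h }
 - { target: ubuntu-latest, config: openssl-1.1.1 }
 - { target: ubuntu-latest, config: openssl-1.1.1k }
 - { target: ubuntu-latest, config: openssl-1.1.1n }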

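--- a/INSTALL
+++ b/INSTALL
@@ -21,12 +21,8 @@ https://zlib.net/
 
 libcrypto from either of LibreSSL or OpenSSL. Building without libcrypto
 is supported but severely restricts the available ciphers and algorithms.
- - LibreSSL (https://www.libressl.org/)
- - OpenSSL (https://www.openssl.org) with any of the following versions:
- - 1.0.x >= 1.0.1 or 1.1.0 >= 1.1.0g or any 1.1.1
-
-Note that due to a bug in EVP_CipherInit OpenSSL 1.1 versions prior to
-1.1.0g can't be used.
+ - LibreSSL (https://www.libressl.org/) 3.1.0 or greater
+ - OpenSSL (https://www.openssl.org) 1.1.1 or greater
 
 LibreSSL/OpenSSL should be compiled as a position-independent library
 (i.e. -fPIC, eg by configuring OpenSSL as "./config [options] -fPIC"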

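--- a/cipher-aes.c
+++ b/cipher-aes.c
@@ -69,7 +69,7 @@ ssh_rijndael_init(EVP_CIPHER_CTX *ctx, const u_char *key, const u_char *iv,
 
 static int
 ssh_rijndael_cbc(EVP_CIPHER_CTX *ctx, u_char *dest, const u_char *src,
-LIBCRYPTO_EVP_INL_TYPE len)
+size_t len)
 {
 struct ssh_rijndael_ctx *c;
 u_char buf[RIJNDAEL_BLOCKSIZE];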

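--- a/configure.ac
+++ b/configure.ac
@@ -2802,42 +2802,40 @@ if test "x$openssl" = "xyes" ; then
 #include <openssl/crypto.h>
 #define DATA "conftest.ssllibver"
 ]], [[
-FILE *fd;
-int rc;
+FILE *f;
 
-fd = fopen(DATA,"w");
-if(fd == NULL)
+if ((f = fopen(DATA, "w")) == NULL)
 exit(1);
-#ifndef OPENSSL_VERSION
-# define OPENSSL_VERSION SSLEAY_VERSION
-#endif
-#ifndef HAVE_OPENSSL_VERSION
-# define OpenSSL_version SSLeay_version
-#endif
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
-if ((rc = fprintf(fd, "%08lx (%s)\n",
+if (fprintf(f, "%08lx (%s)",
 (unsigned long)OpenSSL_version_num(),
-OpenSSL_version(OPENSSL_VERSION))) < 0)
+OpenSSL_version(OPENSSL_VERSION)) < 0)
+exit(1);
+#ifdef LIBRESSL_VERSION_NUMBER
+if (fprintf(f, " libressl-%08lx", LIBRESSL_VERSION_NUMBER) < 0)
+exit(1);
+#endif
+if (fputc('\n', f) == EOF || fclose(f) == EOF)
 exit(1);
-
 exit(0);
 ]])],
 [
-ssl_library_ver=`cat conftest.ssllibver`
+sslver=`cat conftest.ssllibver`
+ssl_showver=`echo "$sslver" | sed 's/ libressl-.*//'`
 # Check version is supported.
-case "$ssl_library_ver" in
-10000*|0*)
-AC_MSG_ERROR([OpenSSL >= 1.0.1 required (have "$ssl_library_ver")])
-;;
-100*) ;; # 1.0.x
-101000[[0123456]]*)
-# https://github.com/openssl/openssl/pull/4613
-AC_MSG_ERROR([OpenSSL 1.1.x versions prior to 1.1.0g have a bug that breaks their use with OpenSSH (have "$ssl_library_ver")])
+case "$sslver" in
+100*|10100*) # 1.0.x, 1.1.0x
+AC_MSG_ERROR([OpenSSL >= 1.1.1 required (have "$ssl_showver")])
 ;;
 101*) ;; # 1.1.x
-200*) ;; # LibreSSL
+200*) # LibreSSL
+lver=`echo "$sslver" | sed 's/.*libressl-//'`
+case "$lver" in
+2*|300*) # 2.x, 3.0.0
+AC_MSG_ERROR([LibreSSL >= 3.1.0 required (have "$ssl_showver")])
+;;
+*) ;; # Assume all other versions are good.
+esac
+;;
 300*)
 # OpenSSL 3; we use the 1.1x API
 CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
@@ -2847,10 +2845,10 @@ if test "x$openssl" = "xyes" ; then
 CPPFLAGS="$CPPFLAGS -DOPENSSL_API_COMPAT=0x10100000L"
 ;;
 *)
-AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_library_ver")])
+AC_MSG_ERROR([Unknown/unsupported OpenSSL version ("$ssl_showver")])
 ;;
 esac
-AC_MSG_RESULT([$ssl_library_ver])
+AC_MSG_RESULT([$ssl_showver])
 ],
 [
 AC_MSG_RESULT([not found])
@@ -2863,7 +2861,7 @@ if test "x$openssl" = "xyes" ; then
 
 case "$host" in
 x86_64-*)
-case "$ssl_library_ver" in
+case "$sslver" in
 3000004*)
 AC_MSG_ERROR([OpenSSL 3.0.4 has a potential RCE in its RSA implementation (CVE-2022-2274)])
 ;;
@@ -2879,9 +2877,6 @@ if test "x$openssl" = "xyes" ; then
 #include <openssl/opensslv.h>
 #include <openssl/crypto.h>
 ]], [[
-#ifndef HAVE_OPENSSL_VERSION_NUM
-# define OpenSSL_version_num SSLeay
-#endif
 exit(OpenSSL_version_num() == OPENSSL_VERSION_NUMBER ? 0 : 1);
 ]])],
 [
@@ -2955,44 +2950,13 @@ if test "x$openssl" = "xyes" ; then
 )
 )
 
-# LibreSSL/OpenSSL 1.1x API
+# LibreSSL/OpenSSL API differences
 AC_CHECK_FUNCS([ \
-OPENSSL_init_crypto \
-DH_get0_key \
-DH_get0_pqg \
-DH_set0_key \
-DH_set_length \
-DH_set0_pqg \
-DSA_get0_key \
-DSA_get0_pqg \
-DSA_set0_key \
-DSA_set0_pqg \
-DSA_SIG_get0 \
-DSA_SIG_set0 \
-ECDSA_SIG_get0 \
-ECDSA_SIG_set0 \
 EVP_CIPHER_CTX_iv \
 EVP_CIPHER_CTX_iv_noconst \
 EVP_CIPHER_CTX_get_iv \
 EVP_CIPHER_CTX_get_updated_iv \
 EVP_CIPHER_CTX_set_iv \
-RSA_get0_crt_params \
-RSA_get0_factors \
-RSA_get0_key \
-RSA_set0_crt_params \
-RSA_set0_factors \
-RSA_set0_key \
-RSA_meth_free \
-RSA_meth_dup \
-RSA_meth_set1_name \
-RSA_meth_get_finish \
-RSA_meth_set_priv_enc \
-RSA_meth_set_priv_dec \
-RSA_meth_set_finish \
-EVP_PKEY_get0_RSA \
-EVP_MD_CTX_new \
-EVP_MD_CTX_free \
-EVP_chacha20 \
 ])
 
 if test "x$openssl_engine" = "xyes" ; then
@@ -3050,8 +3014,8 @@ if test "x$openssl" = "xyes" ; then
 ]
 )
 
-# Check for SHA256, SHA384 and SHA512 support in OpenSSL
-AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512])
+# Check for various EVP support in OpenSSL
+AC_CHECK_FUNCS([EVP_sha256 EVP_sha384 EVP_sha512 EVP_chacha20])
 
 # Check complete ECC support in OpenSSL
 AC_MSG_CHECKING([whether OpenSSL has NID_X9_62_prime256v1])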
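Review bot: In the conftest program of the first hunk, `LIBRESSL_VERSION_NUMBER` is passed to `%08lx` uncast while the `OpenSSL_version_num()` argument two lines above is cast to `(unsigned long)`; the macro is a signed long literal in LibreSSL's headers, so the format/argument types do not strictly match. Mirror the existing cast: `if (fprintf(f, " libressl-%08lx", (unsigned long)LIBRESSL_VERSION_NUMBER) < 0)`. On the shell side, if a LibreSSL header did not define the macro the `sed 's/.*libressl-//'` would leave `$lver` equal to the whole `$sslver`, which begins with `2` and so is rejected as too old; that fails closed, but a comment on the `lver=` line saying so would make the intent clear, e.g. `# no "libressl-" suffix: treat as unsupported`. The surrounding AC_RUN_IFELSE block begins and ends outside the hunk.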
