aboutsummaryrefslogtreecommitdiff
path: root/src/libcrypto.c
diff options
context:
space:
mode:
authorDirkjan Bussink <d.bussink@gmail.com>2020-12-22 19:54:14 +0100
committerJakub Jelen <jjelen@redhat.com>2021-01-11 10:45:22 +0100
commit710815674a907116c1864dd29c804039cd392616 (patch)
treee96c17823f6664619d7c4858c95f0a232dcfcf2c /src/libcrypto.c
parent816f06e172d5744b2721e1c94863fb76b4313e5e (diff)
downloadlibssh-710815674a907116c1864dd29c804039cd392616.tar.gz
libssh-710815674a907116c1864dd29c804039cd392616.tar.xz
libssh-710815674a907116c1864dd29c804039cd392616.zip
Cleanup AES compatibility code
OpenSSL 1.0.1 has support for CTR & GCM modes so the checks here are no longer needed. This allows for a bunch of additional cleanup of the old code. As for old MacOS versions etc, LibreSSL is a kind of compatibility layer there but things already don't work anyway with that, so it doesn't break anything that isn't already broken. OpenSSL is needed on MacOS separately anyway (like installed with Homebrew). Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
Diffstat (limited to 'src/libcrypto.c')
-rw-r--r--src/libcrypto.c125
1 files changed, 0 insertions, 125 deletions
diff --git a/src/libcrypto.c b/src/libcrypto.c
index b2d5fc93..c5c0eac5 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -71,10 +71,6 @@
#include <openssl/kdf.h>
#endif
-#ifdef HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT
-#include <openssl/modes.h>
-#endif
-
#include "libssh/crypto.h"
static int libcrypto_initialized = 0;
@@ -496,7 +492,6 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher)
case SSH_AES256_CBC:
cipher->cipher = EVP_aes_256_cbc();
break;
-#ifdef HAVE_OPENSSL_EVP_AES_CTR
case SSH_AES128_CTR:
cipher->cipher = EVP_aes_128_ctr();
break;
@@ -506,26 +501,12 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher)
case SSH_AES256_CTR:
cipher->cipher = EVP_aes_256_ctr();
break;
-#else
- case SSH_AES128_CTR:
- case SSH_AES192_CTR:
- case SSH_AES256_CTR:
- SSH_LOG(SSH_LOG_WARNING, "This cipher is not available in evp_cipher_init");
- break;
-#endif
-#ifdef HAVE_OPENSSL_EVP_AES_GCM
case SSH_AEAD_AES128_GCM:
cipher->cipher = EVP_aes_128_gcm();
break;
case SSH_AEAD_AES256_GCM:
cipher->cipher = EVP_aes_256_gcm();
break;
-#else
- case SSH_AEAD_AES128_GCM:
- case SSH_AEAD_AES256_GCM:
- SSH_LOG(SSH_LOG_WARNING, "This cipher is not available in evp_cipher_init");
- break;
-#endif /* HAVE_OPENSSL_EVP_AES_GCM */
case SSH_3DES_CBC:
cipher->cipher = EVP_des_ede3_cbc();
break;
@@ -557,7 +538,6 @@ static int evp_cipher_set_encrypt_key(struct ssh_cipher_struct *cipher,
return SSH_ERROR;
}
-#ifdef HAVE_OPENSSL_EVP_AES_GCM
/* For AES-GCM we need to set IV in specific way */
if (cipher->ciphertype == SSH_AEAD_AES128_GCM ||
cipher->ciphertype == SSH_AEAD_AES256_GCM) {
@@ -570,7 +550,6 @@ static int evp_cipher_set_encrypt_key(struct ssh_cipher_struct *cipher,
return SSH_ERROR;
}
}
-#endif /* HAVE_OPENSSL_EVP_AES_GCM */
EVP_CIPHER_CTX_set_padding(cipher->ctx, 0);
@@ -589,7 +568,6 @@ static int evp_cipher_set_decrypt_key(struct ssh_cipher_struct *cipher,
return SSH_ERROR;
}
-#ifdef HAVE_OPENSSL_EVP_AES_GCM
/* For AES-GCM we need to set IV in specific way */
if (cipher->ciphertype == SSH_AEAD_AES128_GCM ||
cipher->ciphertype == SSH_AEAD_AES256_GCM) {
@@ -602,7 +580,6 @@ static int evp_cipher_set_decrypt_key(struct ssh_cipher_struct *cipher,
return SSH_ERROR;
}
}
-#endif /* HAVE_OPENSSL_EVP_AES_GCM */
EVP_CIPHER_CTX_set_padding(cipher->ctx, 0);
@@ -668,68 +645,6 @@ static void evp_cipher_cleanup(struct ssh_cipher_struct *cipher) {
}
}
-#ifndef HAVE_OPENSSL_EVP_AES_CTR
-/* Some OS (osx, OpenIndiana, ...) have no support for CTR ciphers in EVP_aes */
-
-struct ssh_aes_key_schedule {
- AES_KEY key;
- uint8_t IV[AES_BLOCK_SIZE];
-};
-
-static int aes_ctr_set_key(struct ssh_cipher_struct *cipher, void *key,
- void *IV) {
- int rc;
-
- if (cipher->aes_key == NULL) {
- cipher->aes_key = malloc(sizeof (struct ssh_aes_key_schedule));
- }
- if (cipher->aes_key == NULL) {
- return SSH_ERROR;
- }
- ZERO_STRUCTP(cipher->aes_key);
- /* CTR doesn't need a decryption key */
- rc = AES_set_encrypt_key(key, cipher->keysize, &cipher->aes_key->key);
- if (rc < 0) {
- SAFE_FREE(cipher->aes_key);
- return SSH_ERROR;
- }
- memcpy(cipher->aes_key->IV, IV, AES_BLOCK_SIZE);
- return SSH_OK;
-}
-
-static void
-aes_ctr_encrypt(struct ssh_cipher_struct *cipher,
- void *in,
- void *out,
- size_t len)
-{
- unsigned char tmp_buffer[AES_BLOCK_SIZE];
- unsigned int num=0;
- /* Some things are special with ctr128 :
- * In this case, tmp_buffer is not being used, because it is used to store temporary data
- * when an encryption is made on lengths that are not multiple of blocksize.
- * Same for num, which is being used to store the current offset in blocksize in CTR
- * function.
- */
-#ifdef HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT
- CRYPTO_ctr128_encrypt(in, out, len, &cipher->aes_key->key, cipher->aes_key->IV, tmp_buffer, &num, (block128_f)AES_encrypt);
-#else
- AES_ctr128_encrypt(in, out, len, &cipher->aes_key->key, cipher->aes_key->IV, tmp_buffer, &num);
-#endif /* HAVE_OPENSSL_CRYPTO_CTR128_ENCRYPT */
-}
-
-static void aes_ctr_cleanup(struct ssh_cipher_struct *cipher){
- if (cipher != NULL) {
- if (cipher->aes_key != NULL) {
- explicit_bzero(cipher->aes_key, sizeof(*cipher->aes_key));
- }
- SAFE_FREE(cipher->aes_key);
- }
-}
-
-#endif /* HAVE_OPENSSL_EVP_AES_CTR */
-
-#ifdef HAVE_OPENSSL_EVP_AES_GCM
static int
evp_cipher_aead_get_length(struct ssh_cipher_struct *cipher,
void *in,
@@ -900,8 +815,6 @@ evp_cipher_aead_decrypt(struct ssh_cipher_struct *cipher,
return SSH_OK;
}
-#endif /* HAVE_OPENSSL_EVP_AES_GCM */
-
#if defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305)
struct chacha20_poly1305_keysched {
@@ -1311,7 +1224,6 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
},
#endif
#ifdef HAS_AES
-#ifdef HAVE_OPENSSL_EVP_AES_CTR
{
.name = "aes128-ctr",
.blocksize = AES_BLOCK_SIZE,
@@ -1345,41 +1257,6 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.decrypt = evp_cipher_decrypt,
.cleanup = evp_cipher_cleanup
},
-#else /* HAVE_OPENSSL_EVP_AES_CTR */
- {
- .name = "aes128-ctr",
- .blocksize = AES_BLOCK_SIZE,
- .ciphertype = SSH_AES128_CTR,
- .keysize = 128,
- .set_encrypt_key = aes_ctr_set_key,
- .set_decrypt_key = aes_ctr_set_key,
- .encrypt = aes_ctr_encrypt,
- .decrypt = aes_ctr_encrypt,
- .cleanup = aes_ctr_cleanup
- },
- {
- .name = "aes192-ctr",
- .blocksize = AES_BLOCK_SIZE,
- .ciphertype = SSH_AES192_CTR,
- .keysize = 192,
- .set_encrypt_key = aes_ctr_set_key,
- .set_decrypt_key = aes_ctr_set_key,
- .encrypt = aes_ctr_encrypt,
- .decrypt = aes_ctr_encrypt,
- .cleanup = aes_ctr_cleanup
- },
- {
- .name = "aes256-ctr",
- .blocksize = AES_BLOCK_SIZE,
- .ciphertype = SSH_AES256_CTR,
- .keysize = 256,
- .set_encrypt_key = aes_ctr_set_key,
- .set_decrypt_key = aes_ctr_set_key,
- .encrypt = aes_ctr_encrypt,
- .decrypt = aes_ctr_encrypt,
- .cleanup = aes_ctr_cleanup
- },
-#endif /* HAVE_OPENSSL_EVP_AES_CTR */
{
.name = "aes128-cbc",
.blocksize = AES_BLOCK_SIZE,
@@ -1413,7 +1290,6 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.decrypt = evp_cipher_decrypt,
.cleanup = evp_cipher_cleanup
},
-#ifdef HAVE_OPENSSL_EVP_AES_GCM
{
.name = "aes128-gcm@openssh.com",
.blocksize = AES_BLOCK_SIZE,
@@ -1442,7 +1318,6 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.aead_decrypt = evp_cipher_aead_decrypt,
.cleanup = evp_cipher_cleanup
},
-#endif /* HAVE_OPENSSL_EVP_AES_GCM */
#endif /* HAS_AES */
#ifdef HAS_DES
{