- markus@cvs.openbsd.org 2014/04/29 18:01:49

     [auth.c authfd.c authfile.c bufaux.c cipher.c cipher.h hostfile.c]
     [kex.c key.c mac.c monitor.c monitor_wrap.c myproposal.h packet.c]
     [roaming_client.c ssh-agent.c ssh-keygen.c ssh-keyscan.c ssh-keysign.c]
     [ssh-pkcs11.h ssh.c sshconnect.c sshconnect2.c sshd.c]
     make compiling against OpenSSL optional (make OPENSSL=no);
     reduces algorithms to curve25519, aes-ctr, chacha, ed25519;
     allows us to explore further options; with and ok djm

1 files changed, 38 insertions, 4 deletions

diff --git a/sshd.c b/sshd.c
index b955f192..6e7192cf 100644
--- a/sshd.c
+++ b/sshd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sshd.c,v 1.425 2014/04/19 14:53:48 tedu Exp $ */
+/* $OpenBSD: sshd.c,v 1.426 2014/04/29 18:01:49 markus Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -72,10 +72,12 @@
 #include <string.h>
 #include <unistd.h>
 
+#ifdef WITH_OPENSSL
 #include <openssl/dh.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
 #include "openbsd-compat/openssl-compat.h"
+#endif
 
 #ifdef HAVE_SECUREWARE
 #include <sys/security.h>
@@ -98,7 +100,6 @@
 #include "digest.h"
 #include "key.h"
 #include "kex.h"
-#include "dh.h"
 #include "myproposal.h"
 #include "authfile.h"
 #include "pathnames.h"
@@ -256,7 +257,9 @@ struct passwd *privsep_pw = NULL;
 void destroy_sensitive_data(void);
 void demote_sensitive_data(void);
 
+#ifdef WITH_SSH1
 static void do_ssh1_kex(void);
+#endif
 static void do_ssh2_kex(void);
 
 /*
@@ -931,7 +934,13 @@ static void
 usage(void)
 {
 	fprintf(stderr, "%s, %s\n",
-	    SSH_RELEASE, SSLeay_version(SSLEAY_VERSION));
+	    SSH_RELEASE,
+#ifdef WITH_OPENSSL
+	    SSLeay_version(SSLEAY_VERSION)
+#else
+	    "without OpenSSL"
+#endif
+	);
 	fprintf(stderr,
 "usage: sshd [-46DdeiqTt] [-b bits] [-C connection_spec] [-c host_cert_file]\n"
 "            [-E log_file] [-f config_file] [-g login_grace_time]\n"
@@ -964,6 +973,7 @@ send_rexec_state(int fd, Buffer *conf)
 	buffer_init(&m);
 	buffer_put_cstring(&m, buffer_ptr(conf));
 
+#ifdef WITH_SSH1
 	if (sensitive_data.server_key != NULL &&
 	    sensitive_data.server_key->type == KEY_RSA1) {
 		buffer_put_int(&m, 1);
@@ -974,6 +984,7 @@ send_rexec_state(int fd, Buffer *conf)
 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->p);
 		buffer_put_bignum(&m, sensitive_data.server_key->rsa->q);
 	} else
+#endif
 		buffer_put_int(&m, 0);
 
 #ifndef OPENSSL_PRNG_ONLY
@@ -1010,6 +1021,7 @@ recv_rexec_state(int fd, Buffer *conf)
 	free(cp);
 
 	if (buffer_get_int(&m)) {
+#ifdef WITH_SSH1
 		if (sensitive_data.server_key != NULL)
 			key_free(sensitive_data.server_key);
 		sensitive_data.server_key = key_new_private(KEY_RSA1);
@@ -1021,6 +1033,9 @@ recv_rexec_state(int fd, Buffer *conf)
 		buffer_get_bignum(&m, sensitive_data.server_key->rsa->q);
 		rsa_generate_additional_parameters(
 		    sensitive_data.server_key->rsa);
+#else
+		fatal("ssh1 not supported");
+#endif
 	}
 
 #ifndef OPENSSL_PRNG_ONLY
@@ -1543,7 +1558,9 @@ main(int ac, char **av)
 	else
 		closefrom(REEXEC_DEVCRYPTO_RESERVED_FD);
 
+#ifdef WITH_OPENSSL
 	OpenSSL_add_all_algorithms();
+#endif
 
 	/* If requested, redirect the logs to the specified logfile. */
 	if (logfile != NULL) {
@@ -1648,7 +1665,12 @@ main(int ac, char **av)
 	}
 
 	debug("sshd version %s, %s", SSH_VERSION,
-	    SSLeay_version(SSLEAY_VERSION));
+#ifdef WITH_OPENSSL
+	    SSLeay_version(SSLEAY_VERSION)
+#else
+	    "without OpenSSL"
+#endif
+	);
 
 	/* Store privilege separation user for later use if required. */
 	if ((privsep_pw = getpwnam(SSH_PRIVSEP_USER)) == NULL) {
@@ -1770,6 +1792,8 @@ main(int ac, char **av)
 		debug("host certificate: #%d type %d %s", j, key->type,
 		    key_type(key));
 	}
+
+#ifdef WITH_SSH1
 	/* Check certain values for sanity. */
 	if (options.protocol & SSH_PROTO_1) {
 		if (options.server_key_bits < 512 ||
@@ -1794,6 +1818,7 @@ main(int ac, char **av)
 			    options.server_key_bits);
 		}
 	}
+#endif
 
 	if (use_privsep) {
 		struct stat st;
@@ -2077,8 +2102,12 @@ main(int ac, char **av)
 		do_ssh2_kex();
 		do_authentication2(authctxt);
 	} else {
+#ifdef WITH_SSH1
 		do_ssh1_kex();
 		do_authentication(authctxt);
+#else
+		fatal("ssh1 not supported");
+#endif
 	}
 	/*
 	 * If we use privilege separation, the unprivileged child transfers
@@ -2162,6 +2191,7 @@ main(int ac, char **av)
 	exit(0);
 }
 
+#ifdef WITH_SSH1
 /*
  * Decrypt session_key_int using our private server key and private host key
  * (key with larger modulus first).
@@ -2211,6 +2241,7 @@ ssh1_session_key(BIGNUM *session_key_int)
 	}
 	return (rsafail);
 }
+
 /*
  * SSH1 key exchange
  */
@@ -2388,6 +2419,7 @@ do_ssh1_kex(void)
 	packet_send();
 	packet_write_wait();
 }
+#endif
 
 void
 sshd_hostkey_sign(Key *privkey, Key *pubkey, u_char **signature, u_int *slen,
@@ -2450,11 +2482,13 @@ do_ssh2_kex(void)
 
 	/* start key exchange */
 	kex = kex_setup(myproposal);
+#ifdef WITH_OPENSSL
 	kex->kex[KEX_DH_GRP1_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GRP14_SHA1] = kexdh_server;
 	kex->kex[KEX_DH_GEX_SHA1] = kexgex_server;
 	kex->kex[KEX_DH_GEX_SHA256] = kexgex_server;
 	kex->kex[KEX_ECDH_SHA2] = kexecdh_server;
+#endif
 	kex->kex[KEX_C25519_SHA256] = kexc25519_server;
 	kex->server = 1;
 	kex->client_version_string=client_version_string;