openssh unix dev - Apr 2018 - [PATCH] configure.ac/cipher.c: Check for OpenSSL with EVP_des_ede3_cbc

While compiling openssl with option `no-des', it caused the openssh
build failure
...
cipher.c:85:41: error: 'EVP_des_ede3_cbc' undeclared here (not in a
function);
...

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 cipher.c     |  2 ++
 configure.ac | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+)

diff --git a/cipher.c b/cipher.c
index c3cd5dc..41dacfb 100644
--- a/cipher.c
+++ b/cipher.c
@@ -82,7 +82,9 @@ struct sshcipher {
 
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_OPENSSL
+#ifdef OPENSSL_HAVE_DES
 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
+#endif
 	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
 	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
 	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
diff --git a/configure.ac b/configure.ac
index 889f506..6c664ad 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2672,6 +2672,26 @@ if test "x$openssl" = "xyes" ; then
 		]
 	)
 
+	# Check for OpenSSL with EVP_des_ede3_cbc
+	AC_MSG_CHECKING([whether OpenSSL has DES support])
+	AC_LINK_IFELSE(
+		[AC_LANG_PROGRAM([[
+	#include <string.h>
+	#include <openssl/evp.h>
+	]], [[
+		exit(EVP_des_ede3_cbc() == NULL);
+	]])],
+	[
+		AC_MSG_RESULT([yes])
+		AC_DEFINE([OPENSSL_HAVE_DES], [1],
+		[libcrypto has DES support])
+	],
+	[
+		AC_MSG_RESULT([no])
+	]
+	)
+
+
 	# Check for OpenSSL with EVP_aes_*ctr
 	AC_MSG_CHECKING([whether OpenSSL has AES CTR via EVP])
 	AC_LINK_IFELSE(
-- 
2.7.4

On 18 April 2018 at 17:35, Hongxu Jia <hongxu.jia at windriver.com>
wrote:
> While compiling openssl with option `no-des', it caused the openssh
> build failure
OpenSSL configured that way defines OPENSSL_NO_DES (which is kind of
backward, but that's how OpenSSL does it, and how OpenSSH already
handles OPENSSL_NO_RC4).

3des-cbc is the only cipher that is required by RFC4253, but on the
other hand building without OpenSSL will already omit it.  @djm?

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

While compiling openssl with option `no-des', it caused the openssh
build failure
...
cipher.c:85:41: error: 'EVP_des_ede3_cbc' undeclared here (not in a
function);
...

OpenSSL configured that way defines OPENSSL_NO_DES to disable des

Suggested by dtucker@

Signed-off-by: Hongxu Jia <hongxu.jia at windriver.com>
---
 cipher.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cipher.c b/cipher.c
index c3cd5dc..86558e1 100644
--- a/cipher.c
+++ b/cipher.c
@@ -82,7 +82,9 @@ struct sshcipher {
 
 static const struct sshcipher ciphers[] = {
 #ifdef WITH_OPENSSL
+#ifndef OPENSSL_NO_DES
 	{ "3des-cbc",		8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
+#endif
 	{ "aes128-cbc",		16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
 	{ "aes192-cbc",		16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
 	{ "aes256-cbc",		16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
-- 
2.7.4

On Wed, 18 Apr 2018, Darren Tucker wrote:
> On 18 April 2018 at 17:35, Hongxu Jia <hongxu.jia at windriver.com>
wrote:
> > While compiling openssl with option `no-des', it caused the
openssh
> > build failure
> 
> OpenSSL configured that way defines OPENSSL_NO_DES (which is kind of
> backward, but that's how OpenSSL does it, and how OpenSSH already
> handles OPENSSL_NO_RC4).
> 
> 3des-cbc is the only cipher that is required by RFC4253, but on the
> other hand building without OpenSSL will already omit it.  @djm?
I have no objection to our handling OPENSSL_NO_DES and ommitting
3des-cbc. It's pretty easy to do since it doesn't appear in any
default cipher lists any more...

-d