search for: evp_aes_

Hi. OpenSSH currently has its own implementation of AES in counter mode (cipher-ctr.c). This is probably because it wasn't available in OpenSSL. From what I see now, recent OpenSSL does implement EVP_aes_{128,192,256}_ctr() and it would be nice to use it whenever possible. The gain here is that OpenSSH's version uses software AES implementation and OpenSSL's version will use AES-NI if available. Just FYI, unfortunately I cannot prepare nice and clean patch for this right now, but changing a...

OpenSSH uses its own CTR mode implementation, correct? ?I seem to recall some discussion about why it hasn't/won't switch over to using OpenSSL's implementation, but I can't find the thread anymore. So... why doesn't OpenSSH use OpenSSL's CTR mode implementation? Thanks.

...recall some discussion about why it hasn't/won't switch over to using > OpenSSL's implementation, but I can't find the thread anymore. > > So... why doesn't OpenSSH use OpenSSL's CTR mode implementation? I believe as of 6.2, OpenSSH defaults to using OpenSSL's EVP_aes_*_ctr. I'm unaware of the history (hopefully one of the devs can jump in and help us there). What I do know is OpenSSL introduced AES-CTR support with 0.9.7. --mancha -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signatu...

...100644 --- a/cipher.c +++ b/cipher.c @@ -82,7 +82,9 @@ struct sshcipher { static const struct sshcipher ciphers[] = { #ifdef WITH_OPENSSL +#ifdef OPENSSL_HAVE_DES { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, +#endif { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc }, { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc }, { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, diff --git a/configure.ac b/configure.ac index 889f506..6c664ad 100644 --- a/configure.ac +++ b/configure.ac @@ -2672,6 +2672,26 @@ if test &qu...

...curity/openssh/cvs/openssh_cvs/configure.ac,v retrieving revision 1.307 diff -u -p -r1.307 configure.ac --- configure.ac 12 Nov 2005 07:42:37 -0000 1.307 +++ configure.ac 20 Nov 2005 01:20:40 -0000 @@ -1745,6 +1745,24 @@ Also see contrib/findssl.sh for help ide ] ) +# Check for OpenSSL without EVP_aes_{192,256}_cbc +AC_MSG_CHECKING([whether OpenSSL has crippled AES support]) +AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([[ +#include <string.h> +#include <openssl/evp.h> +int main(void) { exit(EVP_aes_192_cbc() == NULL || EVP_aes_256_cbc() == NULL)} + ]])], + [ + AC_MSG_RESULT(no) + ], + [ +...