- (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a

   bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
   ciphers from working correctly (disconnects with "Bad packet length"
   errors) as found by Ben Harris.  ok djm@

diff --git a/ChangeLog b/ChangeLog
index 06172d61ca248134471b1651022e6cf4c8354da9..3b175540bdd168d11d9fc162fd982c1b5b86e3c4 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,10 @@
  - (djm) [configure.ac] add a --without-openssl-header-check option to
    configure, as some platforms (OS X) ship OpenSSL headers whose version
    does not match that of the shipping library. ok dtucker@
+ - (dtucker) [openbsd-compat/openssl-compat.h] Bug #1291: Work around a
+   bug in OpenSSL 0.9.8e that prevents aes256-ctr, aes192-ctr and arcfour256
+   ciphers from working correctly (disconnects with "Bad packet length"
+   errors) as found by Ben Harris.  ok djm@
 
 20070303
  - (dtucker) [regress/agent-ptrace.sh] Make ttrace gdb error a little more

diff --git a/openbsd-compat/openssl-compat.h b/openbsd-compat/openssl-compat.h
index 36a09f6bad7878e49b10eac11fd0bbc343ca6b57..a37f1473a3ba44ea3d43017ea3ace6f324f6bbe2 100644 (file)
--- a/openbsd-compat/openssl-compat.h
+++ b/openbsd-compat/openssl-compat.h
@@ -46,6 +46,11 @@ extern const EVP_CIPHER *evp_acss(void);
 # endif
 #endif
 
+/* OpenSSL 0.9.8e returns cipher key len not context key len */
+#if (OPENSSL_VERSION_NUMBER == 0x0090805fL)
+# define EVP_CIPHER_CTX_key_length(c) ((c)->key_len)
+#endif
+
 /*
  * We overload some of the OpenSSL crypto functions with ssh_* equivalents
  * which cater for older and/or less featureful OpenSSL version.