[openssh] enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
Tomáš Mráz
tmraz at fedoraproject.org
Wed Jan 11 18:11:38 UTC 2012
commit 6148abd5854cf36ae2f5930af5a5e5740553f933
Author: Tomas Mraz <tmraz at fedoraproject.org>
Date: Wed Jan 11 19:11:33 2012 +0100
enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
openssh-5.9p1-ctr-evp-fast.patch | 101 ++++++++++++++++++++++++++++++++++++++
openssh.spec | 9 +++-
2 files changed, 108 insertions(+), 2 deletions(-)
---
diff --git a/openssh-5.9p1-ctr-evp-fast.patch b/openssh-5.9p1-ctr-evp-fast.patch
new file mode 100644
index 0000000..5d17aab
--- /dev/null
+++ b/openssh-5.9p1-ctr-evp-fast.patch
@@ -0,0 +1,101 @@
+diff -up openssh-5.9p1/cipher-ctr.c.ctr-evp openssh-5.9p1/cipher-ctr.c
+--- openssh-5.9p1/cipher-ctr.c.ctr-evp 2012-01-11 09:24:06.000000000 +0100
++++ openssh-5.9p1/cipher-ctr.c 2012-01-11 15:54:04.675956600 +0100
+@@ -38,7 +38,7 @@ void ssh_aes_ctr_iv(EVP_CIPHER_CTX *, in
+
+ struct ssh_aes_ctr_ctx
+ {
+- AES_KEY aes_ctx;
++ EVP_CIPHER_CTX ecbctx;
+ u_char aes_counter[AES_BLOCK_SIZE];
+ };
+
+@@ -63,21 +63,42 @@ ssh_aes_ctr(EVP_CIPHER_CTX *ctx, u_char
+ {
+ struct ssh_aes_ctr_ctx *c;
+ size_t n = 0;
+- u_char buf[AES_BLOCK_SIZE];
++ u_char ctrbuf[AES_BLOCK_SIZE*256];
++ u_char buf[AES_BLOCK_SIZE*256];
+
+ if (len == 0)
+ return (1);
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) == NULL)
+ return (0);
+
+- while ((len--) > 0) {
++ for (; len > 0; len -= sizeof(u_int)) {
++ u_int r,a,b;
++
+ if (n == 0) {
+- AES_encrypt(c->aes_counter, buf, &c->aes_ctx);
+- ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
++ int outl, i, buflen;
++
++ buflen = MIN(len, sizeof(ctrbuf));
++
++ for(i = 0; i < buflen; i += AES_BLOCK_SIZE) {
++ memcpy(&ctrbuf[i], c->aes_counter, AES_BLOCK_SIZE);
++ ssh_ctr_inc(c->aes_counter, AES_BLOCK_SIZE);
++ }
++
++ EVP_EncryptUpdate(&c->ecbctx, buf, &outl,
++ ctrbuf, buflen);
+ }
+- *(dest++) = *(src++) ^ buf[n];
+- n = (n + 1) % AES_BLOCK_SIZE;
++
++ memcpy(&a, src, sizeof(a));
++ memcpy(&b, &buf[n], sizeof(b));
++ r = a ^ b;
++ memcpy(dest, &r, sizeof(r));
++ src += sizeof(a);
++ dest += sizeof(r);
++
++ n = (n + sizeof(b)) % sizeof(buf);
+ }
++ memset(ctrbuf, '\0', sizeof(ctrbuf));
++ memset(buf, '\0', sizeof(buf));
+ return (1);
+ }
+
+@@ -91,9 +112,28 @@ ssh_aes_ctr_init(EVP_CIPHER_CTX *ctx, co
+ c = xmalloc(sizeof(*c));
+ EVP_CIPHER_CTX_set_app_data(ctx, c);
+ }
+- if (key != NULL)
+- AES_set_encrypt_key(key, EVP_CIPHER_CTX_key_length(ctx) * 8,
+- &c->aes_ctx);
++
++ EVP_CIPHER_CTX_init(&c->ecbctx);
++
++ if (key != NULL) {
++ const EVP_CIPHER *cipher;
++ switch(EVP_CIPHER_CTX_key_length(ctx)*8) {
++ case 128:
++ cipher = EVP_aes_128_ecb();
++ break;
++ case 192:
++ cipher = EVP_aes_192_ecb();
++ break;
++ case 256:
++ cipher = EVP_aes_256_ecb();
++ break;
++ default:
++ fatal("ssh_aes_ctr_init: wrong aes key length");
++ }
++ if(!EVP_EncryptInit_ex(&c->ecbctx, cipher, NULL, key, NULL))
++ fatal("ssh_aes_ctr_init: cannot initialize aes encryption");
++ EVP_CIPHER_CTX_set_padding(&c->ecbctx, 0);
++ }
+ if (iv != NULL)
+ memcpy(c->aes_counter, iv, AES_BLOCK_SIZE);
+ return (1);
+@@ -105,6 +145,7 @@ ssh_aes_ctr_cleanup(EVP_CIPHER_CTX *ctx)
+ struct ssh_aes_ctr_ctx *c;
+
+ if ((c = EVP_CIPHER_CTX_get_app_data(ctx)) != NULL) {
++ EVP_CIPHER_CTX_cleanup(&c->ecbctx);
+ memset(c, 0, sizeof(*c));
+ xfree(c);
+ EVP_CIPHER_CTX_set_app_data(ctx, NULL);
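Review bot: In ssh_aes_ctr the new loop steps `len -= sizeof(u_int)` and passes `buflen = MIN(len, sizeof(ctrbuf))` to EVP_EncryptUpdate, so it is only correct when len is a multiple of AES_BLOCK_SIZE, and nothing in the hunk enforces that. If len is an unsigned type (its declaration is outside the hunk), a length that is not a multiple of four wraps past zero and the loop goes on reading src and writing dest beyond the caller's buffers. A guard before the loop, `if (len % AES_BLOCK_SIZE != 0) return (0);`, would make the assumption explicit. The result of EVP_EncryptUpdate is also ignored, so a failed call would XOR the data with whatever is in the uninitialised `buf`; check the return value and `outl == buflen`, and fail the call otherwise. Separately, in ssh_aes_ctr_init, `EVP_CIPHER_CTX_init(&c->ecbctx)` sits after the allocation branch and so appears to run on every call, including one with key == NULL on an already keyed context; it would be safer inside the branch that allocates c, whose opening line is outside the hunk.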
diff --git a/openssh.spec b/openssh.spec
index 0570c29..519e66b 100644
--- a/openssh.spec
+++ b/openssh.spec
@@ -75,7 +75,7 @@
# Do not forget to bump pam_ssh_agent_auth release if you rewind the main package release to 1
%define openssh_ver 5.9p1
-%define openssh_rel 14
+%define openssh_rel 15
%define pam_ssh_agent_ver 0.9.2
%define pam_ssh_agent_rel 32
@@ -196,7 +196,8 @@ Patch709: openssh-5.9p1-vendor.patch
Patch710: openssh-5.9p1-copy-id-restorecon.patch
# warn users for unsupported UsePAM=no (#757545)
Patch711: openssh-5.9p1-log-usepam-no.patch
-
+# make aes-ctr ciphers use EVP engines such as AES-NI from OpenSSL
+Patch712: openssh-5.9p1-ctr-evp-fast.patch
#http://www.sxw.org.uk/computing/patches/openssh.html
Patch800: openssh-5.9p1-gsskex.patch
@@ -444,6 +445,7 @@ popd
%patch709 -p1 -b .vendor
%patch710 -p1 -b .restorecon
%patch711 -p1 -b .log-usepam-no
+%patch712 -p1 -b .evp-ctr
%patch800 -p1 -b .gsskex
%patch801 -p1 -b .force_krb
@@ -789,6 +791,9 @@ fi
%endif
%changelog
+* Tue Dec 06 2011 Tomas Mraz <tmraz at redhat.com> 5.9p1-15 + 0.9.2-32
+- enable aes-ctr ciphers use the EVP engines from OpenSSL such as the AES-NI
+
* Tue Dec 06 2011 Petr Lautrbach <plautrba at redhat.com> 5.9p1-14 + 0.9.2-32
- warn about unsupported option UsePAM=no (#757545)