Go back to internal OCB implementation

After further discussion, the Mosh maintainers have decided to stick
with the internal OCB implementation for this release. Restore support
for using OpenSSL’s AES but internal OCB. To make this commit easy to
audit, restore the code exactly, including calls to AES functions that
are deprecated in OpenSSL 3; a future commit will update ocb_internal.cc
to use EVP instead of directly calling the AES primitives.

In anticipation of future changes, preserve support for OpenSSL’s
AES-OCB, but don’t compile it in. Add
--with-crypto-library=openssl-with-openssl-ocb and
--with-crypto-library=openssl-with-internal-ocb options to configure so
that developers can easily test Mosh using OpenSSL’s AES-OCB. These
options are intended only for testing, are undocumented, and are not
subject to any API stability guarantees.

Rework configure to look for all possible cryptography libraries first
and then dispatch on --with-crypto-library as appropriate.

configure.ac

@@ -365,7 +365,7 @@ AC_ARG_WITH(
   [AS_HELP_STRING([--with-crypto-library=library], [build with the given crypto library, TYPE=openssl|nettle|apple-common-crypto @<:@default=openssl@:>@])],
   [
     case "${withval}" in
-      openssl|nettle|apple-common-crypto) ;;
+      openssl|openssl-with-internal-ocb|openssl-with-openssl-ocb|nettle|apple-common-crypto) ;;
       *) AC_MSG_ERROR([bad value ${withval} for --with-crypto-library]) ;;
     esac
   ],
@@ -373,36 +373,50 @@ AC_ARG_WITH(
 )
 
 dnl Checks for chosen crypto library
+PKG_CHECK_MODULES([OpenSSL], [openssl],
+  [have_openssl=yes
+    AC_CHECK_LIB([crypto], [AES_encrypt], [have_deprecated_openssl_aes=yes])
+    AC_CHECK_LIB([crypto], [EVP_aes_128_ocb], [have_evp_aes_ocb=yes])],
+  [:])
+PKG_CHECK_MODULES([Nettle], [nettle], [have_nettle=yes], [:])
+AS_CASE([$with_crypto_library],
+  [openssl*],
+    [AS_IF([test "x$have_openssl" != xyes],
+       [AC_MSG_ERROR([OpenSSL crypto library not found])])
+     AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])
+     AC_SUBST([CRYPTO_CFLAGS], ["$OpenSSL_CFLAGS"])
+     AC_SUBST([CRYPTO_LIBS], ["$OpenSSL_LDFLAGS -lcrypto"])])
 case "${with_crypto_library}" in
-  openssl)
+  openssl|openssl-with-internal-ocb)
-    PKG_CHECK_MODULES([CRYPTO], [openssl],
+    AS_IF([test "x$have_deprecated_openssl_aes" != xyes],
-      [AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])],
+      [AC_MSG_ERROR([found OpenSSL without AES support])])
-      [AX_CHECK_LIBRARY([CRYPTO], [openssl/aes.h], [crypto],
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [false])
-        [AC_DEFINE([USE_OPENSSL_AES], [1], [Use OpenSSL library])
+    human_readable_cryptography_description='internal OCB, OpenSSL AES'
-          AC_SUBST([CRYPTO_CFLAGS], ["$CRYPTO_CPPFLAGS"])
+    ;;
-          AC_SUBST([CRYPTO_LIBS], ["$CRYPTO_LDFLAGS -lcrypto"])],
+  openssl-with-openssl-ocb)
-        [AC_MSG_ERROR([OpenSSL crypto library not found])])])
+    AS_IF([test "x$have_evp_aes_ocb" != xyes],
+      [AC_MSG_ERROR([found OpenSSL without AES-OCB support])])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [true])
+    human_readable_cryptography_description='OpenSSL OCB, OpenSSL AES'
     ;;
   nettle)
-    PKG_CHECK_MODULES([CRYPTO], [nettle],
+    AS_IF([test "x$have_nettle" != xyes],
-      [],
       [AC_MSG_ERROR([Nettle crypto library not found])])
     AC_DEFINE([USE_NETTLE_AES], [1], [Use Nettle library])
+    AC_SUBST([CRYPTO_CFLAGS], ["$Nettle_CFLAGS"])
+    AC_SUBST([CRYPTO_LIBS], ["$Nettle_LDFLAGS"])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [false])
+    human_readable_cryptography_description='internal OCB, Nettle AES'
     ;;
   apple-common-crypto)
-    dnl Common Crypto is in Apple's standard paths and base libraries.
+    AS_IF([test "x$ac_cv_header_CommonCrypto_CommonCrypto_h" != xyes],
-    dnl So just check for presence of the header.
-    AC_CHECK_HEADERS([CommonCrypto/CommonCrypto.h],
-      [],
       [AC_MSG_ERROR([Apple Common Crypto header not found])])
     AC_DEFINE([USE_APPLE_COMMON_CRYPTO_AES], [1], [Use Apple Common Crypto library])
+    AM_CONDITIONAL([USE_AES_OCB_FROM_OPENSSL], [false])
+    human_readable_cryptography_description='internal OCB, Apple Common Crypto AES'
     ;;
 esac
 
-AM_CONDITIONAL([CRYPTO_LIBRARY_OPENSSL], [test x$with_crypto_library = xopenssl])
-AM_CONDITIONAL([CRYPTO_LIBRARY_NETTLE], [test x$with_crypto_library = xnettle])
-AM_CONDITIONAL([CRYPTO_LIBRARY_APPLE], [test x$with_crypto_library = xapple-common-crypto])
-
 AC_ARG_ENABLE([static-crypto],
   [AS_HELP_STRING([--enable-static-crypto], [Link crypto library statically @<:@no@:>@])],
   [], [enable_static_crypto="$enable_static_libraries"])
@@ -585,4 +599,5 @@ AC_MSG_NOTICE([c++ compiler:        $CXX])
 AC_MSG_NOTICE([Warning CXXFLAGS:    $WARNING_CXXFLAGS])
 AC_MSG_NOTICE([Picky CXXFLAGS:      $PICKY_CXXFLAGS])
 AC_MSG_NOTICE([Harden CFLAGS:       $HARDEN_CFLAGS])
+AC_MSG_NOTICE([Cryptography:        $human_readable_cryptography_description])
 AC_MSG_NOTICE([ =============================])

src/crypto/Makefile.am

@@ -4,7 +4,7 @@ AM_CXXFLAGS = $(WARNING_CXXFLAGS) $(PICKY_CXXFLAGS) $(HARDEN_CFLAGS) $(MISC_CXXF
 noinst_LIBRARIES = libmoshcrypto.a
 
 OCB_SRCS = ae.h
-if CRYPTO_LIBRARY_OPENSSL
+if USE_AES_OCB_FROM_OPENSSL
 OCB_SRCS += ocb_openssl.cc
 else
 OCB_SRCS += ocb_internal.cc

src/crypto/ocb_internal.cc

@@ -26,10 +26,11 @@
 
 #include "config.h"
 
-/* This module implements the ae.h interface for Apple Common Crypto and
+/* This module implements the ae.h interface for OpenSSL, Apple Common
-/  Nettle.                                                                 */
+/  Crypto, and Nettle.                                                     */
-#if !defined(USE_APPLE_COMMON_CRYPTO_AES) && !defined(USE_NETTLE_AES)
+#if !defined(USE_OPENSSL_AES) && !defined(USE_APPLE_COMMON_CRYPTO_AES) && \
-#error ocb_internal.cc only works with Apple Common Crypto or Nettle
+    !defined(USE_NETTLE_AES)
+#error ocb_internal.cc only works with OpenSSL, Apple Common Crypto, or Nettle
 #endif
 
 /* ----------------------------------------------------------------------- */
@@ -62,6 +63,7 @@
 #if 0
 #define USE_APPLE_COMMON_CRYPTO_AES       0
 #define USE_NETTLE_AES       0
+#define USE_OPENSSL_AES      1  /* http://openssl.org                      */
 #endif
 
 /* During encryption and decryption, various "L values" are required.
@@ -352,8 +354,31 @@
 /* AES - Code uses OpenSSL API. Other implementations get mapped to it.    */
 /* ----------------------------------------------------------------------- */
 
+/*---------------*/
+#if USE_OPENSSL_AES
+/*---------------*/
+
+#include <openssl/aes.h>                            /* http://openssl.org/ */
+
+/* How to ECB encrypt an array of blocks, in place                         */
+static inline void AES_ecb_encrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	while (nblks) {
+		--nblks;
+		AES_encrypt((unsigned char *)(blks+nblks), (unsigned char *)(blks+nblks), key);
+	}
+}
+
+static inline void AES_ecb_decrypt_blks(block *blks, unsigned nblks, AES_KEY *key) {
+	while (nblks) {
+		--nblks;
+		AES_decrypt((unsigned char *)(blks+nblks), (unsigned char *)(blks+nblks), key);
+	}
+}
+
+#define BPI 4  /* Number of blocks in buffer per ECB call */
+
 /*-------------------*/
-#if USE_APPLE_COMMON_CRYPTO_AES
+#elif USE_APPLE_COMMON_CRYPTO_AES
 /*-------------------*/
 
 #include <fatal_assert.h>
@@ -1320,3 +1345,7 @@ int main()
     return 0;
 }
 #endif
+
+#if USE_OPENSSL_AES
+char infoString[] = "OCB3 (OpenSSL)";
+#endif