2 files changed, 13 insertions, 0 deletions

diff --git a/libssh/kex.c b/libssh/kex.c
index 2b83384..a599734 100644
--- a/libssh/kex.c
+++ b/libssh/kex.c
@@ -53,10 +53,15 @@
 #define BLOWFISH ""
 #endif
 #ifdef HAVE_OPENSSL_AES_H
+#ifdef BROKEN_AES_CTR
+#define AES "aes256-cbc,aes192-cbc,aes128-cbc,"
+#else
 #define AES "aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc,"
+#endif /* BROKEN_AES_CTR */
 #else
 #define AES ""
 #endif
+
 #define DES "3des-cbc"
 #endif
 
diff --git a/libssh/wrapper.c b/libssh/wrapper.c
index 807f743..c3a3123 100644
--- a/libssh/wrapper.c
+++ b/libssh/wrapper.c
@@ -614,6 +614,11 @@ static void aes_decrypt(struct crypto_struct *cipher, void *in, void *out,
   AES_cbc_encrypt(in, out, len, cipher->key, IV, AES_DECRYPT);
 }
 
+#ifndef BROKEN_AES_CTR
+/* OpenSSL until 0.9.7c has a broken AES_ctr128_encrypt implementation which
+ * increments the counter from 2^64 instead of 1. It's better not to use it
+ */
+
 /** @internal
  * @brief encrypts/decrypts data with stream cipher AES_ctr128. 128 bits is actually
  * the size of the CTR counter and incidentally the blocksize, but not the keysize.
@@ -631,6 +636,7 @@ static void aes_ctr128_encrypt(struct crypto_struct *cipher, void *in, void *out
    */
   AES_ctr128_encrypt(in, out, len, cipher->key, IV, tmp_buffer, &num);
 }
+#endif /* BROKEN_AES_CTR */
 #endif /* HAS_AES */
 
 #ifdef HAS_DES
@@ -722,6 +728,7 @@ static struct crypto_struct ssh_ciphertab[] = {
   },
 #endif /* HAS_BLOWFISH */
 #ifdef HAS_AES
+#ifndef BROKEN_AES_CTR
   {
     "aes128-ctr",
     16,
@@ -755,6 +762,7 @@ static struct crypto_struct ssh_ciphertab[] = {
     aes_ctr128_encrypt,
     aes_ctr128_encrypt
   },
+#endif /* BROKEN_AES_CTR */
   {
     "aes128-cbc",
     16,