diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2017-05-07 23:12:57 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2017-05-08 09:21:00 +1000 |
| commit | acaf34fd823235d549c633c0146ee03ac5956e82 (patch) | |
| tree | b6e350c58134d35c9a51533349404ee1463192eb /cipher.c | |
| parent | 3e371bd2124427403971db853fb2e36ce789b6fd (diff) | |
upstream commit
As promised in last release announcement: remove
support for Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
Upstream-ID: 21f8facdba3fd8da248df6417000867cec6ba222
Diffstat (limited to 'cipher.c')
| -rw-r--r-- | cipher.c | 64 |
1 files changed, 17 insertions, 47 deletions
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: cipher.c,v 1.106 2017/05/04 01:33:21 djm Exp $ */ | 1 | /* $OpenBSD: cipher.c,v 1.107 2017/05/07 23:12:57 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 3 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| @@ -67,7 +67,6 @@ struct sshcipher { | |||
| 67 | u_int key_len; | 67 | u_int key_len; |
| 68 | u_int iv_len; /* defaults to block_size */ | 68 | u_int iv_len; /* defaults to block_size */ |
| 69 | u_int auth_len; | 69 | u_int auth_len; |
| 70 | u_int discard_len; | ||
| 71 | u_int flags; | 70 | u_int flags; |
| 72 | #define CFLAG_CBC (1<<0) | 71 | #define CFLAG_CBC (1<<0) |
| 73 | #define CFLAG_CHACHAPOLY (1<<1) | 72 | #define CFLAG_CHACHAPOLY (1<<1) |
| @@ -83,42 +82,31 @@ struct sshcipher { | |||
| 83 | 82 | ||
| 84 | static const struct sshcipher ciphers[] = { | 83 | static const struct sshcipher ciphers[] = { |
| 85 | #ifdef WITH_OPENSSL | 84 | #ifdef WITH_OPENSSL |
| 86 | { "3des-cbc", 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc }, | 85 | { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc }, |
| 87 | # ifndef OPENSSL_NO_BF | 86 | { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc }, |
| 88 | { "blowfish-cbc", 8, 16, 0, 0, 0, 1, EVP_bf_cbc }, | 87 | { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc }, |
| 89 | # endif /* OPENSSL_NO_BF */ | 88 | { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, |
| 90 | # ifndef OPENSSL_NO_CAST | ||
| 91 | { "cast128-cbc", 8, 16, 0, 0, 0, 1, EVP_cast5_cbc }, | ||
| 92 | # endif /* OPENSSL_NO_CAST */ | ||
| 93 | # ifndef OPENSSL_NO_RC4 | ||
| 94 | { "arcfour", 8, 16, 0, 0, 0, 0, EVP_rc4 }, | ||
| 95 | { "arcfour128", 8, 16, 0, 0, 1536, 0, EVP_rc4 }, | ||
| 96 | { "arcfour256", 8, 32, 0, 0, 1536, 0, EVP_rc4 }, | ||
| 97 | # endif /* OPENSSL_NO_RC4 */ | ||
| 98 | { "aes128-cbc", 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc }, | ||
| 99 | { "aes192-cbc", 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc }, | ||
| 100 | { "aes256-cbc", 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, | ||
| 101 | { "rijndael-cbc@lysator.liu.se", | 89 | { "rijndael-cbc@lysator.liu.se", |
| 102 | 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc }, | 90 | 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc }, |
| 103 | { "aes128-ctr", 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr }, | 91 | { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr }, |
| 104 | { "aes192-ctr", 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr }, | 92 | { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr }, |
| 105 | { "aes256-ctr", 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr }, | 93 | { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr }, |
| 106 | # ifdef OPENSSL_HAVE_EVPGCM | 94 | # ifdef OPENSSL_HAVE_EVPGCM |
| 107 | { "aes128-gcm@openssh.com", | 95 | { "aes128-gcm@openssh.com", |
| 108 | 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm }, | 96 | 16, 16, 12, 16, 0, EVP_aes_128_gcm }, |
| 109 | { "aes256-gcm@openssh.com", | 97 | { "aes256-gcm@openssh.com", |
| 110 | 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm }, | 98 | 16, 32, 12, 16, 0, EVP_aes_256_gcm }, |
| 111 | # endif /* OPENSSL_HAVE_EVPGCM */ | 99 | # endif /* OPENSSL_HAVE_EVPGCM */ |
| 112 | #else | 100 | #else |
| 113 | { "aes128-ctr", 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL }, | 101 | { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL }, |
| 114 | { "aes192-ctr", 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL }, | 102 | { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL }, |
| 115 | { "aes256-ctr", 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL }, | 103 | { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL }, |
| 116 | #endif | 104 | #endif |
| 117 | { "chacha20-poly1305@openssh.com", | 105 | { "chacha20-poly1305@openssh.com", |
| 118 | 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL }, | 106 | 8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL }, |
| 119 | { "none", 8, 0, 0, 0, 0, CFLAG_NONE, NULL }, | 107 | { "none", 8, 0, 0, 0, CFLAG_NONE, NULL }, |
| 120 | 108 | ||
| 121 | { NULL, 0, 0, 0, 0, 0, 0, NULL } | 109 | { NULL, 0, 0, 0, 0, 0, NULL } |
| 122 | }; | 110 | }; |
| 123 | 111 | ||
| 124 | /*--*/ | 112 | /*--*/ |
| @@ -252,7 +240,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher, | |||
| 252 | #ifdef WITH_OPENSSL | 240 | #ifdef WITH_OPENSSL |
| 253 | const EVP_CIPHER *type; | 241 | const EVP_CIPHER *type; |
| 254 | int klen; | 242 | int klen; |
| 255 | u_char *junk, *discard; | ||
| 256 | #endif | 243 | #endif |
| 257 | 244 | ||
| 258 | *ccp = NULL; | 245 | *ccp = NULL; |
| @@ -314,23 +301,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher, | |||
| 314 | ret = SSH_ERR_LIBCRYPTO_ERROR; | 301 | ret = SSH_ERR_LIBCRYPTO_ERROR; |
| 315 | goto out; | 302 | goto out; |
| 316 | } | 303 | } |
| 317 | |||
| 318 | if (cipher->discard_len > 0) { | ||
| 319 | if ((junk = malloc(cipher->discard_len)) == NULL || | ||
| 320 | (discard = malloc(cipher->discard_len)) == NULL) { | ||
| 321 | free(junk); | ||
| 322 | ret = SSH_ERR_ALLOC_FAIL; | ||
| 323 | goto out; | ||
| 324 | } | ||
| 325 | ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len); | ||
| 326 | explicit_bzero(discard, cipher->discard_len); | ||
| 327 | free(junk); | ||
| 328 | free(discard); | ||
| 329 | if (ret != 1) { | ||
| 330 | ret = SSH_ERR_LIBCRYPTO_ERROR; | ||
| 331 | goto out; | ||
| 332 | } | ||
| 333 | } | ||
| 334 | ret = 0; | 304 | ret = 0; |
| 335 | #endif /* WITH_OPENSSL */ | 305 | #endif /* WITH_OPENSSL */ |
| 336 | out: | 306 | out: |