ClearML/dropbear
1
0
Fork 0
mirror of https://github.com/clearml/dropbear synced 2025-03-04 02:57:46 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Update nocrypto branch to current head

Browse Source 
--HG--
branch : insecure-nocrypto
extra : convert_revision : 9e5e6e33be005d27cd5b3270c574edc45b5c2893
This commit is contained in:
Matt Johnston 2008-11-06 13:33:06 +00:00
parent 800810a181
commit 1912439526
3 changed files with 25 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
common-algo.c
View File

@ -151,7 +151,7 @@ algo_type sshciphers[] = {
{"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc}, {"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc},
#endif #endif
#ifdef DROPBEAR_NONE_CIPHER #ifdef DROPBEAR_NONE_CIPHER
{"none", 0, (void*)&dropbear_nocipher, 1}, {"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none},
#endif #endif
{NULL, 0, NULL, 0} {NULL, 0, NULL, 0}
}; };

20
common-kex.c
View File

@ -292,6 +292,7 @@ void gen_new_keys() {
hashkeys(C2S_key, C2S_keysize, &hs, 'C'); hashkeys(C2S_key, C2S_keysize, &hs, 'C');
hashkeys(S2C_key, S2C_keysize, &hs, 'D'); hashkeys(S2C_key, S2C_keysize, &hs, 'D');
if (ses.newkeys->recv_algo_crypt->cipherdesc != NULL) {
recv_cipher = find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name); recv_cipher = find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name);
if (recv_cipher < 0) if (recv_cipher < 0)
dropbear_exit("crypto error"); dropbear_exit("crypto error");
@ -301,7 +302,9 @@ void gen_new_keys() {
&ses.newkeys->recv_cipher_state) != CRYPT_OK) { &ses.newkeys->recv_cipher_state) != CRYPT_OK) {
dropbear_exit("crypto error"); dropbear_exit("crypto error");
} }
}
if (ses.newkeys->trans_algo_crypt->cipherdesc != NULL) {
trans_cipher = find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name); trans_cipher = find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name);
if (trans_cipher < 0) if (trans_cipher < 0)
dropbear_exit("crypto error"); dropbear_exit("crypto error");
@ -310,23 +313,6 @@ void gen_new_keys() {
ses.newkeys->trans_algo_crypt->keysize, 0, ses.newkeys->trans_algo_crypt->keysize, 0,
&ses.newkeys->trans_cipher_state) != CRYPT_OK) { &ses.newkeys->trans_cipher_state) != CRYPT_OK) {
dropbear_exit("crypto error"); dropbear_exit("crypto error");
if (ses.newkeys->recv_algo_crypt->cipherdesc != NULL) {
if (cbc_start(
find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name),
recv_IV, recv_key,
ses.newkeys->recv_algo_crypt->keysize, 0,
&ses.newkeys->recv_symmetric_struct) != CRYPT_OK) {
dropbear_exit("crypto error");
}
}
if (ses.newkeys->trans_algo_crypt->cipherdesc != NULL) {
if (cbc_start(
find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name),
trans_IV, trans_key,
ses.newkeys->trans_algo_crypt->keysize, 0,
&ses.newkeys->trans_symmetric_struct) != CRYPT_OK) {
dropbear_exit("crypto error");
} }
} }

19
options.h
View File

@ -82,17 +82,15 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* Protocol RFC requires 3DES and recommends AES128 for interoperability. * Protocol RFC requires 3DES and recommends AES128 for interoperability.
* Including multiple keysize variants the same cipher * Including multiple keysize variants the same cipher
* (eg AES256 as well as AES128) will result in a minimal size increase.*/ * (eg AES256 as well as AES128) will result in a minimal size increase.*/
/*
#define DROPBEAR_AES128 #define DROPBEAR_AES128
#define DROPBEAR_3DES #define DROPBEAR_3DES
#define DROPBEAR_AES256 #define DROPBEAR_AES256
#define DROPBEAR_BLOWFISH #define DROPBEAR_BLOWFISH
#define DROPBEAR_TWOFISH256 #define DROPBEAR_TWOFISH256
#define DROPBEAR_TWOFISH128 #define DROPBEAR_TWOFISH128
*/
/* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. This adds around 1kB to binary
* size and is recommended for most cases */
#define DROPBEAR_ENABLE_CTR_MODE
/* You can compile with no encryption if you want. In some circumstances /* You can compile with no encryption if you want. In some circumstances
* this could be safe securitywise, though make sure you know what * this could be safe securitywise, though make sure you know what
* you're doing. Anyone can see everything that goes over the wire, so * you're doing. Anyone can see everything that goes over the wire, so
@ -105,6 +103,11 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* "dbclient-insecure" client. */ * "dbclient-insecure" client. */
#define DROPBEAR_NONE_CIPHER #define DROPBEAR_NONE_CIPHER
/* Enable "Counter Mode" for ciphers. This is more secure than normal
* CBC mode against certain attacks. This adds around 1kB to binary
* size and is recommended for most cases */
#define DROPBEAR_ENABLE_CTR_MODE
/* Message Integrity - at least one required. /* Message Integrity - at least one required.
* Protocol RFC requires sha1 and recommends sha1-96. * Protocol RFC requires sha1 and recommends sha1-96.
* sha1-96 may be of use for slow links, as it has a smaller overhead. * sha1-96 may be of use for slow links, as it has a smaller overhead.
@ -117,15 +120,19 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* These hashes are also used for public key fingerprints in logs. * These hashes are also used for public key fingerprints in logs.
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints, * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */ * which are not the standard form. */
/*
#define DROPBEAR_SHA1_HMAC #define DROPBEAR_SHA1_HMAC
#define DROPBEAR_SHA1_96_HMAC #define DROPBEAR_SHA1_96_HMAC
#define DROPBEAR_MD5_HMAC #define DROPBEAR_MD5_HMAC
*/
/* You can also disable integrity. Don't bother disabling this if you're /* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. Don't disable this if you're * still using a cipher, it's relatively cheap. Don't disable this if you're
* using 'none' cipher, since it's dead simple to run arbitrary commands * using 'none' cipher, since it's dead simple to run arbitrary commands
* on the remote host. Beware. */ * on the remote host. Beware.
/*#define DROPBEAR_NONE_INTEGRITY*/ * Note again, for the client you will have to disable other hashes above
* to use this. */
#define DROPBEAR_NONE_INTEGRITY
/* Hostkey/public key algorithms - at least one required, these are used /* Hostkey/public key algorithms - at least one required, these are used
* for hostkey as well as for verifying signatures with pubkey auth. * for hostkey as well as for verifying signatures with pubkey auth.