From 6dc029f2cbf84a6aab6b6e6a98e99670535be8f4 Mon Sep 17 00:00:00 2001 From: Matt Johnston Date: Wed, 30 Mar 2022 10:23:39 +0800 Subject: [PATCH] Remove twofish and remnants of blowfish Twofish CTR was never enabled by default and CBC modes are deprecated --- SMALL | 5 +---- common-algo.c | 24 ------------------------ crypto_desc.c | 6 ------ default_options.h | 2 -- sysoptions.h | 13 +------------ 5 files changed, 2 insertions(+), 48 deletions(-) diff --git a/SMALL b/SMALL index babd671..0ddb89a 100644 --- a/SMALL +++ b/SMALL @@ -9,10 +9,7 @@ The same applies if you are compiling just a client. --- -The following are set in options.h: - - - You can safely disable blowfish and twofish ciphers, and MD5 hmac, without - affecting interoperability +The following are set in localoptions.h: - If you're compiling statically, you can turn off host lookups diff --git a/common-algo.c b/common-algo.c index b9ad4ae..7564df8 100644 --- a/common-algo.c +++ b/common-algo.c @@ -64,14 +64,6 @@ static const struct dropbear_cipher dropbear_aes256 = static const struct dropbear_cipher dropbear_aes128 = {&aes_desc, 16, 16}; #endif -#if DROPBEAR_TWOFISH256 -static const struct dropbear_cipher dropbear_twofish256 = - {&twofish_desc, 32, 16}; -#endif -#if DROPBEAR_TWOFISH128 -static const struct dropbear_cipher dropbear_twofish128 = - {&twofish_desc, 16, 16}; -#endif #if DROPBEAR_3DES static const struct dropbear_cipher dropbear_3des = {&des3_desc, 24, 8}; @@ -156,15 +148,6 @@ algo_type sshciphers[] = { #if DROPBEAR_AES256 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr}, #endif -#if DROPBEAR_TWOFISH_CTR -/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */ -#if DROPBEAR_TWOFISH256 - {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr}, -#endif -#if DROPBEAR_TWOFISH128 - {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr}, -#endif -#endif /* DROPBEAR_TWOFISH_CTR */ #endif /* DROPBEAR_ENABLE_CTR_MODE */ #if DROPBEAR_ENABLE_CBC_MODE @@ -174,13 +157,6 @@ algo_type sshciphers[] = { #if DROPBEAR_AES256 {"aes256-cbc", 0, &dropbear_aes256, 1, &dropbear_mode_cbc}, #endif -#if DROPBEAR_TWOFISH256 - {"twofish256-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc}, - {"twofish-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc}, -#endif -#if DROPBEAR_TWOFISH128 - {"twofish128-cbc", 0, &dropbear_twofish128, 1, &dropbear_mode_cbc}, -#endif #endif /* DROPBEAR_ENABLE_CBC_MODE */ #if DROPBEAR_3DES diff --git a/crypto_desc.c b/crypto_desc.c index 50b63dc..b370728 100644 --- a/crypto_desc.c +++ b/crypto_desc.c @@ -24,12 +24,6 @@ void crypto_init() { #if DROPBEAR_AES &aes_desc, #endif -#if DROPBEAR_BLOWFISH - &blowfish_desc, -#endif -#if DROPBEAR_TWOFISH - &twofish_desc, -#endif #if DROPBEAR_3DES &des3_desc, #endif diff --git a/default_options.h b/default_options.h index d37b1d8..d9e7ba2 100644 --- a/default_options.h +++ b/default_options.h @@ -95,8 +95,6 @@ IMPORTANT: Some options will require "make clean" after changes */ #define DROPBEAR_AES128 1 #define DROPBEAR_AES256 1 #define DROPBEAR_3DES 0 -#define DROPBEAR_TWOFISH256 0 -#define DROPBEAR_TWOFISH128 0 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is * generally faster than AES256 on CPU w/o dedicated AES instructions, diff --git a/sysoptions.h b/sysoptions.h index ed838ba..3267d95 100644 --- a/sysoptions.h +++ b/sysoptions.h @@ -131,14 +131,6 @@ #define DROPBEAR_MD5_HMAC 0 #endif -/* Twofish counter mode is disabled by default because it -has not been tested for interoperability with other SSH implementations. -If you test it please contact the Dropbear author */ -#ifndef DROPBEAR_TWOFISH_CTR -#define DROPBEAR_TWOFISH_CTR 0 -#endif - - #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA)) /* Debian doesn't define this in system headers */ @@ -235,8 +227,6 @@ If you test it please contact the Dropbear author */ #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128)) -#define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128)) - #define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305) || (DROPBEAR_ENABLE_GCM_MODE)) #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD)) @@ -280,8 +270,7 @@ If you test it please contact the Dropbear author */ #error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins" #endif -#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \ - || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128 || DROPBEAR_CHACHA20POLY1305) +#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305) #error "At least one encryption algorithm must be enabled. AES128 is recommended." #endif