crypto: Disable blowfish support by default
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
This commit is contained in:
parent
6cd8d4a24a
commit
dea6fe3d89
@ -227,6 +227,7 @@ message(STATUS "Pcap debugging support : ${WITH_PCAP}")
|
||||
message(STATUS "With static library: ${WITH_STATIC_LIB}")
|
||||
message(STATUS "Unit testing: ${UNIT_TESTING}")
|
||||
message(STATUS "Client code testing: ${CLIENT_TESTING}")
|
||||
message(STATUS "Blowfish cipher support: ${WITH_BLOWFISH_CIPHER}")
|
||||
set(_SERVER_TESTING OFF)
|
||||
if (WITH_SERVER)
|
||||
set(_SERVER_TESTING ${SERVER_TESTING})
|
||||
|
@ -89,8 +89,10 @@ if (OPENSSL_FOUND)
|
||||
message(FATAL_ERROR "Could not detect openssl/aes.h")
|
||||
endif()
|
||||
|
||||
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
|
||||
check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
|
||||
if (WITH_BLOWFISH_CIPHER)
|
||||
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
|
||||
check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
|
||||
endif()
|
||||
|
||||
set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
|
||||
check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
|
||||
|
@ -8,6 +8,7 @@ option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
|
||||
option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
|
||||
option(WITH_GCRYPT "Compile against libgcrypt" OFF)
|
||||
option(WITH_MBEDTLS "Compile against libmbedtls" OFF)
|
||||
option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF)
|
||||
option(WITH_PCAP "Compile with Pcap generation support" ON)
|
||||
option(WITH_INTERNAL_DOC "Compile doxygen internal documentation" OFF)
|
||||
option(UNIT_TESTING "Build with unit tests" OFF)
|
||||
|
@ -238,6 +238,9 @@
|
||||
/* Define to 1 if you want to enable server support */
|
||||
#cmakedefine WITH_SERVER 1
|
||||
|
||||
/* Define to 1 if you want to enable blowfish cipher support */
|
||||
#cmakedefine WITH_BLOWFISH_CIPHER 1
|
||||
|
||||
/* Define to 1 if you want to enable debug output for crypto functions */
|
||||
#cmakedefine DEBUG_CRYPTO 1
|
||||
|
||||
|
@ -76,7 +76,9 @@ enum ssh_key_exchange_e {
|
||||
|
||||
enum ssh_cipher_e {
|
||||
SSH_NO_CIPHER=0,
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
SSH_BLOWFISH_CBC,
|
||||
#endif /* WITH_BLOWFISH_CIPHER */
|
||||
SSH_3DES_CBC,
|
||||
SSH_AES128_CBC,
|
||||
SSH_AES192_CBC,
|
||||
|
21
src/kex.c
21
src/kex.c
@ -39,16 +39,24 @@
|
||||
#include "libssh/knownhosts.h"
|
||||
#include "libssh/misc.h"
|
||||
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
|
||||
# define BLOWFISH "blowfish-cbc,"
|
||||
# else
|
||||
# define BLOWFISH ""
|
||||
# endif
|
||||
#else
|
||||
# define BLOWFISH ""
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_LIBGCRYPT
|
||||
# define BLOWFISH "blowfish-cbc,"
|
||||
# define AES "aes256-gcm@openssh.com,aes128-gcm@openssh.com," \
|
||||
"aes256-ctr,aes192-ctr,aes128-ctr," \
|
||||
"aes256-cbc,aes192-cbc,aes128-cbc,"
|
||||
# define DES "3des-cbc"
|
||||
# define DES_SUPPORTED "3des-cbc"
|
||||
|
||||
#elif defined HAVE_LIBMBEDCRYPTO
|
||||
# define BLOWFISH "blowfish-cbc,"
|
||||
#elif defined(HAVE_LIBMBEDCRYPTO)
|
||||
# ifdef MBEDTLS_GCM_C
|
||||
# define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
|
||||
# else
|
||||
@ -60,13 +68,6 @@
|
||||
# define DES_SUPPORTED "3des-cbc"
|
||||
|
||||
#elif defined(HAVE_LIBCRYPTO)
|
||||
|
||||
# ifdef HAVE_OPENSSL_BLOWFISH_H
|
||||
# define BLOWFISH "blowfish-cbc,"
|
||||
# else /* HAVE_OPENSSL_BLOWFISH_H */
|
||||
# define BLOWFISH ""
|
||||
# endif /* HAVE_OPENSSL_BLOWFISH_H */
|
||||
|
||||
# ifdef HAVE_OPENSSL_AES_H
|
||||
# ifdef HAVE_OPENSSL_EVP_AES_GCM
|
||||
# define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
|
||||
|
@ -514,10 +514,12 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher) {
|
||||
case SSH_3DES_CBC:
|
||||
cipher->cipher = EVP_des_ede3_cbc();
|
||||
break;
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
case SSH_BLOWFISH_CBC:
|
||||
cipher->cipher = EVP_bf_cbc();
|
||||
break;
|
||||
/* ciphers not using EVP */
|
||||
#endif
|
||||
case SSH_AEAD_CHACHA20_POLY1305:
|
||||
SSH_LOG(SSH_LOG_WARNING, "The ChaCha cipher cannot be handled here");
|
||||
break;
|
||||
@ -881,6 +883,7 @@ evp_cipher_aead_decrypt(struct ssh_cipher_struct *cipher,
|
||||
* The table of supported ciphers
|
||||
*/
|
||||
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
{
|
||||
.name = "blowfish-cbc",
|
||||
.blocksize = 8,
|
||||
@ -892,6 +895,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||
.decrypt = evp_cipher_decrypt,
|
||||
.cleanup = evp_cipher_cleanup
|
||||
},
|
||||
#endif
|
||||
#ifdef HAS_AES
|
||||
#ifndef BROKEN_AES_CTR
|
||||
/* OpenSSL until 0.9.7c has a broken AES_ctr128_encrypt implementation which
|
||||
|
@ -311,6 +311,7 @@ void hmac_final(HMACCTX c, unsigned char *hashmacbuf, unsigned int *len) {
|
||||
gcry_md_close(c);
|
||||
}
|
||||
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
/* the wrapper functions for blowfish */
|
||||
static int blowfish_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV){
|
||||
if (cipher->key == NULL) {
|
||||
@ -345,6 +346,7 @@ static void blowfish_decrypt(struct ssh_cipher_struct *cipher, void *in,
|
||||
void *out, unsigned long len) {
|
||||
gcry_cipher_decrypt(cipher->key[0], out, len, in, len);
|
||||
}
|
||||
#endif /* WITH_BLOWFISH_CIPHER */
|
||||
|
||||
static int aes_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) {
|
||||
int mode=GCRY_CIPHER_MODE_CBC;
|
||||
@ -610,6 +612,7 @@ static void des3_decrypt(struct ssh_cipher_struct *cipher, void *in,
|
||||
|
||||
/* the table of supported ciphers */
|
||||
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
{
|
||||
.name = "blowfish-cbc",
|
||||
.blocksize = 8,
|
||||
@ -621,6 +624,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||
.encrypt = blowfish_encrypt,
|
||||
.decrypt = blowfish_decrypt
|
||||
},
|
||||
#endif /* WITH_BLOWFISH_CIPHER */
|
||||
{
|
||||
.name = "aes128-ctr",
|
||||
.blocksize = 16,
|
||||
|
@ -951,6 +951,7 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
|
||||
}
|
||||
|
||||
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
{
|
||||
.name = "blowfish-cbc",
|
||||
.blocksize = 8,
|
||||
@ -962,6 +963,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||
.decrypt = cipher_decrypt_cbc,
|
||||
.cleanup = cipher_cleanup
|
||||
},
|
||||
#endif /* WITH_BLOWFISH_CIPHER */
|
||||
{
|
||||
.name = "aes128-ctr",
|
||||
.blocksize = 16,
|
||||
|
@ -33,7 +33,6 @@
|
||||
#endif
|
||||
|
||||
#ifdef OPENSSL_CRYPTO
|
||||
#include <openssl/blowfish.h>
|
||||
#include <openssl/evp.h>
|
||||
#include <openssl/hmac.h>
|
||||
#endif
|
||||
|
@ -269,6 +269,7 @@ static void torture_algorithms_3des_cbc_hmac_sha2_512(void **state) {
|
||||
test_algorithm(s->ssh.session, NULL/*kex*/, "3des-cbc", "hmac-sha2-512");
|
||||
}
|
||||
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
#if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6) || OPENSSH_VERSION_MAJOR <= 6)
|
||||
static void torture_algorithms_blowfish_cbc_hmac_sha1(void **state) {
|
||||
struct torture_state *s = *state;
|
||||
@ -288,6 +289,7 @@ static void torture_algorithms_blowfish_cbc_hmac_sha2_512(void **state) {
|
||||
test_algorithm(s->ssh.session, NULL/*kex*/, "blowfish-cbc", "hmac-sha2-512");
|
||||
}
|
||||
#endif
|
||||
#endif /* WITH_BLOWFISH_CIPHER */
|
||||
|
||||
static void torture_algorithms_chacha20_poly1305(void **state)
|
||||
{
|
||||
@ -508,6 +510,7 @@ int torture_run_tests(void) {
|
||||
cmocka_unit_test_setup_teardown(torture_algorithms_3des_cbc_hmac_sha2_512,
|
||||
session_setup,
|
||||
session_teardown),
|
||||
#ifdef WITH_BLOWFISH_CIPHER
|
||||
#if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6) || OPENSSH_VERSION_MAJOR <= 6)
|
||||
cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha1,
|
||||
session_setup,
|
||||
@ -519,6 +522,7 @@ int torture_run_tests(void) {
|
||||
session_setup,
|
||||
session_teardown),
|
||||
#endif
|
||||
#endif /* WITH_BLOWFISH_CIPHER */
|
||||
cmocka_unit_test_setup_teardown(torture_algorithms_chacha20_poly1305,
|
||||
session_setup,
|
||||
session_teardown),
|
||||
|
Loading…
Reference in New Issue
Block a user