Add basic support for none cipher and MACs

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
This commit is contained in:
Jakub Jelen 2020-04-28 11:04:59 +02:00 committed by Andreas Schneider
parent 46499b1b90
commit e6aee24a1e
9 changed files with 85 additions and 6 deletions

View File

@ -228,6 +228,7 @@ message(STATUS "SFTP support: ${WITH_SFTP}")
message(STATUS "Server support : ${WITH_SERVER}")
message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
message(STATUS "GEX support : ${WITH_GEX}")
message(STATUS "Support insecure none cipher and MAC : ${WITH_INSECURE_NONE}")
message(STATUS "Pcap debugging support : ${WITH_PCAP}")
message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
message(STATUS "Unit testing: ${UNIT_TESTING}")

View File

@ -21,7 +21,8 @@ option(WITH_NACL "Build with libnacl (curve25519)" ON)
option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
option(WITH_ABI_BREAK "Allow ABI break" OFF)
option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
option(FUZZ_TESTING "Build with fuzzer for the server" OFF)
option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
if (WITH_ZLIB)
@ -54,3 +55,7 @@ endif (NOT GLOBAL_BIND_CONFIG)
if (NOT GLOBAL_CLIENT_CONFIG)
set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
endif (NOT GLOBAL_CLIENT_CONFIG)
if (FUZZ_TESTING)
set(WITH_INSECURE_NONE ON)
endif (FUZZ_TESTING)

View File

@ -269,6 +269,9 @@
/* Define to 1 if you want to enable DH group exchange algorithms */
#cmakedefine WITH_GEX 1
/* Define to 1 if you want to enable none cipher and MAC */
#cmakedefine WITH_INSECURE_NONE 1
/* Define to 1 if you want to enable blowfish cipher support */
#cmakedefine WITH_BLOWFISH_CIPHER 1

View File

@ -42,7 +42,8 @@ enum ssh_hmac_e {
SSH_HMAC_SHA512,
SSH_HMAC_MD5,
SSH_HMAC_AEAD_POLY1305,
SSH_HMAC_AEAD_GCM
SSH_HMAC_AEAD_GCM,
SSH_HMAC_NONE,
};
enum ssh_des_e {

View File

@ -125,6 +125,12 @@
#define DSA_PUBLIC_KEY_ALGORITHMS ""
#endif
#ifdef WITH_INSECURE_NONE
#define NONE ",none"
#else
#define NONE
#endif
#define HOSTKEYS "ssh-ed25519," \
EC_HOSTKEYS \
"rsa-sha2-512," \
@ -239,10 +245,10 @@ static const char *default_methods[] = {
static const char *supported_methods[] = {
KEY_EXCHANGE_SUPPORTED,
PUBLIC_KEY_ALGORITHMS,
CHACHA20 AES BLOWFISH DES_SUPPORTED,
CHACHA20 AES BLOWFISH DES_SUPPORTED,
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
ZLIB,
ZLIB,
"",

View File

@ -1275,6 +1275,17 @@ chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
}
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
#ifdef WITH_INSECURE_NONE
static void
none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
void *in,
void *out,
size_t len)
{
memcpy(out, in, len);
}
#endif /* WITH_INSECURE_NONE */
/*
* The table of supported ciphers
*/
@ -1463,6 +1474,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.name = "chacha20-poly1305@openssh.com"
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
},
#ifdef WITH_INSECURE_NONE
{
.name = "none",
.blocksize = 8,
.keysize = 0,
.encrypt = none_crypt,
.decrypt = none_crypt,
},
#endif /* WITH_INSECURE_NONE */
{
.name = NULL
}

View File

@ -881,6 +881,17 @@ out:
}
#endif /* HAVE_GCRYPT_CHACHA_POLY */
#ifdef WITH_INSECURE_NONE
static void
none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
void *in,
void *out,
size_t len)
{
memcpy(out, in, len);
}
#endif /* WITH_INSECURE_NONE */
/* the table of supported ciphers */
static struct ssh_cipher_struct ssh_ciphertab[] = {
#ifdef WITH_BLOWFISH_CIPHER
@ -1020,6 +1031,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.name = "chacha20-poly1305@openssh.com"
#endif
},
#ifdef WITH_INSECURE_NONE
{
.name = "none",
.blocksize = 8,
.keysize = 0,
.encrypt = none_crypt,
.decrypt = none_crypt
},
#endif /* WITH_INSECURE_NONE */
{
.name = NULL,
.blocksize = 0,

View File

@ -1216,6 +1216,17 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
#endif /* MBEDTLS_GCM_C */
}
#ifdef WITH_INSECURE_NONE
static void
none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
void *in,
void *out,
size_t len)
{
memcpy(out, in, len);
}
#endif /* WITH_INSECURE_NONE */
static struct ssh_cipher_struct ssh_ciphertab[] = {
#ifdef WITH_BLOWFISH_CIPHER
{
@ -1356,6 +1367,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.name = "chacha20-poly1305@openssh.com"
#endif
},
#ifdef WITH_INSECURE_NONE
{
.name = "none",
.blocksize = 8,
.keysize = 0,
.encrypt = none_crypt,
.decrypt = none_crypt,
},
#endif /* WITH_INSECURE_NONE */
{
.name = NULL,
.blocksize = 0,

View File

@ -66,6 +66,9 @@ static struct ssh_hmac_struct ssh_hmac_tab[] = {
{ "hmac-sha2-256-etm@openssh.com", SSH_HMAC_SHA256, true },
{ "hmac-sha2-512-etm@openssh.com", SSH_HMAC_SHA512, true },
{ "hmac-md5-etm@openssh.com", SSH_HMAC_MD5, true },
#ifdef WITH_INSECURE_NONE
{ "none", SSH_HMAC_NONE, false },
#endif /* WITH_INSECURE_NONE */
{ NULL, 0, false }
};