Add basic support for none cipher and MACs
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
Этот коммит содержится в:
Jakub Jelen
Andreas Schneider
родитель
46499b1b90
Коммит
e6aee24a1e
@ -228,6 +228,7 @@ message(STATUS "SFTP support: ${WITH_SFTP}")
|
|||||||
message(STATUS "Server support : ${WITH_SERVER}")
|
message(STATUS "Server support : ${WITH_SERVER}")
|
||||||
message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
|
message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
|
||||||
message(STATUS "GEX support : ${WITH_GEX}")
|
message(STATUS "GEX support : ${WITH_GEX}")
|
||||||
|
message(STATUS "Support insecure none cipher and MAC : ${WITH_INSECURE_NONE}")
|
||||||
message(STATUS "Pcap debugging support : ${WITH_PCAP}")
|
message(STATUS "Pcap debugging support : ${WITH_PCAP}")
|
||||||
message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
|
message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
|
||||||
message(STATUS "Unit testing: ${UNIT_TESTING}")
|
message(STATUS "Unit testing: ${UNIT_TESTING}")
|
||||||
|
|||||||
@ -21,7 +21,8 @@ option(WITH_NACL "Build with libnacl (curve25519)" ON)
|
|||||||
option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
|
option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
|
||||||
option(WITH_ABI_BREAK "Allow ABI break" OFF)
|
option(WITH_ABI_BREAK "Allow ABI break" OFF)
|
||||||
option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
|
option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
|
||||||
option(FUZZ_TESTING "Build with fuzzer for the server" OFF)
|
option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
|
||||||
|
option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
|
||||||
option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
|
option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
|
||||||
|
|
||||||
if (WITH_ZLIB)
|
if (WITH_ZLIB)
|
||||||
@ -54,3 +55,7 @@ endif (NOT GLOBAL_BIND_CONFIG)
|
|||||||
if (NOT GLOBAL_CLIENT_CONFIG)
|
if (NOT GLOBAL_CLIENT_CONFIG)
|
||||||
set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
|
set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
|
||||||
endif (NOT GLOBAL_CLIENT_CONFIG)
|
endif (NOT GLOBAL_CLIENT_CONFIG)
|
||||||
|
|
||||||
|
if (FUZZ_TESTING)
|
||||||
|
set(WITH_INSECURE_NONE ON)
|
||||||
|
endif (FUZZ_TESTING)
|
||||||
|
|||||||
@ -269,6 +269,9 @@
|
|||||||
/* Define to 1 if you want to enable DH group exchange algorithms */
|
/* Define to 1 if you want to enable DH group exchange algorithms */
|
||||||
#cmakedefine WITH_GEX 1
|
#cmakedefine WITH_GEX 1
|
||||||
|
|
||||||
|
/* Define to 1 if you want to enable none cipher and MAC */
|
||||||
|
#cmakedefine WITH_INSECURE_NONE 1
|
||||||
|
|
||||||
/* Define to 1 if you want to enable blowfish cipher support */
|
/* Define to 1 if you want to enable blowfish cipher support */
|
||||||
#cmakedefine WITH_BLOWFISH_CIPHER 1
|
#cmakedefine WITH_BLOWFISH_CIPHER 1
|
||||||
|
|
||||||
|
|||||||
@ -42,7 +42,8 @@ enum ssh_hmac_e {
|
|||||||
SSH_HMAC_SHA512,
|
SSH_HMAC_SHA512,
|
||||||
SSH_HMAC_MD5,
|
SSH_HMAC_MD5,
|
||||||
SSH_HMAC_AEAD_POLY1305,
|
SSH_HMAC_AEAD_POLY1305,
|
||||||
SSH_HMAC_AEAD_GCM
|
SSH_HMAC_AEAD_GCM,
|
||||||
|
SSH_HMAC_NONE,
|
||||||
};
|
};
|
||||||
|
|
||||||
enum ssh_des_e {
|
enum ssh_des_e {
|
||||||
|
|||||||
14
src/kex.c
14
src/kex.c
@ -125,6 +125,12 @@
|
|||||||
#define DSA_PUBLIC_KEY_ALGORITHMS ""
|
#define DSA_PUBLIC_KEY_ALGORITHMS ""
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
#define NONE ",none"
|
||||||
|
#else
|
||||||
|
#define NONE
|
||||||
|
#endif
|
||||||
|
|
||||||
#define HOSTKEYS "ssh-ed25519," \
|
#define HOSTKEYS "ssh-ed25519," \
|
||||||
EC_HOSTKEYS \
|
EC_HOSTKEYS \
|
||||||
"rsa-sha2-512," \
|
"rsa-sha2-512," \
|
||||||
@ -239,10 +245,10 @@ static const char *default_methods[] = {
|
|||||||
static const char *supported_methods[] = {
|
static const char *supported_methods[] = {
|
||||||
KEY_EXCHANGE_SUPPORTED,
|
KEY_EXCHANGE_SUPPORTED,
|
||||||
PUBLIC_KEY_ALGORITHMS,
|
PUBLIC_KEY_ALGORITHMS,
|
||||||
CHACHA20 AES BLOWFISH DES_SUPPORTED,
|
CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
|
||||||
CHACHA20 AES BLOWFISH DES_SUPPORTED,
|
CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
|
||||||
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
|
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
|
||||||
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
|
"hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
|
||||||
ZLIB,
|
ZLIB,
|
||||||
ZLIB,
|
ZLIB,
|
||||||
"",
|
"",
|
||||||
|
|||||||
@ -1275,6 +1275,17 @@ chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
|
|||||||
}
|
}
|
||||||
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
|
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
|
||||||
|
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
static void
|
||||||
|
none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
|
||||||
|
void *in,
|
||||||
|
void *out,
|
||||||
|
size_t len)
|
||||||
|
{
|
||||||
|
memcpy(out, in, len);
|
||||||
|
}
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* The table of supported ciphers
|
* The table of supported ciphers
|
||||||
*/
|
*/
|
||||||
@ -1463,6 +1474,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
|
|||||||
.name = "chacha20-poly1305@openssh.com"
|
.name = "chacha20-poly1305@openssh.com"
|
||||||
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
|
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
|
||||||
},
|
},
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
{
|
||||||
|
.name = "none",
|
||||||
|
.blocksize = 8,
|
||||||
|
.keysize = 0,
|
||||||
|
.encrypt = none_crypt,
|
||||||
|
.decrypt = none_crypt,
|
||||||
|
},
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
{
|
{
|
||||||
.name = NULL
|
.name = NULL
|
||||||
}
|
}
|
||||||
|
|||||||
@ -881,6 +881,17 @@ out:
|
|||||||
}
|
}
|
||||||
#endif /* HAVE_GCRYPT_CHACHA_POLY */
|
#endif /* HAVE_GCRYPT_CHACHA_POLY */
|
||||||
|
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
static void
|
||||||
|
none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
|
||||||
|
void *in,
|
||||||
|
void *out,
|
||||||
|
size_t len)
|
||||||
|
{
|
||||||
|
memcpy(out, in, len);
|
||||||
|
}
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
|
|
||||||
/* the table of supported ciphers */
|
/* the table of supported ciphers */
|
||||||
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||||
#ifdef WITH_BLOWFISH_CIPHER
|
#ifdef WITH_BLOWFISH_CIPHER
|
||||||
@ -1020,6 +1031,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
|
|||||||
.name = "chacha20-poly1305@openssh.com"
|
.name = "chacha20-poly1305@openssh.com"
|
||||||
#endif
|
#endif
|
||||||
},
|
},
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
{
|
||||||
|
.name = "none",
|
||||||
|
.blocksize = 8,
|
||||||
|
.keysize = 0,
|
||||||
|
.encrypt = none_crypt,
|
||||||
|
.decrypt = none_crypt
|
||||||
|
},
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
{
|
{
|
||||||
.name = NULL,
|
.name = NULL,
|
||||||
.blocksize = 0,
|
.blocksize = 0,
|
||||||
|
|||||||
@ -1216,6 +1216,17 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
|
|||||||
#endif /* MBEDTLS_GCM_C */
|
#endif /* MBEDTLS_GCM_C */
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
static void
|
||||||
|
none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
|
||||||
|
void *in,
|
||||||
|
void *out,
|
||||||
|
size_t len)
|
||||||
|
{
|
||||||
|
memcpy(out, in, len);
|
||||||
|
}
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
|
|
||||||
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
static struct ssh_cipher_struct ssh_ciphertab[] = {
|
||||||
#ifdef WITH_BLOWFISH_CIPHER
|
#ifdef WITH_BLOWFISH_CIPHER
|
||||||
{
|
{
|
||||||
@ -1356,6 +1367,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
|
|||||||
.name = "chacha20-poly1305@openssh.com"
|
.name = "chacha20-poly1305@openssh.com"
|
||||||
#endif
|
#endif
|
||||||
},
|
},
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
{
|
||||||
|
.name = "none",
|
||||||
|
.blocksize = 8,
|
||||||
|
.keysize = 0,
|
||||||
|
.encrypt = none_crypt,
|
||||||
|
.decrypt = none_crypt,
|
||||||
|
},
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
{
|
{
|
||||||
.name = NULL,
|
.name = NULL,
|
||||||
.blocksize = 0,
|
.blocksize = 0,
|
||||||
|
|||||||
@ -66,6 +66,9 @@ static struct ssh_hmac_struct ssh_hmac_tab[] = {
|
|||||||
{ "hmac-sha2-256-etm@openssh.com", SSH_HMAC_SHA256, true },
|
{ "hmac-sha2-256-etm@openssh.com", SSH_HMAC_SHA256, true },
|
||||||
{ "hmac-sha2-512-etm@openssh.com", SSH_HMAC_SHA512, true },
|
{ "hmac-sha2-512-etm@openssh.com", SSH_HMAC_SHA512, true },
|
||||||
{ "hmac-md5-etm@openssh.com", SSH_HMAC_MD5, true },
|
{ "hmac-md5-etm@openssh.com", SSH_HMAC_MD5, true },
|
||||||
|
#ifdef WITH_INSECURE_NONE
|
||||||
|
{ "none", SSH_HMAC_NONE, false },
|
||||||
|
#endif /* WITH_INSECURE_NONE */
|
||||||
{ NULL, 0, false }
|
{ NULL, 0, false }
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|||||||
Загрузка…
Ссылка в новой задаче
Block a user