authordjm <djm@openbsd.org>2017-05-07 23:12:57 +0000
committerdjm <djm@openbsd.org>2017-05-07 23:12:57 +0000
commitd6dbd75998ea83ed9dfce109248b48ce61d15178 (patch)
tree05935ac37e086c3c8481f22c706c6080b31ea4ce /usr.bin/ssh/cipher.c
parentAdd a format for the name of the pane's mode, lets it be used as a (diff)
As promised in last release announcement: remove support for
Blowfish, RC4 and CAST ciphers. ok markus@ deraadt@
Diffstat (limited to 'usr.bin/ssh/cipher.c')
-rw-r--r--usr.bin/ssh/cipher.c95
1 files changed, 17 insertions, 78 deletions
diff --git a/usr.bin/ssh/cipher.c b/usr.bin/ssh/cipher.c
index 52b73791a70..44d7148293e 100644
--- a/usr.bin/ssh/cipher.c
+++ b/usr.bin/ssh/cipher.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: cipher.c,v 1.106 2017/05/04 01:33:21 djm Exp $ */
+/* $OpenBSD: cipher.c,v 1.107 2017/05/07 23:12:57 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -63,7 +63,6 @@ struct sshcipher {
u_int key_len;
u_int iv_len; /* defaults to block_size */
u_int auth_len;
- u_int discard_len;
u_int flags;
#define CFLAG_CBC (1<<0)
#define CFLAG_CHACHAPOLY (1<<1)
@@ -79,34 +78,29 @@ struct sshcipher {
static const struct sshcipher ciphers[] = {
#ifdef WITH_OPENSSL
- { "3des-cbc", 8, 24, 0, 0, 0, 1, EVP_des_ede3_cbc },
- { "blowfish-cbc", 8, 16, 0, 0, 0, 1, EVP_bf_cbc },
- { "cast128-cbc", 8, 16, 0, 0, 0, 1, EVP_cast5_cbc },
- { "arcfour", 8, 16, 0, 0, 0, 0, EVP_rc4 },
- { "arcfour128", 8, 16, 0, 0, 1536, 0, EVP_rc4 },
- { "arcfour256", 8, 32, 0, 0, 1536, 0, EVP_rc4 },
- { "aes128-cbc", 16, 16, 0, 0, 0, 1, EVP_aes_128_cbc },
- { "aes192-cbc", 16, 24, 0, 0, 0, 1, EVP_aes_192_cbc },
- { "aes256-cbc", 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
+ { "3des-cbc", 8, 24, 0, 0, CFLAG_CBC, EVP_des_ede3_cbc },
+ { "aes128-cbc", 16, 16, 0, 0, CFLAG_CBC, EVP_aes_128_cbc },
+ { "aes192-cbc", 16, 24, 0, 0, CFLAG_CBC, EVP_aes_192_cbc },
+ { "aes256-cbc", 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se",
- 16, 32, 0, 0, 0, 1, EVP_aes_256_cbc },
- { "aes128-ctr", 16, 16, 0, 0, 0, 0, EVP_aes_128_ctr },
- { "aes192-ctr", 16, 24, 0, 0, 0, 0, EVP_aes_192_ctr },
- { "aes256-ctr", 16, 32, 0, 0, 0, 0, EVP_aes_256_ctr },
+ 16, 32, 0, 0, CFLAG_CBC, EVP_aes_256_cbc },
+ { "aes128-ctr", 16, 16, 0, 0, 0, EVP_aes_128_ctr },
+ { "aes192-ctr", 16, 24, 0, 0, 0, EVP_aes_192_ctr },
+ { "aes256-ctr", 16, 32, 0, 0, 0, EVP_aes_256_ctr },
{ "aes128-gcm@openssh.com",
- 16, 16, 12, 16, 0, 0, EVP_aes_128_gcm },
+ 16, 16, 12, 16, 0, EVP_aes_128_gcm },
{ "aes256-gcm@openssh.com",
- 16, 32, 12, 16, 0, 0, EVP_aes_256_gcm },
+ 16, 32, 12, 16, 0, EVP_aes_256_gcm },
#else
- { "aes128-ctr", 16, 16, 0, 0, 0, CFLAG_AESCTR, NULL },
- { "aes192-ctr", 16, 24, 0, 0, 0, CFLAG_AESCTR, NULL },
- { "aes256-ctr", 16, 32, 0, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes128-ctr", 16, 16, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes192-ctr", 16, 24, 0, 0, CFLAG_AESCTR, NULL },
+ { "aes256-ctr", 16, 32, 0, 0, CFLAG_AESCTR, NULL },
#endif
{ "chacha20-poly1305@openssh.com",
- 8, 64, 0, 16, 0, CFLAG_CHACHAPOLY, NULL },
- { "none", 8, 0, 0, 0, 0, CFLAG_NONE, NULL },
+ 8, 64, 0, 16, CFLAG_CHACHAPOLY, NULL },
+ { "none", 8, 0, 0, 0, CFLAG_NONE, NULL },
- { NULL, 0, 0, 0, 0, 0, 0, NULL }
+ { NULL, 0, 0, 0, 0, 0, NULL }
};
/*--*/
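Review bot: The rows of `ciphers[]` remain positional after `discard_len` is dropped, so the five adjacent integer columns can only be told apart by counting, and a value transposed between `auth_len` and `flags` would compile without a diagnostic. These columns appear to set the per-cipher key, IV and authentication-tag lengths, so a column header above the first row would make the table easier to audit, e.g. `/* name, block_size, key_len, iv_len, auth_len, flags, evptype */`. The positions of `name`, `block_size` and `evptype` are inferred, because `struct sshcipher` is only partly visible in this diff. Designated initializers such as `.auth_len = 16, .flags = CFLAG_CHACHAPOLY` would remove the dependence on field order altogether.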
@@ -240,7 +234,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
#ifdef WITH_OPENSSL
const EVP_CIPHER *type;
int klen;
- u_char *junk, *discard;
#endif
*ccp = NULL;
@@ -302,23 +295,6 @@ cipher_init(struct sshcipher_ctx **ccp, const struct sshcipher *cipher,
ret = SSH_ERR_LIBCRYPTO_ERROR;
goto out;
}
-
- if (cipher->discard_len > 0) {
- if ((junk = malloc(cipher->discard_len)) == NULL ||
- (discard = malloc(cipher->discard_len)) == NULL) {
- free(junk);
- ret = SSH_ERR_ALLOC_FAIL;
- goto out;
- }
- ret = EVP_Cipher(cc->evp, discard, junk, cipher->discard_len);
- explicit_bzero(discard, cipher->discard_len);
- free(junk);
- free(discard);
- if (ret != 1) {
- ret = SSH_ERR_LIBCRYPTO_ERROR;
- goto out;
- }
- }
ret = 0;
#endif /* WITH_OPENSSL */
out:
@@ -532,40 +508,3 @@ cipher_set_keyiv(struct sshcipher_ctx *cc, const u_char *iv)
return 0;
}
-#ifdef WITH_OPENSSL
-#define EVP_X_STATE(evp) (evp)->cipher_data
-#define EVP_X_STATE_LEN(evp) (evp)->cipher->ctx_size
-#endif
-
-int
-cipher_get_keycontext(const struct sshcipher_ctx *cc, u_char *dat)
-{
-#ifdef WITH_OPENSSL
- const struct sshcipher *c = cc->cipher;
- int plen = 0;
-
- if (c->evptype == EVP_rc4) {
- plen = EVP_X_STATE_LEN(cc->evp);
- if (dat == NULL)
- return (plen);
- memcpy(dat, EVP_X_STATE(cc->evp), plen);
- }
- return (plen);
-#else
- return 0;
-#endif
-}
-
-void
-cipher_set_keycontext(struct sshcipher_ctx *cc, const u_char *dat)
-{
-#ifdef WITH_OPENSSL
- const struct sshcipher *c = cc->cipher;
- int plen;
-
- if (c->evptype == EVP_rc4) {
- plen = EVP_X_STATE_LEN(cc->evp);
- memcpy(EVP_X_STATE(cc->evp), dat, plen);
- }
-#endif
-}