authorJakub Jelen <jjelen@redhat.com>2020-04-28 11:04:59 +0200
committerAndreas Schneider <asn@cryptomilk.org>2020-05-05 14:23:06 +0200
commite6aee24a1e3be68417e1ac4ab4a02c65bf9db637 (patch)
tree02ec3d0ee6fb0313ddc23410da2301098ab04b0e
parent46499b1b9090b1e5d6a7d84998bc23ed71b3cf9c (diff)
Add basic support for none cipher and MACs
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
-rw-r--r--CMakeLists.txt1
-rw-r--r--DefineOptions.cmake7
-rw-r--r--config.h.cmake3
-rw-r--r--include/libssh/wrapper.h3
-rw-r--r--src/kex.c14
-rw-r--r--src/libcrypto.c20
-rw-r--r--src/libgcrypt.c20
-rw-r--r--src/libmbedcrypto.c20
-rw-r--r--src/wrapper.c3
9 files changed, 85 insertions, 6 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index b3335225..2dc8118f 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -228,6 +228,7 @@ message(STATUS "SFTP support: ${WITH_SFTP}")
message(STATUS "Server support : ${WITH_SERVER}")
message(STATUS "GSSAPI support : ${WITH_GSSAPI}")
message(STATUS "GEX support : ${WITH_GEX}")
+message(STATUS "Support insecure none cipher and MAC : ${WITH_INSECURE_NONE}")
message(STATUS "Pcap debugging support : ${WITH_PCAP}")
message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
message(STATUS "Unit testing: ${UNIT_TESTING}")
diff --git a/DefineOptions.cmake b/DefineOptions.cmake
index 59e8fb9b..85a30376 100644
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -21,7 +21,8 @@ option(WITH_NACL "Build with libnacl (curve25519)" ON)
option(WITH_SYMBOL_VERSIONING "Build with symbol versioning" ON)
option(WITH_ABI_BREAK "Allow ABI break" OFF)
option(WITH_GEX "Enable DH Group exchange mechanisms" ON)
-option(FUZZ_TESTING "Build with fuzzer for the server" OFF)
+option(WITH_INSECURE_NONE "Enable insecure none cipher and MAC algorithms (not suitable for production!)" OFF)
+option(FUZZ_TESTING "Build with fuzzer for the server and client (automatically enables none cipher!)" OFF)
option(PICKY_DEVELOPER "Build with picky developer flags" OFF)
if (WITH_ZLIB)
@@ -54,3 +55,7 @@ endif (NOT GLOBAL_BIND_CONFIG)
if (NOT GLOBAL_CLIENT_CONFIG)
set(GLOBAL_CLIENT_CONFIG "/etc/ssh/ssh_config")
endif (NOT GLOBAL_CLIENT_CONFIG)
+
+if (FUZZ_TESTING)
+ set(WITH_INSECURE_NONE ON)
+endif (FUZZ_TESTING)
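Review bot: Enabling FUZZ_TESTING forces WITH_INSECURE_NONE on with nothing louder than the STATUS line in CMakeLists.txt, so a tree configured for fuzzing and later packaged would offer the none cipher and MAC without any warning. A warning where the option takes effect would make that hard to miss, e.g. `if (WITH_INSECURE_NONE)` / `message(WARNING "none cipher and MAC enabled: no confidentiality or integrity, do not ship this build")` / `endif ()`. Also note that `set(WITH_INSECURE_NONE ON)` creates a normal variable that shadows the cache option instead of updating it, so tools that display the cache will still show OFF for a fuzzing build.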
diff --git a/config.h.cmake b/config.h.cmake
index 5d62438c..e708dd0b 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -269,6 +269,9 @@
/* Define to 1 if you want to enable DH group exchange algorithms */
#cmakedefine WITH_GEX 1
+/* Define to 1 if you want to enable none cipher and MAC */
+#cmakedefine WITH_INSECURE_NONE 1
+
/* Define to 1 if you want to enable blowfish cipher support */
#cmakedefine WITH_BLOWFISH_CIPHER 1
diff --git a/include/libssh/wrapper.h b/include/libssh/wrapper.h
index ba64939b..df6544ee 100644
--- a/include/libssh/wrapper.h
+++ b/include/libssh/wrapper.h
@@ -42,7 +42,8 @@ enum ssh_hmac_e {
SSH_HMAC_SHA512,
SSH_HMAC_MD5,
SSH_HMAC_AEAD_POLY1305,
- SSH_HMAC_AEAD_GCM
+ SSH_HMAC_AEAD_GCM,
+ SSH_HMAC_NONE,
};
enum ssh_des_e {
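Review bot: `SSH_HMAC_NONE` is added to the enum unconditionally, while the only entry that maps a name to it (the `ssh_hmac_tab` line in src/wrapper.c) sits under `#ifdef WITH_INSECURE_NONE`. Any code that switches on `enum ssh_hmac_e`, such as a digest-length lookup or a backend HMAC initialiser, is not touched by this commit. It presumably handles the new value through a default branch; that should be confirmed and written out as an explicit case. The enumerator also deserves a comment, for example `/* no MAC: packets carry no integrity tag; negotiable only with WITH_INSECURE_NONE */`. The enum begins above this hunk.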
diff --git a/src/kex.c b/src/kex.c
index aa817325..dc9d5097 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -125,6 +125,12 @@
#define DSA_PUBLIC_KEY_ALGORITHMS ""
#endif
+#ifdef WITH_INSECURE_NONE
+#define NONE ",none"
+#else
+#define NONE
+#endif
+
#define HOSTKEYS "ssh-ed25519," \
EC_HOSTKEYS \
"rsa-sha2-512," \
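Review bot: `NONE` is a very generic name for a file-scope macro and can collide with identifiers pulled in from system or third-party headers; because the `#else` branch expands to nothing, such a clash could go unnoticed. A more specific name, e.g. `INSECURE_NONE_ALGO`, would be safer, with the four uses in `supported_methods` renamed to match. The definition should also say that the value carries its own separator: `/* appended to a non-empty algorithm list; includes the leading comma */`.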
@@ -239,10 +245,10 @@ static const char *default_methods[] = {
static const char *supported_methods[] = {
KEY_EXCHANGE_SUPPORTED,
PUBLIC_KEY_ALGORITHMS,
- CHACHA20 AES BLOWFISH DES_SUPPORTED,
- CHACHA20 AES BLOWFISH DES_SUPPORTED,
- "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
- "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+ CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
+ CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
+ "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
+ "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
ZLIB,
ZLIB,
"",
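Review bot: With `NONE` appended to both cipher rows and both MAC rows of `supported_methods`, a build with WITH_INSECURE_NONE can negotiate a transport that has neither confidentiality nor integrity, and nothing visible in this commit limits what may run over it. RFC 4252 section 8 says password authentication SHOULD be disabled when the transport provides no confidentiality; whether libssh enforces that elsewhere cannot be seen from here and should be checked before this is usable outside fuzzing. Since `default_methods` is left unchanged, a comment recording that intent would help: `/* "none" is listed only in supported_methods, never in default_methods: it must be requested explicitly */`. The array continues below the hunk.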
diff --git a/src/libcrypto.c b/src/libcrypto.c
index 2ad0de83..96abec14 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -1275,6 +1275,17 @@ chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
}
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
+#ifdef WITH_INSECURE_NONE
+static void
+none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
+ void *in,
+ void *out,
+ size_t len)
+{
+ memcpy(out, in, len);
+}
+#endif /* WITH_INSECURE_NONE */
+
/*
* The table of supported ciphers
*/
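Review bot: `none_crypt` copies with `memcpy`, which has undefined behaviour if a caller ever passes overlapping or identical `in` and `out` buffers. The callers are not part of this commit, so unless every call site is known to use distinct buffers, `memmove(out, in, len);` is the safer choice at no real cost. The function also has no comment; something like `/* "none" cipher: pass the data through unchanged, no confidentiality */` would make the intent plain. The same function is pasted verbatim into src/libgcrypt.c and src/libmbedcrypto.c; a single shared definition would keep the three backends from drifting apart.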
@@ -1463,6 +1474,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.name = "chacha20-poly1305@openssh.com"
#endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
},
+#ifdef WITH_INSECURE_NONE
+ {
+ .name = "none",
+ .blocksize = 8,
+ .keysize = 0,
+ .encrypt = none_crypt,
+ .decrypt = none_crypt,
+ },
+#endif /* WITH_INSECURE_NONE */
{
.name = NULL
}
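Review bot: The new "none" entry sets only `name`, `blocksize`, `keysize`, `encrypt` and `decrypt`, so every other member of `struct ssh_cipher_struct` is zero or NULL, including any key-setup and cleanup callbacks and the cipher type field. Code that calls those callbacks without a NULL check would crash once "none" is negotiated; the call sites are outside this commit and should be verified. The `.blocksize = 8` value also needs a why-comment, e.g. `/* RFC 4253 section 6: packets are padded to a multiple of 8 even without a block cipher */`. The same entry is added in src/libgcrypt.c and src/libmbedcrypto.c, where the same points apply.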
diff --git a/src/libgcrypt.c b/src/libgcrypt.c
index 85d47c3f..2383ffa0 100644
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -881,6 +881,17 @@ out:
}
#endif /* HAVE_GCRYPT_CHACHA_POLY */
+#ifdef WITH_INSECURE_NONE
+static void
+none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
+ void *in,
+ void *out,
+ size_t len)
+{
+ memcpy(out, in, len);
+}
+#endif /* WITH_INSECURE_NONE */
+
/* the table of supported ciphers */
static struct ssh_cipher_struct ssh_ciphertab[] = {
#ifdef WITH_BLOWFISH_CIPHER
@@ -1020,6 +1031,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.name = "chacha20-poly1305@openssh.com"
#endif
},
+#ifdef WITH_INSECURE_NONE
+ {
+ .name = "none",
+ .blocksize = 8,
+ .keysize = 0,
+ .encrypt = none_crypt,
+ .decrypt = none_crypt
+ },
+#endif /* WITH_INSECURE_NONE */
{
.name = NULL,
.blocksize = 0,
diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c
index 2db0f3ea..ee3fad79 100644
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -1216,6 +1216,17 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
#endif /* MBEDTLS_GCM_C */
}
+#ifdef WITH_INSECURE_NONE
+static void
+none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
+ void *in,
+ void *out,
+ size_t len)
+{
+ memcpy(out, in, len);
+}
+#endif /* WITH_INSECURE_NONE */
+
static struct ssh_cipher_struct ssh_ciphertab[] = {
#ifdef WITH_BLOWFISH_CIPHER
{
@@ -1356,6 +1367,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
.name = "chacha20-poly1305@openssh.com"
#endif
},
+#ifdef WITH_INSECURE_NONE
+ {
+ .name = "none",
+ .blocksize = 8,
+ .keysize = 0,
+ .encrypt = none_crypt,
+ .decrypt = none_crypt,
+ },
+#endif /* WITH_INSECURE_NONE */
{
.name = NULL,
.blocksize = 0,
diff --git a/src/wrapper.c b/src/wrapper.c
index 7e57ab5d..d53a61a3 100644
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -66,6 +66,9 @@ static struct ssh_hmac_struct ssh_hmac_tab[] = {
{ "hmac-sha2-256-etm@openssh.com", SSH_HMAC_SHA256, true },
{ "hmac-sha2-512-etm@openssh.com", SSH_HMAC_SHA512, true },
{ "hmac-md5-etm@openssh.com", SSH_HMAC_MD5, true },
+#ifdef WITH_INSECURE_NONE
+ { "none", SSH_HMAC_NONE, false },
+#endif /* WITH_INSECURE_NONE */
{ NULL, 0, false }
};