author | Andreas Schneider <asn@cryptomilk.org> | 2018-12-16 13:32:42 +0100 |
---|---|---|
committer | Andreas Schneider <asn@cryptomilk.org> | 2018-12-19 14:57:29 +0100 |
commit | dea6fe3d895d3ddfa23d67b07c3dccdbb2839366 (patch) | |
tree | 35b81c61107a81b6317e06146363f840de14f666 | |
parent | 6cd8d4a24aa067d16611eb64bf306b7853748f34 (diff) | |
crypto: Disable blowfish support by default
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
Reviewed-by: Jakub Jelen <jjelen@redhat.com>
-rw-r--r-- | CMakeLists.txt | 1 | ||||
-rw-r--r-- | ConfigureChecks.cmake | 6 | ||||
-rw-r--r-- | DefineOptions.cmake | 1 | ||||
-rw-r--r-- | config.h.cmake | 3 | ||||
-rw-r--r-- | include/libssh/crypto.h | 2 | ||||
-rw-r--r-- | src/kex.c | 21 | ||||
-rw-r--r-- | src/libcrypto.c | 4 | ||||
-rw-r--r-- | src/libgcrypt.c | 4 | ||||
-rw-r--r-- | src/libmbedcrypto.c | 2 | ||||
-rw-r--r-- | src/packet_crypt.c | 1 | ||||
-rw-r--r-- | tests/client/torture_algorithms.c | 4 |
11 files changed, 36 insertions, 13 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt
index e2188a38..c63eec60 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -227,6 +227,7 @@ message(STATUS "Pcap debugging support : ${WITH_PCAP}")
 message(STATUS "With static library: ${WITH_STATIC_LIB}")
 message(STATUS "Unit testing: ${UNIT_TESTING}")
 message(STATUS "Client code testing: ${CLIENT_TESTING}")
+message(STATUS "Blowfish cipher support: ${WITH_BLOWFISH_CIPHER}")
 set(_SERVER_TESTING OFF)
 if (WITH_SERVER)
 set(_SERVER_TESTING ${SERVER_TESTING})
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index 7c24dfd9..5ca48bea 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -89,8 +89,10 @@ if (OPENSSL_FOUND)
 message(FATAL_ERROR "Could not detect openssl/aes.h")
 endif()
- set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
- check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+ if (WITH_BLOWFISH_CIPHER)
+ set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
+ check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+ endif()
 set(CMAKE_REQUIRED_INCLUDES ${OPENSSL_INCLUDE_DIR})
 check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
diff --git a/DefineOptions.cmake b/DefineOptions.cmake
index 76b62a40..ca7fe777 100644
--- a/DefineOptions.cmake
+++ b/DefineOptions.cmake
@@ -8,6 +8,7 @@ option(WITH_DEBUG_PACKET "Build with packet debug output" OFF)
 option(WITH_DEBUG_CALLTRACE "Build with calltrace debug output" ON)
 option(WITH_GCRYPT "Compile against libgcrypt" OFF)
 option(WITH_MBEDTLS "Compile against libmbedtls" OFF)
+option(WITH_BLOWFISH_CIPHER "Compile with blowfish support" OFF)
 option(WITH_PCAP "Compile with Pcap generation support" ON)
 option(WITH_INTERNAL_DOC "Compile doxygen internal documentation" OFF)
 option(UNIT_TESTING "Build with unit tests" OFF)
diff --git a/config.h.cmake b/config.h.cmake
index ff87538c..db28affe 100644
--- a/config.h.cmake
+++ b/config.h.cmake
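Review bot: In the ConfigureChecks.cmake hunk, an explicit `-DWITH_BLOWFISH_CIPHER=ON` with no `openssl/blowfish.h` found passes configuration silently, unlike the `openssl/aes.h` check in the context lines just above, which stops with `FATAL_ERROR`. The src/kex.c hunk then leaves "blowfish-cbc" out of the advertised list, while the src/libcrypto.c hunks still compile the `EVP_bf_cbc()` case and the table entry under `WITH_BLOWFISH_CIPHER` alone, so the two guards disagree in that configuration. Reporting it at configure time keeps them aligned: after the check add `if (NOT HAVE_OPENSSL_BLOWFISH_H)`, `message(FATAL_ERROR "Could not detect openssl/blowfish.h")`, `endif()`. The enclosing `if (OPENSSL_FOUND)` block starts and ends outside the hunk.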
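Review bot: The help string on the new `WITH_BLOWFISH_CIPHER` option in DefineOptions.cmake does not say why the option is off, which is what a packager needs in order to decide whether to turn it on. Blowfish has a 64-bit block and is offered here only in CBC mode, so I would word it as `option(WITH_BLOWFISH_CIPHER "Compile with blowfish-cbc support (legacy 64-bit block cipher, not recommended)" OFF)`.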
@@ -238,6 +238,9 @@
 /* Define to 1 if you want to enable server support */
 #cmakedefine WITH_SERVER 1
+/* Define to 1 if you want to enable blowfish cipher support */
+#cmakedefine WITH_BLOWFISH_CIPHER 1
+
 /* Define to 1 if you want to enable debug output for crypto functions */
 #cmakedefine DEBUG_CRYPTO 1
diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h
index 454dacf7..0160bafc 100644
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -76,7 +76,9 @@ enum ssh_key_exchange_e {
 enum ssh_cipher_e {
 SSH_NO_CIPHER=0,
+#ifdef WITH_BLOWFISH_CIPHER
 SSH_BLOWFISH_CBC,
+#endif /* WITH_BLOWFISH_CIPHER */
 SSH_3DES_CBC,
 SSH_AES128_CBC,
 SSH_AES192_CBC,
@@ -39,16 +39,24 @@
 #include "libssh/knownhosts.h"
 #include "libssh/misc.h"
+#ifdef WITH_BLOWFISH_CIPHER
+# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
+# define BLOWFISH "blowfish-cbc,"
+# else
+# define BLOWFISH ""
+# endif
+#else
+# define BLOWFISH ""
+#endif
+
 #ifdef HAVE_LIBGCRYPT
-# define BLOWFISH "blowfish-cbc,"
 # define AES "aes256-gcm@openssh.com,aes128-gcm@openssh.com," \
 "aes256-ctr,aes192-ctr,aes128-ctr," \
 "aes256-cbc,aes192-cbc,aes128-cbc,"
 # define DES "3des-cbc"
 # define DES_SUPPORTED "3des-cbc"
-#elif defined HAVE_LIBMBEDCRYPTO
-# define BLOWFISH "blowfish-cbc,"
+#elif defined(HAVE_LIBMBEDCRYPTO)
 # ifdef MBEDTLS_GCM_C
 # define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
 # else
@@ -60,13 +68,6 @@
 # define DES_SUPPORTED "3des-cbc"
 #elif defined(HAVE_LIBCRYPTO)
-
-# ifdef HAVE_OPENSSL_BLOWFISH_H
-# define BLOWFISH "blowfish-cbc,"
-# else /* HAVE_OPENSSL_BLOWFISH_H */
-# define BLOWFISH ""
-# endif /* HAVE_OPENSSL_BLOWFISH_H */
-
 # ifdef HAVE_OPENSSL_AES_H
 # ifdef HAVE_OPENSSL_EVP_AES_GCM
 # define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
diff --git a/src/libcrypto.c b/src/libcrypto.c
index 9d8ff3b0..c2d91cdd 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
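Review bot: In the include/libssh/crypto.h hunk, wrapping `SSH_BLOWFISH_CBC` in `#ifdef WITH_BLOWFISH_CIPHER` makes the numeric value of every later enumerator (`SSH_3DES_CBC`, `SSH_AES128_CBC`, ...) depend on the build option. Any translation unit that includes this header without the generated config.h first would then disagree with the rest of the library about cipher ids; whether every includer does so is not visible from the hunk. Keeping the enumerator unconditional and gating only the cipher tables avoids the dependency. If the guard stays, add a comment above it such as `/* values below shift with WITH_BLOWFISH_CIPHER; include config.h before this header */`. The enum body continues past the hunk.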
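Review bot: In the `@@ -39,16 +39,24 @@` hunk (src/kex.c according to the diffstat; its file header is missing from the page), the new `BLOWFISH` block advertises "blowfish-cbc," for `HAVE_LIBMBEDCRYPTO` whenever the option is on, while the same file gates GCM on `MBEDTLS_GCM_C` a few lines below. If the mbedTLS build in use has its Blowfish module disabled, the name would be offered without a working cipher behind it. Testing `defined(MBEDTLS_BLOWFISH_C)` for that backend would mirror the GCM handling, assuming the mbedTLS configuration header is already included at this point. Where `BLOWFISH` is consumed is outside the hunk.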
@@ -514,10 +514,12 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher) {
 case SSH_3DES_CBC:
 cipher->cipher = EVP_des_ede3_cbc();
 break;
+#ifdef WITH_BLOWFISH_CIPHER
 case SSH_BLOWFISH_CBC:
 cipher->cipher = EVP_bf_cbc();
 break;
 /* ciphers not using EVP */
+#endif
 case SSH_AEAD_CHACHA20_POLY1305:
 SSH_LOG(SSH_LOG_WARNING, "The ChaCha cipher cannot be handled here");
 break;
@@ -881,6 +883,7 @@ evp_cipher_aead_decrypt(struct ssh_cipher_struct *cipher,
 * The table of supported ciphers
 */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
+#ifdef WITH_BLOWFISH_CIPHER
 {
 .name = "blowfish-cbc",
 .blocksize = 8,
@@ -892,6 +895,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
 .decrypt = evp_cipher_decrypt,
 .cleanup = evp_cipher_cleanup
 },
+#endif
 #ifdef HAS_AES
 #ifndef BROKEN_AES_CTR
 /* OpenSSL until 0.9.7c has a broken AES_ctr128_encrypt implementation which
diff --git a/src/libgcrypt.c b/src/libgcrypt.c
index c7c80f03..070f81b5 100644
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -311,6 +311,7 @@ void hmac_final(HMACCTX c, unsigned char *hashmacbuf, unsigned int *len) {
 gcry_md_close(c);
 }
+#ifdef WITH_BLOWFISH_CIPHER
 /* the wrapper functions for blowfish */
 static int blowfish_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV){
 if (cipher->key == NULL) {
@@ -345,6 +346,7 @@ static void blowfish_decrypt(struct ssh_cipher_struct *cipher, void *in,
 void *out, unsigned long len) {
 gcry_cipher_decrypt(cipher->key[0], out, len, in, len);
 }
+#endif /* WITH_BLOWFISH_CIPHER */
 static int aes_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) {
 int mode=GCRY_CIPHER_MODE_CBC;
@@ -610,6 +612,7 @@ static void des3_decrypt(struct ssh_cipher_struct *cipher, void *in,
 /* the table of supported ciphers */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
+#ifdef WITH_BLOWFISH_CIPHER
 {
 .name = "blowfish-cbc",
 .blocksize = 8,
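Review bot: The added `#endif` in `evp_cipher_init` (src/libcrypto.c) sits after `/* ciphers not using EVP */`, so that comment, which introduces the `SSH_AEAD_CHACHA20_POLY1305` case that follows, is now inside the Blowfish guard and disappears with it. Move the `#endif` one line up, directly after the Blowfish `break;`. The three `#endif` lines added in this file (here and in the two `ssh_ciphertab` hunks) are also bare, whereas the other files in the commit write `#endif /* WITH_BLOWFISH_CIPHER */`; using the same form here keeps the guards easy to grep. The switch continues outside the hunk.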
@@ -621,6 +624,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
 .encrypt = blowfish_encrypt,
 .decrypt = blowfish_decrypt
 },
+#endif /* WITH_BLOWFISH_CIPHER */
 {
 .name = "aes128-ctr",
 .blocksize = 16,
diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c
index 4b814598..d5945c27 100644
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -951,6 +951,7 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
 }
 static struct ssh_cipher_struct ssh_ciphertab[] = {
+#ifdef WITH_BLOWFISH_CIPHER
 {
 .name = "blowfish-cbc",
 .blocksize = 8,
@@ -962,6 +963,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
 .decrypt = cipher_decrypt_cbc,
 .cleanup = cipher_cleanup
 },
+#endif /* WITH_BLOWFISH_CIPHER */
 {
 .name = "aes128-ctr",
 .blocksize = 16,
diff --git a/src/packet_crypt.c b/src/packet_crypt.c
index bdc0e5c8..508763ae 100644
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -33,7 +33,6 @@
 #endif
 #ifdef OPENSSL_CRYPTO
-#include <openssl/blowfish.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #endif
diff --git a/tests/client/torture_algorithms.c b/tests/client/torture_algorithms.c
index 41f061e8..8acf4403 100644
--- a/tests/client/torture_algorithms.c
+++ b/tests/client/torture_algorithms.c
@@ -269,6 +269,7 @@ static void torture_algorithms_3des_cbc_hmac_sha2_512(void **state) {
 test_algorithm(s->ssh.session, NULL/*kex*/, "3des-cbc", "hmac-sha2-512");
 }
+#ifdef WITH_BLOWFISH_CIPHER
 #if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6) || OPENSSH_VERSION_MAJOR <= 6)
 static void torture_algorithms_blowfish_cbc_hmac_sha1(void **state) {
 struct torture_state *s = *state;
@@ -288,6 +289,7 @@ static void torture_algorithms_blowfish_cbc_hmac_sha2_512(void **state) {
 test_algorithm(s->ssh.session, NULL/*kex*/, "blowfish-cbc", "hmac-sha2-512");
 }
 #endif
+#endif /* WITH_BLOWFISH_CIPHER */
 static void torture_algorithms_chacha20_poly1305(void **state) {
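Review bot: With both Blowfish tests in tests/client/torture_algorithms.c compiled out under `#ifdef WITH_BLOWFISH_CIPHER`, a default build no longer has any test that touches "blowfish-cbc", so nothing would catch the cipher being accepted again by mistake. An `#else` branch with a negative test would pin the new default. The sketch below assumes `ssh_options_set()` rejects a cipher list with no supported entry, and the test name is made up. It also needs a matching `#else` entry in `torture_run_tests`, in the `@@ -508,6 +510,7 @@` and `@@ -519,6 +522,7 @@` hunks.

```c
/* … unchanged: blowfish-cbc tests for older OpenSSH servers … */
#else /* !WITH_BLOWFISH_CIPHER */
static void torture_algorithms_blowfish_cbc_rejected(void **state) {
    struct torture_state *s = *state;
    int rc;

    /* The default build must refuse the cipher name outright. */
    rc = ssh_options_set(s->ssh.session, SSH_OPTIONS_CIPHERS_C_S, "blowfish-cbc");
    assert_int_not_equal(rc, SSH_OK);
}
#endif /* WITH_BLOWFISH_CIPHER */
```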
@@ -508,6 +510,7 @@ int torture_run_tests(void) {
 cmocka_unit_test_setup_teardown(torture_algorithms_3des_cbc_hmac_sha2_512,
 session_setup,
 session_teardown),
+#ifdef WITH_BLOWFISH_CIPHER
 #if ((OPENSSH_VERSION_MAJOR == 7 && OPENSSH_VERSION_MINOR < 6) || OPENSSH_VERSION_MAJOR <= 6)
 cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha1,
 session_setup,
@@ -519,6 +522,7 @@ int torture_run_tests(void) {
 session_setup,
 session_teardown),
 #endif
+#endif /* WITH_BLOWFISH_CIPHER */
 cmocka_unit_test_setup_teardown(torture_algorithms_chacha20_poly1305,
 session_setup,
 session_teardown), |