diff options
| author | Damien Miller <djm@mindrot.org> | 2005-05-26 12:19:17 +1000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2005-05-26 12:19:17 +1000 |
| commit | 3710f278ae76751118fb3ced2ee6e8e320b91002 (patch) | |
| tree | 049c62a80c0ad073f0b20c1fd7d330d7bcadfb7d /cipher.c | |
| parent | b089fb5fe15a6b1936262a33417265f8cb9b0afb (diff) | |
- djm@cvs.openbsd.org 2005/05/23 23:32:46
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
ok markus@
Diffstat (limited to 'cipher.c')
| -rw-r--r-- | cipher.c | 61 |
1 files changed, 38 insertions, 23 deletions
@@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.74 2005/05/23 23:32:46 djm Exp $"); #include "xmalloc.h" #include "log.h" @@ -74,39 +74,42 @@ struct Cipher { int number; /* for ssh1 only */ u_int block_size; u_int key_len; + u_int discard_len; const EVP_CIPHER *(*evptype)(void); } ciphers[] = { - { "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, - { "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, - { "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, - { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, - - { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, - { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, - { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, - { "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, + { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null }, + { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc }, + { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des }, + { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf }, + + { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc }, + { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc }, + { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc }, + { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 }, + { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 }, + { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 }, #if OPENSSL_VERSION_NUMBER < 0x00907000L - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, evp_rijndael }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, evp_rijndael }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, + SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael }, #else - { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, - { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, - { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc }, + { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc }, + { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, { "rijndael-cbc@lysator.liu.se", - SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, + SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc }, #endif #if OPENSSL_VERSION_NUMBER >= 0x00905000L - { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, - { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, - { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, + { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr }, + { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr }, + { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr }, #endif #if defined(EVP_CTRL_SET_ACSS_MODE) - { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, + { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss }, #endif - { NULL, SSH_CIPHER_INVALID, 0, 0, NULL } + { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL } }; /*--*/ @@ -224,6 +227,7 @@ cipher_init(CipherContext *cc, Cipher *cipher, const EVP_CIPHER *type; #endif int klen; + u_char *junk, *discard; if (cipher->number == SSH_CIPHER_DES) { if (dowarn) { @@ -271,6 +275,17 @@ cipher_init(CipherContext *cc, Cipher *cipher, fatal("cipher_init: EVP_CipherInit: set key failed for %s", cipher->name); #endif + + if (cipher->discard_len > 0) { + junk = xmalloc(cipher->discard_len); + discard = xmalloc(cipher->discard_len); + if (EVP_Cipher(&cc->evp, discard, junk, + cipher->discard_len) == 0) + fatal("evp_crypt: EVP_Cipher failed during discard"); + memset(discard, 0, cipher->discard_len); + xfree(junk); + xfree(discard); + } } void |