- djm@cvs.openbsd.org 2005/05/23 23:32:46

[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
     add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
     ok markus@
This commit is contained in:
Damien Miller 2005-05-26 12:19:17 +10:00
parent b089fb5fe1
commit 3710f278ae
6 changed files with 63 additions and 34 deletions


@ -76,6 +76,10 @@
- removes signed/unsigned comparisons in moduli generation - removes signed/unsigned comparisons in moduli generation
- use strtonum instead of atoi where its easier - use strtonum instead of atoi where its easier
- check some strlcpy overflow and fatal instead of truncate - check some strlcpy overflow and fatal instead of truncate
- djm@cvs.openbsd.org 2005/05/23 23:32:46
[cipher.c myproposal.h ssh.1 ssh_config.5 sshd_config.5]
add support for draft-harris-ssh-arcfour-fixes-02 improved arcfour modes;
ok markus@
20050524 20050524
- (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec] - (djm) [contrib/caldera/openssh.spec contrib/redhat/openssh.spec]
@ -2575,4 +2579,4 @@
- (djm) Trim deprecated options from INSTALL. Mention UsePAM - (djm) Trim deprecated options from INSTALL. Mention UsePAM
- (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu - (djm) Fix quote handling in sftp; Patch from admorten AT umich.edu
$Id: ChangeLog,v 1.3783 2005/05/26 02:16:18 djm Exp $ $Id: ChangeLog,v 1.3784 2005/05/26 02:19:17 djm Exp $


@ -35,7 +35,7 @@
*/ */
#include "includes.h" #include "includes.h"
RCSID("$OpenBSD: cipher.c,v 1.73 2005/01/23 10:18:12 djm Exp $"); RCSID("$OpenBSD: cipher.c,v 1.74 2005/05/23 23:32:46 djm Exp $");
#include "xmalloc.h" #include "xmalloc.h"
#include "log.h" #include "log.h"
@ -74,39 +74,42 @@ struct Cipher {
int number; /* for ssh1 only */ int number; /* for ssh1 only */
u_int block_size; u_int block_size;
u_int key_len; u_int key_len;
u_int discard_len;
const EVP_CIPHER *(*evptype)(void); const EVP_CIPHER *(*evptype)(void);
} ciphers[] = { } ciphers[] = {
{ "none", SSH_CIPHER_NONE, 8, 0, EVP_enc_null }, { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
{ "des", SSH_CIPHER_DES, 8, 8, EVP_des_cbc }, { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
{ "3des", SSH_CIPHER_3DES, 8, 16, evp_ssh1_3des }, { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, evp_ssh1_bf }, { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
{ "3des-cbc", SSH_CIPHER_SSH2, 8, 24, EVP_des_ede3_cbc }, { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
{ "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_bf_cbc }, { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
{ "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, EVP_cast5_cbc }, { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
{ "arcfour", SSH_CIPHER_SSH2, 8, 16, EVP_rc4 }, { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
{ "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
{ "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
#if OPENSSL_VERSION_NUMBER < 0x00907000L #if OPENSSL_VERSION_NUMBER < 0x00907000L
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, evp_rijndael }, { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, evp_rijndael },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, evp_rijndael }, { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, evp_rijndael },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael },
{ "rijndael-cbc@lysator.liu.se", { "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, evp_rijndael }, SSH_CIPHER_SSH2, 16, 32, 0, evp_rijndael },
#else #else
{ "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, EVP_aes_128_cbc }, { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
{ "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, EVP_aes_192_cbc }, { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
{ "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
{ "rijndael-cbc@lysator.liu.se", { "rijndael-cbc@lysator.liu.se",
SSH_CIPHER_SSH2, 16, 32, EVP_aes_256_cbc }, SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
#endif #endif
#if OPENSSL_VERSION_NUMBER >= 0x00905000L #if OPENSSL_VERSION_NUMBER >= 0x00905000L
{ "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, evp_aes_128_ctr }, { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
{ "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, evp_aes_128_ctr }, { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
{ "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, evp_aes_128_ctr }, { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
#endif #endif
#if defined(EVP_CTRL_SET_ACSS_MODE) #if defined(EVP_CTRL_SET_ACSS_MODE)
{ "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, EVP_acss }, { "acss@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
#endif #endif
{ NULL, SSH_CIPHER_INVALID, 0, 0, NULL } { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL }
}; };
/*--*/ /*--*/
@ -224,6 +227,7 @@ cipher_init(CipherContext *cc, Cipher *cipher,
const EVP_CIPHER *type; const EVP_CIPHER *type;
#endif #endif
int klen; int klen;
u_char *junk, *discard;
if (cipher->number == SSH_CIPHER_DES) { if (cipher->number == SSH_CIPHER_DES) {
if (dowarn) { if (dowarn) {
@ -271,6 +275,17 @@ cipher_init(CipherContext *cc, Cipher *cipher,
fatal("cipher_init: EVP_CipherInit: set key failed for %s", fatal("cipher_init: EVP_CipherInit: set key failed for %s",
cipher->name); cipher->name);
#endif #endif
if (cipher->discard_len > 0) {
junk = xmalloc(cipher->discard_len);
discard = xmalloc(cipher->discard_len);
if (EVP_Cipher(&cc->evp, discard, junk,
cipher->discard_len) == 0)
fatal("evp_crypt: EVP_Cipher failed during discard");
memset(discard, 0, cipher->discard_len);
xfree(junk);
xfree(discard);
}
} }
void void
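Review bot: In the new discard block of cipher_init, `junk` is handed to EVP_Cipher straight from xmalloc without ever being written, so the keystream skip is driven by indeterminate bytes; RC4 does not care what the plaintext is, but reading uninitialised heap is undefined behaviour and will be reported by valgrind or MSan on every connection that negotiates arcfour128/arcfour256. Adding `memset(junk, 0, cipher->discard_len);` right after the allocation (or encrypting one zeroed buffer in place) removes the issue at no cost, and also makes the `memset(discard, 0, ...)` meaningful, since discard is then pure keystream rather than keystream XOR garbage. The error text on the fatal() call names the wrong function, `fatal("evp_crypt: EVP_Cipher failed during discard");` should read `fatal("cipher_init: EVP_Cipher failed during discard");` so the log points at the right place. Note also that the plain memset before xfree is a dead store a compiler is free to elide, so it is defence in depth rather than a guarantee; the discard_len of 1536 is applied only to the two new RC4 table entries, which appears to match the draft's prescribed skip. cipher_init begins before this hunk.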


@ -1,4 +1,4 @@
/* $OpenBSD: myproposal.h,v 1.16 2004/06/13 12:53:24 djm Exp $ */ /* $OpenBSD: myproposal.h,v 1.17 2005/05/23 23:32:46 djm Exp $ */
/* /*
* Copyright (c) 2000 Markus Friedl. All rights reserved. * Copyright (c) 2000 Markus Friedl. All rights reserved.
@ -28,7 +28,8 @@
"diffie-hellman-group1-sha1" "diffie-hellman-group1-sha1"
#define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss" #define KEX_DEFAULT_PK_ALG "ssh-rsa,ssh-dss"
#define KEX_DEFAULT_ENCRYPT \ #define KEX_DEFAULT_ENCRYPT \
"aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour," \ "aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc," \
"arcfour128,arcfour256,arcfour," \
"aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \ "aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se," \
"aes128-ctr,aes192-ctr,aes256-ctr" "aes128-ctr,aes192-ctr,aes256-ctr"
#define KEX_DEFAULT_MAC \ #define KEX_DEFAULT_MAC \
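Review bot: The new KEX_DEFAULT_ENCRYPT keeps plain `arcfour` in the default list directly after `arcfour128,arcfour256,`, so a peer that only offers the old name still negotiates the unfixed mode whose early keystream bytes the draft is precisely trying to avoid; that is a reasonable interoperability choice for 2005 but is worth a comment so it is not read as an oversight, e.g. `/* plain arcfour kept for interoperability; prefer the *128/*256 variants that discard early keystream */`. Operators who want to refuse the weak mode need to set Ciphers explicitly, and the man-page hunks in this commit do not say so.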

9
ssh.1

@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh.1,v 1.207 2005/04/21 06:17:50 djm Exp $ .\" $OpenBSD: ssh.1,v 1.208 2005/05/23 23:32:46 djm Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSH 1 .Dt SSH 1
.Os .Os
@ -479,14 +479,17 @@ The supported ciphers are
.Dq aes128-ctr , .Dq aes128-ctr ,
.Dq aes192-ctr , .Dq aes192-ctr ,
.Dq aes256-ctr , .Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour , .Dq arcfour ,
.Dq blowfish-cbc , .Dq blowfish-cbc ,
and and
.Dq cast128-cbc . .Dq cast128-cbc .
The default is The default is
.Bd -literal .Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
aes192-cbc,aes256-cbc'' arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr''
.Ed .Ed
.It Fl D Ar port .It Fl D Ar port
Specifies a local Specifies a local


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: ssh_config.5,v 1.53 2005/05/20 11:23:32 jmc Exp $ .\" $OpenBSD: ssh_config.5,v 1.54 2005/05/23 23:32:46 djm Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSH_CONFIG 5 .Dt SSH_CONFIG 5
.Os .Os
@ -193,14 +193,17 @@ The supported ciphers are
.Dq aes128-ctr , .Dq aes128-ctr ,
.Dq aes192-ctr , .Dq aes192-ctr ,
.Dq aes256-ctr , .Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour , .Dq arcfour ,
.Dq blowfish-cbc , .Dq blowfish-cbc ,
and and
.Dq cast128-cbc . .Dq cast128-cbc .
The default is The default is
.Bd -literal .Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
aes192-cbc,aes256-cbc'' arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr''
.Ed .Ed
.It Cm ClearAllForwardings .It Cm ClearAllForwardings
Specifies that all local, remote and dynamic port forwardings Specifies that all local, remote and dynamic port forwardings


@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\" .\"
.\" $OpenBSD: sshd_config.5,v 1.42 2005/05/19 02:39:55 djm Exp $ .\" $OpenBSD: sshd_config.5,v 1.43 2005/05/23 23:32:46 djm Exp $
.Dd September 25, 1999 .Dd September 25, 1999
.Dt SSHD_CONFIG 5 .Dt SSHD_CONFIG 5
.Os .Os
@ -168,14 +168,17 @@ The supported ciphers are
.Dq aes128-ctr , .Dq aes128-ctr ,
.Dq aes192-ctr , .Dq aes192-ctr ,
.Dq aes256-ctr , .Dq aes256-ctr ,
.Dq arcfour128 ,
.Dq arcfour256 ,
.Dq arcfour , .Dq arcfour ,
.Dq blowfish-cbc , .Dq blowfish-cbc ,
and and
.Dq cast128-cbc . .Dq cast128-cbc .
The default is The default is
.Bd -literal .Bd -literal
``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour, ``aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,
aes192-cbc,aes256-cbc,aes128-ctr,aes192-ctr,aes256-ctr'' arcfour256,arcfour,aes192-cbc,aes256-cbc,aes128-ctr,
aes192-ctr,aes256-ctr''
.Ed .Ed
.It Cm ClientAliveCountMax .It Cm ClientAliveCountMax
Sets the number of client alive messages (see above) which may be Sets the number of client alive messages (see above) which may be