# HG changeset patch
# User Matt Johnston
# Date 1433343599 -28800
# Node ID 1e486f368ec335dfef0e849e291b6ef5d11e6a03
# Parent 50f8a24953e6482549928d2af466a6fdf890eb24
Disable twofish-ctr by default, add config option

diff -r 50f8a24953e6 -r 1e486f368ec3 common-algo.c
--- a/common-algo.c Wed Jun 03 22:15:12 2015 +0800
+++ b/common-algo.c Wed Jun 03 22:59:59 2015 +0800
@@ -144,12 +144,15 @@
 #ifdef DROPBEAR_AES256
 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
 #endif
+#ifdef DROPBEAR_TWOFISH_CTR
+/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */
 #ifdef DROPBEAR_TWOFISH256
 {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
 #endif
 #ifdef DROPBEAR_TWOFISH128
 {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
 #endif
+#endif /* DROPBEAR_TWOFISH_CTR */
 #endif /* DROPBEAR_ENABLE_CTR_MODE */
 
 #ifdef DROPBEAR_ENABLE_CBC_MODE
diff -r 50f8a24953e6 -r 1e486f368ec3 options.h
--- a/options.h Wed Jun 03 22:15:12 2015 +0800
+++ b/options.h Wed Jun 03 22:59:59 2015 +0800
@@ -103,10 +103,15 @@
 #define DROPBEAR_ENABLE_CBC_MODE
 
 /* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. This adds around 1kB to binary
- * size and is recommended for most cases */
+ * CBC mode against certain attacks. It is recommended for security
+ * and forwards compatibility */
 #define DROPBEAR_ENABLE_CTR_MODE
 
+/* Twofish counter mode is disabled by default because it
+has not been tested for interoperability with other SSH implementations.
+If you test it please contact the Dropbear author */
+/* #define DROPBEAR_TWOFISH_CTR */
+
 /* You can compile with no encryption if you want. In some circumstances
 * this could be safe security-wise, though make sure you know what
 * you're doing. Anyone can see everything that goes over the wire, so
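Review bot: Defining DROPBEAR_TWOFISH_CTR on its own has no effect in this table, because the new guard in common-algo.c wraps the existing DROPBEAR_TWOFISH256 and DROPBEAR_TWOFISH128 guards and appears to sit inside DROPBEAR_ENABLE_CTR_MODE. A build that sets the option without one of those ciphers compiles cleanly and offers no twofish-ctr name, so someone enabling it to run the interoperability test could end up testing a binary that never negotiates the cipher. A compile-time check directly after the new `#ifdef DROPBEAR_TWOFISH_CTR` would make that visible: `#if !defined(DROPBEAR_TWOFISH256) && !defined(DROPBEAR_TWOFISH128)` / `#error "DROPBEAR_TWOFISH_CTR needs DROPBEAR_TWOFISH128 or DROPBEAR_TWOFISH256"` / `#endif`. The cipher table itself starts and ends outside the hunk.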
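Review bot: The new DROPBEAR_TWOFISH_CTR comment in options.h does not say what the option depends on or which algorithm names it turns on. Going by the common-algo.c hunk, it only takes effect when DROPBEAR_ENABLE_CTR_MODE and at least one of DROPBEAR_TWOFISH128 / DROPBEAR_TWOFISH256 are defined, and it controls `twofish128-ctr` and `twofish256-ctr`. I would add a line such as ` * Requires DROPBEAR_ENABLE_CTR_MODE and DROPBEAR_TWOFISH128/256; enables twofish128-ctr and twofish256-ctr.` so that anyone auditing which ciphers a build offers can tell from this header alone. The comment's continuation lines also lack the ` * ` leader that the neighbouring comments in this hunk use.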