changeset 512:0129fd8ccc71 insecure-nocrypto

Update nocrypto branch to current head
author Matt Johnston <matt@ucc.asn.au>
date Thu, 06 Nov 2008 13:33:06 +0000
parents 582cb38e4eb5
children a4b7627b3157
files common-algo.c common-kex.c options.h
diffstat 3 files changed, 25 insertions(+), 32 deletions(-) [+]
line wrap: on
line diff
--- a/common-algo.c	Thu Nov 06 13:16:55 2008 +0000
+++ b/common-algo.c	Thu Nov 06 13:33:06 2008 +0000
@@ -151,7 +151,7 @@
 	{"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc},
 #endif
 #ifdef DROPBEAR_NONE_CIPHER
-	{"none", 0, (void*)&dropbear_nocipher, 1},
+	{"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none},
 #endif
 	{NULL, 0, NULL, 0}
 };
--- a/common-kex.c	Thu Nov 06 13:16:55 2008 +0000
+++ b/common-kex.c	Thu Nov 06 13:33:06 2008 +0000
@@ -292,44 +292,30 @@
 	hashkeys(C2S_key, C2S_keysize, &hs, 'C');
 	hashkeys(S2C_key, S2C_keysize, &hs, 'D');
 
-	recv_cipher = find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name);
-	if (recv_cipher < 0)
-	    dropbear_exit("crypto error");
-	if (ses.newkeys->recv_crypt_mode->start(recv_cipher, 
-			recv_IV, recv_key, 
-			ses.newkeys->recv_algo_crypt->keysize, 0, 
-			&ses.newkeys->recv_cipher_state) != CRYPT_OK) {
-		dropbear_exit("crypto error");
-	}
-
-	trans_cipher = find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name);
-	if (trans_cipher < 0)
-	    dropbear_exit("crypto error");
-	if (ses.newkeys->trans_crypt_mode->start(trans_cipher, 
-			trans_IV, trans_key, 
-			ses.newkeys->trans_algo_crypt->keysize, 0, 
-			&ses.newkeys->trans_cipher_state) != CRYPT_OK) {
-		dropbear_exit("crypto error");
 	if (ses.newkeys->recv_algo_crypt->cipherdesc != NULL) {
-		if (cbc_start(
-			find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name),
+		recv_cipher = find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name);
+		if (recv_cipher < 0)
+			dropbear_exit("crypto error");
+		if (ses.newkeys->recv_crypt_mode->start(recv_cipher, 
 				recv_IV, recv_key, 
 				ses.newkeys->recv_algo_crypt->keysize, 0, 
-				&ses.newkeys->recv_symmetric_struct) != CRYPT_OK) {
+				&ses.newkeys->recv_cipher_state) != CRYPT_OK) {
 			dropbear_exit("crypto error");
 		}
 	}
 
 	if (ses.newkeys->trans_algo_crypt->cipherdesc != NULL) {
-		if (cbc_start(
-			find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name),
+		trans_cipher = find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name);
+		if (trans_cipher < 0)
+			dropbear_exit("crypto error");
+		if (ses.newkeys->trans_crypt_mode->start(trans_cipher, 
 				trans_IV, trans_key, 
 				ses.newkeys->trans_algo_crypt->keysize, 0, 
-				&ses.newkeys->trans_symmetric_struct) != CRYPT_OK) {
+				&ses.newkeys->trans_cipher_state) != CRYPT_OK) {
 			dropbear_exit("crypto error");
 		}
 	}
-	
+
 	/* MAC keys */
 	if (ses.newkeys->trans_algo_mac->hashdesc != NULL) {
 		hashkeys(ses.newkeys->transmackey, 
--- a/options.h	Thu Nov 06 13:16:55 2008 +0000
+++ b/options.h	Thu Nov 06 13:33:06 2008 +0000
@@ -82,17 +82,15 @@
  * Protocol RFC requires 3DES and recommends AES128 for interoperability.
  * Including multiple keysize variants the same cipher 
  * (eg AES256 as well as AES128) will result in a minimal size increase.*/
+/*
 #define DROPBEAR_AES128
 #define DROPBEAR_3DES
 #define DROPBEAR_AES256
 #define DROPBEAR_BLOWFISH
 #define DROPBEAR_TWOFISH256
 #define DROPBEAR_TWOFISH128
+*/
 
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. This adds around 1kB to binary 
- * size and is recommended for most cases */
-#define DROPBEAR_ENABLE_CTR_MODE
 /* You can compile with no encryption if you want. In some circumstances
  * this could be safe securitywise, though make sure you know what
  * you're doing. Anyone can see everything that goes over the wire, so
@@ -105,6 +103,11 @@
  * "dbclient-insecure" client. */
 #define DROPBEAR_NONE_CIPHER
 
+/* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. This adds around 1kB to binary 
+ * size and is recommended for most cases */
+#define DROPBEAR_ENABLE_CTR_MODE
+
 /* Message Integrity - at least one required.
  * Protocol RFC requires sha1 and recommends sha1-96.
  * sha1-96 may be of use for slow links, as it has a smaller overhead.
@@ -117,15 +120,19 @@
  * These hashes are also used for public key fingerprints in logs.
  * If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
  * which are not the standard form. */
+/*
 #define DROPBEAR_SHA1_HMAC
 #define DROPBEAR_SHA1_96_HMAC
 #define DROPBEAR_MD5_HMAC
+*/
 
 /* You can also disable integrity. Don't bother disabling this if you're
  * still using a cipher, it's relatively cheap. Don't disable this if you're
  * using 'none' cipher, since it's dead simple to run arbitrary commands
- * on the remote host. Beware. */
-/*#define DROPBEAR_NONE_INTEGRITY*/
+ * on the remote host. Beware.
+ * Note again, for the client you will have to disable other hashes above
+ * to use this. */
+#define DROPBEAR_NONE_INTEGRITY
 
 /* Hostkey/public key algorithms - at least one required, these are used
  * for hostkey as well as for verifying signatures with pubkey auth.