changeset 1915:13cb8cc1b0e4

Remove twofish and remnants of blowfish Twofish CTR was never enabled by default and CBC modes are deprecated
author Matt Johnston <matt@ucc.asn.au>
date Wed, 30 Mar 2022 10:23:39 +0800
parents f978a15194ba
children 3f4cdf839a1a
files SMALL common-algo.c crypto_desc.c default_options.h sysoptions.h
diffstat 5 files changed, 2 insertions(+), 48 deletions(-) [+]
line wrap: on
line diff
--- a/SMALL	Wed Mar 30 10:10:15 2022 +0800
+++ b/SMALL	Wed Mar 30 10:23:39 2022 +0800
@@ -9,10 +9,7 @@
 
 ---
 
-The following are set in options.h:
-
-	- You can safely disable blowfish and twofish ciphers, and MD5 hmac, without
-	  affecting interoperability
+The following are set in localoptions.h:
 
 	- If you're compiling statically, you can turn off host lookups
 
--- a/common-algo.c	Wed Mar 30 10:10:15 2022 +0800
+++ b/common-algo.c	Wed Mar 30 10:23:39 2022 +0800
@@ -64,14 +64,6 @@
 static const struct dropbear_cipher dropbear_aes128 = 
 	{&aes_desc, 16, 16};
 #endif
-#if DROPBEAR_TWOFISH256
-static const struct dropbear_cipher dropbear_twofish256 = 
-	{&twofish_desc, 32, 16};
-#endif
-#if DROPBEAR_TWOFISH128
-static const struct dropbear_cipher dropbear_twofish128 = 
-	{&twofish_desc, 16, 16};
-#endif
 #if DROPBEAR_3DES
 static const struct dropbear_cipher dropbear_3des = 
 	{&des3_desc, 24, 8};
@@ -156,15 +148,6 @@
 #if DROPBEAR_AES256
 	{"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr},
 #endif
-#if DROPBEAR_TWOFISH_CTR
-/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */
-#if DROPBEAR_TWOFISH256
-	{"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr},
-#endif
-#if DROPBEAR_TWOFISH128
-	{"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr},
-#endif
-#endif /* DROPBEAR_TWOFISH_CTR */
 #endif /* DROPBEAR_ENABLE_CTR_MODE */
 
 #if DROPBEAR_ENABLE_CBC_MODE
@@ -174,13 +157,6 @@
 #if DROPBEAR_AES256
 	{"aes256-cbc", 0, &dropbear_aes256, 1, &dropbear_mode_cbc},
 #endif
-#if DROPBEAR_TWOFISH256
-	{"twofish256-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
-	{"twofish-cbc", 0, &dropbear_twofish256, 1, &dropbear_mode_cbc},
-#endif
-#if DROPBEAR_TWOFISH128
-	{"twofish128-cbc", 0, &dropbear_twofish128, 1, &dropbear_mode_cbc},
-#endif
 #endif /* DROPBEAR_ENABLE_CBC_MODE */
 
 #if DROPBEAR_3DES
--- a/crypto_desc.c	Wed Mar 30 10:10:15 2022 +0800
+++ b/crypto_desc.c	Wed Mar 30 10:23:39 2022 +0800
@@ -24,12 +24,6 @@
 #if DROPBEAR_AES
 		&aes_desc,
 #endif
-#if DROPBEAR_BLOWFISH
-		&blowfish_desc,
-#endif
-#if DROPBEAR_TWOFISH
-		&twofish_desc,
-#endif
 #if DROPBEAR_3DES
 		&des3_desc,
 #endif
--- a/default_options.h	Wed Mar 30 10:10:15 2022 +0800
+++ b/default_options.h	Wed Mar 30 10:23:39 2022 +0800
@@ -95,8 +95,6 @@
 #define DROPBEAR_AES128 1
 #define DROPBEAR_AES256 1
 #define DROPBEAR_3DES 0
-#define DROPBEAR_TWOFISH256 0
-#define DROPBEAR_TWOFISH128 0
 
 /* Enable Chacha20-Poly1305 authenticated encryption mode. This is
  * generally faster than AES256 on CPU w/o dedicated AES instructions,
--- a/sysoptions.h	Wed Mar 30 10:10:15 2022 +0800
+++ b/sysoptions.h	Wed Mar 30 10:23:39 2022 +0800
@@ -131,14 +131,6 @@
 #define DROPBEAR_MD5_HMAC 0
 #endif
 
-/* Twofish counter mode is disabled by default because it 
-has not been tested for interoperability with other SSH implementations.
-If you test it please contact the Dropbear author */
-#ifndef DROPBEAR_TWOFISH_CTR
-#define DROPBEAR_TWOFISH_CTR 0
-#endif
-
-
 #define DROPBEAR_ECC ((DROPBEAR_ECDH) || (DROPBEAR_ECDSA))
 
 /* Debian doesn't define this in system headers */
@@ -235,8 +227,6 @@
 
 #define DROPBEAR_AES ((DROPBEAR_AES256) || (DROPBEAR_AES128))
 
-#define DROPBEAR_TWOFISH ((DROPBEAR_TWOFISH256) || (DROPBEAR_TWOFISH128))
-
 #define DROPBEAR_AEAD_MODE ((DROPBEAR_CHACHA20POLY1305) || (DROPBEAR_ENABLE_GCM_MODE))
 
 #define DROPBEAR_CLI_ANYTCPFWD ((DROPBEAR_CLI_REMOTETCPFWD) || (DROPBEAR_CLI_LOCALTCPFWD))
@@ -280,8 +270,7 @@
 	#error "You must define DROPBEAR_SVR_PUBKEY_AUTH in order to use plugins"
 #endif
 
-#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_BLOWFISH \
-      || DROPBEAR_TWOFISH256 || DROPBEAR_TWOFISH128 || DROPBEAR_CHACHA20POLY1305)
+#if !(DROPBEAR_AES128 || DROPBEAR_3DES || DROPBEAR_AES256 || DROPBEAR_CHACHA20POLY1305)
 	#error "At least one encryption algorithm must be enabled. AES128 is recommended."
 #endif