diff options
| author | Markus Friedl <markus@cvs.openbsd.org> | 2000-10-12 09:59:21 +0000 |
|---|---|---|
| committer | Markus Friedl <markus@cvs.openbsd.org> | 2000-10-12 09:59:21 +0000 |
| commit | 1c384282b3a7b37f135b61e49c1c2c4583bbe7a6 (patch) | |
| tree | ae1b11f78f2deec6db05d05eb214e4a93acf35e2 /usr.bin | |
| parent | 8727104b8eb8d058d7d16584a6194d30093ccbe1 (diff) | |
enable DES in SSH-1 clients only
Diffstat (limited to 'usr.bin')
| -rw-r--r-- | usr.bin/ssh/cipher.c | 25 | ||||
| -rw-r--r-- | usr.bin/ssh/cipher.h | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/sshconnect1.c | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/sshconnect2.c | 4 | ||||
| -rw-r--r-- | usr.bin/ssh/sshd.c | 6 |
5 files changed, 26 insertions, 17 deletions
diff --git a/usr.bin/ssh/cipher.c b/usr.bin/ssh/cipher.c index 8d6d1c35a7e..0bfbc23c873 100644 --- a/usr.bin/ssh/cipher.c +++ b/usr.bin/ssh/cipher.c @@ -35,7 +35,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: cipher.c,v 1.33 2000/10/11 20:45:21 markus Exp $"); +RCSID("$OpenBSD: cipher.c,v 1.34 2000/10/12 09:59:18 markus Exp $"); #include "ssh.h" #include "xmalloc.h" @@ -62,6 +62,12 @@ none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len) void des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen) { + static int dowarn = 1; + if (dowarn) { + error("Warning: use of DES is strongly discouraged " + "due to cryptographic weaknesses"); + dowarn = 0; + } des_set_key((void *)key, cc->u.des.key); } void @@ -301,6 +307,10 @@ Cipher ciphers[] = { SSH_CIPHER_NONE, 8, 0, none_setkey, none_setiv, none_crypt, none_crypt }, + { "des", + SSH_CIPHER_DES, 8, 8, + des_ssh1_setkey, des_ssh1_setiv, + des_ssh1_encrypt, des_ssh1_decrypt }, { "3des", SSH_CIPHER_3DES, 8, 16, des3_ssh1_setkey, des3_setiv, @@ -332,13 +342,13 @@ Cipher ciphers[] = { /*--*/ unsigned int -cipher_mask1() +cipher_mask_ssh1(int client) { unsigned int mask = 0; - Cipher *c; - for (c = ciphers; c->name != NULL; c++) { - if (c->number > SSH_CIPHER_NONE) - mask |= 1 << c->number; + mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */ + mask |= 1 << SSH_CIPHER_BLOWFISH; + if (client) { + mask |= 1 << SSH_CIPHER_DES; } return mask; } @@ -347,9 +357,6 @@ Cipher * cipher_by_name(const char *name) { Cipher *c; - if (strcmp(name, "des") == 0) - error("Warning: use of DES is strongly discouraged " - "due to cryptographic weaknesses"); for (c = ciphers; c->name != NULL; c++) if (strcasecmp(c->name, name) == 0) return c; diff --git a/usr.bin/ssh/cipher.h b/usr.bin/ssh/cipher.h index 1140285856a..e342abf77e4 100644 --- a/usr.bin/ssh/cipher.h +++ b/usr.bin/ssh/cipher.h @@ -32,7 +32,7 @@ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. */ -/* RCSID("$OpenBSD: cipher.h,v 1.20 2000/10/11 20:27:23 markus Exp $"); */ +/* RCSID("$OpenBSD: cipher.h,v 1.21 2000/10/12 09:59:18 markus Exp $"); */ #ifndef CIPHER_H #define CIPHER_H @@ -97,7 +97,7 @@ struct Cipher { void (*decrypt)(CipherContext *, u_char *, const u_char *, u_int); }; -unsigned int cipher_mask1(); +unsigned int cipher_mask_ssh1(int client); Cipher *cipher_by_name(const char *name); Cipher *cipher_by_number(int id); int cipher_number(const char *name); diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c index 83994f51813..ce560791cea 100644 --- a/usr.bin/ssh/sshconnect1.c +++ b/usr.bin/ssh/sshconnect1.c @@ -13,7 +13,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect1.c,v 1.7 2000/10/11 20:27:24 markus Exp $"); +RCSID("$OpenBSD: sshconnect1.c,v 1.8 2000/10/12 09:59:19 markus Exp $"); #include <openssl/bn.h> #include <openssl/dsa.h> @@ -838,7 +838,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr) cipher_name(ssh_cipher_default)); options.cipher = ssh_cipher_default; } else if (options.cipher == SSH_CIPHER_NOT_SET) { - if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default)) + if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default)) options.cipher = ssh_cipher_default; } /* Check that the selected cipher is supported. */ diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c index 0785548a486..ca459f62c35 100644 --- a/usr.bin/ssh/sshconnect2.c +++ b/usr.bin/ssh/sshconnect2.c @@ -23,7 +23,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshconnect2.c,v 1.24 2000/10/11 20:27:24 markus Exp $"); +RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $"); #include <openssl/bn.h> #include <openssl/rsa.h> @@ -80,6 +80,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr) options.ciphers = "3des-cbc"; } else if (options.cipher == SSH_CIPHER_BLOWFISH) { options.ciphers = "blowfish-cbc"; + } else if (options.cipher == SSH_CIPHER_DES) { + fatal("cipher DES not supported for protocol version 2"); } } if (options.ciphers != NULL) { diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c index 664d00223f0..54a5273dd92 100644 --- a/usr.bin/ssh/sshd.c +++ b/usr.bin/ssh/sshd.c @@ -40,7 +40,7 @@ */ #include "includes.h" -RCSID("$OpenBSD: sshd.c,v 1.130 2000/10/11 20:27:24 markus Exp $"); +RCSID("$OpenBSD: sshd.c,v 1.131 2000/10/12 09:59:20 markus Exp $"); #include "xmalloc.h" #include "rsa.h" @@ -1135,7 +1135,7 @@ do_ssh1_kex() packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN); /* Declare which ciphers we support. */ - packet_put_int(cipher_mask1()); + packet_put_int(cipher_mask_ssh1(0)); /* Declare supported authentication types. */ auth_mask = 0; @@ -1176,7 +1176,7 @@ do_ssh1_kex() /* Get cipher type and check whether we accept this. */ cipher_type = packet_get_char(); - if (!(cipher_mask1() & (1 << cipher_type))) + if (!(cipher_mask_ssh1(0) & (1 << cipher_type))) packet_disconnect("Warning: client selects unsupported cipher."); /* Get check bytes from the packet. These must match those we |