summaryrefslogtreecommitdiff
path: root/usr.bin
diff options
context:
space:
mode:
Diffstat (limited to 'usr.bin')
-rw-r--r--usr.bin/ssh/cipher.c25
-rw-r--r--usr.bin/ssh/cipher.h4
-rw-r--r--usr.bin/ssh/sshconnect1.c4
-rw-r--r--usr.bin/ssh/sshconnect2.c4
-rw-r--r--usr.bin/ssh/sshd.c6
5 files changed, 26 insertions, 17 deletions
diff --git a/usr.bin/ssh/cipher.c b/usr.bin/ssh/cipher.c
index 8d6d1c35a7e..0bfbc23c873 100644
--- a/usr.bin/ssh/cipher.c
+++ b/usr.bin/ssh/cipher.c
@@ -35,7 +35,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: cipher.c,v 1.33 2000/10/11 20:45:21 markus Exp $");
+RCSID("$OpenBSD: cipher.c,v 1.34 2000/10/12 09:59:18 markus Exp $");
#include "ssh.h"
#include "xmalloc.h"
@@ -62,6 +62,12 @@ none_crypt(CipherContext *cc, u_char *dest, const u_char *src, u_int len)
void
des_ssh1_setkey(CipherContext *cc, const u_char *key, u_int keylen)
{
+ static int dowarn = 1;
+ if (dowarn) {
+ error("Warning: use of DES is strongly discouraged "
+ "due to cryptographic weaknesses");
+ dowarn = 0;
+ }
des_set_key((void *)key, cc->u.des.key);
}
void
@@ -301,6 +307,10 @@ Cipher ciphers[] = {
SSH_CIPHER_NONE, 8, 0,
none_setkey, none_setiv,
none_crypt, none_crypt },
+ { "des",
+ SSH_CIPHER_DES, 8, 8,
+ des_ssh1_setkey, des_ssh1_setiv,
+ des_ssh1_encrypt, des_ssh1_decrypt },
{ "3des",
SSH_CIPHER_3DES, 8, 16,
des3_ssh1_setkey, des3_setiv,
@@ -332,13 +342,13 @@ Cipher ciphers[] = {
/*--*/
unsigned int
-cipher_mask1()
+cipher_mask_ssh1(int client)
{
unsigned int mask = 0;
- Cipher *c;
- for (c = ciphers; c->name != NULL; c++) {
- if (c->number > SSH_CIPHER_NONE)
- mask |= 1 << c->number;
+ mask |= 1 << SSH_CIPHER_3DES; /* Mandatory */
+ mask |= 1 << SSH_CIPHER_BLOWFISH;
+ if (client) {
+ mask |= 1 << SSH_CIPHER_DES;
}
return mask;
}
@@ -347,9 +357,6 @@ Cipher *
cipher_by_name(const char *name)
{
Cipher *c;
- if (strcmp(name, "des") == 0)
- error("Warning: use of DES is strongly discouraged "
- "due to cryptographic weaknesses");
for (c = ciphers; c->name != NULL; c++)
if (strcasecmp(c->name, name) == 0)
return c;
diff --git a/usr.bin/ssh/cipher.h b/usr.bin/ssh/cipher.h
index 1140285856a..e342abf77e4 100644
--- a/usr.bin/ssh/cipher.h
+++ b/usr.bin/ssh/cipher.h
@@ -32,7 +32,7 @@
* THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*/
-/* RCSID("$OpenBSD: cipher.h,v 1.20 2000/10/11 20:27:23 markus Exp $"); */
+/* RCSID("$OpenBSD: cipher.h,v 1.21 2000/10/12 09:59:18 markus Exp $"); */
#ifndef CIPHER_H
#define CIPHER_H
@@ -97,7 +97,7 @@ struct Cipher {
void (*decrypt)(CipherContext *, u_char *, const u_char *, u_int);
};
-unsigned int cipher_mask1();
+unsigned int cipher_mask_ssh1(int client);
Cipher *cipher_by_name(const char *name);
Cipher *cipher_by_number(int id);
int cipher_number(const char *name);
diff --git a/usr.bin/ssh/sshconnect1.c b/usr.bin/ssh/sshconnect1.c
index 83994f51813..ce560791cea 100644
--- a/usr.bin/ssh/sshconnect1.c
+++ b/usr.bin/ssh/sshconnect1.c
@@ -13,7 +13,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect1.c,v 1.7 2000/10/11 20:27:24 markus Exp $");
+RCSID("$OpenBSD: sshconnect1.c,v 1.8 2000/10/12 09:59:19 markus Exp $");
#include <openssl/bn.h>
#include <openssl/dsa.h>
@@ -838,7 +838,7 @@ ssh_kex(char *host, struct sockaddr *hostaddr)
cipher_name(ssh_cipher_default));
options.cipher = ssh_cipher_default;
} else if (options.cipher == SSH_CIPHER_NOT_SET) {
- if (cipher_mask1() & supported_ciphers & (1 << ssh_cipher_default))
+ if (cipher_mask_ssh1(1) & supported_ciphers & (1 << ssh_cipher_default))
options.cipher = ssh_cipher_default;
}
/* Check that the selected cipher is supported. */
diff --git a/usr.bin/ssh/sshconnect2.c b/usr.bin/ssh/sshconnect2.c
index 0785548a486..ca459f62c35 100644
--- a/usr.bin/ssh/sshconnect2.c
+++ b/usr.bin/ssh/sshconnect2.c
@@ -23,7 +23,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshconnect2.c,v 1.24 2000/10/11 20:27:24 markus Exp $");
+RCSID("$OpenBSD: sshconnect2.c,v 1.25 2000/10/12 09:59:19 markus Exp $");
#include <openssl/bn.h>
#include <openssl/rsa.h>
@@ -80,6 +80,8 @@ ssh_kex2(char *host, struct sockaddr *hostaddr)
options.ciphers = "3des-cbc";
} else if (options.cipher == SSH_CIPHER_BLOWFISH) {
options.ciphers = "blowfish-cbc";
+ } else if (options.cipher == SSH_CIPHER_DES) {
+ fatal("cipher DES not supported for protocol version 2");
}
}
if (options.ciphers != NULL) {
diff --git a/usr.bin/ssh/sshd.c b/usr.bin/ssh/sshd.c
index 664d00223f0..54a5273dd92 100644
--- a/usr.bin/ssh/sshd.c
+++ b/usr.bin/ssh/sshd.c
@@ -40,7 +40,7 @@
*/
#include "includes.h"
-RCSID("$OpenBSD: sshd.c,v 1.130 2000/10/11 20:27:24 markus Exp $");
+RCSID("$OpenBSD: sshd.c,v 1.131 2000/10/12 09:59:20 markus Exp $");
#include "xmalloc.h"
#include "rsa.h"
@@ -1135,7 +1135,7 @@ do_ssh1_kex()
packet_put_int(SSH_PROTOFLAG_HOST_IN_FWD_OPEN);
/* Declare which ciphers we support. */
- packet_put_int(cipher_mask1());
+ packet_put_int(cipher_mask_ssh1(0));
/* Declare supported authentication types. */
auth_mask = 0;
@@ -1176,7 +1176,7 @@ do_ssh1_kex()
/* Get cipher type and check whether we accept this. */
cipher_type = packet_get_char();
- if (!(cipher_mask1() & (1 << cipher_type)))
+ if (!(cipher_mask_ssh1(0) & (1 << cipher_type)))
packet_disconnect("Warning: client selects unsupported cipher.");
/* Get check bytes from the packet. These must match those we