Module Name:src
Committed By: snj
Date: Mon Jun 29 23:01:24 UTC 2009
Modified Files:
src/crypto/dist/ssh [netbsd-5-0]: cipher.c cipher.h packet.c
Log Message:
Pull up following revision(s) (requested by tonnerre in ticket #843):
crypto/dist/ssh/cipher.c: revision 1.22
crypto/dist/ssh/cipher.h: revision 1.3
crypto/dist/ssh/packet.c: revision 1.32
Add special handling for CBC cipher modes to make them appear less favorable
than CTR modes. Also, in order to avoid creating oracles unnecessarily,
change behavior in various situations from "Drop connection" to "Ignore
packets up to 256kB". This affects CBC mode ciphers only.
Patch from OpenBSD.
To generate a diff of this commit:
cvs rdiff -u -r1.21 -r1.21.8.1 src/crypto/dist/ssh/cipher.c
cvs rdiff -u -r1.2 -r1.2.28.1 src/crypto/dist/ssh/cipher.h
cvs rdiff -u -r1.30 -r1.30.8.1 src/crypto/dist/ssh/packet.c
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/crypto/dist/ssh/cipher.c
diff -u src/crypto/dist/ssh/cipher.c:1.21 src/crypto/dist/ssh/cipher.c:1.21.8.1
--- src/crypto/dist/ssh/cipher.c:1.21 Mon Jun 23 14:51:31 2008
+++ src/crypto/dist/ssh/cipher.c Mon Jun 29 23:01:24 2009
@@ -1,4 +1,4 @@
-/* $NetBSD: cipher.c,v 1.21 2008/06/23 14:51:31 christos Exp $ */
+/* $NetBSD: cipher.c,v 1.21.8.1 2009/06/29 23:01:24 snj Exp $ */
/* $OpenBSD: cipher.c,v 1.81 2006/08/03 03:34:42 deraadt Exp $ */
/*
* Author: Tatu Ylonen
@@ -37,7 +37,7 @@
*/
#include "includes.h"
-__RCSID("$NetBSD: cipher.c,v 1.21 2008/06/23 14:51:31 christos Exp $");
+__RCSID("$NetBSD: cipher.c,v 1.21.8.1 2009/06/29 23:01:24 snj Exp $");
#include
#include
@@ -62,38 +62,39 @@
u_int block_size;
u_int key_len;
u_int discard_len;
+ u_int cbc_mode;
const EVP_CIPHER *(*evptype)(void);
} ciphers[] = {
- { "none", SSH_CIPHER_NONE, 8, 0, 0, EVP_enc_null },
- { "des", SSH_CIPHER_DES, 8, 8, 0, EVP_des_cbc },
- { "3des", SSH_CIPHER_3DES, 8, 16, 0, evp_ssh1_3des },
- { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, evp_ssh1_bf },
-
- { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, EVP_des_ede3_cbc },
- { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_bf_cbc },
- { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, EVP_cast5_cbc },
- { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, EVP_rc4 },
- { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, EVP_rc4 },
- { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, EVP_rc4 },
- { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, EVP_aes_128_cbc },
- { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, EVP_aes_192_cbc },
- { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
+ { "none", SSH_CIPHER_NONE, 8, 0, 0, 0, EVP_enc_null },
+ { "des", SSH_CIPHER_DES, 8, 8, 0, 1, EVP_des_cbc },
+ { "3des", SSH_CIPHER_3DES, 8, 16, 0, 1, evp_ssh1_3des },
+ { "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 0, evp_ssh1_bf },
+
+ { "3des-cbc", SSH_CIPHER_SSH2, 8, 24, 0, 1, EVP_des_ede3_cbc },
+ { "blowfish-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_bf_cbc },
+ { "cast128-cbc", SSH_CIPHER_SSH2, 8, 16, 0, 1, EVP_cast5_cbc },
+ { "arcfour", SSH_CIPHER_SSH2, 8, 16, 0, 0, EVP_rc4 },
+ { "arcfour128", SSH_CIPHER_SSH2, 8, 16, 1536, 0, EVP_rc4 },
+ { "arcfour256", SSH_CIPHER_SSH2, 8, 32, 1536, 0, EVP_rc4 },
+ { "aes128-cbc", SSH_CIPHER_SSH2, 16, 16, 0, 1, EVP_aes_128_cbc },
+ { "aes192-cbc", SSH_CIPHER_SSH2, 16, 24, 0, 1, EVP_aes_192_cbc },
+ { "aes256-cbc", SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
{ "rijndael-...@lysator.liu.se",
-SSH_CIPHER_SSH2, 16, 32, 0, EVP_aes_256_cbc },
+SSH_CIPHER_SSH2, 16, 32, 0, 1, EVP_aes_256_cbc },
#ifdef AES_CTR_MT
- { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_ctr_mt },
- { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_ctr_mt },
- { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_ctr_mt },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_ctr_mt },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_ctr_mt },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_ctr_mt },
#else
- { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, evp_aes_128_ctr },
- { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, evp_aes_128_ctr },
- { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, evp_aes_128_ctr },
+ { "aes128-ctr", SSH_CIPHER_SSH2, 16, 16, 0, 0, evp_aes_128_ctr },
+ { "aes192-ctr", SSH_CIPHER_SSH2, 16, 24, 0, 0, evp_aes_128_ctr },
+ { "aes256-ctr", SSH_CIPHER_SSH2, 16, 32, 0, 0, evp_aes_128_ctr },
#endif
#ifdef ACSS
- { "a...@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, EVP_acss },
+ { "a...@openssh.org", SSH_CIPHER_SSH2, 16, 5, 0, 0, EVP_acss },
#endif
- { NULL, SSH_CIPHER_INVALID, 0, 0, 0, NULL }
+ { NULL, SSH_CIPHER_INVALID, 0, 0, 0, 0, NULL }
};
#ifndef ACSS
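Review bot: The SSH1 `blowfish` row is given `cbc_mode` 0 while the SSH1 `des` and `3des` rows next to it get 1, which looks inconsistent. `evp_ssh1_bf` is defined outside this hunk; if it wraps Blowfish in CBC mode, as the protocol 1 cipher does in upstream OpenSSH, the row should read `{ "blowfish", SSH_CIPHER_BLOWFISH, 8, 32, 0, 1, evp_ssh1_bf },` so that `cipher_is_cbc()` reports it correctly. Because the flag is a bare positional integer sitting right after `discard_len`, a short comment on the new member such as `/* nonzero: cipher runs in CBC mode, see cipher_is_cbc() */` would make a misplaced 0/1 easier to catch. The struct declaration begins before the hunk, so the member types above `block_size` are not visible here.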
@@ -121,6 +122,12 @@
}
u_int
+cipher_is_cbc(const Cipher *c)
+{
+ return (c->cbc_mode);
+}
+
+u_int
cipher_mask_ssh1(int client)
{
u_int mask = 0;
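Review bot: `cipher_is_cbc()` is added without any comment on what its return value means or why callers need it; only the commit message ties it to the oracle-avoidance change. I would put above it `/* Nonzero if c is a CBC-mode cipher; the packet layer uses this to discard input instead of disconnecting on a bad packet. */`, with the wording checked against the packet.c change, which is not visible in this part of the page. `c` is dereferenced without a NULL check, so the comment should also say that callers must pass a valid cipher.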
Index: src/crypto/dist/ssh/cipher.h
diff -u src/crypto/dist/ssh/cipher.h:1.2 src/c