Skip to content
GitLab
Menu
Projects
Groups
Snippets
Help
Help
Support
Community forum
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
Menu
Open sidebar
Matt Johnston
dropbear
Commits
f40ed8ba
Commit
f40ed8ba
authored
May 16, 2012
by
Matt Johnston
Browse files
Update insecure-nocrypto to current head
--HG-- branch : insecure-nocrypto
parents
41f50057
19124395
Changes
4
Hide whitespace changes
Inline
Side-by-side
cli-auth.c
View file @
f40ed8ba
...
...
@@ -257,7 +257,10 @@ void cli_auth_try() {
#endif
#ifdef ENABLE_CLI_INTERACT_AUTH
if
(
!
finished
&&
ses
.
authstate
.
authtypes
&
AUTH_TYPE_INTERACT
)
{
if
(
ses
.
keys
->
trans
.
algo_crypt
->
cipherdesc
==
NULL
)
{
fprintf
(
stderr
,
"Sorry, I won't let you use interactive auth unencrypted.
\n
"
);
}
else
if
(
!
finished
&&
ses
.
authstate
.
authtypes
&
AUTH_TYPE_INTERACT
)
{
if
(
cli_ses
.
auth_interact_failed
)
{
finished
=
0
;
}
else
{
...
...
@@ -269,7 +272,10 @@ void cli_auth_try() {
#endif
#ifdef ENABLE_CLI_PASSWORD_AUTH
if
(
!
finished
&&
ses
.
authstate
.
authtypes
&
AUTH_TYPE_PASSWORD
)
{
if
(
ses
.
keys
->
trans
.
algo_crypt
->
cipherdesc
==
NULL
)
{
fprintf
(
stderr
,
"Sorry, I won't let you use password auth unencrypted.
\n
"
);
}
else
if
(
!
finished
&&
ses
.
authstate
.
authtypes
&
AUTH_TYPE_PASSWORD
)
{
cli_auth_password
();
finished
=
1
;
cli_ses
.
lastauthtype
=
AUTH_TYPE_PASSWORD
;
...
...
common-algo.c
View file @
f40ed8ba
...
...
@@ -159,6 +159,9 @@ algo_type sshciphers[] = {
#endif
#ifdef DROPBEAR_BLOWFISH
{
"blowfish-cbc"
,
0
,
&
dropbear_blowfish
,
1
,
&
dropbear_mode_cbc
},
#endif
#ifdef DROPBEAR_NONE_CIPHER
{
"none"
,
0
,
(
void
*
)
&
dropbear_nocipher
,
1
,
&
dropbear_mode_none
},
#endif
{
NULL
,
0
,
NULL
,
0
,
NULL
}
};
...
...
@@ -177,7 +180,10 @@ algo_type sshhashes[] = {
{
"hmac-sha1"
,
0
,
&
dropbear_sha1
,
1
,
NULL
},
#endif
#ifdef DROPBEAR_MD5_HMAC
{
"hmac-md5"
,
0
,
&
dropbear_md5
,
1
,
NULL
},
{
"hmac-md5"
,
0
,
(
void
*
)
&
dropbear_md5
,
1
,
NULL
},
#endif
#ifdef DROPBEAR_NONE_INTEGRITY
{
"none"
,
0
,
(
void
*
)
&
dropbear_nohash
,
1
,
NULL
},
#endif
{
NULL
,
0
,
NULL
,
0
,
NULL
}
};
...
...
common-kex.c
View file @
f40ed8ba
...
...
@@ -293,7 +293,6 @@ void gen_new_keys() {
hash_state
hs
;
unsigned
int
C2S_keysize
,
S2C_keysize
;
char
mactransletter
,
macrecvletter
;
/* Client or server specific */
int
recv_cipher
=
0
,
trans_cipher
=
0
;
TRACE
((
"enter gen_new_keys"
))
/* the dh_K and hash are the start of all hashes, we make use of that */
...
...
@@ -330,31 +329,39 @@ void gen_new_keys() {
hashkeys
(
C2S_key
,
C2S_keysize
,
&
hs
,
'C'
);
hashkeys
(
S2C_key
,
S2C_keysize
,
&
hs
,
'D'
);
recv_cipher
=
find_cipher
(
ses
.
newkeys
->
recv
.
algo_crypt
->
cipherdesc
->
name
);
if
(
recv_cipher
<
0
)
dropbear_exit
(
"Crypto error"
);
if
(
ses
.
newkeys
->
recv
.
crypt_mode
->
start
(
recv_cipher
,
recv_IV
,
recv_key
,
ses
.
newkeys
->
recv
.
algo_crypt
->
keysize
,
0
,
&
ses
.
newkeys
->
recv
.
cipher_state
)
!=
CRYPT_OK
)
{
dropbear_exit
(
"Crypto error"
);
}
trans_cipher
=
find_cipher
(
ses
.
newkeys
->
trans
.
algo_crypt
->
cipherdesc
->
name
);
if
(
trans_cipher
<
0
)
dropbear_exit
(
"Crypto error"
);
if
(
ses
.
newkeys
->
trans
.
crypt_mode
->
start
(
trans_cipher
,
trans_IV
,
trans_key
,
ses
.
newkeys
->
trans
.
algo_crypt
->
keysize
,
0
,
&
ses
.
newkeys
->
trans
.
cipher_state
)
!=
CRYPT_OK
)
{
dropbear_exit
(
"Crypto error"
);
if
(
ses
.
newkeys
->
recv
.
algo_crypt
->
cipherdesc
!=
NULL
)
{
int
recv_cipher
=
find_cipher
(
ses
.
newkeys
->
recv
.
algo_crypt
->
cipherdesc
->
name
);
if
(
recv_cipher
<
0
)
dropbear_exit
(
"Crypto error"
);
if
(
ses
.
newkeys
->
recv
.
crypt_mode
->
start
(
recv_cipher
,
recv_IV
,
recv_key
,
ses
.
newkeys
->
recv
.
algo_crypt
->
keysize
,
0
,
&
ses
.
newkeys
->
recv
.
cipher_state
)
!=
CRYPT_OK
)
{
dropbear_exit
(
"Crypto error"
);
}
}
if
(
ses
.
newkeys
->
trans
.
algo_crypt
->
cipherdesc
!=
NULL
)
{
int
trans_cipher
=
find_cipher
(
ses
.
newkeys
->
trans
.
algo_crypt
->
cipherdesc
->
name
);
if
(
trans_cipher
<
0
)
dropbear_exit
(
"Crypto error"
);
if
(
ses
.
newkeys
->
trans
.
crypt_mode
->
start
(
trans_cipher
,
trans_IV
,
trans_key
,
ses
.
newkeys
->
trans
.
algo_crypt
->
keysize
,
0
,
&
ses
.
newkeys
->
trans
.
cipher_state
)
!=
CRYPT_OK
)
{
dropbear_exit
(
"Crypto error"
);
}
}
/* MAC keys */
hashkeys
(
ses
.
newkeys
->
trans
.
mackey
,
ses
.
newkeys
->
trans
.
algo_mac
->
keysize
,
&
hs
,
mactransletter
);
hashkeys
(
ses
.
newkeys
->
recv
.
mackey
,
ses
.
newkeys
->
recv
.
algo_mac
->
keysize
,
&
hs
,
macrecvletter
);
if
(
ses
.
newkeys
->
trans
.
algo_mac
->
hashdesc
!=
NULL
)
{
hashkeys
(
ses
.
newkeys
->
trans
.
mackey
,
ses
.
newkeys
->
trans
.
algo_mac
->
keysize
,
&
hs
,
mactransletter
);
}
if
(
ses
.
newkeys
->
recv
.
algo_mac
->
hashdesc
!=
NULL
)
{
hashkeys
(
ses
.
newkeys
->
recv
.
mackey
,
ses
.
newkeys
->
recv
.
algo_mac
->
keysize
,
&
hs
,
macrecvletter
);
}
ses
.
newkeys
->
trans
.
hash_index
=
find_hash
(
ses
.
newkeys
->
trans
.
algo_mac
->
hashdesc
->
name
),
ses
.
newkeys
->
recv
.
hash_index
=
find_hash
(
ses
.
newkeys
->
recv
.
algo_mac
->
hashdesc
->
name
),
...
...
options.h
View file @
f40ed8ba
...
...
@@ -97,6 +97,18 @@ much traffic. */
* size and is recommended for most cases */
#define DROPBEAR_ENABLE_CTR_MODE
/* You can compile with no encryption if you want. In some circumstances
* this could be safe security-wise, though make sure you know what
* you're doing. Anyone can see everything that goes over the wire, so
* the only safe auth method is public key. You'll have to disable all other
* ciphers above in the client if you want to use this, or implement cipher
* prioritisation in cli-runopts.
*
* The best way to do things is probably make normal compile of dropbear with
* all ciphers including "none" as the server, then recompile a special
* "dbclient-insecure" client. */
/* #define DROPBEAR_NONE_CIPHER */
/* Message Integrity - at least one required.
* Protocol RFC requires sha1 and recommends sha1-96.
* sha1-96 is of use for slow links as it has a smaller overhead.
...
...
@@ -109,13 +121,19 @@ much traffic. */
* These hashes are also used for public key fingerprints in logs.
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
#define DROPBEAR_SHA1_HMAC
#define DROPBEAR_SHA1_96_HMAC
/*#define DROPBEAR_SHA2_256_HMAC*/
/*#define DROPBEAR_SHA2_512_HMAC*/
#define DROPBEAR_MD5_HMAC
/* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. If you disable this it's dead
* simple to run arbitrary commands on the remote host. Beware.
* Note again, for the client you will have to disable other hashes above
* to use this. */
/* #define DROPBEAR_NONE_INTEGRITY */
/* Hostkey/public key algorithms - at least one required, these are used
* for hostkey as well as for verifying signatures with pubkey auth.
* Removing either of these won't save very much space.
...
...
Write
Preview
Supports
Markdown
0%
Try again
or
attach a new file
.
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment