diff options
| author | Matt Johnston <matt@ucc.asn.au> | 2015-06-03 22:59:59 +0800 |
|---|---|---|
| committer | Matt Johnston <matt@ucc.asn.au> | 2015-06-03 22:59:59 +0800 |
| commit | ecd850521816dc2a78792fc53dd9c6c80d5d1b91 (patch) | |
| tree | 8ac23d0bbac268a38054bbce8f0532df1872f283 | |
| parent | 1fa1c3f9db61e11d18363140f167ca1627e2f6ed (diff) | |
Disable twofish-ctr by default, add config option
| -rw-r--r-- | common-algo.c | 3 | ||||
| -rw-r--r-- | options.h | 9 |
2 files changed, 10 insertions, 2 deletions
diff --git a/common-algo.c b/common-algo.c index a3e9d78..b1d4966 100644 --- a/common-algo.c +++ b/common-algo.c @@ -144,12 +144,15 @@ algo_type sshciphers[] = { #ifdef DROPBEAR_AES256 {"aes256-ctr", 0, &dropbear_aes256, 1, &dropbear_mode_ctr}, #endif +#ifdef DROPBEAR_TWOFISH_CTR +/* twofish ctr is conditional as it hasn't been tested for interoperability, see options.h */ #ifdef DROPBEAR_TWOFISH256 {"twofish256-ctr", 0, &dropbear_twofish256, 1, &dropbear_mode_ctr}, #endif #ifdef DROPBEAR_TWOFISH128 {"twofish128-ctr", 0, &dropbear_twofish128, 1, &dropbear_mode_ctr}, #endif +#endif /* DROPBEAR_TWOFISH_CTR */ #endif /* DROPBEAR_ENABLE_CTR_MODE */ #ifdef DROPBEAR_ENABLE_CBC_MODE @@ -103,10 +103,15 @@ much traffic. */ #define DROPBEAR_ENABLE_CBC_MODE /* Enable "Counter Mode" for ciphers. This is more secure than normal - * CBC mode against certain attacks. This adds around 1kB to binary - * size and is recommended for most cases */ + * CBC mode against certain attacks. It is recommended for security + * and forwards compatibility */ #define DROPBEAR_ENABLE_CTR_MODE +/* Twofish counter mode is disabled by default because it +has not been tested for interoperability with other SSH implementations. +If you test it please contact the Dropbear author */ +/* #define DROPBEAR_TWOFISH_CTR */ + /* You can compile with no encryption if you want. In some circumstances * this could be safe security-wise, though make sure you know what * you're doing. Anyone can see everything that goes over the wire, so |