summaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
-rw-r--r--common-algo.c2
-rw-r--r--common-kex.c36
-rw-r--r--options.h19
3 files changed, 25 insertions, 32 deletions
diff --git a/common-algo.c b/common-algo.c
index 34e9efd..682724e 100644
--- a/common-algo.c
+++ b/common-algo.c
@@ -151,7 +151,7 @@ algo_type sshciphers[] = {
{"blowfish-cbc", 0, &dropbear_blowfish, 1, &dropbear_mode_cbc},
#endif
#ifdef DROPBEAR_NONE_CIPHER
- {"none", 0, (void*)&dropbear_nocipher, 1},
+ {"none", 0, (void*)&dropbear_nocipher, 1, &dropbear_mode_none},
#endif
{NULL, 0, NULL, 0}
};
diff --git a/common-kex.c b/common-kex.c
index 479db86..d1503c9 100644
--- a/common-kex.c
+++ b/common-kex.c
@@ -292,44 +292,30 @@ void gen_new_keys() {
hashkeys(C2S_key, C2S_keysize, &hs, 'C');
hashkeys(S2C_key, S2C_keysize, &hs, 'D');
- recv_cipher = find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name);
- if (recv_cipher < 0)
- dropbear_exit("crypto error");
- if (ses.newkeys->recv_crypt_mode->start(recv_cipher,
- recv_IV, recv_key,
- ses.newkeys->recv_algo_crypt->keysize, 0,
- &ses.newkeys->recv_cipher_state) != CRYPT_OK) {
- dropbear_exit("crypto error");
- }
-
- trans_cipher = find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name);
- if (trans_cipher < 0)
- dropbear_exit("crypto error");
- if (ses.newkeys->trans_crypt_mode->start(trans_cipher,
- trans_IV, trans_key,
- ses.newkeys->trans_algo_crypt->keysize, 0,
- &ses.newkeys->trans_cipher_state) != CRYPT_OK) {
- dropbear_exit("crypto error");
if (ses.newkeys->recv_algo_crypt->cipherdesc != NULL) {
- if (cbc_start(
- find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name),
+ recv_cipher = find_cipher(ses.newkeys->recv_algo_crypt->cipherdesc->name);
+ if (recv_cipher < 0)
+ dropbear_exit("crypto error");
+ if (ses.newkeys->recv_crypt_mode->start(recv_cipher,
recv_IV, recv_key,
ses.newkeys->recv_algo_crypt->keysize, 0,
- &ses.newkeys->recv_symmetric_struct) != CRYPT_OK) {
+ &ses.newkeys->recv_cipher_state) != CRYPT_OK) {
dropbear_exit("crypto error");
}
}
if (ses.newkeys->trans_algo_crypt->cipherdesc != NULL) {
- if (cbc_start(
- find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name),
+ trans_cipher = find_cipher(ses.newkeys->trans_algo_crypt->cipherdesc->name);
+ if (trans_cipher < 0)
+ dropbear_exit("crypto error");
+ if (ses.newkeys->trans_crypt_mode->start(trans_cipher,
trans_IV, trans_key,
ses.newkeys->trans_algo_crypt->keysize, 0,
- &ses.newkeys->trans_symmetric_struct) != CRYPT_OK) {
+ &ses.newkeys->trans_cipher_state) != CRYPT_OK) {
dropbear_exit("crypto error");
}
}
-
+
/* MAC keys */
if (ses.newkeys->trans_algo_mac->hashdesc != NULL) {
hashkeys(ses.newkeys->transmackey,
diff --git a/options.h b/options.h
index 7fd61a4..58204f8 100644
--- a/options.h
+++ b/options.h
@@ -82,17 +82,15 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* Protocol RFC requires 3DES and recommends AES128 for interoperability.
* Including multiple keysize variants the same cipher
* (eg AES256 as well as AES128) will result in a minimal size increase.*/
+/*
#define DROPBEAR_AES128
#define DROPBEAR_3DES
#define DROPBEAR_AES256
#define DROPBEAR_BLOWFISH
#define DROPBEAR_TWOFISH256
#define DROPBEAR_TWOFISH128
+*/
-/* Enable "Counter Mode" for ciphers. This is more secure than normal
- * CBC mode against certain attacks. This adds around 1kB to binary
- * size and is recommended for most cases */
-#define DROPBEAR_ENABLE_CTR_MODE
/* You can compile with no encryption if you want. In some circumstances
* this could be safe securitywise, though make sure you know what
* you're doing. Anyone can see everything that goes over the wire, so
@@ -105,6 +103,11 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* "dbclient-insecure" client. */
#define DROPBEAR_NONE_CIPHER
+/* Enable "Counter Mode" for ciphers. This is more secure than normal
+ * CBC mode against certain attacks. This adds around 1kB to binary
+ * size and is recommended for most cases */
+#define DROPBEAR_ENABLE_CTR_MODE
+
/* Message Integrity - at least one required.
* Protocol RFC requires sha1 and recommends sha1-96.
* sha1-96 may be of use for slow links, as it has a smaller overhead.
@@ -117,15 +120,19 @@ etc) slower (perhaps by 50%). Recommended for most small systems. */
* These hashes are also used for public key fingerprints in logs.
* If you disable MD5, Dropbear will fall back to SHA1 fingerprints,
* which are not the standard form. */
+/*
#define DROPBEAR_SHA1_HMAC
#define DROPBEAR_SHA1_96_HMAC
#define DROPBEAR_MD5_HMAC
+*/
/* You can also disable integrity. Don't bother disabling this if you're
* still using a cipher, it's relatively cheap. Don't disable this if you're
* using 'none' cipher, since it's dead simple to run arbitrary commands
- * on the remote host. Beware. */
-/*#define DROPBEAR_NONE_INTEGRITY*/
+ * on the remote host. Beware.
+ * Note again, for the client you will have to disable other hashes above
+ * to use this. */
+#define DROPBEAR_NONE_INTEGRITY
/* Hostkey/public key algorithms - at least one required, these are used
* for hostkey as well as for verifying signatures with pubkey auth.