crypto: Disable blowfish support by default

Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2026-02-05 21:00:33 +09:00 · 2018-12-16 13:32:42 +01:00
parent 6cd8d4a24a
commit dea6fe3d89
11 changed files with 36 additions and 13 deletions
--- a/src/kex.c
+++ b/src/kex.c
@@ -39,16 +39,24 @@
 #include "libssh/knownhosts.h"
 #include "libssh/misc.h"

+#ifdef WITH_BLOWFISH_CIPHER
+# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
+#  define BLOWFISH "blowfish-cbc,"
+# else
+#  define BLOWFISH ""
+# endif
+#else
+# define BLOWFISH ""
+#endif
+
 #ifdef HAVE_LIBGCRYPT
-# define BLOWFISH "blowfish-cbc,"
 # define AES "aes256-gcm@openssh.com,aes128-gcm@openssh.com," \
             "aes256-ctr,aes192-ctr,aes128-ctr," \
             "aes256-cbc,aes192-cbc,aes128-cbc,"
 # define DES "3des-cbc"
 # define DES_SUPPORTED "3des-cbc"

-#elif defined HAVE_LIBMBEDCRYPTO
-# define BLOWFISH "blowfish-cbc,"
+#elif defined(HAVE_LIBMBEDCRYPTO)
 # ifdef MBEDTLS_GCM_C
 #  define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
 # else
@@ -60,13 +68,6 @@
 # define DES_SUPPORTED "3des-cbc"

 #elif defined(HAVE_LIBCRYPTO)
-
-# ifdef HAVE_OPENSSL_BLOWFISH_H
-#  define BLOWFISH "blowfish-cbc,"
-# else /* HAVE_OPENSSL_BLOWFISH_H */
-#  define BLOWFISH ""
-# endif /* HAVE_OPENSSL_BLOWFISH_H */
-
 # ifdef HAVE_OPENSSL_AES_H
 #  ifdef HAVE_OPENSSL_EVP_AES_GCM
 #   define GCM "aes256-gcm@openssh.com,aes128-gcm@openssh.com,"
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -514,10 +514,12 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher) {
    case SSH_3DES_CBC:
        cipher->cipher = EVP_des_ede3_cbc();
        break;
+#ifdef WITH_BLOWFISH_CIPHER
    case SSH_BLOWFISH_CBC:
        cipher->cipher = EVP_bf_cbc();
        break;
        /* ciphers not using EVP */
+#endif
    case SSH_AEAD_CHACHA20_POLY1305:
        SSH_LOG(SSH_LOG_WARNING, "The ChaCha cipher cannot be handled here");
        break;
@@ -881,6 +883,7 @@ evp_cipher_aead_decrypt(struct ssh_cipher_struct *cipher,
 * The table of supported ciphers
 */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
+#ifdef WITH_BLOWFISH_CIPHER
  {
    .name = "blowfish-cbc",
    .blocksize = 8,
@@ -892,6 +895,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
    .decrypt = evp_cipher_decrypt,
    .cleanup = evp_cipher_cleanup
  },
+#endif
 #ifdef HAS_AES
 #ifndef BROKEN_AES_CTR
 /* OpenSSL until 0.9.7c has a broken AES_ctr128_encrypt implementation which
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -311,6 +311,7 @@ void hmac_final(HMACCTX c, unsigned char *hashmacbuf, unsigned int *len) {
  gcry_md_close(c);
 }

+#ifdef WITH_BLOWFISH_CIPHER
 /* the wrapper functions for blowfish */
 static int blowfish_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV){
  if (cipher->key == NULL) {
@@ -345,6 +346,7 @@ static void blowfish_decrypt(struct ssh_cipher_struct *cipher, void *in,
    void *out, unsigned long len) {
  gcry_cipher_decrypt(cipher->key[0], out, len, in, len);
 }
+#endif /* WITH_BLOWFISH_CIPHER */

 static int aes_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) {
  int mode=GCRY_CIPHER_MODE_CBC;
@@ -610,6 +612,7 @@ static void des3_decrypt(struct ssh_cipher_struct *cipher, void *in,

 /* the table of supported ciphers */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
+#ifdef WITH_BLOWFISH_CIPHER
  {
    .name            = "blowfish-cbc",
    .blocksize       = 8,
@@ -621,6 +624,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
    .encrypt     = blowfish_encrypt,
    .decrypt     = blowfish_decrypt
  },
+#endif /* WITH_BLOWFISH_CIPHER */
  {
    .name            = "aes128-ctr",
    .blocksize       = 16,
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -951,6 +951,7 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
 }

 static struct ssh_cipher_struct ssh_ciphertab[] = {
+#ifdef WITH_BLOWFISH_CIPHER
    {
        .name = "blowfish-cbc",
        .blocksize = 8,
@@ -962,6 +963,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
        .decrypt = cipher_decrypt_cbc,
        .cleanup = cipher_cleanup
    },
+#endif /* WITH_BLOWFISH_CIPHER */
    {
        .name = "aes128-ctr",
        .blocksize = 16,
--- a/src/packet_crypt.c
+++ b/src/packet_crypt.c
@@ -33,7 +33,6 @@
 #endif

 #ifdef OPENSSL_CRYPTO
-#include <openssl/blowfish.h>
 #include <openssl/evp.h>
 #include <openssl/hmac.h>
 #endif