Add basic support for none cipher and MACs

Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2026-02-06 18:29:50 +09:00 · 2020-04-28 11:04:59 +02:00
parent 46499b1b90
commit e6aee24a1e
9 changed files with 85 additions and 6 deletions
--- a/src/kex.c
+++ b/src/kex.c
@@ -125,6 +125,12 @@
 #define DSA_PUBLIC_KEY_ALGORITHMS ""
 #endif

+#ifdef WITH_INSECURE_NONE
+#define NONE ",none"
+#else
+#define NONE
+#endif
+
 #define HOSTKEYS "ssh-ed25519," \
                 EC_HOSTKEYS \
                 "rsa-sha2-512," \
@@ -239,10 +245,10 @@ static const char *default_methods[] = {
 static const char *supported_methods[] = {
  KEY_EXCHANGE_SUPPORTED,
  PUBLIC_KEY_ALGORITHMS,
-  CHACHA20 AES BLOWFISH DES_SUPPORTED,
-  CHACHA20 AES BLOWFISH DES_SUPPORTED,
-  "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
-  "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1",
+  CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
+  CHACHA20 AES BLOWFISH DES_SUPPORTED NONE,
+  "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
+  "hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1" NONE,
  ZLIB,
  ZLIB,
  "",
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -1275,6 +1275,17 @@ chacha20_poly1305_aead_encrypt(struct ssh_cipher_struct *cipher,
 }
 #endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */

+#ifdef WITH_INSECURE_NONE
+static void
+none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
+           void *in,
+           void *out,
+           size_t len)
+{
+    memcpy(out, in, len);
+}
+#endif /* WITH_INSECURE_NONE */
+
 /*
 * The table of supported ciphers
 */
@@ -1463,6 +1474,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
    .name = "chacha20-poly1305@openssh.com"
 #endif /* defined(HAVE_OPENSSL_EVP_CHACHA20) && defined(HAVE_OPENSSL_EVP_POLY1305) */
  },
+#ifdef WITH_INSECURE_NONE
+  {
+    .name = "none",
+    .blocksize = 8,
+    .keysize = 0,
+    .encrypt = none_crypt,
+    .decrypt = none_crypt,
+  },
+#endif /* WITH_INSECURE_NONE */
  {
    .name = NULL
  }
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -881,6 +881,17 @@ out:
 }
 #endif /* HAVE_GCRYPT_CHACHA_POLY */

+#ifdef WITH_INSECURE_NONE
+static void
+none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
+           void *in,
+           void *out,
+           size_t len)
+{
+    memcpy(out, in, len);
+}
+#endif /* WITH_INSECURE_NONE */
+
 /* the table of supported ciphers */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
 #ifdef WITH_BLOWFISH_CIPHER
@@ -1020,6 +1031,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
    .name = "chacha20-poly1305@openssh.com"
 #endif
  },
+#ifdef WITH_INSECURE_NONE
+  {
+    .name            = "none",
+    .blocksize       = 8,
+    .keysize         = 0,
+    .encrypt         = none_crypt,
+    .decrypt         = none_crypt
+  },
+#endif /* WITH_INSECURE_NONE */
  {
    .name            = NULL,
    .blocksize       = 0,
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -1216,6 +1216,17 @@ static void cipher_cleanup(struct ssh_cipher_struct *cipher)
 #endif /* MBEDTLS_GCM_C */
 }

+#ifdef WITH_INSECURE_NONE
+static void
+none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
+           void *in,
+           void *out,
+           size_t len)
+{
+    memcpy(out, in, len);
+}
+#endif /* WITH_INSECURE_NONE */
+
 static struct ssh_cipher_struct ssh_ciphertab[] = {
 #ifdef WITH_BLOWFISH_CIPHER
    {
@@ -1356,6 +1367,15 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
        .name = "chacha20-poly1305@openssh.com"
 #endif
    },
+#ifdef WITH_INSECURE_NONE
+    {
+        .name = "none",
+        .blocksize = 8,
+        .keysize = 0,
+        .encrypt = none_crypt,
+        .decrypt = none_crypt,
+    },
+#endif /* WITH_INSECURE_NONE */
    {
        .name = NULL,
        .blocksize = 0,
--- a/src/wrapper.c
+++ b/src/wrapper.c
@@ -66,6 +66,9 @@ static struct ssh_hmac_struct ssh_hmac_tab[] = {
  { "hmac-sha2-256-etm@openssh.com", SSH_HMAC_SHA256,        true  },
  { "hmac-sha2-512-etm@openssh.com", SSH_HMAC_SHA512,        true  },
  { "hmac-md5-etm@openssh.com",      SSH_HMAC_MD5,           true  },
+#ifdef WITH_INSECURE_NONE
+  { "none",                          SSH_HMAC_NONE,          false },
+#endif /* WITH_INSECURE_NONE */
  { NULL,                            0,                      false }
 };