Hi all, I'm doing some work on the library and for now I have the attached three small patches for the AES part of crypt.c.
In a later patch I'll add a common CTR mode, so that backends only need to provide CBC. I see some work in this direction already. I'm working on my axTLS branch, it isn't done yet, but it does work. I am thinking to add some basic algorithm code into libssh2 itself, to enable a build without any dependencies at all. (At the cost of a reduced algorithm set; only MD5, SHA1, SHA2, AES, RSA, DH, maybe ChaCha later.) It would not be high performance, but high convenience. What do you think? //Peter
From ea7b900e2b803624de93e669de12a5a56fd993f6 Mon Sep 17 00:00:00 2001
From: Peter Stuge <pe...@stuge.se>
Date: Sun, 15 Apr 2018 01:49:42 +0200
Subject: [PATCH 1/3] src/crypt.c: Make AES-192 optional for crypto backends

---
 src/crypt.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/crypt.c b/src/crypt.c
index 4beb0aa..c505b9f 100644
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -131,6 +131,7 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_ctr = {
 _libssh2_cipher_aes128ctr
 };
 
+#ifdef _libssh2_cipher_aes192ctr
 static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_ctr = {
 "aes192-ctr",
 "",
@@ -143,6 +144,7 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_ctr = {
 &crypt_dtor,
 _libssh2_cipher_aes192ctr
 };
+#endif
 
 static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_ctr = {
 "aes256-ctr",
@@ -172,6 +174,7 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes128_cbc = {
 _libssh2_cipher_aes128
 };
 
+#ifdef _libssh2_cipher_aes192
 static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_cbc = {
 "aes192-cbc",
 "DEK-Info: AES-192-CBC",
@@ -184,6 +187,7 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes192_cbc = {
 &crypt_dtor,
 _libssh2_cipher_aes192
 };
+#endif
 
 static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_aes256_cbc = {
 "aes256-cbc",
@@ -313,13 +317,17 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_3des_cbc = {
 static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
 #if LIBSSH2_AES_CTR
 &libssh2_crypt_method_aes128_ctr,
+#ifdef libssh2_crypt_method_aes192_ctr
 &libssh2_crypt_method_aes192_ctr,
+#endif
 &libssh2_crypt_method_aes256_ctr,
 #endif /* LIBSSH2_AES */
 #if LIBSSH2_AES
 &libssh2_crypt_method_aes256_cbc,
 &libssh2_crypt_method_rijndael_cbc_lysator_liu_se, /* == aes256-cbc */
+#ifdef libssh2_crypt_method_aes192_cbc
 &libssh2_crypt_method_aes192_cbc,
+#endif
 &libssh2_crypt_method_aes128_cbc,
 #endif /* LIBSSH2_AES */
 #if LIBSSH2_BLOWFISH
--
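Review bot: In the last hunk (`_libssh2_crypt_methods[]`), `#ifdef libssh2_crypt_method_aes192_ctr` and `#ifdef libssh2_crypt_method_aes192_cbc` test the names of the `static const` objects defined earlier in this same patch, and the preprocessor cannot see C objects, so both conditions are false in every build and the AES-192 entries are never listed even when the backend provides the cipher. The list should test the same macro that guards each definition, `#ifdef _libssh2_cipher_aes192ctr` and `#ifdef _libssh2_cipher_aes192`. Patch 2/3 extends the object-name test to all six AES entries while removing the `#if LIBSSH2_AES_CTR` / `#if LIBSSH2_AES` guards, and 3/3 keeps it, so with the whole series applied the default cipher list would contain no AES method and negotiation would fall through to the non-AES ciphers that follow in the array (only the `LIBSSH2_BLOWFISH` entry is visible here). The array body continues outside the hunk.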
From a6d99abf87ddc7f166d16dc089e825ad1451f197 Mon Sep 17 00:00:00 2001
From: Peter Stuge <pe...@stuge.se>
Date: Sun, 15 Apr 2018 01:54:43 +0200
Subject: [PATCH 2/3] src/crypt.c: List AES algorithms individually in _libssh2_crypt_methods

This makes it easy to reorder the list later.
---
 src/crypt.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/src/crypt.c b/src/crypt.c
index c505b9f..4da76be 100644
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -315,21 +315,25 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_3des_cbc = {
 #endif
 
 static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
-#if LIBSSH2_AES_CTR
+#ifdef libssh2_crypt_method_aes128_ctr
 &libssh2_crypt_method_aes128_ctr,
+#endif
 #ifdef libssh2_crypt_method_aes192_ctr
 &libssh2_crypt_method_aes192_ctr,
 #endif
+#ifdef libssh2_crypt_method_aes256_ctr
 &libssh2_crypt_method_aes256_ctr,
-#endif /* LIBSSH2_AES */
-#if LIBSSH2_AES
+#endif
+#ifdef libssh2_crypt_method_aes256_cbc
 &libssh2_crypt_method_aes256_cbc,
 &libssh2_crypt_method_rijndael_cbc_lysator_liu_se, /* == aes256-cbc */
+#endif
 #ifdef libssh2_crypt_method_aes192_cbc
 &libssh2_crypt_method_aes192_cbc,
 #endif
+#ifdef libssh2_crypt_method_aes128_cbc
 &libssh2_crypt_method_aes128_cbc,
-#endif /* LIBSSH2_AES */
+#endif
 #if LIBSSH2_BLOWFISH
 &libssh2_crypt_method_blowfish_cbc,
 #endif /* LIBSSH2_BLOWFISH */
--
From dd4bab122b41cab4e9a9a7980227014ea50216e7 Mon Sep 17 00:00:00 2001
From: Peter Stuge <pe...@stuge.se>
Date: Sun, 15 Apr 2018 01:57:21 +0200
Subject: [PATCH 3/3] src/crypt.c: Make AES algorithm list aes{256,192,128}-{ctr,cbc}

The new order prefers larger keys and CTR over CBC for each key size: aes256-ctr,aes256-cbc,aes192-ctr,aes192-cbc,aes128-ctr,aes128-cbc The order of the algorithm list determines the default KEX message. The default KEX message can, as before, be overridden using: libssh2_session_method_pref(..., LIBSSH2_METHOD_CRYPT_{CS,SC}, ...)
---
 src/crypt.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/crypt.c b/src/crypt.c
index 4da76be..9a4ccf4 100644
--- a/src/crypt.c
+++ b/src/crypt.c
@@ -315,12 +315,6 @@ static const LIBSSH2_CRYPT_METHOD libssh2_crypt_method_3des_cbc = {
 #endif
 
 static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
-#ifdef libssh2_crypt_method_aes128_ctr
- &libssh2_crypt_method_aes128_ctr,
-#endif
-#ifdef libssh2_crypt_method_aes192_ctr
- &libssh2_crypt_method_aes192_ctr,
-#endif
 #ifdef libssh2_crypt_method_aes256_ctr
 &libssh2_crypt_method_aes256_ctr,
 #endif
@@ -328,9 +322,15 @@ static const LIBSSH2_CRYPT_METHOD *_libssh2_crypt_methods[] = {
 &libssh2_crypt_method_aes256_cbc,
 &libssh2_crypt_method_rijndael_cbc_lysator_liu_se, /* == aes256-cbc */
 #endif
+#ifdef libssh2_crypt_method_aes192_ctr
+ &libssh2_crypt_method_aes192_ctr,
+#endif
 #ifdef libssh2_crypt_method_aes192_cbc
 &libssh2_crypt_method_aes192_cbc,
 #endif
+#ifdef libssh2_crypt_method_aes128_ctr
+ &libssh2_crypt_method_aes128_ctr,
+#endif
 #ifdef libssh2_crypt_method_aes128_cbc
 &libssh2_crypt_method_aes128_cbc,
 #endif
--
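Review bot: The new order places `libssh2_crypt_method_aes256_cbc` and its `libssh2_crypt_method_rijndael_cbc_lysator_liu_se` alias ahead of `aes192-ctr` and `aes128-ctr`, so the default offer prefers a CBC cipher over two CTR ones. As the commit message notes, this list becomes the default KEX message, and when libssh2 is the client its order decides the negotiated cipher, so a server that lacks `aes256-ctr` but offers both `aes256-cbc` and `aes128-ctr` ends up on CBC. CBC in the SSH packet format has a known plaintext-recovery weakness that the CTR modes of RFC 4344 avoid, and the step from a 128-bit to a 256-bit key does not make up for it. I would sort by mode first and key size second, `aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc`, and add a short comment above the array stating that its order is the default preference sent to the peer.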