Add ssh2 support for aes-ctr cipher (sizes 128, 192, 256) for interoperability
with more modern hosts which are configured to remove aes-cbc mode.
This patch depends on patch aes-ctr which corrects a flaw in the libsec.a
implementation of aes-ctr.
Reference: /n/sources/patch/ssh2-aes-ctr
Date: Mon Apr 9 13:42:11 GMT 2018
Signed-off-by: [email protected]
--- /sys/src/cmd/ssh2/netssh.h Mon Apr 9 13:36:31 2018
+++ /sys/src/cmd/ssh2/netssh.h Mon Apr 9 13:36:28 2018
@@ -318,6 +318,7 @@
};
extern Cipher cipheraes128, cipheraes192, cipheraes256;
+extern Cipher cipheraes128ctr, cipheraes192ctr, cipheraes256ctr;
extern Cipher cipherblowfish, cipher3des, cipherrc4;
extern int debug;
extern int sshkeychan[];
--- /sys/src/cmd/ssh2/netssh.c Mon Apr 9 13:36:41 2018
+++ /sys/src/cmd/ssh2/netssh.c Mon Apr 9 13:36:34 2018
@@ -35,6 +35,9 @@
&cipheraes128,
&cipheraes192,
&cipheraes256,
+ &cipheraes128ctr,
+ &cipheraes192ctr,
+ &cipheraes256ctr,
// &cipherblowfish,
&cipher3des,
&cipherrc4,
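Review bot: The three CTR entries are placed after the CBC ones, so if this table's order is what the key-exchange cipher name-list is built from, a peer that still offers both modes will keep negotiating aes-cbc. The array's declaration and its consumer are outside the hunk, so this is inferred. Since the commit's stated motivation is that hosts are removing CBC, consider listing `&cipheraes128ctr, &cipheraes192ctr, &cipheraes256ctr,` ahead of `&cipheraes128,` so CTR is preferred when both are available. If the order carries no preference, a one-line comment above the table saying so would settle the question for the next reader.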
--- /sys/src/cmd/ssh2/cipheraes.c Mon Apr 9 13:36:44 2018
+++ /sys/src/cmd/ssh2/cipheraes.c Mon Apr 9 13:36:42 2018
@@ -57,6 +57,16 @@
}
static void
+encryptaesctr(CipherState *cs, uchar *buf, int nbuf)
+{
+ if(cs->state.setup != 0xcafebabe || cs->state.rounds > AESmaxrounds)
+ return;
+ qlock(&aeslock);
+ aesCTRencrypt(buf, nbuf, &cs->state);
+ qunlock(&aeslock);
+}
+
+static void
decryptaes(CipherState *cs, uchar *buf, int nbuf)
{
if(cs->state.setup != 0xcafebabe || cs->state.rounds > AESmaxrounds)
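Review bot: encryptaesctr returns silently when the `setup`/`rounds` sanity check fails, leaving `buf` untouched, and its void return gives the caller no way to notice, so the packet would presumably be sent on as plaintext. The same pattern is in decryptaesctr in the next hunk, where unmodified ciphertext would be handed on as if it had been decrypted, and in the existing decryptaes, whose body continues outside this hunk. Failing closed would be safer: replace the bare `return;` with something like `sysfatal("encryptaesctr: cipher state not initialised");`, or with whatever fatal-error path this program uses. If the silent return is kept for consistency with the CBC functions, a comment stating that the buffer is deliberately left unmodified on a bad state should be added to both new functions.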
@@ -66,6 +76,16 @@
qunlock(&aeslock);
}
+static void
+decryptaesctr(CipherState *cs, uchar *buf, int nbuf)
+{
+ if(cs->state.setup != 0xcafebabe || cs->state.rounds > AESmaxrounds)
+ return;
+ qlock(&aeslock);
+ aesCTRdecrypt(buf, nbuf, &cs->state);
+ qunlock(&aeslock);
+}
+
Cipher cipheraes128 = {
"aes128-cbc",
AESbsize,
@@ -74,6 +94,14 @@
decryptaes,
};
+Cipher cipheraes128ctr = {
+ "aes128-ctr",
+ AESbsize,
+ initaes128,
+ encryptaesctr,
+ decryptaesctr,
+};
+
Cipher cipheraes192 = {
"aes192-cbc",
AESbsize,
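Review bot: The new CTR `Cipher` entries carry no comment recording their dependency on the corrected libsec aes-ctr implementation, which the commit message mentions but the source will not. They also reuse the CBC init functions (cipheraes256ctr visibly shares `initaes256` with cipheraes256 in the last hunk), and those bodies are outside this diff, so it cannot be confirmed here that the state they set up is what `aesCTRencrypt` expects as its initial counter. I would add above cipheraes128ctr something like `/* aes*-ctr: requires the libsec aes-ctr fix; the IV installed by initaes* is used as the initial counter */`, adjusted to whatever the init code actually does. Without that note, a build against an unpatched libsec would still advertise aes-ctr and fail against peers in a way that is hard to trace back.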
@@ -82,10 +110,26 @@
decryptaes,
};
+Cipher cipheraes192ctr = {
+ "aes192-ctr",
+ AESbsize,
+ initaes192,
+ encryptaesctr,
+ decryptaesctr,
+};
+
Cipher cipheraes256 = {
"aes256-cbc",
AESbsize,
initaes256,
encryptaes,
decryptaes,
+};
+
+Cipher cipheraes256ctr = {
+ "aes256-ctr",
+ AESbsize,
+ initaes256,
+ encryptaesctr,
+ decryptaesctr,
};