From b04cd464db09fb9b1eb994b013c6642ce7e26c41 Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Thu, 8 Oct 2015 12:54:43 +0200
Subject: [PATCH] Remove constructions using the ECB mode
---
 cfg_kwords.h | 4 ----
 lfd_encrypt.c | 60 +++++++++++---------------------------------------
 vtun.h | 4 ----
 vtund.conf | 9 --------
 vtund.conf.5 | 13 +----------
 5 files changed, 13 insertions(+), 77 deletions(-)
diff --git a/cfg_kwords.h b/cfg_kwords.h
index 72a86c3..0f14ede 100644
--- a/cfg_kwords.h
+++ b/cfg_kwords.h
@@ -86,19 +86,15 @@ struct kword cfg_param[] = {
 { "inetd", VTUN_INETD },
 { "stand", VTUN_STAND_ALONE },
 { "keep", VTUN_PERSIST_KEEPIF },
- { "blowfish128ecb", VTUN_ENC_BF128ECB },
 { "blowfish128cbc", VTUN_ENC_BF128CBC },
 { "blowfish128cfb", VTUN_ENC_BF128CFB },
 { "blowfish128ofb", VTUN_ENC_BF128OFB },
- { "blowfish256ecb", VTUN_ENC_BF256ECB },
 { "blowfish256cbc", VTUN_ENC_BF256CBC },
 { "blowfish256cfb", VTUN_ENC_BF256CFB },
 { "blowfish256ofb", VTUN_ENC_BF256OFB },
- { "aes128ecb", VTUN_ENC_AES128ECB },
 { "aes128cbc", VTUN_ENC_AES128CBC },
 { "aes128cfb", VTUN_ENC_AES128CFB },
 { "aes128ofb", VTUN_ENC_AES128OFB },
- { "aes256ecb", VTUN_ENC_AES256ECB },
 { "aes256cbc", VTUN_ENC_AES256CBC },
 { "aes256cfb", VTUN_ENC_AES256CFB },
 { "aes256ofb", VTUN_ENC_AES256OFB },
diff --git a/lfd_encrypt.c b/lfd_encrypt.c
index c9da086..14fabb6 100644
--- a/lfd_encrypt.c
+++ b/lfd_encrypt.c
@@ -175,25 +175,6 @@ static int alloc_encrypt(struct vtun_host *host)
 cipher = host->cipher;
 switch(cipher) {
- case VTUN_ENC_AES256OFB:
- case VTUN_ENC_AES256CFB:
- case VTUN_ENC_AES256CBC:
- blocksize = 16;
- keysize = 32;
- sb_init = 1;
- cipher_type = EVP_aes_256_ecb();
- pctx_enc = &ctx_enc_ecb;
- pctx_dec = &ctx_dec_ecb;
- break;
-
- case VTUN_ENC_AES256ECB:
- blocksize = 16;
- keysize = 32;
- pctx_enc = &ctx_enc;
- pctx_dec = &ctx_dec;
- cipher_type = EVP_aes_256_ecb();
- strcpy(cipher_name,"AES-256-ECB");
- break;
 case VTUN_ENC_AES128OFB:
 case VTUN_ENC_AES128CFB:
 case VTUN_ENC_AES128CBC:
@@ -204,14 +185,6 @@ static int alloc_encrypt(struct vtun_host *host)
 pctx_enc = &ctx_enc_ecb;
 pctx_dec = &ctx_dec_ecb;
 break;
- case VTUN_ENC_AES128ECB:
- blocksize = 16;
- keysize = 16;
- pctx_enc = &ctx_enc;
- pctx_dec = &ctx_dec;
- cipher_type = EVP_aes_128_ecb();
- strcpy(cipher_name,"AES-128-ECB");
- break;
 case VTUN_ENC_BF256OFB:
 case VTUN_ENC_BF256CFB:
@@ -225,16 +198,6 @@ static int alloc_encrypt(struct vtun_host *host)
 pctx_dec = &ctx_dec_ecb;
 break;
- case VTUN_ENC_BF256ECB:
- blocksize = 8;
- keysize = 32;
- var_key = 1;
- pctx_enc = &ctx_enc;
- pctx_dec = &ctx_dec;
- cipher_type = EVP_bf_ecb();
- strcpy(cipher_name,"Blowfish-256-ECB");
- break;
-
 case VTUN_ENC_BF128OFB:
 case VTUN_ENC_BF128CFB:
 case VTUN_ENC_BF128CBC:
@@ -245,18 +208,19 @@ static int alloc_encrypt(struct vtun_host *host)
 cipher_type = EVP_bf_ecb();
 pctx_enc = &ctx_enc_ecb;
 pctx_dec = &ctx_dec_ecb;
- break;
- case VTUN_ENC_BF128ECB: /* blowfish 128 ecb is the default */
+ break;
+ case VTUN_ENC_AES256OFB:
+ case VTUN_ENC_AES256CFB:
+ case VTUN_ENC_AES256CBC:
 default:
- blocksize = 8;
- keysize = 16;
- var_key = 1;
- pctx_enc = &ctx_enc;
- pctx_dec = &ctx_dec;
- cipher_type = EVP_bf_ecb();
- strcpy(cipher_name,"Blowfish-128-ECB");
- break;
- } /* switch(host->cipher) */
+ blocksize = 16;
+ keysize = 32;
+ sb_init = 1;
+ cipher_type = EVP_aes_256_ecb();
+ pctx_enc = &ctx_enc_ecb;
+ pctx_dec = &ctx_dec_ecb;
+ strcpy(cipher_name,"AES-256-CBC");
+ } /* switch(host->cipher) */
 if (prep_key(&pkey, keysize, host) != 0) return -1;
 EVP_CIPHER_CTX_init(pctx_enc);
diff --git a/vtun.h b/vtun.h
index 8725eeb..fc7e565 100644
--- a/vtun.h
+++ b/vtun.h
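Review bot: The new `default:` arm (last hunk of lfd_encrypt.c) sends every unrecognised `host->cipher` value, including the retired ECB ids 1, 5, 9 and 13 that an older config or peer may still carry, down the AES-256 path with `sb_init = 1` but leaves `cipher` holding the unknown value. alloc_encrypt() starts and continues outside the hunk, so this is to be confirmed there: if the mode selection that follows the `sb_init` setup switches on that variable, it may not select CBC even though `cipher_name` now reads "AES-256-CBC". Normalising the fallback would close the gap, for example by placing `default: cipher = VTUN_ENC_AES256CBC; /* fall through */` above the three AES-256 labels rather than among them. The added `strcpy(cipher_name,"AES-256-CBC");` also executes for the AES256OFB and AES256CFB labels sharing this arm, which mislabels those modes unless the name is overwritten later. A log message when the fallback is taken would make a version or config mismatch visible to the operator instead of a tunnel that silently fails to decrypt.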
@@ -138,20 +138,16 @@ extern llist host_list;
 #define VTUN_ENCRYPT 0x0008
 /* Cipher options */
-#define VTUN_ENC_BF128ECB 1
 #define VTUN_ENC_BF128CBC 2
 #define VTUN_ENC_BF128CFB 3
 #define VTUN_ENC_BF128OFB 4
-#define VTUN_ENC_BF256ECB 5
 #define VTUN_ENC_BF256CBC 6
 #define VTUN_ENC_BF256CFB 7
 #define VTUN_ENC_BF256OFB 8
-#define VTUN_ENC_AES128ECB 9
 #define VTUN_ENC_AES128CBC 10
 #define VTUN_ENC_AES128CFB 11
 #define VTUN_ENC_AES128OFB 12
-#define VTUN_ENC_AES256ECB 13
 #define VTUN_ENC_AES256CBC 14
 #define VTUN_ENC_AES256CFB 15
 #define VTUN_ENC_AES256OFB 16
diff --git a/vtund.conf b/vtund.conf
index 9a790be..3b5baeb 100644
--- a/vtund.conf
+++ b/vtund.conf
@@ -150,28 +150,19 @@
 # -----------
 # encrypt - Enable 'yes' or disable 'no' encryption.
 # It is also possible to specify a method:
-# 'blowfish128ecb' - Blowfish cipher, 128 bit key, mode ECB
 # 'blowfish128cbc' - Blowfish cipher, 128 bit key, mode CBC
 # 'blowfish128cfb' - Blowfish cipher, 128 bit key, mode CFB
 # 'blowfish128ofb' - Blowfish cipher, 128 bit key, mode OFB
-# 'blowfish256ecb' - Blowfish cipher, 256 bit key, mode ECB
 # 'blowfish256cbc' - Blowfish cipher, 256 bit key, mode CBC
 # 'blowfish256cfb' - Blowfish cipher, 256 bit key, mode CFB
 # 'blowfish256ofb' - Blowfish cipher, 256 bit key, mode OFB
-# 'aes128ecb' - AES cipher, 128 bit key, mode ECB
 # 'aes128cbc' - AES cipher, 128 bit key, mode CBC
 # 'aes128cfb' - AES cipher, 128 bit key, mode CFB
 # 'aes128ofb' - AES cipher, 128 bit key, mode OFB
-# 'aes256ecb' - AES cipher, 256 bit key, mode ECB
 # 'aes256cbc' - AES cipher, 256 bit key, mode CBC
 # 'aes256cfb' - AES cipher, 256 bit key, mode CFB
 # 'aes256ofb' - AES cipher, 256 bit key, mode OFB
 #
-# A special encryption method is provided for use with clients
-# running pre-3.0 versions:
-# 'oldblowfish128ecb' - Blowfish cipher, 128bit key, mode ECB
-#
-# Default method is 'blowfish128ecb'.
 # Ignored by the client.
 #
 # -----------
diff --git a/vtund.conf.5 b/vtund.conf.5
index 149308a..a97fe0c 100644
--- a/vtund.conf.5
+++ b/vtund.conf.5
@@ -198,36 +198,25 @@ specifies encryption method to use. Encryption \fImethod\fRs include:
 .IP \fBno\fR
 no encryption
 .IP \fByes\fR
-default encryption method (\fBblowfish128ecb\fR)
-.IP \fBblowfish128ecb\fR
-Blowfish cipher, 128 bit key, mode ECB
+default encryption method
 .IP \fBblowfish128cbc\fR
 Blowfish cipher, 128 bit key, mode CBC
 .IP \fBblowfish128cfb\fR
 Blowfish cipher, 128 bit key, mode CFB
 .IP \fBblowfish128ofb\fR
 Blowfish cipher, 128 bit key, mode OFB
-.IP \fBblowfish256ecb\fR
-Blowfish cipher, 256 bit key, mode ECB
 .IP \fBblowfish256cbc\fR
 Blowfish cipher, 256 bit key, mode CBC
 .IP \fBblowfish256cfb\fR
 Blowfish cipher, 256 bit key, mode CFB
 .IP \fBblowfish256ofb\fR
 Blowfish cipher, 256 bit key, mode OFB
-.IP \fBaes128ecb\fR
-.IP \fBoldblowfish128ecb\fR
-Blowfish cipher, 128bit key, mode ECB
- (for use with 2.6 clients only)
-AES cipher, 128 bit key, mode ECB
 .IP \fBaes128cbc\fR
 AES cipher, 128 bit key, mode CBC
 .IP \fBaes128cfb\fR
 AES cipher, 128 bit key, mode CFB
 .IP \fBaes128ofb\fR
 AES cipher, 128 bit key, mode OFB
-.IP \fBaes256ecb\fR
-AES cipher, 256 bit key, mode ECB
 .IP \fBaes256cbc\fR
 AES cipher, 256 bit key, mode CBC
 .IP \fBaes256cfb\fR